Deconstructing ransomware, cybercriminals and their modus operandi


Ransomware is a seemingly age-old problem that is not going away, at least not any time soon. Governments and law enforcement are banding together to fight it with financial sanctions and takedowns of the groups behind the attacks, but those groups are like the mythical Hydra: cut off one head and three more sprout in its place. That is why ransomware attacks have only increased year on year.

News of a ransomware attack or a newly discovered malware strain is a daily occurrence and only adds to the apprehension and anxiety business leaders and security teams feel. Businesses of all sizes are under threat and must mobilize to understand the enemy: who they are, what their methods are, how they operate and how they are getting away with it.

How ransomware groups operate

In recent years, more and more threat actors have banded together into cybercriminal groups determined to share in the lucrative spoils of ransomware. The result is a landscape in which a small core of threat groups drives most of the malicious activity.

One of the most infamous and largest ransomware groups was Conti, which originated in Russia. In the early days of the Russian invasion of Ukraine, Conti announced it would retaliate against anyone who targeted Russia with cyber warfare. That was a bold statement, particularly since a number of Conti's own members and affiliates were Ukrainian. Within days, a Ukrainian security researcher leaked Conti's internal chats, eventually publishing over 160,000 messages that exposed source code, the group's operations, its own defensive measures and its headcount, thought to have reached around 100.

In 2021, Conti was estimated to have extorted $180 million. Yet the leaked chats showed that many individuals who joined the group were unaware it was a criminal organization, and were offered more money to stay on. The group spent an estimated $2 million a year maintaining its infrastructure, a substantial proportion of it on commercial software. Its preferred targets were organizations in nations with strong economies.

Culture also plays a crucial role in target selection. This is a business of extortion: the threat actor breaks in, steals information, then negotiates with the victim for payment. To negotiate with someone you must understand them, understand their culture and converse in their language, which is why English-speaking nations are easier and more lucrative targets for these groups.

Another point of interest is how closely ransomware groups resemble ordinary businesses. Conti had two physical offices and an HR department and, like the very organizations it targets, it faced staff turnover and talent retention problems. It therefore ran recruitment initiatives, including a bonus for any affiliate who brought in a friend.

Conti also intended to grow, and this ambitious group pursued what amounted to an M&A strategy, acquiring developers from the Emotet crimeware-as-a-service network. It is easy to see why the US government offered up to $15 million in rewards for information on Conti's leaders.


As the cybercrime landscape evolved, the 'as-a-service' model became more prominent, lowering the bar for those who lack technical skills but still wish to carry out attacks. Ransomware is no exception: Ransomware-as-a-Service (RaaS) is readily available on the internet to purchase or subscribe to, much as you would Netflix or Amazon. Under this model the operators write and maintain the malware and the infrastructure behind it, and affiliates pay a fee, a share of each ransom, or both, to launch attacks with it. Affiliates need no development skills of their own; they rely on the operators'.

The operator supplies the tooling, while the affiliate (or in some cases the operator's own team) carries out the intrusion: locating the data, exfiltrating it and then launching the malware on the chosen target. Names that have grown in notoriety include Hive, DarkSide, REvil (also known as Sodinokibi), LockBit and Dharma. DarkSide was behind the Colonial Pipeline attack that caused fuel shortages across the US East Coast and prompted emergency declarations. Ultimately, RaaS offers cybercriminals low risk and high reward, which is why it has become so popular in recent years.

Attack vectors to protect against

There are many avenues cybercriminals can take to compromise an organization. Social engineering techniques such as phishing are at the top of the list. Another is targeting insecure or unpatched internet-facing gateways and VPNs, now widely deployed to support remote working. Exposed Remote Desktop Protocol (RDP) services are a favourite: attackers brute-force weak passwords or use stolen credentials to log straight in. Attackers also gain access by exploiting publicly known vulnerabilities, then lock regular users out of the affected servers. This is an age-old problem with a relatively easy fix: patch and update systems as soon as fixes become available.

Once inside, the criminals move laterally toward critical assets, sensitive data and, above all, the backups. As a rule of thumb, do not rely on obscurity here: a share or file named 'backup' is one of the first things threat actors look for, and backups should be kept offline or immutable so that finding them does not help. Their objective is to exfiltrate anything of value to the organization, encrypted or not; the more they steal, the more leverage they have when negotiating the ransom.

To mitigate such threats, security best practice is the foundation to build on. Ensure no password is generic or factory-set; the password printed on the outside of the router, for example, should never be reused internally. Review administrator activity regularly to catch odd or abnormal behaviour. Cybercriminals are persistent and will create their own admin account once they get a foothold in the domain. To the untrained eye everything will look normal, so security and IT teams need to reconcile every new privileged account against the change-control record to tell a legitimate one from a malicious one.

Defense in depth is key in the battle against ransomware, not only at the network level but also against social engineering. The ability to patch quickly, to mitigate social engineering and to arm the workforce with the knowledge to spot rogue URLs is vital. Security awareness training turns the workforce into a last line of defense, reduces the risk of falling victim and builds the security culture the organization needs.
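The reconciliation step above, as an added example that is not part of the original article: a Python script that reads Windows Security events exported as JSON lines (the shape a SIEM export or a converted `wevtutil` dump gives you), keeps only account creations (event 4720) and additions to privileged groups (events 4728, 4732 and 4756), and reports any whose target account has no approved change ticket. The group list, the ticket list and the sample events are constructed for this demonstration; in a real 4728/4732/4756 event the added member appears as a distinguished name in MemberName, which the sample simplifies to a plain account name.

```python
import json
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Groups whose membership changes should always be backed by a change ticket.
# Constructed list; extend it with your own tier-0 groups.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}

# Windows Security event IDs: 4720 = user account created;
# 4728 / 4732 / 4756 = member added to a security-enabled global / local / universal group.
ACCOUNT_CREATED = 4720
GROUP_MEMBER_ADDED = {4728, 4732, 4756}


@dataclass(frozen=True)
class Finding:
    timestamp: str
    event_id: int
    actor: str            # SubjectUserName: the account that made the change
    target: str           # account that was created or added to a group
    group: Optional[str]  # privileged group involved; None for a creation event


def load_events(lines: Iterable[str]) -> Iterable[dict]:
    """Yield one event dict per JSON line; skip blank or malformed lines
    instead of aborting the whole review on a single bad record."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def audit_privileged_changes(lines: Iterable[str], approved: Dict[str, str]) -> List[Finding]:
    """Return every account creation or privileged-group addition whose target
    account has no entry in `approved` (lower-cased account name -> ticket ID).
    Events that are neither are ignored; approved ones are treated as legitimate."""
    findings: List[Finding] = []
    for ev in load_events(lines):
        eid = ev.get("EventID")
        if eid == ACCOUNT_CREATED:
            target, group = ev["TargetUserName"], None
        elif eid in GROUP_MEMBER_ADDED and ev.get("TargetUserName") in PRIVILEGED_GROUPS:
            # For group events TargetUserName is the group, MemberName the account added.
            target, group = ev["MemberName"], ev["TargetUserName"]
        else:
            continue  # not a change we gate on change control
        if target.lower() in approved:
            continue  # a ticket exists for this account
        findings.append(Finding(ev["TimeCreated"], eid, ev["SubjectUserName"], target, group))
    return findings


# Constructed sample export (JSON lines), not real log data. The first two
# records model the pattern described in the article: a service account
# creates a user at 02:11 and immediately drops it into Domain Admins.
SAMPLE_EVENTS = """\
{"TimeCreated": "2024-03-04T02:11:09Z", "EventID": 4720, "SubjectUserName": "svc_backup", "TargetUserName": "sqlsvc2"}
{"TimeCreated": "2024-03-04T02:11:40Z", "EventID": 4728, "SubjectUserName": "svc_backup", "TargetUserName": "Domain Admins", "MemberName": "sqlsvc2"}
{"TimeCreated": "2024-03-04T09:15:02Z", "EventID": 4720, "SubjectUserName": "j.doe_admin", "TargetUserName": "new.hire"}
{"TimeCreated": "2024-03-04T09:16:30Z", "EventID": 4728, "SubjectUserName": "j.doe_admin", "TargetUserName": "Sales Users", "MemberName": "new.hire"}
{"TimeCreated": "2024-03-04T10:00:00Z", "EventID": 4732, "SubjectUserName": "j.doe_admin", "TargetUserName": "Administrators", "MemberName": "helpdesk.tier2"}
not json at all
"""

# Constructed change-control record: lower-cased account name -> approved ticket.
APPROVED_TICKETS = {"new.hire": "CHG-1042", "helpdesk.tier2": "CHG-1047"}


if __name__ == "__main__":
    for f in audit_privileged_changes(SAMPLE_EVENTS.splitlines(), APPROVED_TICKETS):
        what = f"added to {f.group}" if f.group else "created"
        print(f"{f.timestamp} UNAPPROVED: {f.target} {what} by {f.actor} (event {f.event_id})")
```

Run against the sample, the two `svc_backup` records are the only findings: `new.hire` and `helpdesk.tier2` have tickets, and the `Sales Users` addition is not a privileged-group change. In practice the ticket map comes from your change-control system and the events from a scheduled export, so the script can run daily and feed its findings to the ticket queue rather than relying on someone eyeballing the admin group.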
