What Could The Next Ransomware Note Say? Let’s Learn from 2016

By Ryan Olson, Gunter OllmannFlorin LazurcaSimon Puleo

While ransomware threats are mostly an unknown entity to everyday consumers and Internet users, the widespread havoc these types of attacks have waged on healthcare organizations during 2016 started hitting a little too close to home. Consumers need to dispel the mindset of “that won’t happen to me” and make the connection that their information is being targeted – it’s just happening through a third party database, not their personal devices. Information can’t get more personal than health data, and the fact that this industry has been a constant target of ransomware attacks over the last twelve months demonstrates a pressing need to find a solution to these threats. With several other security concerns plaguing the healthcare industry, such as insecure medical devices, we do not need ransomware attacks to create a future where individual patients are being targeted by hackers during an operation or stay at a healthcare organization. That’s an entirely new frontier we do not want to cross.

Beyond the targeting of healthcare organizations, some ransomware variants morphed into something truly evil and unprecedented in its threat history: actually deleting company data even though the ransom was paid. For example, we saw with the Jigsaw ransomware that it would delete files every hour, and each time the infection restarted until the victim paid the ransom. While this wasn’t the first time the industry has seen ransomware threaten to delete files, Jigsaw was the first time the attack actually acted on the threat to delete files.

Given the prevalence of ransomware and the impact it can have on our society today and in the future, we wanted to find out what some of the InfoSec experts had to say about this growing underground industry. Their responses are captured below.


Ryan Olson
Intelligence Director
Unit 42, Palo Alto Networks


2016: Maturation of the Ransomware Industry

Ransomware has certainly been the biggest threat and ongoing story throughout 2016 because of the continuous drumbeat of scary headlines these types of attacks have generated, mostly in regards to the healthcare industry. But it’s also been the biggest threat of the year because in 2016 ransomware became a truly mature cybercriminal industry.

In our report on ransomware in May 2016, “Ransomware: Unlocking the Lucrative Criminal Business Model”, we showed the ransomware “market” had over 30 different competing families. Additionally, the cybercrime industry has matured in 2016 so much so that it's seeking to expand into new “markets”. Ransomware is no longer just a problem on Microsoft Windows; we’ve seen ransomware on Google Android as well as Apple iOS. And we’ve seen evidence that some ransomware cybercriminals are “test marketing” ransomware in the Internet of Things (IoT) space.

Looking forward to 2017, we can expect these trends to continue. But underlying them is the crucial fact that in 2016 ransomware became a mature industry to a degree that’s unprecedented in cybercrime.

2017: The ransomware business model moves to new platforms

As we highlighted in our May report, ransomware is not a malware problem, it’s a criminal business model. Malware is typically the mechanism by which attackers hold systems for ransom, but it is simply a means to an end. As noted in our report, the ransomware business model requires an attacker to successfully perform five tasks:

  1. Take control of a system or device. This may be a single computer, mobile phone, or any other system capable of running software.
  2. Prevent the owner from accessing it. This may happen through encryption, lockout screens, or even simple scare tactics, as described later in this report.
  3. Alert the owner that the device has been held for ransom, indicating the method and amount to be paid. While this step may appear obvious, one must remember that the attackers and the victims often speak different languages, live in different parts of the world, and have very different technical capabilities.
  4. Accept payment from the device owner. If the attacker cannot receive a payment, and, most importantly, receive the payment without becoming a target for law enforcement, the first three steps are wasted.
  5. Return full access to the device owner after payment has been received. While an attacker may have short-lived success with accepting payments and not returning access to devices, in time this will destroy the effectiveness of the scheme. Nobody pays a ransom when they don’t believe their valuables will be returned.

The ransomware business model can target any device, system, or data, where someone can perform all five of these tasks. At DEFCON 24 in August 2016, researchers from Pen Test Partners demonstrated taking over an Internet-connected thermostat and locking its controls before displaying a ransom note demanding one Bitcoin in payment.

While this was not a live attack, similar ransoms are sure to occur on other Internet-connected devices in 2017. For a cybercriminal, making money is the name of the game. If they can capture control of a device, it’s only truly valuable if they can monetize that control. If they take control of an Internet-connected refrigerator, they will probably struggle to find data they can sell or otherwise turn into cash, but holding the refrigerator for a small ransom could be very profitable. The same is true for nearly any Internet-connected device, as long as they can complete all five tasks outlined above. It would be hard to communicate a ransom note via an Internet-connected light bulb, unless the victim is fairly conversant in Morse code.


Gunter Ollmann
Vectra Networks


Ransomware proved to be highly damaging and costly for those organizations that were hit over the past year. Attackers have widely adopted ransomware as it has proven to work, has been easy to use, and most importantly, is profitable. Bitcoin has played a significant factor because it enables cyber criminals to remain anonymous while being paid directly by the victim and it has simplified the money laundering process (see image). However, according to US CERT, paying the ransom with Bitcoin doesn’t always guarantee the encrypted files will be released, and since Bitcoin is untraceable, the victim has no recourse. In the ransomware attack against Kansas Heart Hospital, the files remained locked even after paying the ransom.

2016 also saw attackers changing and combining techniques. Attacker techniques evolved from solely relying on email phishing that required a user to click on a link to inserting malicious code directly to legitimate websites that would infect unknowing visitors. Because ransomware provides quick and direct access to untraceable money, we have seen the rise of ransomware-as-a-service with its customers, including criminal organizations who use it to quickly fund illicit activities. Locky ransomware took advantage of existing Dridex banking malware botnets to expedite their attack on high-value targets. Some ransomware propagated in 2016 using established banking malware botnets. Others introduced botnets to systems after the ransomware attack or DDoS or Bitcoin mining.

As we head into 2017, ransomware will continue to be used in combination with even more techniques for blended attacks. While 2016 did see organizations refuse to pay, and improvements were made in ransomware detection techniques, most organizations still do not have a suitable offline backup strategy to restore files, regardless of whether the ransom is paid or the attacker provides the encryption key. Even with backups mitigating the risk of a ransomware attack, the time to recover files will disrupt most organizations.


Florin Lazurca
Senior Technical Manager for Security


In 2016, ransomware quickly outgrew its initial target base – the average home Internet user – to organizations and institutions. Healthcare was a soft target  because of the urgency of restoring access and data. Ransomware will evolve to expand its market to more organizations. In 2017 we could very well see the spread into:

  • Critical infrastructure: water, power, and communications management are vulnerable to the same techniques of locking out access and extortion.

  • IoT: as more consumer and enterprise devices are connected to the Internet, they are exposed to malicious software used to hijack functionality and demand payment.

  • Banking: Consumer and backend applications targeted to halt transactions until payments are delivered.


Simon Puleo
Security Researcher
Micro Focus


Heading into 2017 the security industry is getting ahead of the ransomware game. SIEM vendors have new filters that look for changes to file extensions like .vvv that preclude an attack.  Network monitoring like Snort is now on the hunt for ransomware signatures and can be tuned to shut down bad traffic. Most importantly, the Security Operation Centers are aware of the threat and instituting DRaaS (Data Recovery as a Service) for sensitive data as well as creating controls designed to isolate and quarantine an attack.

In 2017, I predict we’ll see ransomware infected apps for Android and Apple. Hackers may find a way to corrupt the built-in device-lock algorithms, bricking a device until payment is made.  When possible I always recommend using biometric authentication as a default to unlock a device as the level of encryption is several times higher than a 4-6 digit code.

While I do expect ransomware to stay at the number two spot on the Verizon breach report, I don't expect that it will continue to rise as the EU and other countries start implementing new AML (Anti-Money Laundering) policies focused on BTS and enforcement of  blockchain technologies. Hackers might be left asking for the loot to be left in a train locker like the old days!

Overall, it’s important for us a security community to come together and acknowledge the battle we fought against ransomware – particularly over the last year – and use those learnings to predict what may come in the future so we can always stay one step ahead of the bad guys.