The reasons are simple: ransomware is victim-agnostic, so the same tooling can hit a manufacturing company today and a bank tomorrow. Ransom payments are also usually demanded in Bitcoin, which spares criminals the need for complicated money-laundering infrastructure and high-risk money mules.
Ransomware also has a high conversion rate: many victims do pay to recover their data. The tactic has become so popular that the cybercrime underground is replete with hosted models and ransomware-as-a-service packages that let non-technical criminals run their own campaigns.
What are the types of ransomware campaigns?
Ransomware as a threat is evolving rapidly. The first generation simply encrypted the local hard drive, often with rudimentary home-grown encryption that was easily reversed, or with a flawed implementation that failed to securely delete the original files, so victims could recover their data without paying. Later variants added the ability to seek out further victims on the network, such as file servers and open file shares on workstations. This is what we call 'commodity ransomware': it is delivered indiscriminately through drive-by downloads, malicious advertising networks and spam campaigns.
Targeted ransomware is the apex variant. Instead of a drive-by download or similar mass-distribution method, the attackers pick a specific victim organisation and go through many of the same phases of the kill chain as an APT actor: reconnaissance, spear-phishing, privilege escalation and lateral movement. They use the lateral-movement phase to identify the data and information systems that are most critical to the victim, which substantially increases the chance of a payout.
Assets at risk from targeted ransomware include customer databases, intellectual property such as source code or R&D data, financial and accounting records, and the systems used by senior management. In addition to the encryption and deletion seen in commodity attacks, targeted campaigns often include data theft and the threat of publicly releasing confidential information if the ransom is not paid.