The Road to Ransomware Resilience, Part One: The State of Ransomware

Understanding Active and Emerging Threats & Developing a More Effective Novel Response

How do you combat this digital pandemic of ransomware attacks?

The rocky road to constructing an effective novel response against ransomware begins with understanding the recent trends of the underground ransomware ecosystem, common targets of ransomware, typical ransomware behavior, common ransomware encryption schemes, decryptor construction and application, and integration with defender protocols and tools.

Recent Trends of the Ransomware Ecosystem

The romantic days of the lone hooded hacker frantically typing away in a dark basement full of servers and wires have long since passed. The cybercrime underground is a diverse ecosystem with specialists in every possible field. Ransomware today operates similarly to any professional SaaS business. And business has been booming.

Double Extortion

After WannaCry and NotPetya (2017), enterprises put more effort into improving data backup and restoration processes; therefore, if any data were to be encrypted, the enterprise could easily get back to business without the need to pay the ransom. However, Maze (2019) and Sodinokibi (2020) encrypted and exfiltrated sensitive data, so if the targeted enterprise did not pay the ransom, the exfiltrated data would be leaked or sold online. Other ransomware gangs quickly followed suit. Double extortion not only increases the attacker’s potential revenue but also applies added pressure on the victim to pay the ransom faster.

Supply Chain Attacks

While not new to the threat landscape, the modern supply chain attack has both a far greater blast radius and a far more severe impact than the supply chain attacks of a decade ago. SolarWinds, Microsoft Exchange Server, and Kaseya are all prime examples of how one attack on a supplier can directly affect thousands of that supplier’s customer environments.

“Yes, this [targeting organizations that have cyber insurance] is one of the tastiest morsels. Especially to hack the insurers first — to get their customer base and work in a targeted way from there. And after you go through the list, then hit the insurer themselves.”

“Unknown”, REvil Representative

Cybercriminal Ecosystem Specialization

One ransomware attack is seldom the work of a single group, nor does the presence of a particular ransomware family or tool by itself attribute the attack to that ransomware gang. One ransomware attack may be jointly operated by a number of stand-alone groups or affiliates, with each receiving a percentage of the ransom paid.

Ransomware as a Service (RaaS)

Make no mistake. RaaS is a growth industry, with some analysts estimating total ransomware revenue in 2020 exceeding 20 billion. While some RaaS groups simply sell their ransomware on the dark web, others more closely follow the SaaS service model, selling their ransomware to their affiliates for a cut of the profits.

Ransomware in Taiwan & Japan

CyCraft Technology, operating in Taiwan, faces a unique cybersecurity milieu. Due to its rather distinctive geopolitical situation, Taiwan frequently encounters the most sophisticated, persistent, and aggressive threats before the rest of the world.

Fig. 1 — Notable Ransomware Attacks with Targets in Taiwan and Japan

“It’s definitely changed. The crisis [the pandemic] is palpable; they [victims] are not able to pay the same amounts as before. Except for manufacturers of pharmaceutical products. I think it is worth paying more attention to them.”

“Unknown”, REvil Ransomware Representative

In Japan in 2020, within the span of 2 months, at least 3 major high-tech or manufacturing enterprises (Yaskawa Electric Corporation, Asunaro Aoki Construction, and Tekken Kenetsu) were targeted and attacked by 3 different ransomware gangs.

Everything Starts From Security

CyCraft Customers can prevent cyber intrusions from escalating into business-altering incidents. From endpoint to network, from investigation to blocking, from in-house to cloud, CyCraft AIR covers all aspects required to provide small, medium, and large organizations with the proactive, intelligent, and adaptable security solutions needed to defend from all manner of both existing and emerging security threats with real-time protection and visibility across the organization.

Additional Resources

  • Learn more about cybersecurity in our CyCraft Classroom Series. Our latest article, “What is Managed Detection and Response (MDR)?” teaches the benefits of MDR, its unique selling points, and how to make better-informed decisions when choosing an MDR service or vendor.
  • Out of the 47 Representative AI Startups listed in Gartner’s AI Market Guide, 7 are based in Taiwan, and 5 are based in Hong Kong. But only 1 of the 47 Representative AI Startups focused on cybersecurity products and services — CyCraft.
  • Read our latest white paper to learn what threat actors target Taiwan, their motivations & how Taiwan organizations retain resilience against some of the most sophisticated and aggressive cyber attacks in the world.
  • Is your SOC prepared for the next decade of cyber attacks? Read our latest report on building effective SOCs in the 2020s, the challenges to overcome, and the stressors to avoid — includes research from Gartner, Inc. on why Midsize enterprises are embracing MDR providers.
  • New to the MITRE Engenuity ATT&CK Evaluations? START HERE for a fast, accurate, simple, thorough introductory guide to understanding the results.
  • Our CyCraft AIR security platform achieved a 96.15% Signal-to-Noise Ratio with zero configuration changes and zero delayed detections straight out of the box.

CyCraft Technology Corp

CyCraft automates SOC ops for the Fortune Global 500, national govs, & SMEs with MDR, IR, & threat hunting solutions. Learn more at