Security Magazine
Defending Against Ransomware: The Growth of Targeted Attacks

Ransomware attacks are getting bolder and affect enterprises of all sizes.

By Anthony Giandomenico
Figure 1: Devices detecting Ryuk variants
November 7, 2019

Ransomware is following a clear evolutionary trend: cybercriminals are moving away from mass-volume, opportunistic campaigns and concentrating on enterprises they believe will pay. To raise the odds of payment, they are adding focused attack strategies, including deep reconnaissance and targeted payloads with pre-selected detection-evasion techniques, so that each attack is as effective and damaging as possible to the specific enterprise being targeted.

Ransomware continues to play a significant role in the cyberthreat landscape, as reported in Fortinet’s Q2 2019 Threat Landscape Report.

Current Applications of Ransomware

Multiple ransomware attacks have made recent headlines. One example is the attack on the city of Baltimore, which disrupted critical services for weeks and forced officials to set up manual workarounds for real estate transactions, utility payments, property taxes and other municipal functions. Acting on the advice of the FBI, Baltimore refused to pay the roughly $100,000 ransom demanded and ended up spending more than $18 million on recovery. The ransomware used in this attack was a variant called RobbinHood.

Analysis of RobbinHood shows it was built to attack an enterprise’s network infrastructure, and its observed attack trajectory suggests it is most likely being delivered through weaponized remote desktop access. Beyond encrypting data and holding it for ransom, the malware stops Windows services that would otherwise interfere with encryption and disconnects shared drives.

Ryuk, which surfaced in 2018, has also been used in recent attacks. It employs several anti-analysis and anti-recovery tactics, including destroying its encryption key on the infected host and deleting volume shadow copies so that files cannot be restored locally. Researchers have primarily linked Ryuk to targeted attacks, and the low detection count in Figure 1 supports that view. The malware is most likely delivered via spearphishing or brute-force attacks on exposed RDP services.
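The two behaviors just described, brute-forced RDP logons on the way in and shadow-copy deletion before encryption, are both visible in standard Windows telemetry. The following is an added example, not code from the article or from Fortinet: it runs simple detection logic over constructed sample events. The hosts, addresses, user names, timestamps and command lines are assumptions for illustration.

```python
# Added example (not from the article): two detections for the Ryuk
# precursors described above, run over constructed sample telemetry.
#   1. RDP password brute force: a burst of Windows Security Event ID 4625
#      (failed logon) records with Logon Type 10 (RemoteInteractive) from
#      one source address.
#   2. Shadow-copy tampering: process-creation records (Sysmon Event ID 1 or
#      Security Event ID 4688 with command-line auditing) whose command line
#      deletes or shrinks volume shadow copies.
# Hosts, addresses, users and timestamps below are hypothetical.
import re
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON_EVENT = 4625
RDP_LOGON_TYPE = 10


def _burst(src_ip, start, count, users, gap_seconds=7):
    """Build `count` constructed failed RDP logons from one source."""
    t0 = datetime.fromisoformat(start)
    return [{"time": (t0 + timedelta(seconds=gap_seconds * k)).isoformat(),
             "event_id": FAILED_LOGON_EVENT, "logon_type": RDP_LOGON_TYPE,
             "src_ip": src_ip, "user": users[k % len(users)]}
            for k in range(count)]


# Constructed sample: one spraying source, one user who mistyped a password
# once, and one local (non-RDP) failure that must not count.
LOGON_EVENTS = (
    _burst("203.0.113.45", "2019-10-02T03:14:05", 12,
           ["administrator", "admin", "backup"])
    + [{"time": "2019-10-02T03:20:00", "event_id": 4625, "logon_type": 10,
        "src_ip": "198.51.100.7", "user": "jdoe"},
       {"time": "2019-10-02T08:00:00", "event_id": 4625, "logon_type": 2,
        "src_ip": "-", "user": "jdoe"}]
)


def detect_rdp_bruteforce(events, threshold=10, window=timedelta(minutes=5)):
    """Return {src_ip: (total_failures, distinct_users)} for every source with
    at least `threshold` RDP logon failures inside some `window`-long span."""
    by_src = defaultdict(list)
    for e in events:
        if e["event_id"] == FAILED_LOGON_EVENT and e["logon_type"] == RDP_LOGON_TYPE:
            by_src[e["src_ip"]].append((datetime.fromisoformat(e["time"]), e["user"]))
    hits = {}
    for src, attempts in by_src.items():
        attempts.sort()
        lo = 0
        for hi in range(len(attempts)):          # sliding window over sorted times
            while attempts[hi][0] - attempts[lo][0] > window:
                lo += 1
            if hi - lo + 1 >= threshold:
                hits[src] = (len(attempts), {user for _, user in attempts})
                break
    return hits


# Command lines that remove the local recovery path; case-insensitive because
# attackers vary capitalisation freely.
SHADOW_TAMPER_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
    re.compile(r"bcdedit(\.exe)?\s+.*recoveryenabled\s+no", re.I),
]

# Constructed process-creation records; the first two are tampering, the
# third is a harmless inventory command that must not fire.
PROCESS_EVENTS = [
    {"host": "FS01", "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"host": "FS01", "cmdline": "wmic shadowcopy delete"},
    {"host": "WS22", "cmdline": "vssadmin list shadows"},
]


def flag_shadow_copy_tampering(events):
    """Return (host, cmdline) for each process-creation record matching a pattern."""
    return [(e["host"], e["cmdline"]) for e in events
            if any(p.search(e["cmdline"]) for p in SHADOW_TAMPER_PATTERNS)]


if __name__ == "__main__":
    print("RDP brute force:", detect_rdp_bruteforce(LOGON_EVENTS))
    print("Shadow-copy tampering:", flag_shadow_copy_tampering(PROCESS_EVENTS))
```

The brute-force rule keys on logon type 10 so that local console failures do not inflate the count, and the sliding window keeps a slow spray from hiding behind a per-hour total. The shadow-copy rule only works if command-line auditing (Sysmon or the 4688 "Include command line" policy) is actually enabled on file servers and workstations; without it, the `vssadmin` invocation never reaches the SIEM.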

These and many other ransomware attacks observed last quarter are part of a trend that began in 2018: cybercriminals are continuing to move away from mass-volume, opportunistic ransomware and are increasingly concentrating on enterprises they perceive as having both the ability and the incentive to pay large ransoms.

In these targeted attacks it is also common for the criminals to have gained access to the victim’s network well in advance and to have used that dwell time for considerable reconnaissance before deploying ransomware on carefully selected systems. As a result, some observers report a sharp increase both in the average ransom enterprises pay to get their data back and in disruption-related costs.

Another new ransomware variant, Sodinokibi (also known as Sodin), surfaced during the second quarter of 2019 and may become a major threat to enterprises this year. Functionally, Sodinokibi is not very different from the majority of ransomware tools in the wild. What makes it troublesome is that it exploits a recently disclosed critical vulnerability that allows arbitrary remote code execution.

The impact could be severe: an unpatched system exposed to this vulnerability can be infected without any action by the victim, so the usual user-awareness defenses against phishing and malicious attachments do not apply.

While investigating Sodinokibi, researchers encountered the newly discovered Nemty ransomware. It carries an artifact in its binary that the GandCrab ransomware also used, and it is distributed by the same method as Sodinokibi. Nemty contains enough irregularities that investigators believe it is still at an early stage of development.

Nemty uses AES-128 in CBC mode for file contents, with RSA-2048 and an unusually large RSA-8192 key used to protect the encryption keys. The strings used throughout Nemty’s execution are obfuscated with a combination of simple base64 encoding and RC4 encryption; in an unsurprising display of animosity toward the security industry, the authors chose a vulgar RC4 key.
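The string obfuscation described above (RC4 plus base64) is cheap to reverse once the key is recovered from the binary. The block below is an added example, not Nemty’s code and not taken from the researchers’ analysis; it assumes RC4 is applied first and base64 second, and it uses a hypothetical key and constructed sample strings rather than anything from the real sample.

```python
# Added example (not Nemty's code): recovering RC4+base64-obfuscated strings
# of the kind described above. The order (RC4 first, then base64), the key and
# the sample strings are assumptions for illustration; the real sample's key
# is deliberately not reproduced.
import base64
import string


def rc4_keystream(key: bytes):
    """Yield the RC4 keystream for `key`: key-scheduling, then PRGA."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 is a stream cipher, so one XOR pass both encrypts and decrypts."""
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)


def obfuscate(text: str, key: bytes) -> str:
    """What a builder would do: RC4-encrypt, then base64-encode (assumed order)."""
    return base64.b64encode(rc4(key, text.encode())).decode("ascii")


def deobfuscate(blob: str, key: bytes) -> bytes:
    """Reverse of obfuscate(); returns raw bytes because junk may not be text."""
    return rc4(key, base64.b64decode(blob))


PRINTABLE = set(string.printable.encode())


def recover_strings(blobs, key: bytes, min_len: int = 4):
    """Decode every candidate blob and keep only results that look like text.
    This is the filter an analyst applies when dumping all base64-looking
    constants from a binary: real strings decode cleanly, false positives
    decode to binary noise or fail base64 decoding altogether."""
    recovered = []
    for blob in blobs:
        try:
            plain = deobfuscate(blob, key)
        except ValueError:              # binascii.Error is a ValueError subclass
            continue
        if len(plain) >= min_len and all(b in PRINTABLE for b in plain):
            recovered.append(plain.decode("ascii"))
    return recovered


# Constructed sample: a hypothetical key and strings a ransomware sample might
# hide, plus one blob of binary noise and one malformed blob that must be dropped.
SAMPLE_KEY = b"example-key"
HIDDEN_STRINGS = [
    "vssadmin delete shadows /all /quiet",
    "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
    "-----BEGIN PUBLIC KEY-----",
]
SAMPLE_BLOBS = [obfuscate(s, SAMPLE_KEY) for s in HIDDEN_STRINGS] + [
    base64.b64encode(rc4(SAMPLE_KEY, b"\x00\x01\x02\xfe\xff\x10")).decode("ascii"),
    "%%%not-base64%%%",
]

if __name__ == "__main__":
    for s in recover_strings(SAMPLE_BLOBS, SAMPLE_KEY):
        print(s)
```

With the real key pulled from the sample, running the same filter over every base64-looking constant in the binary hands the analyst the command lines, registry paths and embedded keys the malware is trying to hide. The printable-text filter is what separates genuine strings from base64-shaped noise, and it is also the reason a wrong key yields an empty list rather than garbage.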

Best Practices for Today’s Security

As ransomware and other forms of destructive malware grow in sophistication and volume, there are practical security measures you can take to protect your enterprise:

  1. Have a copy of critical data and resources stored off-network on a separate device so that operations can be restored and resumed if a ransomware attack occurs. Backup systems regularly, scan backups for infection and run data restoration drills so that recovery from an attack is routine and predictable.
  2. Prioritize regular patching and updating of operating systems, devices and software, and consider automating the patching process. Upgrade systems that are no longer supported by their manufacturers. For systems that cannot be patched or updated (e.g. IoT and similar devices), make sure adequate proximity controls are in place along with intent-based network segmentation to limit the scope of a compromise.
  3. Ensure network and device antivirus, IPS and anti-malware tools are running the latest updates. Just as importantly, also ensure that they and other security tools can share real-time security intelligence to ensure that they can launch a coordinated response in the event that such a threat is detected.
  4. Analyze email attachments, websites and files for malware with professional email and web security tools that can block potentially compromised advertisements and social media sites that have no business relevance. These tools should include sandbox functionality so that new or unrecognized files can be executed and analyzed in a safe environment.
  5. Create and enforce a BYOD security policy that can inspect devices and block those that do not meet security standards (out-of-date antivirus signatures, no anti-malware client installed, missing critical operating system patches, etc.).
  6. Use application whitelisting where possible, especially on devices with a limited scope of function; it prevents unauthorized applications from being downloaded or run. This is especially critical in OT environments.
  7. Segment networks into security zones to ensure that an infection in one area cannot easily spread to another.
  8. Apply the principle of least privilege. Create and enforce permissions and privileges so that the fewest possible users can reach, and therefore infect, business-critical applications, data or services. Apply the same strategy to hardening and controlling built-in tooling such as PowerShell, which is increasingly hijacked to hide malicious behavior inside legitimate activity.
  9. Implement forensic analysis tools so that after an attack, you can identify:
    1. where the infection came from.
    2. how long the threat has been in the environment.
    3. what other devices may have been impacted.
    4. that all threats have been removed from every device.
    5. that you can ensure the threat doesn’t come back.
  10. User awareness training is also critical, so that employees know not to download unexpected files, open unsolicited email attachments or follow unsolicited web links in email. Empower them with knowledge, training and education.
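Item 1 asks that backups be scanned for infection before they are trusted for restoration. One concrete check is to look for files that have become near-random without being a known compressed format, which is exactly what ransomware-encrypted documents look like, and to refuse a snapshot in which more than a small fraction of files fail that check. The block below is an added example, not the author’s or Fortinet’s code; the entropy threshold, the suspect ratio, the paths and the file contents are constructed for illustration.

```python
# Added example (not from the article): a pre-restore scan of a backup set for
# ransomware-encrypted content, the "scan backups for infection" step in item 1
# above. Entropy thresholds, paths and file contents are constructed for
# illustration; a production scan would stream from the backup target rather
# than hold files in memory.
import math
import os
from collections import Counter

# Headers of formats that are legitimately near-random (compressed containers),
# so a high-entropy file starting with one of these is not by itself suspicious.
KNOWN_HIGH_ENTROPY_MAGIC = {
    b"PK\x03\x04": "zip (also docx/xlsx/pptx)",
    b"\x1f\x8b": "gzip",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"7z\xbc\xaf\x27\x1c": "7z",
}
ENTROPY_THRESHOLD = 7.5    # bits/byte; text sits around 4-5, ciphertext ~7.9+
SAMPLE_BYTES = 65536       # entropy is computed over the first 64 KiB only
MAX_SUSPECT_RATIO = 0.01   # more than 1% suspect files -> do not restore


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty or constant input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def recognized_format(data: bytes):
    """Name of a known compressed/container format by magic bytes, else None."""
    for magic, name in KNOWN_HIGH_ENTROPY_MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def scan_backup(files: dict) -> dict:
    """files: backup path -> content bytes. Returns path -> reason for every
    file that is near-random but carries no recognized container header."""
    suspects = {}
    for path, data in files.items():
        ent = shannon_entropy(data[:SAMPLE_BYTES])
        if ent >= ENTROPY_THRESHOLD and recognized_format(data) is None:
            suspects[path] = f"entropy {ent:.2f} bits/byte, no recognized format header"
    return suspects


def restore_verdict(files: dict):
    """Decide whether a snapshot is safe to restore from: ("OK"|"QUARANTINE", suspects)."""
    suspects = scan_backup(files)
    ratio = len(suspects) / len(files) if files else 0.0
    return ("QUARANTINE" if ratio > MAX_SUSPECT_RATIO else "OK", suspects)


# Constructed backup set: a plain-text report, an Office document (zip-based,
# so near-random but with a PK header) and a file whose body has been replaced
# by random bytes, standing in for a ransomware-encrypted document.
SAMPLE_BACKUP = {
    "finance/q3-report.txt": b"Quarterly revenue summary, all regions.\n" * 100,
    "finance/q3-report.docx": b"PK\x03\x04" + os.urandom(4000),
    "finance/q3-figures.xlsx.locked": os.urandom(4096),
}

if __name__ == "__main__":
    verdict, suspects = restore_verdict(SAMPLE_BACKUP)
    print(verdict)
    for path, reason in suspects.items():
        print(f"  {path}: {reason}")
```

The magic-byte allowlist is what keeps the check usable: Office documents, archives and images are all near-random and would otherwise drown the result in false positives. Run against each snapshot as it is taken, the verdict also gives the restoration drill in item 1 a concrete pass/fail, and a sudden jump in the suspect ratio between two snapshots is itself an early sign that encryption has started on the source.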

A New Security Strategy

Ransomware isn’t going anywhere. In fact, it’s becoming more targeted – and, therefore, more effective against enterprises. And while this trend is certainly concerning, ransomware is just one example of the types of focused, recon-based attacks that are possible today.

Such attacks make security more challenging than ever, but victory is possible. Use the best practices listed above to create a security posture that protects the network on all fronts without slowing down critical applications and services.

KEYWORDS: cyber security cybersecurity malware ransomware


Anthony K. Giandomenico is a Senior Security Strategist & Researcher at Fortinet. He has more than 20 years of comprehensive Information Security experience across all industries, including security program and networking system development, intrusion detection, firewall, security incident and event management, incident response procedures, security risk assessments and technology integration.

Copyright ©2025. All Rights Reserved BNP Media.