Just like every company in the business world, cybercriminals are looking to boost their sales. With ransomware, they’ve found a way to force victims to pay. And in their quest, cyber attackers are borrowing a playbook from sales teams in legitimate businesses. I’ve noticed the similarities between ransomware criminal tactics and those of corporate sales operations. It’s important to understand the similarities because ransomware attacks won’t be stopping anytime soon. 

Cybercriminals have been moving toward legitimate business models for years. Cybercrime-as-a-service operations allow unskilled criminals to outsource their botnets, phishing and ransomware attacks to more specialized hackers. Help desks, invoices, and even money-back guarantees have become standard in the criminal underground. Ransomware has become such big business in its own right that cyber gangs are giving it the white glove treatment. Here are some ways that ransomware attackers are mirroring traditional sales techniques:

Prospecting and Reconnaissance

The first step in acquiring customers is to define your target audience. For ransomware attackers, reconnaissance is similar to traditional prospecting where they are trying to find victims who can be forced to consider paying. Like legitimate businesses, cybercriminals do their homework to find out which organizations and in which sectors are the most likely to end up paying ransom to get their data and services back in their control. They’ll use social networks like LinkedIn and Twitter to find personnel to target.

Launching a Campaign

Cybercriminals need to have deep insight into the organization they’re targeting. Much like standard sales campaigns, they typically start out with the perfect pretext. Once malware drops they’ll do reconnaissance within the organization’s network. They look for vulnerabilities to exploit and where the critical assets and infrastructure are. The phishing email has to be carefully crafted with just the right message to entice a call to action — the recipient to open it and either download an attachment or click a link. The average open rate for standard email marketing campaigns is 15%-25% with a click through rate of 2.5% compared with 30% of phishing emails that are opened. 

Provide a sample  

In order to turn interested customers into actual buyers, marketers will often provide a product sample or trial. In ransomware attacks, cybercriminals prove to victims that they have compromised the network by providing a sample of stolen data. Often cybercriminals provide proof that the keys to unlock the encrypted data actually work. Cybercriminals typically keep their word and return the data so as not to burnish their reputations. One study found that 58% of victims pay the ransom and another found that criminals don’t decrypt the data after receiving payment a mere 1% of the time. 


While it’s not common for many merchants to lower their price at the customer’s request, it happens in situations where the market is more fluid and the sales pipeline is limited. Ransomware cybercriminals expect to negotiate on price because they know the data isn’t as valuable to anyone else. If the organization doesn’t pay, the cybercriminal can release the data publicly, which embarrasses the victim. But criminals would rather drop the price than not get paid at all — a big loss when the average ransomware price is more than $110,000

Here are some recommendations to help organizations avoid being hit with ransomware and to minimize damage if they are: 

·         Batten down the hatches

Organizations need to try to keep malware out of their networks. One in five breaches involves phishing, according to Verizon, so training employees to identify phishing emails and using anti-phishing and anti-malware tools is crucial. Also, keep up to date on application and operating system updates and patches to prevent attackers from getting in via vulnerable software -- 60% of breaches involve unpatched software.  

·         Back to Basics

Don’t forget to make frequent and regular backups of data and keep back ups separate from everyday networks that are likely to get hit by ransomware attacks. Backups need to be in a place where attackers can’t reach them, such as air gapped or physically separated from the internet-connected network. This requires manual updates, but it’s the safest approach.  

·         Tabletop exercises

Organizations need to practice business continuity planning so they are prepared in case of a ransomware attack and can recover quickly. This involves having everyone from technical and security teams, to legal, finance and PR, on the same page. Teams should run through different scenarios and practice the steps they will need to take in the event of an attack. These tabletop exercises should be done at least quarterly. Teams also should practice recovering data from a backup and make sure they actually get to the data when they need to and that they know where the key data is stored.

For cybercriminals, the Total Addressable Market for ransomware is hard to quantify but really big — basically any company is a potential target. Ransomware may be hitting critical industries like government, healthcare and education right now, but every organization has their threshold for business operations and data they would pay not to lose.