The Growing Threat of Targeted Ransomware

Ransomware targeting organizations is a growing threat. The extent of that threat is not always obvious. Except for the healthcare sector, disclosure of a ransomware attack is not generally required — so victims will not necessarily report an incident. This is exacerbated by those victims who simply pay up and recover their files without the problem becoming obvious.

A new analysis from Symantec (PDF), using its own telemetry, shows the extent of the growth in targeted attacks against organizations over the last two years — and especially since the beginning of this year.

Before the start of 2018, the SamSam group was the only ransomware group targeting organizations. Its attack against the city of Atlanta in March 2018 brought it to the media’s attention. Atlanta declined to pay the ransom, but the subsequent cleanup costs (which will almost certainly exceed $10 million) ensured that the incident, including the attraction of targeting larger organizations and the pros and cons of paying ransoms, kept eyes focused on SamSam throughout 2018.

What was less obvious, however, was that a new group had arrived: Ryuk. After the indictment of two Iranian citizens for their involvement with SamSam, new SamSam attacks dipped in November and December 2018, but began to increase again from January 2019. In fact, there were more SamSam attacks in April 2019 than in any previous month. But media attention had moved on from SamSam.

Ryuk was now the center of attention, possibly because of its involvement in a major ransomware attack against Tribune Publishing in December 2018 — just around the time of the SamSam indictment. In fact, Ryuk attacks have been more frequent than SamSam attacks in almost every month since Ryuk first appeared in February 2018. 

Ryuk is believed to be an evolution of the Hermes ransomware that first appeared in 2017. The actors behind Ryuk are still unknown, with North Korea, Russian hackers, and a blend of both being variously blamed.

Possibly because of the success of these two groups, new targeted ransomware families have emerged in 2019. GoGalocker (also known as LockerGoga) was the first in January, and was followed by MegaCortex and RobbinHood in May. “In quick succession, [GoGalocker] was deployed in targeted attacks against a range of organizations, causing serious disruption for several of its victims,” says Symantec. One of the victims is thought to be Norsk Hydro in March 2019.

Interestingly, GoGalocker has a high proportion of its victims located in Scandinavia. Overall, the U.S. is the country most affected by targeted ransomware attacks, with almost 900 victims between January 2017 and May 2019. Partly, this is because of the almost total focus on the U.S. by SamSam, but almost certainly also because of the concentration of large and attractive targets. This is not so with GoGalocker. Scandinavian countries account for 46% of affected organizations, with the U.S. accounting for a relatively low 23%. It isn’t known why GoGalocker focuses on Scandinavia.

MegaCortex first appeared in May 2019, targeting organizations in the U.S., South Korea, Italy, Israel, and the Netherlands. There are similarities between GoGalocker and MegaCortex, which targeted 11 organizations in May. The similarities are more internal than in deployment — both, for example, use Cobalt Strike malware. “Furthermore,” says Symantec, “one of the Cobalt Strike beacons used in a MegaCortex attack connects to an IP address (185.202.174[.]44) that is also mentioned in FireEye’s report about GoGalocker.”

Symantec suggests, “While it is possible the two groups of attackers are linked, it may also be the case that the ransomware was developed by the same third-party developer for both groups.”

RobbinHood is the latest targeted group to emerge, believed to be behind the city of Baltimore attack. Samples of RobbinHood were found by researchers in April. However, there is little yet publicly known about the malware or the group behind it. There were early suggestions that the Baltimore infection had been through use of an EternalBlue exploit, but this has not been confirmed. Brian Krebs has raised the possibility that it may be a new group trying to marry the concept of ransomware-as-a-service (as used by GandCrab) to targeted attacks.

The two primary differences between targeted attacks and the early versions of spray-and-pray ransomware attacks are the size of the ransom demanded and the technical expertise of the hackers. Symantec has analyzed six stages of a targeted attack: initial (typically involving PowerShell); lateral movement (typically with Mimikatz and/or PuTTY); stealth and countermeasures (with signed malware and disabled security software); ransomware spreading (typically through batch files and PsExec); triggering the encryption; and finally the ransom demand.
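For defenders, the staged pattern above can be turned into a correlation rule. The following is an added example, not code from Symantec's report or from this article: it tags process-creation events with the three stages that leave named-tool traces (initial, lateral movement, spreading) and alerts only when a host shows them in order inside a time window. The host names, command lines and the 24-hour window are constructed assumptions.

```python
from datetime import datetime, timedelta
# Markers per stage, from the tools the article names; renamed binaries evade name matching.
STAGE_MARKERS = {
    "initial": ("powershell.exe",),
    "lateral_movement": ("mimikatz.exe", "putty.exe"),
    "spreading": ("psexec.exe", ".bat"),
}
STAGE_ORDER = list(STAGE_MARKERS)

# Constructed process-creation events: (timestamp, host, command line).
EVENTS = [
    ("2019-05-02T09:00:00", "ws-01", r"powershell.exe -File C:\Temp\setup.ps1"),
    ("2019-05-02T09:20:00", "ws-01", r"C:\Users\Public\mimikatz.exe"),
    ("2019-05-02T10:05:00", "ws-01", r"psexec.exe \\ws-07 C:\Temp\deploy.bat"),
    ("2019-05-02T11:00:00", "ws-02", r"powershell.exe -File C:\Ops\inventory.ps1"),
    ("2019-05-01T08:00:00", "srv-03", r"powershell.exe -File C:\Ops\patch.ps1"),
    ("2019-05-03T08:00:00", "srv-03", r"C:\Tools\putty.exe admin@10.0.0.5"),
    ("2019-05-03T09:00:00", "srv-03", r"psexec.exe \\srv-04 cmd /c rollout.bat"),
]

def classify(cmdline):
    low = cmdline.lower()
    for stage in reversed(STAGE_ORDER):  # latest stage wins if several markers match
        if any(marker in low for marker in STAGE_MARKERS[stage]):
            return stage
    return None

def find_chains(events, window=timedelta(hours=24)):
    """Return {host: (start, end)} where all stages occur in order within window."""
    by_host = {}
    for ts, host, cmd in events:
        if (stage := classify(cmd)):
            by_host.setdefault(host, []).append((datetime.fromisoformat(ts), stage))
    alerts = {}
    for host, hits in by_host.items():
        hits.sort()
        for i, (start, stage) in enumerate(hits):
            if stage != STAGE_ORDER[0] or host in alerts:
                continue
            want = 1  # index of the next stage expected after "initial"
            for ts, st in hits[i + 1:]:
                if ts - start > window:
                    break
                if st == STAGE_ORDER[want]:
                    want += 1
                if want == len(STAGE_ORDER):
                    alerts[host] = (start, ts)
                    break
    return alerts
```

On the constructed events only ws-01 alerts: ws-02 shows routine PowerShell use alone, and srv-03 has all three tools but spread over more than 24 hours.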

In January 2017 there were just two targeted attacks per month. By May 2019 this had risen to more than 50 per month, with the sharpest increase occurring in 2019. There have already been at least two and probably three new targeted attack groups discovered. The pace of targeted attacks is clearly increasing, and it looks like it will continue to increase. Targeted ransomware attacks have evolved into one of the biggest cyber threats to business today.


Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
