Taxonomy and Evolution of Ransomware Attacks

Taxonomy and Evolution of Ransomware

Ransomware comes in a variety of flavors. Let’s take a step back and see what they are.

Any cyberattack that ends with the victim being extorted for a ransom is typically referred to as a ransomware attack. There are many types of ransomware attacks, but the commonality is the goal to encrypt the victims’ data and to promise to provide the key needed to decrypt it in return for a ransom.

Commodity Ransomware

A commodity ransomware is a fully automated type of malware that automatically downloads and deploys once it gets on a system. It encrypts files on a single system, and in the past, only some versions unintentionally encrypted also files on network drives.

With this ransomware, the ransom amount is usually modest. Most of the time, only a percentage of the victims are expected to pay. CryptoLocker is one example of such ransomware.

The next evolutionary step was when ransomware could find network drives of the compromised user that had not already been mounted and encrypt them as well.

The attackers also shifted their target from individuals who would pay a ransom to decrypt family photos to organizations that would pay multiple ransoms to recover business-critical files. And by encrypting more files, attackers increased the likelihood that a ransom was paid.

Finally, the evolution of commodity ransomware lead to combining it with a worm. This method of combining it with self-replicating malware allowed to infect thousands of neighboring systems in the victim’s organization in one go. The trick works by tricking a single phishing victim into deploying malware that will infect thousands of systems with the ransomware.

Human-Operated Ransomware

This type of attack is more sophisticated and targeted than its commodity counterpart and usually ends in a large ransom.

The targeted attack typically starts with an initial foothold within the organization. It requires multiple steps to execute the attack and many of the steps are manual as attackers have to adjust to the target organization’s environment. But attackers do use tools to facilitate launching these attacks.

Human-operated ransomware attacks usually take quite a bit of time to pull off. Most of the time, the attackers need to get malware pieces in the right places within the target organization’s network. Once the attack’s arsenal has been prepared, all the pieces go into action simultaneously to encrypt all the victim’s data.

Using this approach, SamSam group attacked various establishments like municipalities, hospitals, healthcare systems, and several universities in 2018.

Double, triple Extortion Game

As organizations started to make better backups, another evolutionary step emerged: the ability to exfiltrate data before encryption. Attackers started threatening to expose the victim’s data if they didn’t pay up. Triple extortion has recently emerged when attackers demand ransom not only from the main victim but also from the victim’s customers, third parties, etc.


The evolution of the ransomware industry has also occurred: From a service-based model to a franchise model. With the rise of ransomware gangs like REvil and DarkSide, the franchise model became the norm. The author of the ransomware is the franchiser who provides the tooling and other attack infrastructure to its franchisees or affiliates who use these services to carry out their attacks. The latter gives a portion of the ransom payment back to the franchiser.

About the author

CIM Team

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.