Ransomware, a phenomenon now very well known, serves one ultimate and obvious purpose:
Monetary gain for the cybercriminal(s).
However, multiple scenarios are, in fact, possible. Consider any and all of the following:
Deployed as Ransomware, extortion
This has been the traditional approach – ransomware is installed on the victim’s machine, and its only purpose is to create income for the cybercriminal(s).
In fact, ransomware is simple extortion, but via digital means.
Note that while most ransomware attacks go for the classic extortion scheme – holding the data for ransom, and that’s that – some criminals take it a step further by also threatening to publish the data online (whether the victim pays or not) as a follow-up extortion attempt. This may also have been the criminal’s original intent, with the ransomware deployed as a smokescreen.
Showcase Skills, for fun or for testing purposes
Some cybercriminals like to show off and start a ransomware side-business, or, more specifically, write ransomware to showcase their coding skills: “Ransomware? I/We can do that too!”, or simply “because”.
Another example is sending ransomware to your friends ‘as a joke’ or for fun, giving them a bad time. Please don’t.
Some cybercriminals may be testing the waters by deploying ransomware in an organisation, to stress-test the defenses, or to test their own programming skills, or the lack thereof.
Smokescreen
A very interesting occurrence indeed: ransomware is installed to hide the real purpose of whatever the cybercriminal or attacker is doing. This may be data exfiltration, lateral movement, or anything else; in theory every scenario is possible, except that the ransomware itself is not the goal.
This may happen more than you think, and raises the question – what is the real purpose here? Ransomware is obvious: files are encrypted, warning or extortion messages are scattered around, and users as well as companies are unable to work for days, depending on their backup and recovery strategy.
Once you’re hit by ransomware, more than one alarm bell should start ringing – you are royally compromised and, as such, should take appropriate measures immediately: treat the incident as a full intrusion, not just a recovery job. There may be more than meets the eye. There’s an article on Carnal0wnage describing one of these events:
Another angle, which goes hand in hand with the classic extortion scheme, is deploying ransomware with the intent of frustrating the victim – basically, cyberbullying. While there may be a demand for money, that is not the purpose.
A notorious example of this is the Jigsaw ransomware: https://www.bleepingcomputer.com/news/security/jigsaw-ransomware-decrypted-will-delete-your-files-until-you-pay-the-ransom/
Sometimes an attacker gains initial access to a server or other machine, but subsequent attempts to, for example, exfiltrate data or attack other machines are unsuccessful. This may be due to a number of things, but often the access has been discovered and quickly closed off. Alternatively it may not have been discovered yet, but the attacker still has the same problem: the purpose is not fulfilled.
Then, out of frustration, or to gain at least something from the victim, the machine gets trashed with ransomware.
Another possibility is a disgruntled employee, leaving ransomware as a ‘present’ before leaving the company.
This may sound strange at first, but imagine a company that faces sanctions, is already compromised, or is the subject of an ongoing investigation.
For such a company or organisation, deploying ransomware itself is a viable way of destroying data forever, along with any evidence. This could be an attempt to mislead auditors, commit insurance fraud, …
Another possibility is that ransomware is installed to cover up a much larger compromise, after which everything is formatted to hide what actually happened.
Again, this may also be the work of a disgruntled employee, or even an intruder, which brings us back to ‘deployed as a smokescreen’.
Ransomware is very effective in the sense that most people know what it does and the damage it can cause. As such, it is an excellent tool for demonstration purposes, such as user awareness training, provided it is a simulated sample run in a controlled environment rather than a live sample on production systems. Another possibility is an external pentest with the same purpose.
This is a very good idea for any organisation or business in general. Are your users aware of the dangers that lie in, and beyond, ransomware?
Means of Disruption and/or Destruction
Last but not least – while ransomware can have several purposes, it can also serve a particularly nasty goal: destroy a company or organisation, or at least take them offline for several days, or even weeks.
Again, there are several possibilities: a rival company in the same line of business, once more a disgruntled employee, or a campaign to disrupt large organisations on a worldwide scale.
In a way, this also overlaps with the frustration and cover-up scenarios.
Closing thoughts
As we’ve seen, ransomware can serve a plethora of purposes; whether it is deployed by a nation-state actor, the more common cybercriminal, or your neighbor disgruntled at your tree hanging over their wall, one thing is for sure: you are, and have been compromised!
In more recent years, targeted ransomware has become a common phenomenon: ransomware either tailored to your environment or installed by hand, the latter often via RDP or VNC services that are exposed to the internet and brute-forced or accessed with stolen credentials.
The most famous example is no doubt Samas, also known as SamSam:
Other examples include: CrySiS and derivatives, RSAutil and PetrWrap.
While targeted ransomware attacks have been occurring since as early as 2013, in more recent years they have become more feared, as the ransomware now also encrypts files.
Conclusion: ransomware is and will always be ransomware – but it may have a twist and an additional purpose.