The recent ransomware attacks on Texas and Louisiana schools shed some light on how vulnerable government is to cyber threats. At the 2nd Annual Cybersecurity Summit on September 18, Christopher Krebs – Director of the Cybersecurity and Infrastructure Security Agency, said that the recent ransomware attacks are pretty close to what experts would call a “large scale” cyberattack. The attack on Texas, for instance, compromised the data of 22 cities across the state with encryption, demanding millions of dollars to reclaim the data.

Krebs said he had some sleepless nights this summer. The biggest ransomware attack can still happen and the potential for disastrous consequences cannot be overstated. He recommended that Federal agencies need to take action and establish “doctrines” to deal with ransomware cyberattacks.

This article gives a background on ransomware, explains the importance of knowing the impacts of ransomware, and describes how threat modeling is a viable activity for understanding and mitigating related threats. Related to this topic, Alex Bauert, Senior Director of Threat Research at ThreatModeler, spoke on the Tech Accord panel, which took place on September 20 2019 at the 2nd Annual Cybersecurity Summit.

How Ransomware Attacks Work

Hackers insert malicious programs into an information system, wherever data is stored. Examples include hard disc drives, data servers, files, folders, Android phones and other persistent storage devices. Once inside, the ransomware virus can make data recovery impossible. Bad actors can deny the organization the data altogether or release sensitive information to the public.

There are two types of ransomware – crypto and locker. Crypto-ransomware targets files and encrypts them to deny users access without an encryption key. Locker ransomware simply locks users out of their devices. The targets can be anything from individuals, to mom and pop grocery stores, to large banking institutions.

Brief History of Ransomware

The first ransomware attack occurred in 1989. It was called the AIDS Trojan and was distributed by Joseph L. Popp, a Harvard-trained evolutionary biologist. Since 2005, ransomware attacks have become one of the most persistent, invasive cyber threats.

Several strains along, in 2013 “Cryptolocker” was unleashed – a new form of social engineering ransomware. It was the first ever cryptographic ransomware that lured victims to download corrupt files from websites or email attachments – the primary source of ransomware delivery.  In recent years, there were three major ransomware attacks:


In May 2017, WannaCry became the biggest ransomware cyberattack. Hackers targeted devices running the Microsoft Windows operating system. Hackers, purportedly from North Korea, demanded cryptocurrency ransom. The WannaCry attack used a strain of EternalBlue, a cyberattack exploit created by the National Security Agency (NSA).


Petya became widely used by hackers in 2016. It was spread via phishing emails containing DropBox links to corrupt files. Petya became one of the more invasive ransomware strains due to its complexity. Petya is considered a worm, so it is self-propagating. It builds an entire strategic list of IP addresses to invade. Once inside, Petya wrote right over the Master Boot Record (MBR) to block file access across entire networks. In June 2017, a new Petya strain, dubbed NotPetya, like WannzaCryused EternalBlue, targeted Ukraine organizations.

Bad Rabbit

this ransomware attack targeted Russia and Eastern Europe. It was based on Petya/ NotPetya and used social engineering tactics involving compromised websites displaying fake Flash update notifications. Bad Rabbit’s SMB component enabled it to move laterally across networks. Bad Rabbit did not use the EternalBlue exploit.

Hackers Use Social Engineering in Ransomware Attacks to Compromise Data

Cyber criminals apply social engineering tactics to deploy ransomware. Social engineering exploits one of the first barriers that a hacker encounters – the human barrier. The act of social engineering involves soliciting a predictable response from humans to generate activity that is not the norm.

A social engineering example is phishing, a common vehicle for ransomware hackers. Cybercriminals send communications via email, telephone or text message – disguised as coming from a trusted source – to lure targets to click on a website link or download an attachment onto their computer. Phishing hackers may also convince victims to input username and password information on a fake login portal, compromising credential privacy.

Another example of social engineering is when a hacker goes to an organization’s headquarters during a busy time and requests access to a restricted area. Once permission is granted, the bad actor can tamper with servers, devices, even IoT embedded devices. The infiltrator can do anything in their power to invade an IT infrastructure attack path, and compromise sensitive or confidential information assets.

Who Is Targeted by Ransomware Attacks?

Hackers may be discriminate or indiscriminate in their exploits. Spearphishing is a tactic that targets a particular group that fits their end goal. Spearphishing can be indirect, in that the hacker will send large volumes of emails, for example, hundreds of thousands. At this rate, a 1% response is still enough to do damage.

Cybercriminals are not only motivated by monetary reward and ransomware is not always for the money. In targeted, discriminate ransomware hacks, bad actors can act solo or in organized groups to plan out the attack. The target can be a controversial person, such as a political figure or executive.

A ransomware attack can also be an act of hacktivism, to stop certain acts from occurring. For example, a hacktivist may target a pharmaceutical company for creating genetically modified products for human consumption. Ransomware actors may choose to publish it or hold it for ransom

The impact of a ransomware attack can be severe. The impact, e.g. of extortion, is different for each individual or organization. Motivation to target an enterprise determines the target and the impact.

Why Ransomware Attacks Happen

Bad actors partake in acts of ransomware for various reasons and target sensitive information processed by an organization. Within typical ransomware scenarios, extortion is a primary objective. Bad actors will find a way to infiltrate a server and encrypt it with a ransomware virus, which denies IT users of data or services by locking down the machine. Once blocked, the hacker will demand some kind of ransom to return the data.

Previously, victims made payments via regular currency. More often, with recent ransomware attacks, hackers request cryptocurrency for ransom. Cryptocurrency adds to the ransom exchange’s level of anonymity.

Denial of service is one way to disrupt an organization’s productivity and render them defenseless. Cybercriminals do not guarantee the safe retrieval of data. They may release the data outright, such as on the Dark Web disclosure. Ransomware hackers also make it difficult to reverse engineer your machine to reclaim the data unless you pay a ransom.

How to Protect Your Organization Against Ransomware

Ransomware involves sequential compromises and attacks to information assets that lead to encryption. Therefore, it is in an organization’s best interest to understand their attack surface. ThreatModeler enables security teams to conduct an analysis of potential attack vectors. An attack vector is the path a cyber threat takes to potentially targetable information assets.

A detailed understanding of the attack surface will help an organization the potential impact a data exposure threat can have on business and operations. Architects can then prioritize risk mitigation based on their risk appetite.

Threatmodeler Is an Automated Platform That Helps to Secure the Entire It Stack

ThreatModeler’s automation helps organizations to detect, identify and predict threats. From servers, to web, to mobile to IoT embedded systems, ThreatModeler keeps updated to the latest threat intelligence. It helps security teams to conduct a holistic risk analysis, as early as the planning stages. Shifting security left is a best practice for DevSecOps teams.

ThreatModeler provides repeatability, another key benefit. Users can store application and system threat models in Libraries, and build upon them for scalability. ThreatModeler is collaborative, allowing authorized teams to review and update threat models as needed. ThreatModeler integrates with the cloud, e.g. with AWS, and reduces the probability for human error in setting up a threat model.

Know the Impact of Ransomware On Your Business Operations

Ransomware motivation and actor matter. If your enterprise doesn’t have the context, it won’t understand the business impact. The sophistication of security controls that an organization has in place for cybersecurity can vary. Threat modeling for ransomware will determine the level of sophistication involved and the level is security controls needed.

If your organization was also the victim of a cyberattack, there are still measures you can take. One key question is, how was the bad actor able to drop software onto a critical system to encrypt a disc? Additional questions security leaders can make are:

  • What did we miss in infrastructure design?
  • Which access points to the back area did the hacker use?
  • What vulnerabilities existed?
  • Which updates were available that were not deployed?

ThreatModeler will help to address each of these questions. The platform can point out attack paths to the back end. From all the threat intelligence gathering, security teams can build requirements to adjust gaps.

In its worst form, cybercriminals look at ransomware not as random acts of cyber disruption, but as complicated project plans. If you are leading security teams, don’t underestimate the adversary’s level of technical skill, sophistication or capabilities. To learn more about how ThreatModeler can help security teams to reduce the likelihood of a ransomware attack, book a demo to speak to a ThreatModeler expert today.


ThreatModeler revolutionizes threat modeling during the design phase by automatically analyzing potential attack surfaces. Harness our patented functionalities to make critical architectural decisions and fortify your security posture.

Learn more >


Threat modeling remains essential even after deploying workloads, given the constantly evolving landscape of cloud development and digital transformation. CloudModeler not only connects to your live cloud environment but also accurately represents the current state, enabling precise modeling of your future state

Learn more >


DevOps Engineers can reclaim a full (security-driven) sprint with IAC-Assist, which streamlines the implementation of vital security policies by automatically generating threat models through its intuitive designer.

Learn more >