Horizon Security

The growing threat of Ransomware

Over the past few years the cybercrime landscape is becoming more and more sophisticated, a successful phishing attack can pave the way to advanced persistent threats (APT). Cybercrime is dynamic and innovative and one of the most profitable fields for cybercriminals in 2021 seems to be Ransom malware or Ransomware.

Ransomwares are malicious software that prevents users from accessing their system or their files and demands a ransom payment in order to regain access.

Typically designed to spread across the company network, these strain of malwares generally works by encrypting valuable files on as many targets as possible. They target databases, file servers, employee's laptops and possibly any appliance that makes use of a filesystem.

Medium and large companies of all kinds are the main targets of these cyberattacks and a successful infection can quickly paralyze an entire organization. Ransom malware has become an awful popular weapon in the hands of malicious actors who try to harm governments, businesses and individuals on a daily basis.

Furthermore, some Ransomware authors sell the service to others, this business model is known as Ransomware-as-a-Service (RaaS).
Malware developers lease Ransomware variants in the same way that legitimate software developers lease SaaS products. RaaS gives everyone, even people without much technical knowledge, the ability to launch Ransomware attacks just by signing up for a service.
Horizon Security offers tailored Ransomware simulation service, organizations can simulate real-world attacks and measure their preventive and detective ransomware security controls against tactics, techniques, and procedures (TTPs) used by multi-stage Ransomware families.

Latest news highlights the growing threat of Ransomware around the world in 2021.

According to the Identity Theft Resource Center, there were 878 cyberattacks in 2020, 18% of which were recorded as Ransomware.

This is not surprising since Ransomware is a lucrative business. The average ransom paid by organizations in the US, Canada, and Europe increased from $115,123 in 2019 to $312,493 in 2020, a 171% year-over-year increase.

Analysis from NCC Group's Research Intelligence and Fusion Team (RIFT) shows an increase of 288% in Ransomware attacks in H1 2021.

Attack Lifecycle

A Ransomware attack can be described with a series of phases commonly called lifecycle, where each one is designed to bring the needed requirements for the following phase.

The goal of a Ransomware attack is therefore to exfiltrate private data and held hostage files or even entire devices, using encryption, until the victim pays a ransom in exchange for a decryption key.

Using this strategy cyber-criminal put pressure to victims which are more likely incline to pay if critical asset were targeted during the attack. Furthermore, if strategic data was stolen during an attack, a criminal organization could decide to silently sell the recovered information on the dark web.

Ransomware Simulation Service

With Horizon Security Ransomware Simulation Service, it is possible to understand how a Ransomware may break into your organization, simulating real-life attacks and evaluate preventive and detective Ransomware security controls against the tactics, techniques, and procedures (TTPs) used by real-world ransomware operators.

Horizon Security red team has thoroughly analyzed and tested in laboratory the TTPs used in last years and designed a safe ransomware simulated service which consists of three phases:

  • Initial compromise is focused on exploiting public-facing services and applications, recovering stolen passwords in third party data breach or via spear-phishing and vishing.

  • After the initial breach and the persistence setup, the team performs privilege escalation techniques and lateral movement to extend the compromise on most valuable corporate assets.

  • Optionally, a data exfiltration test and an encryption simulation on real or ad-hoc created data can be performed to evaluate the detection and prevention capabilities offered by DLP, EPP and EDR solutions against an unknown threat.

Horizon Security Ransomware Simulation Services outcomes allow companies to identify security gaps towards multiple initial compromise and lateral movement techniques abused by cybercrime to perform ransomware attacks. The remediation plan is focused on improving ransomware detection and prevention capabilities, via fine-tuning configuration of existing solutions or supporting in the evaluation of missing security technologies.


Malware that gains access to files or systems and blocks user access. Then, all files, or even entire devices, are held hostage using encryption until the victim pays a ransom in exchange for a decryption key.

Most of Ransomware attacks leverage social engineering techniques to cause shock, induce anxiety or the perception of a threat in order to manipulate victims into paying the ransom.


1989 - AIDS Trojan (first Ransomware attack)
2005 - Archievus (first Ransomware using asymmetric encrypton)
2012 - Reveton
2013 - CryptoLocker (Locky)
2014 - SimpLocker and Sypeng, first mobile ransomware
2015 - LockerPin
2016 - KeRanger (first MAC ransomware)
2016 - Petya (use dropbox to propagate)
2016 - Jigsaw
2016 - San Francisco Municipal Transportation Agency fell victim to a ransomware attack
2017 - Wannacry (EternalBlue exploit)
2017 - NotPetya
2017 - DoppelPaymer
2019 - Sodinokibi (REvil)
2019 - Ryuk
2019 - Netwalker
2020 - Ransomware incident increase during Covid19 pandemic
2020 - Conti
2020 - Darkside
2021 - DarkMatter, DearCry (Proxylogon Microsoft Exchange)