The Rise in Ransomware During COVID-19

We spoke with Steph S from Terbium Labs on “The Rise in Ransomware: What Steps to Take to Reduce Risk and Respond to an Attack” on May 7, 2020. Thanks to those who attended! And for those that didn’t, the recording is available on the Terbium Labs’ website.

During the webinar, I spent some time discussing “affiliate” models for groups such as Sodinokibi, in which exploiting vulnerabilities, RDP access, and phishing are carried out by different actor groups that share the same malware and payment infrastructure. The day after the webinar, FireEye/Mandiant released an outstanding blog post on the Maze ransomware group detailing how this subdivision goes even further among its affiliates:

Direct affiliates of MAZE ransomware also partner with other actors who perform specific tasks for a percentage of the ransom payment. This includes partners who provide initial access to organizations and pentesters who are responsible for reconnaissance, privilege escalation and lateral movement, each of whom appears to work on a percentage basis. Notably, in some cases, actors may be hired on a salary basis (vs commission) to perform specific tasks such as determining the victim organization and its annual revenues. This allows for specialization within the cyber criminal ecosystem, ultimately increasing efficiency, while still allowing all parties involved to profit.

This professionalization is a sobering indication of how lucrative this activity is to the criminal ecosystem conducting these targeted ransomware attacks. It also mirrors the subdivision and specialization seen among many nation-state advanced persistent threat (APT) groups. As discussed during the webinar, this makes targeted ransomware a worthwhile scenario to model security controls around, including tabletop or training exercises that can aid in preparing for an incident.

All this said, these attackers understand that return-on-investment is paramount. Being “brilliant at the basics” does not make an organization invincible, but being a harder target significantly reduces its susceptibility to ransomware events.

Here are our top recommendations:

  • Know and monitor your digital attack surface — both underground and IT infrastructure.
  • Employ Secure Email Gateways and ensure users are trained on reporting procedures.
  • Implement Multifactor Authentication.
  • Patch systems regularly.
  • Ensure backups are available, not network-connected, and can be restored from.
  • Consider a standalone cyber insurance policy, know the coverage it offers, and take advantage of the relationships with professional and technical services it may offer.
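The backup recommendation above is only as good as the last restore drill, so here is an added example (not code from the original post, Terbium Labs, or FireEye) of a restore-verification check. It assumes a gzip-compressed tar archive as the backup format and a SHA-256 manifest captured at backup time; the file names and contents are constructed for the demo. The drill restores into a scratch directory and reports files that are missing, altered, or unexpected, and it treats a backup that cannot be unpacked at all as a failure rather than as "no problems found".

```python
"""Restore-verification drill for a tar.gz backup (added example, not from the post)."""
import hashlib
import tarfile
import tempfile
import zlib
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (posix-style relative path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def create_backup(src: Path, archive: Path) -> dict:
    """Write the backup archive and return the manifest taken at backup time."""
    manifest = build_manifest(src)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(src / rel, arcname=rel)
    return manifest


def verify_restore(archive: Path, manifest: dict) -> list:
    """Restore into a scratch directory and return a list of problems.

    An empty list means the backup restored and every file matched the manifest.
    """
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        scratch_path = Path(scratch)
        # Use the 'data' extraction filter where this Python supports it: it rejects
        # absolute paths and '..' traversal inside the archive, so a tampered backup
        # cannot write outside the scratch directory during the drill.
        extract_opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        try:
            with tarfile.open(archive, "r:gz") as tar:
                tar.extractall(scratch_path, **extract_opts)
        except (tarfile.TarError, OSError, EOFError, zlib.error) as exc:
            # A backup that cannot be unpacked is the worst case: report it loudly.
            return [f"restore failed: {exc}"]
        restored = build_manifest(scratch_path)
        for rel, digest in manifest.items():
            if rel not in restored:
                problems.append(f"missing after restore: {rel}")
            elif restored[rel] != digest:
                problems.append(f"hash mismatch: {rel}")
        for rel in restored:
            if rel not in manifest:
                problems.append(f"unexpected file in backup: {rel}")
    return problems


def run_drill() -> dict:
    """Constructed demo: a good backup, an inconsistent one, and a truncated one."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        tmp_path = Path(tmp)
        src = tmp_path / "fileserver"  # constructed sample source tree
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "ledger.csv").write_text("id,amount\n1,100\n")
        (src / "readme.txt").write_text("constructed sample data\n")

        good = tmp_path / "good.tar.gz"
        manifest = create_backup(src, good)
        results["good"] = verify_restore(good, manifest)

        # Inconsistent backup: a file changed between the manifest and the archive write,
        # so the archive does not reflect the state the manifest promises.
        stale_manifest = build_manifest(src)
        (src / "finance" / "ledger.csv").write_text("id,amount\n1,999\n")
        stale = tmp_path / "stale.tar.gz"
        with tarfile.open(stale, "w:gz") as tar:
            for rel in stale_manifest:
                tar.add(src / rel, arcname=rel)
        results["stale"] = verify_restore(stale, stale_manifest)

        # Truncated backup: the second half of the archive was never written.
        data = good.read_bytes()
        truncated = tmp_path / "truncated.tar.gz"
        truncated.write_bytes(data[: len(data) // 2])
        results["truncated"] = verify_restore(truncated, manifest)
    return results


if __name__ == "__main__":
    for case, problems in run_drill().items():
        print(case, "->", problems or "OK")
```

The manifest should live with the backup catalogue, not only on the host being backed up, since a ransomware actor who reaches the host can rewrite both the files and any local record of their hashes. Run the drill on a schedule against the offline copy, and treat any non-empty result as an incident-readiness finding rather than a cosmetic warning.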

Originally published at on May 11, 2020.

Making organizations cybersecure by providing them the tools, guidance, and solutions to insure and secure their data.
