Ransomware is one of the major cyberthreats. It is a form of malware that encrypts the files of the organisation being attacked. The attackers then demand a ransom from the victim, promising to restore access to the data once a certain amount is paid. The victim is told that the decryption key will be provided after the fee is paid.
The ransomware ecosystem has many players: developers, botmasters, access sellers and ransomware operators. They supply services to each other through dark web marketplaces and interact on dark web forums, where there are open ads for services and partnerships. Big names include REvil. These groups target organisations and make their offers known through affiliate programmes. In such a programme the ransomware group operator and the affiliate form a partnership, with shares of, say, 20-40% for the operator and 60-80% for the affiliate.
The people who infect the victim’s software and those who operate the ransomware are different. The infected companies may simply be low-hanging fruit, the ones that are easily accessible. The attack is conducted by botnet owners, who sell access to the victim’s hardware in bulk. Access sellers search for known vulnerabilities in internet-facing software (e.g. VPN appliances or email gateways), which are then used to infiltrate the systems.
It is a complex system with diverse interests. It is a fluid market with a number of players, both opportunistic and advanced. They may choose any organisation as long as there is access.
However, some simple security measures can protect an organisation from such attacks: software should be updated regularly, and backups should be kept isolated.