“I rob banks because that is where the money is”, is a famous quote attributed to (in)famous bank robber Willie Sutton[1]. It is also known as Sutton’s Law. Suttons law still holds true for many things, including modern (cyber)crime. If you want to earn money from your crimes, focus on what people value most.

Ransomware is an example of just this. Criminals target what is most valuable to organisations and individuals, their data or memories.

The break-in: infection

Most ransomware targets are targets of opportunity, targeting commonly used and/or poorly protected channels like, private, email accounts and malicious advertisements on legitimate websites are popular venues of attack.

Email is convenient because it offers a cheap way to send a malicious attachment or link along with a message that can be used to social engineer people into opening the link or attachment. Advertisements used to be popular too, because they offered attackers a relatively cheap way to embed malicious content on sites that are visited by a lot of people. However, they are more expensive then email attacks and require more skills to avoid detection and execute as soon as the attacker views the ad.

The grab: encryption

Once the attacker is in the position where he can read and write to files, the encryption begins. Some ransomware will encrypt entire hard-drives, others will target specific files (word documents, pdfs, excel sheets and pictures) and others ill just pretend to have taken your computer hostage by blocking your browser.

The getaway: extortion

Why do they do it? To get the money. Often the attacks will leave you with clear instructions on how to pay them money in order to regain access to your files. It is important to remember that getting you money is the goal of the attackers, there is no guarantee that paying the ransom will actually restore your files.


A good defence against ransomware needs to tackle all three phases of the attack.

Obviously “prevention is better than cure”. Preventing the actual infection is the best, however this isn’t easy. While a computer without anti-virus solution is easier to infect, it is obvious that anti-virus alone is not enough. Personal email is preferred by attackers over business email, because it often has less protective measures. Companies that allow employees to receive personal email need to make sure workstations are well protected.

Reducing the harm from these attacks is another important part of prevention. If workstations are the biggest point of infection it makes sense to make it as hard as possible for workstation processes to encrypt really critical data, without hampering users normal work. This is much easier for critical server based processes then office like processes.

Another goal of prevention is to ensure that there is no need to pay the money. If restoring the files that were encrypted is cheap and painless, the impact of the attack is minimised and the incentive for further attacks is reduced.


[1] Even though he later denied having actually said this.


Bron: Blog Frank Breedijk

post author image

Over admin

Matthijs is director bij PwC’s Forensic Technology Solutions. Zijn specialismen zijn threat intelligence en incident response. Daarnaast creëert hij cybersecurity awareness bij bedrijven door het inzetten van de Game of Threats die door PwC is...

Meer over admin

    Leave A Comment