SMB ransomware extortion: Identifying pieces of the puzzle

2020 saw a new trend emerge: ransomware victims who were unwilling or unable to pay the ransom were faced with the threat of their sensitive information being exposed. Ponying up the ransom used to be the scariest part of ransomware, but now it’s the humiliation that has companies running scared.

SMB ransomware extortion

As we enter 2021, many businesses are struggling to keep the lights on and likely wouldn’t be able to survive a ransomware attack. Not just because they’re afraid of the ransom cost itself, but because damage to the brand from public knowledge of a breach could result in a financial hit that can’t be overcome.

Ransomware gangs’ attack methods evolve at an alarming speed. The average ransom payment is now over $230,000. If the victim does not pay or publicly disclose the breach, they risk the aforementioned public humiliation or fines for violating the General Data Protection Regulation (GDPR) and California’s Consumer Privacy Act (CCPA). These fines are hefty: starting at $50 per customer, per record and increasing up to flat percentages of revenue.

The first step in protecting SMBs from ransomware in the year ahead is to understand the threats facing them and how different pieces of malware work together to pull off a successful ransomware attack. The biggest ransomware attacks taking place today are often orchestrated using several pieces of malware, each developed by a different team.

Below are the top malware offenders, with context illustrating how they fit together:

Emotet

Emotet is not a ransomware payload, but a botnet responsible for the most ransomware infections. It’s usually the first piece of the larger ransomware puzzle, providing the attackers with a foothold in an enterprise network. Emotet usually gets delivered to target machines via macros, and the gang has partnered with other malware groups because they are so effective at delivering malware-carrying emails into inboxes.


Trickbot

Trickbot is the second puzzle piece. It allows criminals to move laterally within a network and to create a backdoor through which they can analyze data and grab sensitive information. Once they have the required credentials, they attempt to gain access to other parts of the network. As it spreads, Trickbot creates many copies of itself in directories where it won’t be found.

Once the attackers have access to the network’s Domain Controller, they can bypass nearly every security control on the network. Antivirus can be turned off, backups deleted, and the ransomware payload (usually Ryuk, aka Conti) can be easily dropped onto every computer in the network.
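The two precursor actions described above, antivirus being turned off and backups being deleted, are the point at which a defender still has time to act before the payload lands. The following triage script is an added example written for this article; it is not code from the article's author or from any of the malware families named. It scans process-creation events for those two actions and escalates any host showing both. The event format, host names, user names and the sample events themselves are constructed for the example; the command patterns it looks for are the Windows built-ins that commonly appear in such events.

```python
# Added example (not from the original article): triage process-creation
# events for the two precursor actions the article names -- antivirus being
# turned off and backups being deleted -- so a defender can alert before the
# ransomware payload is dropped across the network.
# The log format, host names, users and events below are CONSTRUCTED.
import re
from collections import defaultdict

# Constructed sample of process-creation events: (timestamp, host, user, command line).
# The DC-01 entry is a legitimate backup job and must not be flagged.
SAMPLE_EVENTS = [
    ("2021-01-04T08:12:01", "WS-FIN-07", "jdoe", r"C:\Windows\System32\notepad.exe"),
    ("2021-01-04T08:15:44", "WS-FIN-07", "jdoe",
     r"powershell.exe -nop -w hidden Set-MpPreference -DisableRealtimeMonitoring $true"),
    ("2021-01-04T08:16:10", "WS-FIN-07", "jdoe", r"vssadmin.exe delete shadows /all /quiet"),
    ("2021-01-04T08:16:12", "WS-FIN-07", "jdoe", r"wbadmin.exe delete catalog -quiet"),
    ("2021-01-04T09:01:00", "DC-01", "svc_backup",
     r"wbadmin.exe start backup -backupTarget:E: -include:C:"),
]

# Indicator patterns, each tagged with the precursor stage it corresponds to.
INDICATORS = [
    ("av_tamper",   re.compile(r"Set-MpPreference\s+-DisableRealtimeMonitoring\s+\$true", re.I)),
    ("backup_wipe", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("backup_wipe", re.compile(r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I)),
]


def classify(cmdline):
    """Return the indicator tags matched by a single command line (empty if benign)."""
    return [tag for tag, pat in INDICATORS if pat.search(cmdline)]


def triage(events):
    """Group indicator hits per host.

    A host showing both antivirus tampering and backup deletion is scored
    'critical', because that combination is the prelude to payload delivery
    the article describes; a host with only one of the two is 'high'.
    """
    hits = defaultdict(list)
    for ts, host, user, cmd in events:
        for tag in classify(cmd):
            hits[host].append((ts, user, tag, cmd))

    report = {}
    for host, found in hits.items():
        tags = {t for _, _, t, _ in found}
        severity = "critical" if {"av_tamper", "backup_wipe"} <= tags else "high"
        report[host] = {"severity": severity, "tags": sorted(tags), "events": found}
    return report


if __name__ == "__main__":
    for host, info in triage(SAMPLE_EVENTS).items():
        print(f"{host}: {info['severity']} {info['tags']}")
        for ts, user, tag, cmd in info["events"]:
            print(f"  {ts} {user} [{tag}] {cmd}")
```

In a real deployment the events would come from an EDR or Sysmon process-creation feed rather than an inline list; the point of the per-host scoring is that a single backup deletion may be an administrator's mistake, whereas backup deletion following antivirus tampering on the same host is the sequence worth paging someone for.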

Ryuk (Conti)

Ryuk is the final piece of the ransomware puzzle. When Ryuk is dropped and activated across the network it does two things: it encrypts all available data, and it displays a message informing users that they have been hit with ransomware and demanding a ransom payment. That ransom note will also include basic instructions on how to acquire cryptocurrency, the receiving crypto wallet address, and perhaps a contact e-mail for negotiating payment.

As we head into 2021, the best defense for SMBs is to develop and invest in a multi-layered cyber resilience strategy.

Antivirus and backup work together to form a comprehensive data-protection cyber resilience strategy, and cybersecurity awareness training can be added so that every employee helps defend against potential threats. Staff training is essential for defending against cyber-attacks, but employees need to know what to look out for: training materials must be updated continuously to reflect the latest threat trends, and regular simulations should be run to confirm that the training has the desired effect.
