In this article, Security Awareness Advocate Erich Kron shares his perspective on the evolution of ransomware and how organizations can protect against the modern attack.

As any cybersecurity professional knows, ransomware has evolved in recent years. Security Awareness Advocate Erich Kron has seen the shift organizations have had to make to protect themselves from modern cyber-attacks that capitalize on current events like the pandemic. The evolution has elevated ransomware to a much more sinister, harmful threat than when it first emerged.

The human aspect of ransomware and protecting against it has been largely overlooked for many years. Industries have recently begun to understand the importance of the human element and a person’s ability to defend themselves against security threats. According to Sophos, the average ransom paid during an attack is more than $170,000, with total costs to the organization climbing to nearly $2 million. As attackers expand their ability to monetize with ‘Ransomware as a Service’ models, empowering individuals with the knowledge to recognize and stop a ransomware attack will be critical to protecting your business.

History of Ransomware

Ransomware first emerged in 1989 and, after its initial introduction, largely disappeared for many years. Fundamentally, ransomware attackers launch some type of malware that takes an organization’s data and encrypts it. The attackers then charge a monetary amount for the decryption key that enables recovery of the data and files. Essentially, your data is taken hostage, and you have to pay a ransom to get it back.

This model has become particularly valuable to attackers in recent years because even if your data is not important to anyone else, or profitable to sell, it is likely very important to you and your business. Modern cyber criminals know that data is key to business continuity. In the medical field, no doctor or surgeon is able to move forward with treating patients without access to their charts and medical history. If a manufacturing company is unable to access their files, plants and production lines all grind to a halt. Every organization has individualized data and tools that are critical to their success.

The explosion of cryptocurrencies in recent years has sparked a massive resurgence in ransomware attacks. Because cryptocurrency can be broken down and is extremely difficult to trace, its development has introduced a new layer of anonymity. The biggest risk in any ransom situation is the exchange point, and cryptocurrencies have provided a nonphysical, anonymous transfer process that makes it very difficult for perpetrators to be caught. This new normal in ransomware attacks has led attackers not only to encrypt data in the traditional way, but also to exfiltrate it from target organizations. Attackers now often threaten to publicly release or post organizations’ data, which can be catastrophic to certain business models. These key changes have raised the stakes, fundamentally altering how organizations need to protect against potential ransomware attacks.

Understanding the Psychology Behind Ransomware

The two most common methods for spreading ransomware are phishing emails and Remote Desktop Protocol (RDP). When the pandemic forced major businesses to shift to a remote, work-from-home model, RDP usage skyrocketed as IT departments scrambled to get employees working from home quickly. The innately poor security of remote desktop applications left organizations open and vulnerable to attack, and cyber criminals jumped at the opportunity to capitalize.

Similarly, phishing attacks have been on the rise in recent years. Ransomware attackers tend to take advantage of major events, such as the pandemic or sociopolitical unrest. They carry out scams related to these events, whether by pretending to raise money for natural disasters or by crafting misleading phishing emails about COVID-19. One group recently posed as the Canadian government rolling out a coronavirus tracing application, tricking people into installing an app on their phones that then encrypted their files. For large organizations, mergers and acquisitions discussions can similarly result in becoming a target.

Protecting Your Organization with a Layered Defense

According to Kron, if you aren’t actively preparing for a ransomware attack you are setting yourself up for disaster. Since attackers have recognized that data does not have to be valuable to anyone but the business, the size or type of organization is no longer relevant. Every company needs to be vigilant in protecting their files and data.

To effectively protect yourself against ransomware, implement a layered defense to ward off attempted attacks. There is no single ‘silver bullet’ solution that will guarantee safety. Instead, create a foundation of protection that starts with building training and awareness within the organization. Perhaps the most critical and effective way to protect against cyber-attacks is to teach employees to recognize them. Implementing an email and spam gateway tool should stop the majority of attempted attacks, but five to ten percent will still get through. Empower your workforce to recognize, report, and mitigate the small percentage that breaks through your security technology.

Next, take your Remote Desktop Protocol (RDP) services off the internet, where they remain vulnerable. Instead, implement a VPN connection and prioritize its security. Similarly, data loss prevention (DLP) is no longer optional. We tend to concentrate heavily on what comes into the network when considering security, but less so on what goes out. Be discerning about File Transfer Protocol (FTP) and who has access to what pieces of your data. Limit opportunities for attackers to capitalize on vulnerabilities.

Lastly, implement what Kron refers to as ‘weapons grade backups.’ Consider the ‘three-two-one’ method: make three copies of your data, on two different types of media, with one of them offline where no one can access it. Backups are among the first things cyber attackers target, because they know that without access to them, you are more likely to pay their ransom. Minimize the leverage an attacker may have against you with an offline copy of this data.
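
The following is an added example, not code from the article or from Kron: a small audit that checks a backup inventory against the ‘three-two-one’ method and reports which datasets fall short. The inventory, its field names and the dataset names are constructed for illustration, and the check assumes the production copy counts as one of the three copies.

```python
from collections import defaultdict

# Constructed sample inventory (hypothetical field names, not from the article).
# Each row is one copy of a dataset; the production copy counts as a copy.
INVENTORY = [
    {"dataset": "patient-charts", "location": "prod-san", "media": "disk", "offline": False},
    {"dataset": "patient-charts", "location": "backup-nas", "media": "disk", "offline": False},
    {"dataset": "patient-charts", "location": "vault-tape-07", "media": "tape", "offline": True},
    {"dataset": "plant-recipes", "location": "prod-fs", "media": "disk", "offline": False},
    {"dataset": "plant-recipes", "location": "backup-nas", "media": "disk", "offline": False},
    {"dataset": "plant-recipes", "location": "cloud-bucket", "media": "object", "offline": False},
    {"dataset": "hr-files", "location": "prod-fs", "media": "disk", "offline": False},
    {"dataset": "hr-files", "location": "backup-nas", "media": "disk", "offline": False},
    # Same copy reported by a second tool: must not be counted twice.
    {"dataset": "hr-files", "location": "backup-nas", "media": "disk", "offline": False},
]


def audit_321(inventory):
    """Return {dataset: [gaps]} for every dataset that misses the 3-2-1 rule."""
    copies = defaultdict(dict)
    for row in inventory:
        # Key by location so a copy listed twice is counted once.
        copies[row["dataset"]][row["location"]] = row

    findings = {}
    for dataset, by_location in sorted(copies.items()):
        rows = list(by_location.values())
        media = {r["media"] for r in rows}
        gaps = []
        if len(rows) < 3:
            gaps.append(f"only {len(rows)} of 3 copies")
        if len(media) < 2:
            gaps.append(f"only 1 media type ({', '.join(sorted(media))})")
        if not any(r["offline"] for r in rows):
            gaps.append("no offline copy")
        if gaps:
            findings[dataset] = gaps
    return findings


if __name__ == "__main__":
    for dataset, gaps in audit_321(INVENTORY).items():
        print(f"{dataset}: " + "; ".join(gaps))
```

A dataset with three online copies still fails here, which is the case the article warns about: copies an attacker can reach from the network give no leverage back to the defender.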

How to Implement Effective Training and Awareness

The evolution of ransomware is forcing IT departments to rethink their approach to cybersecurity, resulting in a renewed focus on the role of people. Because attacks often seek to elicit an emotional response, training programs that focus on the human element of prevention are key. Attackers often target an emotional response in the hope that victims will lose their ability to think critically, and thus make a poor decision that compromises their data. With these individual emotional responses in mind, organizations need to educate their teams on how to recognize and react to attempted attacks.

Kron suggests implementing structured programs that deliver short, frequent training sessions that consistently reinforce the messaging to keep it fresh in the minds of employees. Teach teams the basics of creating stronger passwords and recognizing attacks, and encourage them to communicate concerns with IT departments regularly. Reinforce this message with timely reminders, such as heightened security around holidays, when online shopping is most popular and attacks ramp up.

Then, test employees with simulated phishing attempts. Give them the opportunity to retain what they have learned in training and apply it in a fail-safe environment. This exercise will help to further reinforce what they learned, and also make users a bit more alert to potential threats. Lastly, analyze the results. Provide remedial training for those who fell for the simulated phishing attempts and provide positive reinforcement as they become more aware. Look for trends within your data, and if people tend to fall for certain types of scams, tailor future trainings to address those weak areas.


Ransomware has harnessed the anonymity afforded by cryptocurrencies to wage more advanced, damaging attacks in recent years. As security professionals learn more about attackers’ tendencies to take advantage of current events and elicit emotional responses, organizations can proactively protect themselves by preparing employees to recognize, report, and avoid suspicious activity. Learn more about Erich Kron and the history of ransomware in our Toolbox Talk The Ransomware Evolution: New Tricks from an Old Trade.


Contributing Author 

Erich Kron, Security Awareness Advocate at KnowBe4, is a veteran information security professional with over 20 years’ experience in the medical, aerospace manufacturing and defense fields. He is the former security manager for the US Army's 2nd Regional Cyber Center-Western Hemisphere and holds CISSP, CISSP-ISSAP, MCITP and ITIL v3 certifications, among others. Erich has worked with information security professionals around the world to provide the tools, training and educational opportunities to succeed in Information Security.