Why is it so difficult to combat ransomware?

Written by Wilfried Kirschenmann, on 11 May 2021

The Tech Intelligence series explores various topics in tech: cloud computing, cybersecurity, blockchain, and more. Today, let's shed light on the fight against ransomware.

In 2020, the French National Cybersecurity Agency (ANSSI) recorded 192 incidents of ransomware, four times more than in 2019.

These attacks, known as ransomware, aim to encrypt a company's data and then demand a ransom; increasingly, the attackers also exfiltrate the data first and threaten to publish it if the ransom is not paid. This form of extortion is global: it affects every country and every type of company or institution.

Although the phenomenon is global, France is among the most affected countries. Why? According to magistrate Johanna Brousse, who heads section J3 dedicated to combating cybercrime, "[...] France is one of the most attacked countries [...] because we pay too easily."

Why and how to fight against ransomware?

The origin of ransomware

The first ransomware appeared in the late 1980s. Its goal was simple: a piece of malware blocked access to the operating system or the browser until the user paid a ransom. The amount was paid via premium-rate SMS codes or transfers to electronic wallets. This type of extortion quickly evolved, because it was too risky for the attacker: it was enough to follow the money flows to track them down.

Since then, times have changed, encryption has evolved, and bitcoin has appeared.

In addition to blocking access to the system, the data on the disks is now encrypted. At a time when data exploitation is at the heart of many companies' activity, they find themselves completely paralyzed. The majority of attacks use a hybrid scheme: each file is encrypted with a fast symmetric cipher such as ChaCha20 (or AES), and the per-file key is in turn encrypted with the attacker's RSA-2048 public key, whose private half never leaves the attacker. When the scheme is implemented correctly, recovering the data without that private key is computationally infeasible; the free decryptors that occasionally appear exist only because a particular family made an implementation mistake (a reused key, a predictable random generator, a key left in memory).

Payment methods have also evolved. Ransoms are now demanded in cryptocurrency, mainly bitcoin. Bitcoin addresses are pseudonymous, so the attacker can collect payment without revealing an identity; combined with mixing services and conversions into other currencies, this makes following the money far harder than with a bank transfer, although the ledger itself is public and on-chain tracing remains possible for investigators.

Ransomware has therefore undergone profound changes, mainly enabled by the evolution of technology. The attacks are more effective and safer for their instigators. However, another variable helps to explain why ransomware spreads on such a large scale.

Spreading ransomware on a large scale, the mission of "cyber gangs"

Egregor, REvil, Netwalker, or more recently DarkSide: these are only some of the cybercriminal organizations behind these attacks.

These organizations are both the creators of the encryption malware and its intermediaries. Take the example of Emotet, a botnet (a large network of compromised computers controlled by the same operator) that the article's sources attribute to the Egregor group, and which was shut down at the beginning of this year by a coalition of countries, including France.

Cyber gangs: how do these systems work?

The modus operandi of cybercriminal organizations

The first step is to get into the information system. The attacker sends a fraudulent email containing either a link to a malicious download or an infected attachment, typically a macro-enabled Office document that installs Emotet when opened. The attacker is therefore exploiting a human weakness: a lack of vigilance, or cognitive biases triggered on purpose, for example by simulating an emergency to push the reader to click without stepping back.

The second step, once Emotet is installed on the machine, is to escalate privileges. The attacker obtains the rights needed to move freely within the system and across the network. This escalation then allows the installation of other malware to steal and encrypt data. One of the most widely used is Ryuk, which was designed to target Windows systems and, once inside, propagates on its own to other machines.

The operation of "Ransomware-as-a-service"

The goal of the Egregor organization is to infect as many machines as possible with Emotet and then sell these footholds to other groups that want to deploy ransomware like the one described above. The article calls this "Ransomware-as-a-Service": the group provides its network and outsources the attack and the ransom demand, so as not to be directly involved while still taking a percentage of the ransom. Strictly speaking, selling footholds is the business of "initial access brokers"; Ransomware-as-a-Service refers to developers who lease their ransomware and its infrastructure to affiliates in exchange for a share of each ransom. The two models are complementary and both lower the skill needed to run an attack.

Emotet was particularly virulent because it relied on more than a hundred servers worldwide, which allowed it to reach victims in many regions.

Since then, this botnet has been almost completely shut down. The main servers that the Egregor group used for Emotet have been confiscated, and some of its members have been arrested.

Faced with a threat that companies and public institutions take very seriously, it is understandable that some victims give in to blackmail. In France, law enforcement alerts the affected companies and urges them not to act hastily.

Do French companies give in too easily to ransomware?

Magistrate Johanna Brousse, in charge of centralizing cases at the national level, complained to the Senate that French companies give in too easily to ransomware threats. Guillaume Poupard, Director of ANSSI, echoed these remarks. According to him, some companies play "a murky game." He nevertheless reminds us that for some companies, paying the ransom seems preferable to suffering greater damage. Publicly traded companies, for example, may pay to keep information confidential: if they refuse, their data is published, which could send a negative signal to investors.

It is also worth noting that without collective resistance, extortionists will always find victims. The wave of attacks in 2020 hit American hospitals which, in the emergency caused by the pandemic and given their financial means, were widely targeted and often paid. This sent a signal to the attackers, who replicated their attacks on European healthcare facilities that do not have the same resources. Commissioner Eric Francelet of the BL2C points out that it is now "[...] observed that authors take the time to map out the environment of the future victim, notably to encrypt their backups and adjust the ransom amount to their supposed financial capabilities." A ransom calibrated to what the victim can afford is more likely to be paid, and so fuels further attacks. The practical consequence for defenders is that backups only count if an intruder holding domain-administrator rights cannot reach them: offline or immutable copies, with restores tested regularly.

Some insurers have seized the opportunity and act as negotiators with the extortionists to reduce the amount demanded. This service is then billed to the company.

How to effectively fight against ransomware?

In France, three agencies are responsible for studying and preventing this type of threat: the C3N, the BL2C, and the OCLCTIC. Their main limitation today is their compartmentalization: information sharing between the three entities is not systematic, which prevents a precise mapping of the different attacks.

This cooperation problem is also found between judicial services and intelligence services. It is currently impossible in France for the two services to officially communicate their information to each other, thereby hindering their ability to act.

Finally, another constraint weighs on the agencies responsible for combating cybercrime: most ransomware originates in a country other than the victim's. Authorities wishing to prosecute cybercriminals therefore normally have to request permission from the "host" country to intervene on its territory. International cooperation sometimes works. This was the case in 2021, when a coalition of eight countries (Netherlands, Germany, France, Lithuania, Canada, United States, United Kingdom, and Ukraine) took down Emotet and arrested people linked to it.

Conclusion

International cooperation has thus made it possible to put a stop to the activities of the cyber gang Egregor with the shutdown of Emotet, its armed wing. However, Egregor is not the only cyber gang weighing on the security of companies and institutions. The rival Russian-speaking group REvil, after revealing the identity of its rival Egregor, is now demanding a ransom of several tens of millions from the Apple supplier Quanta Computer, using stolen Apple product designs as leverage. The threat posed by cybercrime spares no company. The fight against it requires cooperation on an international scale, support for targeted companies and organizations, and better coordination between French agencies. Without these, the fight cannot be truly effective.

Sources

Romanian duo arrested for running malware encryption service to bypass antivirus software | Europol (europa.eu)

World’s most dangerous malware EMOTET disrupted through global action | Europol (europa.eu)

De la BEFTI à la Brigade de lutte contre la cybercriminalité de la Préfecture de Police... - SDBR News - Security Defense Business Review - Blog

Ransomware : Egregor, la relève cybercriminelle - ZDNet

Ransomwares : les entreprises cèderaient trop facilement | ITespresso.fr

Après une vague d'arrestations, Egregor devra recruter de nouveaux hackers - Cyberguerre (numerama.com)

Russian Foreign Intelligence Service (SVR) Cyber Operations: Trends and Best Practices for Network Defenders | CISA