Welcome to the VB2021 conference!

Ransomware: a correlation between infection vectors and victims

Doina Cosovan (Security Scorecard), Cătălin Liță (Security Scorecard), Jue Mo (Security Scorecard) & Ryan Sherstobitoff (Security Scorecard)
partner message

Threat Intelligence and Cyber Resilience


Join the VB2021 Threat Intelligence Practitioners' Summit (TIPS), sponsored by the Cyber Threat Alliance,

and learn how investment in threat intelligence builds cyber resilience, allowing you to be more effective

when addressing today's dynamic threat landscape.

partner message

QI-ANXIN Technology Group Inc. Leader of New Generation Cybersecurity


QI-ANXIN Technology Group Inc. offers next generation enterprise-class cybersecurity products

and services to government and businesses. QI-ANXIN is the Official Cyber Security Services and

Anti-Virus Software Sponsor of the Olympic and Paralympic Winter Games Beijing 2022.

partner message

Stay ahead of threats with VirusTotal


Stay ahead of the next generation of threats and get relevant insights to solve

the most critical security challenges.

partner message

Looking for performance validation for your product?


Get an edge over your competitors with Virus Bulletin’s anti-malware & email security certification

programmes, supported by 30+ years of experience. Or take advantage of our bespoke testing service

offering valuable performance feedback for R&D. Email [email protected].

partner message

Ransomware prevention starts with zero


Ransomware attacks are increasing 500% year-over-year.

Learn how Zscaler's Zero Trust Exchange helps minimize exposure, damage, and risk

at every stage of a ransomware attack.

partner message

IoT security begins with your Smart TV


CHOMAR Smart TV Security.

Protect your Android Smart TV against malicious activities and use your IoT devices without any worries.

partner message

VirusTotal: Actionable crowdsourced threat intelligence


Comprehensive context and cutting-edge functionality to proactively protect from cybersecurity threats.

partner message

Do you like doing work that matters to you… and really frustrates the bad guys?


At Talos, our mission is to make the internet a safer place and fight the good fight for our customers

and users. If you think you have the expertise and attitude to help lead the world in cutting-edge security,

we’d like to talk.

partner message

F5 helps find malware hiding in plain sight


Encrypted malware is becoming increasingly common, and daisy-chaining security devices is neither

cost-effective, nor efficient. Detecting and stopping malware doesn’t have to be overwhelming with

F5’s innovative products.

partner message

Amazon Information Security - come build the future with us!


Do you want to work on privacy and security challenges at unprecedented scale?

We have Privacy and Information Security opportunities available now across

the United States, Dublin, Ireland, and Sydney, Australia.

partner message

Calling all Hackers!


We are hiring mid-senior-principal level hackers!

Remote option • Flex schedule • Unlimited vacation • Opportunities for research and publication

partner message

We don’t just talk about sharing. We do it every day.


Learn how to collaborate with the Cyber Threat Alliance to improve your overall cyber resilience.

We are a greater team when we work together; our collective efforts magnifies our success and

ensures that we are and remain cyber resilient.

partner message

Farsight Security DNSDB® is the world's largest real-time and historical database of DNS resolutions


DNSDB 2.0 introduces Flexible Search support, unlocking both Regular Expressions and Globbing syntaxes for more granular and accurate search results. Get your free DNSDB API key and use it in our newly updated

web GUI, DNSDB Scout as well as your own existing environments. Contextualize everything that is DNS related with one API key - DNSDB.

Ransomware attacks have increased exponentially recently. Some companies have even started to buy insurance against ransomware attacks.

Unlike in the past, nowadays it is not as easy to hide the fact that you’ve been breached, especially if the breach is a result of a ransomware infection or leads to a ransomware infection.

This happens because the attackers of more than 20 different ransomware families started to threaten to publicly expose the data belonging to companies unwilling to pay the ransom. Most of the attackers use Tor domains to disclose the identity of the companies they’ve infected as well as to upload files they’ve stolen before starting the encryption process.

In this paper we analyse the techniques that get companies infected with ransomware in an attempt to find a way to figure out if an entity is a potential future ransomware victim and what can it do to minimize the chances of getting hit.

Ransomware infects systems through other malware families or exploit kits, vulnerable services, spam campaigns, and so on. By correlating the victims of these malware families and exploit kits, the entities running these vulnerable services, as well as the entities that have poor email hygiene with the victims of ransomware attacks, we can estimate the risk those exposures added to the probability of ransomware infection.

There are two ways of collecting victims of ransomware attacks. Non-paying victims can be collected by crawling Tor websites maintained by the attackers while both paying and non-paying victims can be collected by sinkholing ransomware families which use multiple command-and-control domains and don’t register all of them.

For the ransomware families for which we can gather both paying and non-paying victims as a result of having information from both the attacker’s website and our sinkholes, we can derive the percentage of paying victims.

And even if a company doesn’t get infected with ransomware, a third-party entity, such as a supplier of that company, can get infected with ransomware, thus allowing the attackers access to the same data the company shared with the third party. The initial company can later be blackmailed against making that data public to competitors – as happened with Apple recently. Therefore, it is also important for a company to monitor its third-party entities for how vulnerable they are in order to protect themselves.

Got a question about this presentation? To get in touch with the speakers, contact them by email on [email protected], [email protected], [email protected] and [email protected].
Doina Cosovan
Security Scorecard

Doina spent five years as a malware researcher at Bitdefender, learning about malware and security. During that period, she reverse engineered, analysed, added detection for malware and collaborated with the communications team to publish over 50 blog posts about her findings on Hot for Security and Bitdefender Labs. Doina is now a malware researcher at Security Scorecard, a global cybersecurity ratings firm that continuously monitors the security posture of millions of companies. Her role is focused on implementing proof of concepts and creating ways of non-intrusively gathering malware-related signals. She researches cybersecurity topics like malware packers, command-and-control communication protocols, analysis of malware families, web injects, adware, and machine learning for malware detection. Doina is a frequent speaker at cyber industry conferences like Virus Bulletin, CARO and AVAR. She has also published papers in the Journal of Computer Virology and Hacking Techniques and International Conference on Artificial Neural Networks.

Cătălin Liță
Security Scorecard

Cătălin Valeriu Liță received a Bachelor's degree in computer science from the Technical University Gheorghe Asachi, Romania, Iasi, Faculty of Automatics and Computer Science. He has a Master's degree in information security from the Alexandru Ioan Cuza University of Iași, Faculty of Computer Science, a Master's degree in business administration from the Alexandru Ioan Cuza University of Iași, Faculty of Economics and Business Administration, and a Ph.D. in computer science from the Faculty of Computer Science. He has presented at CARO and Virus Bulletin conferences. Prior to joining Security Scorecard he worked for nine years in Bitdefender's anti-malware team.

Jue Mo
Security Scorecard

Jue Mo earned a Ph.D. degree in biomedical engineering from the University of Florida. She entered the data science world to explore her passion for pattern recognition and statistical analysis. She joined Security Scorecard in 2016 as a data scientist. Her role is focused on evaluating data accuracy/quality and building risk models on security observations.

Ryan Sherstobitoff
Security Scorecard

Ryan specializes in threat intelligence in the Asia Pacific Region, where he conducts cutting-edge research into new adversarial techniques and adapts those to better monitor the threat landscape. He formerly led intelligence teams at McAfee, where he managed the US strategic response for new and emerging threats. Ryan is widely recognized as a security & cloud computing expert throughout the country.