Ransomware detection – Targeted vs. random attacks

When it comes to ransomware detection, targeted ransomware attacks are very difficult to identify through classic anti-virus technology. Although such attacks are less frequent than their random, mass counterparts, they are far more devastating and expensive, mainly because they have a higher chance of succeeding in encrypting the files. Let’s look at some important differences between targeted and random attacks.

1. The scope

Targeted attacks are carried out against a single, particular company or institution. Usually, the victim is a corporation relying heavily on IT and using files as part of their internal processes. Such companies are more likely to need access to files as soon as possible and thus, more likely to pay a ransom.
Random attacks are fired across the internet without specific targets, in an attempt to infect as many machines as possible.

2. The technology

Perhaps the most significant difference between regular, mass ransomware attacks and the targeted ones lies in the technology being used. While both have the technology to elude standard antivirus engines, targeted attacks also use customized ransomware variants never used before, for which there are no signatures recorded and which are impossible to detect via traditional security solutions. The rule of thumb that guarantees a high rate of success is one variant per valuable target.
On the other hand, the mass ransomware attacks generally use known ransomware variants or samples used in other attacks as well. Classic signature-based solutions are more likely to detect such attacks because the payloads are known.

3. Distribution

Targeted attacks use advanced social engineering techniques to deliver the malicious payloads into the network of particular victims. Usually, they spread via email, but the campaigns are targeted, more complex and carried out manually.
Mass ransomware attacks use email campaigns, malicious websites or software exploits to proliferate and are usually performed automatically via spam campaigns or via ransomware-as-a-service platforms running in the Tor anonymity network. In general, they are carried out unattended.

4. Monetization

Targeted ransomware attacks demand a far higher ransom. Most ask for thousands of dollars for a single computer, and the price goes up to hundreds of thousands or even millions for more machines. Usually, the ransom is hard-coded in the ransomware itself and does not change. The high ransom demand is based on the fact that such companies are in urgent need of files and can also afford the price.
Mass attacks demand a far lower ransom, a few hundred dollars to begin with, because the victims are mostly small companies and consumers who cannot afford more and who, because of a lower reliance on IT, may be willing to lose the files and not pay the ransom.

5. Ransomware detection

Mass ransomware attacks may be detected by classic, signature-based techniques, provided that the anti-virus is up to date and the vendor is aware of the ransomware variant. However, we must not forget that in many cases, mass ransomware attacks may use zero-day ransomware variants which elude detection. Targeted ransomware attacks are very likely to evade detection by most traditional security tools. To accurately detect targeted attacks using custom, never-seen-before variants, companies need specialized anti-ransomware solutions that are able to detect ransomware based on advanced file-access patterns. Such detection technology delivers the best ransomware detection and outperforms signature-based solutions. Find out why specialized anti-ransomware does way better than anti-virus technology here.
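The contrast between signature matching and file-access-pattern detection can be shown on constructed data. The following is an added example, not code from this post or from any product it mentions; the process names, sample bytes, event format and thresholds are all assumptions made for illustration.

```python
import hashlib, math
from collections import Counter, defaultdict

# Constructed signature database: hash of one previously seen sample (bytes are made up).
KNOWN_BAD = {hashlib.sha256(b"known-mass-variant").hexdigest()}

def signature_hit(payload: bytes) -> bool:
    """Signature-style check: exact hash match against known samples."""
    return hashlib.sha256(payload).hexdigest() in KNOWN_BAD

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; encrypted output approaches 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def behaviour_alerts(events, window=10.0, min_files=5, min_entropy=7.0):
    """Return processes that wrote high-entropy data to at least `min_files`
    distinct files within `window` seconds (thresholds are assumptions)."""
    recent = defaultdict(list)  # process -> [(timestamp, path)] of suspicious writes
    flagged = set()
    for ts, proc, path, data in sorted(events, key=lambda e: e[0]):
        if entropy(data) < min_entropy:
            continue  # ordinary document content, ignore
        recent[proc] = [(t, p) for t, p in recent[proc] if ts - t <= window]
        recent[proc].append((ts, path))
        if len({p for _, p in recent[proc]}) >= min_files:
            flagged.add(proc)
    return flagged

def fake_ciphertext(seed: str, size: int = 4096) -> bytes:
    """Deterministic random-looking bytes standing in for encrypted file content."""
    return b"".join(hashlib.sha256(f"{seed}:{i}".encode()).digest() for i in range(size // 32))

PLAIN = b"Quarterly report draft. " * 200  # constructed low-entropy document content

# Constructed file-write events: (timestamp, process, path, bytes written).
EVENTS = (
    [(i * 0.5, "custom.exe", f"C:/docs/file{i}.docx", fake_ciphertext(f"c{i}")) for i in range(6)]
    + [(i * 0.5, "backup.exe", f"D:/bak/file{i}.docx", PLAIN) for i in range(6)]
    + [(1.0, "archiver.exe", "C:/tmp/export.zip", fake_ciphertext("zip"))]
)

if __name__ == "__main__":
    print("known sample, signature hit:", signature_hit(b"known-mass-variant"))
    print("custom sample, signature hit:", signature_hit(b"custom-variant-one-target"))
    print("behaviour alerts:", behaviour_alerts(EVENTS))
```

The never-seen sample produces no signature hit, yet the process writing it is flagged by its write pattern, while the backup job and the single archive write stay below the thresholds.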


Ransomware attacks support an extended and elaborate cybercrime system that generates massive profits at the expense of legitimate companies and institutions. Clearly surpassing traditional malware in the effectiveness of monetization, and far easier to exploit than other cybercriminal activities like data exfiltration, ransomware is likely to remain the number one threat for the coming years. Targeted ransomware attacks finance and support the development of criminal organizations in need of specialized attackers, with their own employment and training system to support more complex, effective and devastating attacks. The Register writes about targeted attacks and how they support cybercriminal organizations here.

How we can help

TEMASOFT Ranstop is anti-ransomware software that can detect both types of attacks, providing critical assistance especially when dealing with the custom variants in the targeted attacks, and with the zero-day variants in the mass, random attacks. By combining detection features with real-time file protection functionality, Ranstop protects against ransomware incidents and delivers next-to-zero downtime and no important file loss.

2 replies
  1. Edd23 says:

    Interesting post, thank you.
    To summarize, large companies should worry about targeted attacks, and not smaller companies, who cannot afford to pay big $$$ as ransom. Is this assumption correct?

    • Calin Ghibu says:

      Hi Edd,
      Not necessarily. Cyber-criminals will go for high IT reliance and companies where files are critical for business continuity. If these companies are smaller, they will adjust their ransom claims to fit a budget that the attackers believe affordable.
      And then, we should not forget about zero-day mass ransomware attacks, which are at least similarly effective in terms of damage. Indeed, the ransom claims may be significantly smaller, but the total cost of the incident may be harsh, as it includes the costs of downtime, data recovery, reporting (if applicable), reputation, etc.

