The key to slowing down ransomware attack groups is “money flow”. However, not enough information is available on this subject. I would like to introduce the investment activities of ransomware attack groups that I have learned through my monitoring activities.

(1) Investment in continuous improvement of ransomware code

They try to infiltrate the target system, spread laterally, identify and encrypt important files in order to make them pay the ransom. However, due to the recent sophistication of security countermeasure technology, it often fails due to detection and neutralization. Therefore, they entrust highly specialized and technical engineers to improve the code and encryption processes that frequently change features called polymorphic, which makes it difficult to detect.

（2） Investment in subscription infrastructure for affiliates who attack targets

Operators that provide ransomware functionality offer subscription services called RaaS. In order to grow the criminal business of ransomware attacks, it is necessary to improve and enhance the subscription infrastructure that new affiliates can use without stress.

(3) Investment in social engineering research

Common cybercriminals use what is known as large-scale spray-and-play tactics, such as “attacking on the fly with automatic weapons, etc., in an attempt to inflict fatal damage on someone.” Malware distribution and phishing scams. In addition to technical trials, ransomware attack groups have been researching methods to illegally acquire authentication information by taking advantage of human psychological gaps and behavioral mistakes, and are gradually achieving success.

(4) Investment in development of attack technology for devices other than personal computers

They primarily target Windows systems, but are developing attack techniques for other devices and platforms that are becoming more prevalent. In particular, we are looking for engineers to pursue intrusion technology for hijacking IoT and industrial control system devices.
Sustainably successful attacks like this require huge amounts of money. This is their Achilles heel.