SamSam and GandCrab Illustrate Evolution of Ransomware

2018 has seen a major divergence in the operation of ransomware: targeted versus ransomware as a service (RaaS). Two particular malware families have dominated each branch: SamSam (targeted) and GandCrab (RaaS). Targeted seeks high ransoms from relatively few victims, while RaaS seeks relatively small ransoms from a large number of victims. The reason for the divergence is improving defenses against ransomware. The original spray-gun method of infection is no longer as effective as it used to be. User defenses against the malware are more effective, while decryptors are rapidly developed and made available to victims via the NoMoreRansom website and from other security firms. RaaS emerged as a model to allow the malware developers to concentrate on software development and staying ahead of the defenders while selling or renting their product to multiple distributors -- regardless of the distributors' level of technical capability. By maintaining continuous improvement, the RaaS model ensures that the spray gun approach continues to be viable for the criminals.