The Frightening Trajectory Of Ransomware

The Frightening Trajectory Of Ransomware


by Rob Cheng, CEO of PC Matic

Ransomware, the malicious software that encrypts user data then demands a ransom in exchange for a decryption key, has taken the nation by storm.  As the American economy begins to reopen, the frequency of ransomware attacks will once again skyrocket.  It’s time to do something.

During a recent meeting with the  FBI’s ransomware team, one of their ransomware analysts pushed over a report about a new threat. In addition to encrypting files, and demanding payment in crypto currency, the virus copies the files to a foreign server. If the ransom is not paid, the virus leaks the stolen data to the dark web for sale to cyber criminals.

The virus, known as Sodinokibi, infected Travelex, one of world’s largest foreign exchange banks, and the New York airport system with this ominous note:

“This is a small part of what we have. If there are no movements, we will sell the remaining, more important and interesting commercial and personal data to third parties including financial details.”

But the worst part?  Sodinokibi was just the beginning.  Since it’s release earlier this year, new ransomware threats like Maze have copied the model of infiltrate, encrypt, steal, and extort.  These attacks are successful in targeting businesses small and large, including its latest victim, multinational corporation, Cognizant.

sodinokibi virus

The FBI, perhaps not strongly enough, recommends that ransom payments be avoided at all costs with the rationale that the more ransoms paid, the greater the future attacks. The reality is that many individuals and organizations ignore the FBI warnings and fork over hundreds of thousands of dollars if not millions to expediently restore operations and avoid embarrassment and public scrutiny.

And there is that ugly word, embarrassment, which drives more of our behavior than we care to admit. The new ransomware model threatens our privacy and safety with a clock ticking to make immediate payment to faceless cyber criminals. Even with the FBI’s advice ringing in our heads, as a society, people are going to pay. If embarrassment was driving behavior before Sodinokibi, the cyber criminals have hit the mother load, and ransom payments will flow out of the country like a river.

The latest ransomware model changes the economics of ransomware. Prior to Sodinokibi, the data was inaccessible, but the victim was still the owner of the information. Now, the victim has lost control of the security and dissemination of the information. The anonymous, never- to-be-known, cyber criminals have automated stealing and breaching our most important and private data sets.

The trajectory of ransomware is frightening

In 2019 we saw an acceleration in infections in cities, counties, police departments and public schools. These are the public infections. More concerning are the infections that don’t make the news where the ransoms are paid quickly and quietly. The suits at publicly traded companies embarrass more easily than the rest of us, and a few million dollar extortion is a burp on their quarterly profit and loss statement. Wall Street won’t blink an eye.

Sodinokibi, Maze, and similar ransomware variants have begun pouring accelerant onto an already escalating ransomware fire. America’s aggregate response to the growing danger of ransomware has been lackadaisical at best.

Since the dawn of the personal computer, there has been a silent war waged between malware makers and the antivirus software designed to protect from malicious programs. Over the last four decades, a technical gap continues to grow between the technologies used to infect and those to protect. Sodinokibi has been viewed as an important technical advancement for the enemy.


Behind each successful ransomware infection is a failed antivirus. The stunning ascent of ransomware indicates an unacceptable level of substandard antiviruses incapable of consistently identifying and blocking modern threats. 

In order to make smart security decisions, the public requires objective data, not marketing buzzwords. For example, the city of New Orleans has repeatedly been a target of cyber attacks.  What antivirus allowed these cyber crimes to execute? 60 Minutes covered the post infection debris of ransomware infections at the Cleveland airport and city of Atlanta, but there was no discussion of what failed.

After an airplane crash, the NTSB investigates the factors that contributed to the crash including weather, pilot error, faulty airplane, improper maintenance and the black box. The information is made public so we can learn and avoid future crashes. Similar investigations occur to promote vehicle safety. There is an investigation and the government mandates that certain models of cars be removed from the road because the vehicles are unsafe and a public safety threat. This needs to happen for ransomware infections.

American cities, counties, K-12 and law enforcement, are most frequently tagged with ransomware. Following the NTSB’s playbook, after an infection, a report is generated that details the victim’s security practices including cyber security products. This information will be stored in a database, categorized, tagged and published for public consumption. This critical information allows the nation to learn from each infection, objectively purchase cyber security products and progressively improve the nation’s cyber security.

The primary motivation behind the ransomware infections is financial. The cyber criminals are creatively monetizing security holes in the nation’s security. As IT and government administrators purchase security products based on objective data rather than buzzwords, infection rates will decline, resulting in lower ransom payments. As the trajectory decelerates and plateaus, it will ultimately hit the cyber criminals’ bottom line.

It bears repeating. For each ransomware infection, there is a failed antivirus. By sharing the individual stories of which antivirus failed, everyone wins. The superior antiviruses will rise to the top, and the inferior drop off the map. Up to this point, the natural selection process has failed due to opacity and a lack of information sharing. We together can shine a light to discover the best and worst antivirus solutions.

If you are an overworked and underpaid city and county administrator, after a ransomware attack, willingly share the information so we jointly learn and improve from each attack.

If you are a legislator and politician, draft and pass legislation for each state and the nation to close the holes in Freedom of Information to allow the easy and quick dissemination of information after a ransomware attack. There are numerous bills in each state and in the US Congress to allocate more funds to address many symptoms and ramifications of the ransomware crisis. Money doesn’t hurt but it may not help. With ransomware threats not only looming but advancing, we must find the most expedient solution not the most expensive.

If you are in the media, in a TV station, on the radio, a journalist, or a blogger, dig deeper. People prefer to learn how to avoid a ransomware attack, as opposed to the frustration and societal damages of the aftermath. You will get more ears and eyeballs, and your boss will like you a little more.

If you are one of the few that are making IT purchase decisions, as the data becomes available, use the data. Objectivity is key. If your organization or company gets infected, share your data willingly. Don’t be embarrassed.

And for the rest of us that are saddened by the lack of progress in halting the path of ransomware. Who wishes they could do something, but don’t know how. We all can do something. First, protect your devices. Pay attention to the data as it surfaces, and make an objective virus selection for your personal devices. If your city, county, school or police department gets infected, demand to know their antivirus solution. If you hit a wall, talk to your neighbors. Talk to your congressman. Don’t give up.

Lastly, be proud, be strong, and don’t be embarrassed. The least embarrassed never won anything, ever.

About the Author

rob cheng authorA passionate cybersecurity advocate, Rob Cheng is the CEO and Founder of PC Matic – the world’s only American-made antivirus software. Rob is a graduate of Cornell University, where he received a Bachelor’s of Science in Engineering; and a graduate of the University of Texas, where he received his Master’s in Business Administration (MBA).

Shortly after graduating from Cornell University, and while a student at the University of Texas, Rob began his career with Texas Instruments. Here, he quickly garnered the respect of the company’s senior leadership and assumed responsibility for the company’s Latin American territory.

This advancement in his career lead to him accepting a job at Gateway Computers in 1991. Here, Rob became Vice President of Sales, Consumer Support, and Marketing, and went on to help Gateway become the dominant PC company for much of the 1990’s.

After nearly 10 years with Gateway, and after feeling a personal decline from what he was gaining from his work, Rob made the decision to depart the company. Shortly after, Rob founded PC Pitstop, a free computer diagnostic web site.

By 2009, PC Pitstop had grown, and PC Matic was launched as a comprehensive tool to care for the maintenance and security of personal computers. In 2010, Rob’s wife and father were running PC Matic and both got infected with the FBI virus, an early form of ransomware, which lead Rob to develop his own version of antivirus software – using whitelist technology.

Since the development of the whitelist antivirus software, the sky has been the limit. PC Pitstop was re-branded to PC Matic, and PC Matic has since developed countless branches, including PC Matic Home, Pro, and MSP. PC Matic employees over 80 employees across 10 different states, and all are engaged in defending America’s cyber-world.

Rob can be reached online via Twitter at @ChengRob2 or online at

FAIR USE NOTICE: Under the "fair use" act, another author may make limited use of the original author's work without asking permission. Pursuant to 17 U.S. Code § 107, certain uses of copyrighted material "for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship, or research, is not an infringement of copyright." As a matter of policy, fair use is based on the belief that the public is entitled to freely use portions of copyrighted materials for purposes of commentary and criticism. The fair use privilege is perhaps the most significant limitation on a copyright owner's exclusive rights. Cyber Defense Media Group is a news reporting company, reporting cyber news, events, information and much more at no charge at our website Cyber Defense Magazine. All images and reporting are done exclusively under the Fair Use of the US copyright act.