December 2024 has the dubious distinction of being both the 35th anniversary of the first ransomware and the 20th anniversary of the first use of modern criminal ransomware. Since the late 1980s, ransomware has evolved and innovated into a major criminal enterprise, so it only seems appropriate to reflect the changes and innovations we have seen in ransomware over the past three decades.
The first use of ransomware was identified in December 1989; an individual physically mailed floppy disks purporting to contain software to help judge whether a person was at risk of developing AIDS, hence the malware was called the AIDS Trojan. Once installed, the software waited until the computer had been rebooted 90 times before hiding directories, encrypting file names, and displaying a ransom note requesting that a cashier’s check be sent to a post office box in Panama to obtain a license, which would restore the files and directories.
The person responsible was identified but declared unfit to stand trial. Ultimately, the difficulty of distributing the malware and collecting payment in a pre-Internet world made the attempt unsuccessful. However, technology advanced; computers became increasingly connected to networks, and new opportunities emerged to distribute ransomware.
Researchers recognized in 1996 the risk of a “cryptovirus” that could use encryption to launch extortion-based attacks, demanding payment from victims in return for a decryption key. They also identified the defenses necessary to defeat the threat: effective antivirus software and system backups.
Technical Lead, Security Research – EMEA at Cisco Talos.
Reaping the fruits of ransomware
In December 2004, evidence of the first use of criminal ransomware, GPCode, was discovered. This attack targeted users in Russia and was delivered as an email attachment purporting to be a job application. Once opened, the attachment downloaded and installed the malware on the victim’s machine which scanned the file system encrypting files of specific types. Early samples applied a custom encryption routine that was easily defeated, before the attacker adopted secure public-key encryption algorithms that were much more difficult to crack.
Clearly, this attack sparked the imagination of criminals, and a variety of different ransomware variants were released soon after. However, these early attacks were hampered by the lack of easily accessible means to collect ransom payment without revealing the identity of the attacker. Providing instructions for payments to be transferred to specific bank accounts left the attacker vulnerable to a legal investigation to “follow the money.” The attackers became increasingly creative by asking victims to call premium rate phone numbers or even purchase items from an online pharmacy and provide the receipt for decryption instructions.
Virtual currencies and gold trading platforms offered a means to transfer payments outside of regulated banking systems and were widely adopted by ransomware operators as a simple mechanism to receive payments while maintaining their anonymity. However, these payment services ultimately proved vulnerable to measures by regulatory authorities that restricted their use.
The emergence of cryptocurrencies, such as bitcoin, offered criminals an effective way to collect ransoms anonymously within a framework resistant to tampering by regulatory authorities or law enforcement. Consequently, ransomware operators eagerly adopted cryptocurrency payments, with the successful CryptoLocker ransomware of late 2013 being one of the first to adopt it.
Diversify ransomware operations portfolio
With the adoption of cryptocurrencies as an effective means of receiving payments, ransomware operators were able to focus on expanding their operations. The ransomware ecosystem began to professionalize with specialized providers offering their services to share some of the tasks involved in carrying out attacks.
In the early 2010s, ransomware operators tended to adopt their own preferred means of distributing their malware, such as sending spam messages, subverting websites, or partnering with botnet operators who could install malware on large numbers of compromised systems. By developing an ecosystem of partners, ransomware creators could focus on developing better ransomware and leave malware distribution to less technically skilled operators who could focus on social engineering and distribution techniques.
Criminals developed sophisticated portals for their affiliates to measure their success and access new features to facilitate their attacks and collection of ransom payments. Initially, these attacks adopted a mass-market-style malware distribution that attempted to infect as many users as possible to maximize ransom payments without taking into account the victims’ profile.
In 2016, a new ransomware variant, SamSam, was identified that was distributed according to a different model. Instead of prioritizing the number of infections, affecting a large number of users in exchange for relatively small ransoms, SamSam distributors targeted specific institutions and demanded large sums of ransom money. The gang combined hacking techniques with ransomware: they first penetrated an organization’s systems, then identified key computer systems and installed ransomware on them to maximize disruption across the organization.
This innovation changed the ransomware market. Ransomware operators discovered that it was more profitable to target institutions, disrupting entire organizations and halting their operations, allowing them to demand much higher ransoms than encrypting individuals’ end devices.
Criminals quickly prioritized certain industrial sectors; the healthcare industry became a frequent target, presumably because the ransomware affected key operating systems, severely disrupting the operation of the healthcare facility, putting lives at risk and, as a result, increasing pressure on senior management to pay the ransom to quickly restore functions.
Modern ransomware is born
In November 2019, attackers delivering the Maze ransomware first used the double extortion innovation. In these attacks, the attacker steals sensitive data from systems before encrypting it. By doing so, the attacker can apply two levers of pressure on business leaders to make them pay the ransom: the elimination of data access, and the threat of public disclosure of sensitive data with subsequent regulatory and reputational consequences.
Several ransomware imitators have appeared over the years. We have seen fake ransomware that simply presents a ransom note without bothering to encrypt any data, expecting victims to pay regardless.
WannaCry was a self-propagating malware that spread around the world in May 2017. Although the malware encrypted data, the small number of shared bitcoin wallets that victims were asked to pay into meant the attacker had little chance of knowing which victims had paid the ransom and to whom the decryption keys should be given.
The June 2017 NotPetya malware was ostensibly ransomware that spread autonomously across networks. While it encrypted files and displayed a ransom note, it was a destructive attack. The unique ID on the note was irrelevant to the encryption process, and the malware deleted and encrypted critical data, making it unrecoverable even with the correct decryption key.
Ransomware is not just a financial crime. It harms everyone affected by the interruption of essential services. People who cannot access vital data or do their work feel anxious and stressed, while IT departments working to resolve the situation suffer additional stress and risk burnout. On a human level, some people inevitably lose irreplaceable data such as photographs of their loved ones or projects to which they have dedicated many months or years of work.
Lessons for business and industry
The IT landscape in 2024 is very different from that of 1989 or 2004. Improved software engineering and patch management mean it is more difficult for ransomware to infect systems through unpatched web browser vulnerabilities. In contrast, the number of password breaches over the years, which make potentially reused or easy-to-guess passwords available to criminals, means that increasingly the human user is the entry point.
We should not feel helpless against ransomware. Law enforcement has arrested and charged many ransomware operators. Others who have evaded arrest have been subjected to international sanctions. Infrastructure used to coordinate attacks and cryptocurrency wallets have been seized. Antivirus detection has also advanced over the years. Although some malicious programs can go undetected, modern endpoint protection software is constantly looking for evidence of unknown programs attempting to encrypt files without permission.
The Achilles heel of ransomware is backups. Data that is backed up and stored offline can be used to restore files that would otherwise have been corrupted and lost, thus eliminating any need to pay the ransom to recover the files. The success of ransomware over the past 35 years is also the story of the failure to widely adopt backups from which files can be restored.
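A backup only defeats ransomware if it is both out of reach of the malware and actually restorable, so the check a practitioner wants is a restore test that compares restored files against hashes recorded when the backup was taken. The following is an added example, not code from the article; the directory layout, file contents and the "encrypted" and "missing" files are all constructed inside the script to simulate a backup that was partly overwritten.

```python
"""Manifest-based restore verification for offline backups.

Added example (not from the article). Records a SHA-256 manifest when a backup
is taken and later compares a restored tree against it, reporting files that
are missing or whose content changed (an encrypted backup shows up as altered).
The file tree below is constructed purely for illustration.
"""
import hashlib
import os
import tempfile


def sha256_file(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map relative path -> SHA-256 for every file under root."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_restore(manifest, restored_root):
    """Compare a restored tree with the manifest taken at backup time.
    Returns (missing, altered), both sorted by path."""
    missing, altered = [], []
    for rel, digest in sorted(manifest.items()):
        full = os.path.join(restored_root, *rel.split("/"))
        if not os.path.exists(full):
            missing.append(rel)
        elif sha256_file(full) != digest:
            altered.append(rel)
    return missing, altered


def _write(root, rel, data):
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo():
    """Constructed scenario: snapshot three files, then 'restore' with one file
    overwritten by ciphertext-like bytes and one file absent."""
    files = {
        "docs/report.docx": b"quarterly figures",
        "docs/notes.txt": b"meeting notes",
        "photos/family.jpg": b"\xff\xd8\xff\xe0 constructed jpeg stand-in",
    }
    with tempfile.TemporaryDirectory() as backup, \
            tempfile.TemporaryDirectory() as restored:
        for rel, data in files.items():
            _write(backup, rel, data)
        manifest = build_manifest(backup)            # taken at backup time
        _write(restored, "photos/family.jpg", files["photos/family.jpg"])
        _write(restored, "docs/report.docx", bytes(range(256)))  # 'encrypted' copy
        # docs/notes.txt is deliberately not restored
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    missing, altered = demo()
    print("missing:", missing)
    print("altered:", altered)
```

Keeping the manifest with the offline copy (or on separate write-once media) means a backup that was silently encrypted while still connected is caught during a scheduled restore drill rather than during an incident.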
Looking ahead, it is unlikely that we will see the end of ransomware. Its profitability for criminals means it is likely to continue to haunt us for many years to come. It is also unlikely to stay the same. Criminals have proven to be remarkably inventive in devising new techniques and methods to improve the business model and evade detection of both themselves and their malware.
However, the cybersecurity industry is equally innovative and constantly developing new tools and strategies to combat these threats. By staying informed, adopting strong security measures, and collaborating globally, we can mitigate risks and build a more resilient digital future.
This article was produced as part of TechRadarPro’s Expert Insights channel, where we feature the best and brightest minds in today’s tech industry. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc.