December 2024 has the dubious distinction of being both the 35th anniversary of the first ransomware and the 20th anniversary of the first use of modern criminal ransomware. Since the late 1980s ransomware has evolved and innovated into a major criminal enterprise, so it seems apt to reflect on the changes and innovations we have seen in ransomware over the past three decades.
The first use of ransomware was identified in December 1989: an individual physically mailed out floppy disks purporting to contain software that would help judge whether a person was at risk of developing AIDS, hence the malware being named the AIDS Trojan. Once installed, the software waited until the computer had been rebooted 90 times before hiding directories, encrypting file names and displaying a ransom note that demanded a cashier’s cheque be sent to a PO Box in Panama for a licence that would restore the files and directories.
The individual responsible was identified but found unfit to stand trial. Ultimately, the difficulty in distributing the malware and collecting payment in a pre-internet world meant that the attempt was unsuccessful. However, technology advanced; computers increasingly became connected to networks and new opportunities arose to distribute ransomware.
The risk of a “cryptovirus” that could use encryption to mount extortion attacks, with victims required to pay to obtain the decryption key, was recognized by researchers in 1996, as were the defenses necessary to defeat the threat: effective antivirus software and system backups.
Technical Lead, Security Research – EMEA at Cisco Talos.
Reaping the rewards of ransomware
In December 2004, evidence of the first use of criminal ransomware, GPCode, was uncovered. The attack targeted users in Russia and was delivered as an email attachment purporting to be a job solicitation. Once opened, the attachment downloaded and installed the malware on the victim’s machine, which scanned the file system and encrypted files of targeted types. Early samples applied a custom encryption routine that was easily defeated, before the attacker adopted secure public-key encryption algorithms that were much more difficult to crack.
Clearly, this attack sparked the imagination of criminals, and a variety of ransomware variants were released soon after. However, these early attacks were hampered by the lack of an easily accessible means of collecting the ransom without disclosing the attacker’s identity. Providing instructions for payments to be wired to specific bank accounts left the attacker vulnerable to investigators who could “follow the money”. Attackers became increasingly creative, asking victims to call premium-rate phone numbers or even to buy items from an online pharmacy and supply the receipt in order to receive decryption instructions.
Virtual currencies and gold trading platforms offered a means of transferring payment outside the regulated banking system, and were widely adopted by ransomware operators as a straightforward way to receive payment while maintaining their anonymity. Ultimately, however, these payment services proved vulnerable to action by regulatory authorities, which curtailed their use.
The emergence of cryptocurrencies such as bitcoin offered criminals an effective way to collect ransoms anonymously within a framework that was resistant to disruption by regulators or law enforcement. Consequently, cryptocurrency payments were enthusiastically embraced by ransomware operators, with the successful CryptoLocker ransomware of late 2013 being one of the first adopters.
Diversifying the ransomware operations portfolio
With the adoption of cryptocurrencies as an effective means of receiving payment, ransomware operators were able to focus on expanding their operations. The ransomware ecosystem began to professionalize, with specialist providers offering their services to take on some of the tasks involved in conducting attacks.
In the early 2010s ransomware operators tended to rely on their own preferred means of distributing their malware, such as sending spam messages, subverting websites or partnering with botnet operators who could install malware on large numbers of compromised systems. By developing a partner ecosystem, ransomware writers could concentrate on building better ransomware and leave distribution to less technically skilled operators specializing in delivery and social engineering.
Criminals developed sophisticated portals through which their affiliates could measure their success and access new features to facilitate their attacks and the collection of ransom payments. Initially these attacks adopted a mass-market style of distribution, attempting to infect as many users as possible to maximize ransom payments without regard to the profile of the victims.
In 2016, a new variant of ransomware, SamSam, was identified that was distributed according to a different model. Instead of prioritizing the quantity of infections, hitting large numbers of users for relatively small ransoms, the distributors of SamSam targeted specific institutions and demanded large sums. The gang combined hacking techniques with ransomware: they penetrated organizations’ systems, then identified key computer systems and installed ransomware on them in order to maximise disruption to the entire organization.
This innovation changed the ransomware market. Ransomware operators discovered that targeting institutions, disrupting entire organizations and bringing their operations to a halt allowed them to demand much higher ransoms, and was therefore more profitable than encrypting the endpoint devices of individuals.
Criminals quickly prioritized certain industrial sectors, and the healthcare industry became a frequent target, presumably because ransomware affected key operational systems, seriously disrupting the healthcare facility, putting lives at risk and so adding pressure on senior management to pay the ransom to restore functions quickly.
Modern day ransomware is born
In November 2019, the innovation of double extortion was first used by attackers delivering the Maze ransomware. In these attacks, the attacker steals confidential data from systems before encrypting it. This gives the attacker two levers of pressure on business leaders to pay the ransom: the loss of access to data, and the threat of public disclosure of confidential data with the reputational and regulatory consequences that follow.
Over the years a number of imitators of ransomware have appeared. We’ve seen fake ransomware that simply presents a ransom note without bothering to encrypt any data, hoping that victims will pay regardless.
WannaCry was a self-propagating malware that spread around the world in May 2017. Although the malware did encrypt data, ransoms were to be paid into a small number of shared bitcoin wallets, which meant there was little opportunity for the attacker to know which victims had paid and to whom decryption keys should be released.
The NotPetya malware of June 2017 purported to be ransomware and spread autonomously through networks. While it encrypted files and displayed a ransom note, it was a destructive attack: the unique ID in the note was irrelevant to the encryption process, and the malware wiped as well as encrypted critical data, rendering it unrecoverable even with the correct decryption key.
Ransomware is not just a financial crime. It impacts those who are affected by the disruption to essential services. People unable to access vital data or work are left feeling anxious and stressed, while IT departments working to resolve the situation suffer additional stress and risk burnout. On a human level, inevitably some people lose irreplaceable data such as photos of loved ones or projects to which they have devoted many months or years of work.
Lessons for businesses and industry
The IT landscape in 2024 is very different from that of 1989 or 2004. Improved software engineering and patch management mean that it is more difficult for ransomware to infect systems through unpatched web browser vulnerabilities. Conversely, the many password breaches over the years have put potentially reused or easily guessable passwords in the hands of criminals, so that increasingly the human user is the point of ingress.
We should not feel powerless in the face of ransomware. Law enforcement activity has arrested and charged many ransomware operators. Others who have evaded arrest have been subjected to international sanctions. Infrastructure used to coordinate attacks and cryptocurrency wallets have been seized. Anti-virus detection has also advanced over the years: while some malware may slip past detection, modern endpoint protection software constantly searches for evidence of unknown programs attempting to encrypt files without permission.
The Achilles heel of ransomware is backups. Data that is backed up and stored offline can be used to restore files that have otherwise been corrupted and lost, negating any need to pay the ransom to retrieve them. The success of ransomware over the past 35 years is also the story of the failure to widely adopt backups from which files can be restored.
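The behavioural detection described above can be illustrated with a small example. The following Python sketch is added here for this article and is not code from the author or from any endpoint product; it combines two heuristics an endpoint agent might use: a single process rewriting many distinct files with near-random (high-entropy) content, and renaming those files at the same time. The file-write records, process names and thresholds are constructed assumptions; a real agent would also apply a time window and consult reputation data before acting.

```python
import math
import random
from collections import defaultdict
from dataclasses import dataclass


# Constructed record of one file write as a hypothetical endpoint agent might see it.
@dataclass
class WriteEvent:
    pid: int
    process: str
    path: str       # file name before the write
    new_path: str   # file name afterwards; differs from path if the file was renamed
    data: bytes     # content written


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: about 8.0 for ciphertext or compressed data, 4 to 5 for text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


# Assumed thresholds; a deployed agent would tune these per environment.
HIGH_ENTROPY_BITS = 7.0
MIN_FILES = 5


def flag_suspicious(events, high_entropy=HIGH_ENTROPY_BITS, min_files=MIN_FILES):
    """Return [(pid, process)] for processes that both rewrote at least min_files
    distinct files with high-entropy content and renamed at least min_files files.
    Requiring both avoids flagging archivers, which write high-entropy data but
    do not rename the originals."""
    per_pid = defaultdict(lambda: {"process": "", "hi_files": set(), "renames": 0})
    for ev in events:
        rec = per_pid[ev.pid]
        rec["process"] = ev.process
        if shannon_entropy(ev.data) >= high_entropy:
            rec["hi_files"].add(ev.path)
        if ev.new_path != ev.path:
            rec["renames"] += 1
    return sorted(
        (pid, rec["process"])
        for pid, rec in per_pid.items()
        if len(rec["hi_files"]) >= min_files and rec["renames"] >= min_files
    )


def sample_events():
    """Constructed sample: one process mass-rewriting and renaming documents, one
    word processor saving ordinary text, one archiver writing a single compressed file."""
    rng = random.Random(1)

    def noise(n=2048):
        return bytes(rng.getrandbits(8) for _ in range(n))

    events = []
    for i in range(6):
        doc = f"C:/Users/alice/Documents/report{i}.docx"
        events.append(WriteEvent(4242, "unknown.exe", doc, doc + ".locked", noise()))
    text = b"Quarterly figures: revenue up 3% over Q2; see attached tables. " * 40
    q3 = "C:/Users/alice/Documents/q3.docx"
    events.append(WriteEvent(100, "winword.exe", q3, q3, text))
    arch = "C:/Users/alice/archive.7z"
    events.append(WriteEvent(200, "7z.exe", arch, arch, noise()))
    return events


if __name__ == "__main__":
    print(flag_suspicious(sample_events()))
```

Only the constructed `unknown.exe` process is reported: the archiver writes high-entropy data but renames nothing, and the word processor's output is low-entropy text. This is the same trade-off real endpoint protection makes when it looks for unknown programs encrypting files rather than matching known malware signatures.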
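A backup only negates the ransom if it is still intact when it is needed, so the copy should be verified before any restore. The example below is added for this article and is not the author's or any vendor's code: it records a SHA-256 manifest of a backup set when the backup is taken, then re-checks the set and reports files that are unchanged, modified, missing or unexpected. The directory layout, file contents and the `manifest.json` name are constructed; the scenario simulates a backup volume that was left online and tampered with after the backup was made.

```python
import hashlib
import json
import tempfile
from pathlib import Path

MANIFEST_NAME = "manifest.json"  # assumed name for the recorded hash list


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(backup_dir: Path) -> Path:
    """Record the SHA-256 of every file in the backup set at backup time."""
    entries = {
        p.relative_to(backup_dir).as_posix(): sha256_file(p)
        for p in sorted(backup_dir.rglob("*"))
        if p.is_file() and p.name != MANIFEST_NAME
    }
    manifest = backup_dir / MANIFEST_NAME
    manifest.write_text(json.dumps(entries, indent=2))
    return manifest


def verify_backup(backup_dir: Path) -> dict:
    """Compare the backup set against its manifest before restoring from it.
    Returns relative path -> 'ok' | 'modified' | 'missing', plus 'unexpected'
    for files that were not present when the manifest was written."""
    expected = json.loads((backup_dir / MANIFEST_NAME).read_text())
    result = {}
    for rel, digest in expected.items():
        p = backup_dir / rel
        if not p.exists():
            result[rel] = "missing"
        elif sha256_file(p) != digest:
            result[rel] = "modified"
        else:
            result[rel] = "ok"
    for p in backup_dir.rglob("*"):
        if p.is_file() and p.name != MANIFEST_NAME:
            rel = p.relative_to(backup_dir).as_posix()
            if rel not in expected:
                result[rel] = "unexpected"
    return result


def demo() -> dict:
    """Constructed scenario: take a backup, then simulate a volume that stayed
    online and was encrypted, pruned and given a ransom note, then verify."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp)
        (backup / "docs").mkdir()
        (backup / "docs" / "report.txt").write_text("quarterly report, constructed sample")
        (backup / "docs" / "notes.txt").write_text("meeting notes, constructed sample")
        (backup / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0 constructed jpeg stub")
        write_manifest(backup)
        # Tampering after the backup was taken.
        (backup / "docs" / "report.txt").write_bytes(bytes(range(256)))  # ciphertext-like
        (backup / "photo.jpg").unlink()
        (backup / "README_RESTORE.txt").write_text("constructed ransom note")
        return verify_backup(backup)


if __name__ == "__main__":
    for rel, status in sorted(demo().items()):
        print(f"{status:10} {rel}")
```

In the constructed run, `notes.txt` verifies, `report.txt` is reported as modified, `photo.jpg` as missing and the dropped note as unexpected. Keeping the manifest on the same writable volume as the data would let an attacker rewrite both, which is the article's point about storing backups offline: the manifest, like the backup itself, belongs on media the compromised host cannot alter.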
Looking to the future, it is unlikely that we will see the end of ransomware. Its profitability for criminals means that it is likely to plague us for many years to come. It is also unlikely to stay the same. Criminals have proved remarkably inventive in devising new techniques and methods to improve the business model and to evade detection of both themselves and their malware.
However, the cybersecurity industry is equally innovative, constantly developing new tools and strategies to combat these threats. By staying informed, adopting robust security measures, and collaborating globally, we can mitigate the risks and build a more resilient digital future.
This article was produced as part of TechRadarPro’s Expert Insights channel, where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc.