December 2024 has the dubious distinction of being both the 35th anniversary of the first ransomware and the 20th anniversary of the first use of modern criminal ransomware. Since the late 1980s, ransomware has evolved and innovated into a major criminal enterprise, so it seems only fitting to reflect on the changes and innovations that we have seen in ransomware over the past three decades.
The first use of ransomware was identified in December 1989; someone physically sent out floppy disks that purported to contain software to help assess whether a person was at risk of developing AIDS, which is why the malware was called the AIDS Trojan. Once installed, the software waited until the computer had been restarted 90 times before proceeding to hide folders, encrypt file names, and display a ransom note requesting that a cashier’s check be mailed to a post office box in Panama for a license that would restore files and folders.
The person responsible was identified but found unfit to stand trial. Ultimately, the difficulty of distributing the malware and collecting payment in a pre-internet world meant that the attempt failed. But technology advanced; computers were increasingly connected to networks, and new opportunities to distribute ransomware emerged.
The risk of a “cryptovirus” that could use encryption to launch extortion-based attacks, demanding payment from victims in return for a decryption key, was recognized by researchers in 1996, as were the defenses needed to defeat the threat: effective anti-virus software and system backups.
Technical Lead, Security Research – EMEA at Cisco Talos.
Reaping the rewards of ransomware
In December 2004, evidence of the first use of criminal ransomware, GPCode, was revealed. This attack targeted users in Russia and was delivered as an email attachment pretending to be a job solicitation. Once opened, the attachment downloaded and installed the malware on the victim’s machine, which scanned the file system, encrypting files of targeted types. Early samples used a custom encryption routine that was easily defeated, before the attacker adopted secure public-key encryption algorithms, which were much harder to crack.
Obviously, this attack fired the imagination of criminals, and a number of different ransomware variants were released soon after. However, these early attacks were hampered by a lack of readily available means of collecting the ransom without revealing the identity of the attacker. Providing instructions for payments to be transferred to specific bank accounts left the attacker vulnerable to legal investigations to “follow the money”. Attackers became increasingly creative, requesting victims to call high-priced phone numbers or even purchase items from an online pharmacy and provide the receipt to receive decryption instructions.
Virtual currencies and gold trading platforms offered a means to transfer payments outside the regulated banking systems and were widely adopted by ransomware operators as a direct mechanism to receive payment while maintaining their anonymity. However, these payment services ultimately proved vulnerable to action by regulators that restricted their use.
The rise of cryptocurrencies, such as bitcoin, offered criminals an efficient way to collect ransoms anonymously within a framework that was resistant to interference by regulatory authorities or law enforcement. As a result, cryptocurrency payments were enthusiastically embraced by ransomware operators, and the successful CryptoLocker ransomware from late 2013 was one of the first adopters.
Diversifying the ransomware operating portfolio
With the adoption of cryptocurrencies as an effective means of receiving payment, ransomware operators were able to focus on expanding their operations. The ransomware ecosystem began to professionalize with specialized providers offering their services to share some of the tasks involved in carrying out attacks.
In the early 2010s, ransomware operators tended to use their own preferred methods to distribute their malware, such as sending spam messages, subverting websites, or collaborating with botnet operators who could install malware on a large number of compromised systems. By developing a partner ecosystem, ransomware writers could focus on developing better ransomware and leave the distribution of the malware to less technically skilled operators who could focus on distribution and social engineering techniques.
Criminals developed sophisticated portals for their affiliates to measure their success and access new features to facilitate their attacks and ransom collection. Initially, these attacks adopted a mass-market distribution of malware that sought to infect as many users as possible to maximize ransom payments, regardless of the victims’ profile.
In 2016, a new variant of ransomware, SamSam, was identified, which was distributed according to a different model. Instead of prioritizing the volume of infections, hitting a large number of users for relatively small ransoms, the distributors of SamSam targeted specific institutions and demanded large sums for their ransom. The gang combined hacking techniques with ransomware: they attempted to penetrate organizations’ systems, then identified and installed ransomware on key computer systems to maximize disruption to the entire organization.
This innovation changed the ransomware market. Ransomware operators discovered that it was more profitable to target institutions, disrupting entire organizations and bringing their operations to a halt, allowing them to demand much higher ransoms than encrypting individual endpoint devices.
Criminals quickly prioritized certain industry sectors; the healthcare industry became a frequent target, presumably because the ransomware affected key operational systems, severely disrupted the operation of the healthcare facility, put lives at risk and, as a result, added pressure on top management to pay the ransom to quickly restore functions.
Modern ransomware is born
In November 2019, the innovation of double extortion was first used by attackers who delivered the Maze ransomware. In these attacks, the attacker steals confidential data from systems before encrypting them. By doing so, the attacker is able to put two pressures on business executives to pay the ransom: removing access to data, and the threat of public disclosure of confidential data with the attendant reputational and regulatory consequences.
Over the years, a number of ransomware imitators have emerged. We’ve seen fake ransomware that simply presents a ransom note without bothering to encrypt any data, hoping the victims will pay no matter what.
WannaCry was a self-propagating malware that spread worldwide in May 2017. Although the malware encrypted data, the small number of shared bitcoin wallets into which victims were asked to pay meant that there was little way for the attacker to know which victims had paid the ransom and to whom decryption keys should be released.
The NotPetya malware from June 2017 spread autonomously through networks and pretended to be ransomware. While it encrypted files and displayed a ransom note, it was a destructive attack. The unique ID in the note was irrelevant to the encryption process, and the malware deleted as well as encrypted critical data, making it unrecoverable even with the correct decryption key.
Ransomware is not just a financial crime. It also harms everyone affected by the disruption of essential services. People unable to access vital data or work feel anxious and stressed, while IT departments working to resolve the situation suffer additional stress and risk burnout. On a human level, some people lose irreplaceable data such as photos of their loved ones or projects to which they have devoted many months or years of work.
Lessons for companies and industry
The IT landscape of 2024 is very different from that of 1989 or 2004. Improved software development and patch management mean that it is more difficult for ransomware to infect systems through unpatched web browser vulnerabilities. Conversely, the number of password breaches over the years, making potentially reused or easily guessable passwords available to criminals, means that the human user is increasingly the point of intrusion.
We shouldn’t feel powerless in the face of ransomware. Law enforcement activity has arrested and charged many ransomware operators. Others who have evaded arrest have been subject to international sanctions. Infrastructure used to coordinate attacks and cryptocurrency wallets have been seized. Antivirus detection has also evolved over the years: while some malware can slip past detection, modern endpoint protection software constantly looks for evidence of unknown programs trying to encrypt files without permission.
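The behavioural check described above, as an added example that is not code from the article or from Cisco Talos: a small heuristic that watches a stream of file-write events and flags a process that is not on an allow-list once it has rewritten several files with encrypted-looking (high-entropy) content and changed their extensions. Event data, process names and the allow-list are all constructed for illustration.

```python
"""Behavioural ransomware heuristic over a stream of file-write events.

Added example (not from the article). It models the kind of check endpoint
protection applies when it watches for an unknown program rewriting many
files with high-entropy content and changing their extensions.
"""
import math
import os
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class FileWriteEvent:
    pid: int
    process: str
    path: str                    # file name after the write
    renamed_from: Optional[str]  # previous name, if the write came with a rename
    data: bytes                  # sample of the bytes written


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 is the maximum for a byte stream."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def _extension(path: str) -> str:
    return os.path.splitext(path)[1].lower()


# Hypothetical allow-list of tools expected to write ciphertext legitimately.
KNOWN_ENCRYPTORS = {"backup-agent", "gpg"}


def score_processes(events: List[FileWriteEvent],
                    entropy_threshold: float = 7.0,
                    min_files: int = 5) -> List[Dict]:
    """One alert per process that both rewrote at least `min_files` files
    with encrypted-looking content and changed at least `min_files` extensions."""
    stats = defaultdict(lambda: {"high_entropy": 0, "ext_changed": 0, "files": set()})
    for ev in events:
        s = stats[(ev.pid, ev.process)]
        s["files"].add(ev.path)
        if shannon_entropy(ev.data) >= entropy_threshold:
            s["high_entropy"] += 1
        if ev.renamed_from and _extension(ev.renamed_from) != _extension(ev.path):
            s["ext_changed"] += 1
    alerts = []
    for (pid, proc), s in stats.items():
        if proc in KNOWN_ENCRYPTORS:
            continue  # allow-listed tools legitimately emit high-entropy output
        if s["high_entropy"] >= min_files and s["ext_changed"] >= min_files:
            alerts.append({"pid": pid, "process": proc,
                           "files_touched": len(s["files"]),
                           "high_entropy_writes": s["high_entropy"],
                           "extension_changes": s["ext_changed"]})
    return alerts


# Constructed sample data: a byte stream with entropy exactly 8.0, and plain text.
CIPHERTEXT_LIKE = bytes(range(256)) * 16
PLAINTEXT_LIKE = b"Quarterly figures, draft 3.\n" * 64

SAMPLE_EVENTS = (
    # A word processor saving one document: low entropy, no rename.
    [FileWriteEvent(1201, "winword.exe", "C:/Users/a/report.docx", None, PLAINTEXT_LIKE)]
    # An allow-listed backup agent writing many encrypted archives, no renames.
    + [FileWriteEvent(880, "backup-agent", f"D:/backup/vol{i}.bin", None, CIPHERTEXT_LIKE)
       for i in range(8)]
    # An unknown binary rewriting user documents as ciphertext and appending ".locked".
    + [FileWriteEvent(4412, "update.exe", f"C:/Users/a/doc{i}.docx.locked",
                      f"C:/Users/a/doc{i}.docx", CIPHERTEXT_LIKE) for i in range(8)]
)

if __name__ == "__main__":
    for alert in score_processes(SAMPLE_EVENTS):
        print("ALERT", alert)
```

Requiring both signals (high entropy and an extension change) keeps ordinary compressors, archivers and the backup agent from tripping the rule, while the per-process thresholds mean one renamed file is not enough; real products add rate limits, canary files and process reputation on top of this.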
The Achilles heel of ransomware is backups. Data backed up and stored offline can be used to recover files that have otherwise been damaged and lost, thus eliminating any need to pay ransom to retrieve the files. The success of ransomware over the last 35 years is also the story of the lack of widespread use of backup devices to restore files.
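A backup only defeats ransomware if the copy you restore from is provably intact, and a backup that stays reachable from the network can be encrypted along with the endpoint. The following added example (not the article's own material) records a SHA-256 manifest when a backup is taken, has the operator keep the manifest's own digest out of band, and verifies both before any restore; the directory layout and file contents are constructed in a temporary directory.

```python
"""Backup integrity check with an out-of-band manifest digest.

Added example (not from the article). take_backup() copies a tree and writes
a manifest of SHA-256 digests; verify_backup() checks the manifest against a
digest recorded separately, then every file against the manifest, so that a
backup altered after it was taken is detected before anyone restores from it.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List

MANIFEST_NAME = "MANIFEST.json"


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_backup(source: Path, dest: Path) -> str:
    """Copy `source` to `dest`, write the manifest, return the manifest digest
    (to be recorded somewhere the backup target cannot be written to)."""
    manifest = {}
    for p in sorted(source.rglob("*")):
        if p.is_file():
            rel = p.relative_to(source).as_posix()
            target = dest / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(p, target)
            manifest[rel] = sha256_file(target)
    mpath = dest / MANIFEST_NAME
    mpath.write_text(json.dumps(manifest, indent=1, sort_keys=True))
    return sha256_file(mpath)


def verify_backup(dest: Path, expected_manifest_digest: str) -> Dict[str, List[str]]:
    """Classify every file under `dest` as ok, modified, missing or unexpected."""
    mpath = dest / MANIFEST_NAME
    if sha256_file(mpath) != expected_manifest_digest:
        raise ValueError("manifest digest mismatch: manifest altered or wrong backup set")
    manifest = json.loads(mpath.read_text())
    result: Dict[str, List[str]] = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    seen = set()
    for p in dest.rglob("*"):
        if not p.is_file() or p.name == MANIFEST_NAME:
            continue
        rel = p.relative_to(dest).as_posix()
        seen.add(rel)
        if rel not in manifest:
            result["unexpected"].append(rel)
        elif sha256_file(p) == manifest[rel]:
            result["ok"].append(rel)
        else:
            result["modified"].append(rel)
    result["missing"] = list(set(manifest) - seen)
    for k in result:
        result[k].sort()
    return result


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: back up three files, then simulate a backup share
    that stayed online and was overwritten and renamed, and verify it."""
    with tempfile.TemporaryDirectory() as tmp:
        live, backup = Path(tmp, "live"), Path(tmp, "backup")
        constructed = {"notes.txt": b"plan\n",
                       "docs/report.txt": b"Q3 figures\n",
                       "photos/cat.jpg": b"\xff\xd8\xff\xe0 constructed jpeg bytes\n"}
        for rel, data in constructed.items():
            f = live / rel
            f.parent.mkdir(parents=True, exist_ok=True)
            f.write_bytes(data)
        manifest_digest = take_backup(live, backup)
        # Simulated damage to the backup copy (not to the manifest).
        (backup / "docs/report.txt").write_bytes(bytes(range(256)))
        (backup / "photos/cat.jpg").rename(backup / "photos/cat.jpg.locked")
        return verify_backup(backup, manifest_digest)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Only `notes.txt` survives the check; the rewritten report shows up as modified and the renamed photo as one missing plus one unexpected file. Because the manifest digest is checked first, an attacker who rewrites both the files and the manifest on an online share is still caught, provided the digest was kept somewhere the share cannot reach, which is the same reason the article insists on offline storage.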
Looking to the future, it is unlikely that we will see the end of ransomware. Its profitability for criminals means it will likely continue to plague us for many years to come. Nor is it likely to remain the same. Criminals have proven remarkably inventive in devising new techniques and methods to improve the business model and avoid detection of both them and their malware.
However, the cybersecurity industry is just as innovative, constantly developing new tools and strategies to combat these threats. By staying informed, adopting robust security measures and collaborating globally, we can reduce risks and build a more resilient digital future.
This article was produced as part of TechRadarPro’s Expert Insights channel, where we feature the best and brightest minds in the tech industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc.