Ransomware has evolved into a sophisticated cyber threat. Today, ransomware operations are a thriving industry. Understanding the progression of ransomware can help businesses defend themselves against future ransomware incidents.

The Early Days of Ransomware

The history of ransomware is relatively short. The first documented case dates back to 1989, when a single author used a rudimentary encryption scheme to extort money; organized criminal use followed much later.

The First Known Ransomware Attack: The AIDS Trojan

The AIDS Trojan appeared in 1989. It was a rudimentary ransomware attack that laid the groundwork for tactics later adopted by cybercriminals. AIDS researcher Joseph Popp created it and mailed roughly 20,000 floppy disks, labeled as AIDS information software, to researchers and conference attendees in over 90 countries.

After a set number of reboots (around 90), it hid the directories on the C: drive and encrypted file names, rendering the system unusable. It then displayed a notice demanding that the user pay PC Cyborg Corporation $189, by mail to a post office box in Panama, to "renew the license." The encryption was a simple symmetric scheme rather than anything irreversible, and free recovery tools were produced soon afterward.

Early Encryption Methods

These primitive attacks relied on weak, home-grown encryption. The key was typically a fixed value embedded in the malware itself and reused for every victim, and the algorithms were often little more than substitution or XOR with a repeating key, so the ciphertext preserved patterns of the plaintext.
Creators assumed that victims would lack the resources or knowledge to recover their files. In practice, anyone who extracted the key from the program, or lined up an encrypted file against the known header of its file format, could decrypt without paying.

The Rise of Modern Ransomware

Ransomware evolved significantly in the mid-2000s. Rather than hiding a key inside the malware, attackers began to use public-key cryptography: files were encrypted in a way that only the attacker's private key could undo, so nothing present on the victim's machine was enough to recover the data.

The Emergence of Cryptolocker

CryptoLocker, which appeared in September 2013, was one of the first ransomware families to combine strong encryption with careful key management at scale. It revolutionized ransomware by making recovery without paying almost impossible.

CryptoLocker infected systems mainly through phishing emails carrying malicious attachments and through the Gameover ZeuS botnet. Each victim's files were encrypted with a symmetric (AES) key, and that key was in turn encrypted with a 2048-bit RSA public key whose private half existed only on the attackers' command-and-control servers. Victims could not decrypt without that private key, and the attackers released it only once the ransom was paid. The design's one weak point was its central key store: when law enforcement seized the Gameover ZeuS infrastructure in Operation Tovar in 2014, the recovered private keys allowed security firms to offer free decryption to many victims.

Notable Attacks from the 2010s

WannaCry, Petya, and NotPetya were the most prominent attacks of the 2010s. In May 2017, WannaCry spread as a self-propagating worm using EternalBlue, a leaked exploit for a flaw in Windows SMBv1. The flaw was not a zero-day: Microsoft had patched it in March 2017 (MS17-010), but unpatched machines were widespread. WannaCry infected hundreds of thousands of computers across more than 150 countries and hit many high-profile victims, including the UK's National Health Service (NHS), where appointments and operations had to be cancelled.

Only a month later, in June 2017, NotPetya struck. It reused code from the Petya ransomware of 2016, but behaved as wiper malware: the disk encryption could not be undone even if the ransom was paid, because the "installation key" shown to victims was random data that identified nothing. It entered networks through a compromised update of the Ukrainian accounting software M.E.Doc and then spread laterally using EternalBlue and stolen administrator credentials. It caused global disruption, hitting Ukrainian banks, government ministries, transport and energy companies, and multinationals such as Maersk and Merck.

The Adoption of Cryptocurrencies for Ransomware Payments

Since the early 2010s, cybercriminals have also adopted cryptocurrencies for ransom payments. Bitcoin, and later Monero, let attackers receive money without a bank account or a name, and a wallet address is far harder to tie to a person than a bank transfer. Bitcoin is pseudonymous rather than anonymous, however: every transaction sits on a public ledger, and blockchain analysis has allowed investigators to follow ransom flows and in some cases seize funds, as the US Department of Justice did with part of the Colonial Pipeline ransom in 2021. That traceability is one reason some groups have pushed victims toward Monero.

Cryptocurrency can also be transferred anywhere in the world without requiring intermediaries, which is useful for criminals targeting victims in other parts of the world.

Finally, there is no central authority that can freeze or reverse a payment once it has been sent. Together, these features have made it practical for criminals to demand, and collect, far larger ransoms.

The Changing Tactics of Cybercriminals

Cybercriminals have changed their tactics significantly over the years, moving from indiscriminate, low-value campaigns against consumers to targeted attacks on businesses and critical infrastructure.

The Rise of Ransomware-as-a-Service (RaaS)

Ransomware has become a booming business model. Many ransomware developers no longer run attacks themselves; they lease their malware and payment infrastructure to affiliates in exchange for a subscription fee or a share of each ransom.

In Q2 2024, just five groups were responsible for almost 40% of the overall volume of attacks. Dispossessor, the group responsible for the most attacks, was found to be operating a thriving RaaS model. Meanwhile, LockBit, the group responsible for the most attacks in Q1 2024, was also found to be operating through a RaaS model.

This has made attacks far more accessible: an affiliate needs no malware development skills to run a campaign. Roles are specialized. RaaS operators maintain the malware, the payment portal, and the leak site, and handle negotiation and communication with the victim; affiliates break in and deploy; dark web vendors handle the sale of stolen data. RaaS operators often offer customer support to affiliates and update the malware regularly, which helps it bypass new security defenses and increases the likelihood of success.

Alongside RaaS, Initial Access Brokers (IABs) have also grown significantly, further complementing the ransomware and data exfiltration ecosystem. These criminals sell attackers a foothold in an organization's network, typically stolen VPN or RDP credentials or a web shell, in exchange for a fee. They gain that access through a variety of methods, including exploiting unpatched vulnerabilities and launching phishing campaigns. Together, RaaS and IABs have contributed to the explosive growth of cybercrime by helping criminals carry out successful campaigns even without much technical experience.

Assessing Ransom Payment Capacity

As ransomware attacks have become more sophisticated, so have criminals' methods of extorting money from organizations. Before triggering encryption, many attackers take the time to assess an organization's financial situation so that their demand matches what the organization can afford.

Many attackers exfiltrate sensitive data from their victims, such as financial records, tax filings, and cyber-insurance policies, before they encrypt anything, and read it to set the price. For public companies, revenue figures are freely available online. Data marketplaces on the dark web can also provide attackers with detailed financial information about organizations.

Targeting Healthcare, Education, and Government

Increasingly, cybercriminals are targeting sectors where downtime is intolerable and data is sensitive, such as healthcare, education, and government. The cost of every hour offline for these organizations increases the likelihood that they will pay.

Between 2022 and 2023, worldwide ransomware attacks against the healthcare sector nearly doubled, according to a 2024 report by the Office of the Director of National Intelligence. The report states, “US hospitals have delayed medical procedures, disrupted patient care because of multiweek outages, diverted patients to other facilities, rescheduled medical appointments, and strained acute care provisioning and capacity as a result of ransomware attacks.”

Conti Leaks: A Key Insight into how Ransomware Groups Operate

Between late 2019 and early 2020, the notorious ransomware group Conti became prominent and carried out several large-scale attacks, typically demanding millions of dollars in ransom from its victims. Its RaaS operation played a significant role in the commercialization of ransomware.

Two leaks exposed Conti's inner workings. In August 2021, a disgruntled affiliate who felt underpaid published the group's training manuals and attack playbooks, showing exactly how affiliates were told to move through a victim's network. Then, in late February 2022, days after Conti publicly sided with Russia's invasion of Ukraine, a Ukrainian security researcher with inside access began releasing tens of thousands of internal chat messages, along with source code, infrastructure details, and records of payments. This incident, known as 'Conti Leaks,' severely disrupted the group; by May 2022 it had shut down its infrastructure and its members had dispersed into other operations.

Even more importantly, it provided the most detailed public view yet of how ransomware groups operate. It showed how the group organized and coordinated itself, with salaried staff, managers, and recruitment, along with the tactics it used to gain access to networks. It also revealed how the group collaborated with other groups to exchange information and recruit new members, and it helped investigators identify members, several of whom were later sanctioned by the US and UK.

Defending Against Ransomware: Past and Present

Ransomware defenses have had to advance quickly in response to changing attack methods, and it’s more important than ever that businesses are prepared.

Early Defense Strategies

In the early days of ransomware, restoring from backups and breaking weak encryption were both effective responses.

Against lockers that blocked access to the machine without encrypting its data, and against families whose encryption was broken, victims could simply wipe the affected machines and restore data from backups. This allowed them to quickly return to normal operations, and many organizations adopted automated backups to recover from attacks more quickly.

Even once encryption became standard, early implementations were often weak: a symmetric key hardcoded in the binary and reused across victims, a keystream reused across files, or a key derived from a predictable value such as the system time. Analysts could pull the key out of the malware, recover it by lining ciphertext up against a known file header, or brute-force a small key space, and many strains had such flaws that free decryptors were released for them.
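The known-plaintext recovery described above, as an added example that is not code from the original article or from any real ransomware strain. The toy encryptor is a stand-in for the class of weak schemes the text describes (one hardcoded symmetric key reused for every file, applied as repeating-key XOR); the victim files and the key `PCCYBORG` are constructed for the demo. The magic bytes in `MAGIC` are the real headers of those formats, which is what makes the first bytes of each file known plaintext.

```python
"""
Known-plaintext key recovery against a weak, repeating-key XOR 'encryptor'.

Added example, not code from the original article or from any real strain.
For each encrypted file whose format has a fixed header, ciphertext XOR
known header gives the key bytes at those positions; because the key is
shared across files, several short headers together can cover the whole key.
"""
from __future__ import annotations

import os
from itertools import cycle

# Real magic bytes of common formats: the known plaintext at offset 0.
MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",  # 8 bytes
    ".pdf": b"%PDF-1.",            # 7 bytes
    ".zip": b"PK\x03\x04",         # 4 bytes
}


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR: the same function encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key_from_files(encrypted: dict[str, bytes], key_len: int) -> bytes | None:
    """Fill in each key position from the known header of every file.

    A file with a short header contributes only the positions it covers.
    If two files disagree on a position, the files were not encrypted with
    one shared key and this attack does not apply; if some position is never
    covered, there is not enough known plaintext. Both cases return None."""
    key: list[int | None] = [None] * key_len
    for name, ct in encrypted.items():
        magic = MAGIC.get(os.path.splitext(name)[1].lower())
        if magic is None:
            continue  # unknown format: no known plaintext for this file
        for i, (c, p) in enumerate(zip(ct[:key_len], magic)):
            k = c ^ p
            if key[i] is not None and key[i] != k:
                return None
            key[i] = k
    if any(k is None for k in key):
        return None
    return bytes(k for k in key if k is not None)


def decrypt_all(encrypted: dict[str, bytes], key: bytes) -> dict[str, bytes]:
    """Once the shared key is known, every file falls, header or not."""
    return {name: xor_with_key(ct, key) for name, ct in encrypted.items()}


def demo() -> dict[str, object]:
    """Constructed victim files encrypted with a constructed 8-byte key."""
    originals = {
        "cat.png": MAGIC[".png"] + b"\x00\x00\x00\rIHDR" + bytes(range(32)),
        "report.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj",
        "src.zip": MAGIC[".zip"] + b"\x14\x00\x00\x00\x08\x00",
        "notes.txt": b"no magic bytes, so this file contributes nothing",
    }
    secret = b"PCCYBORG"  # constructed; stands for the key embedded in the malware
    encrypted = {n: xor_with_key(d, secret) for n, d in originals.items()}

    full = recover_key_from_files(encrypted, len(secret))
    # Without the PNG, the PDF (7 bytes) and ZIP (4 bytes) headers together
    # cover only positions 0-6 of an 8-byte key, so recovery fails.
    without_png = {n: c for n, c in encrypted.items() if n != "cat.png"}
    partial = recover_key_from_files(without_png, len(secret))
    return {
        "key": full,
        "key_without_png": partial,
        "roundtrip_ok": full is not None and decrypt_all(encrypted, full) == originals,
    }


if __name__ == "__main__":
    print(demo())
```

The point to take away is the one the text makes: the weakness is not the XOR itself but the key management. One key for every file and every victim means a single file with a predictable header unlocks everything, which is exactly the property that public-key wrapping of a fresh per-victim key removed.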

Modern Defenses

These early defenses are no longer sufficient to protect against modern, sophisticated threats. Today, many organizations are turning to advanced technology. Endpoint Detection and Response (EDR) records process, file, registry, and network activity across endpoints such as laptops, desktops, and servers, and applies analytics to that telemetry to flag abnormal behavior. For ransomware that means patterns such as one process rewriting thousands of documents in minutes, renaming files with a new extension, or deleting volume shadow copies.
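A behavioral check of the kind the paragraph attributes to EDR, as an added example that is not code from the original article or from any EDR product. It watches what each process does to user files over a sliding window instead of matching a file hash. The event schema, the thresholds, the extension lists, and the process names are assumptions chosen for the demo, and the trace in `constructed_trace()` is constructed, not captured from a host.

```python
"""
Behavioural ransomware heuristic over endpoint file events.

Added example, not code from the original article or from any EDR product.
Two signals mark a single file operation as suspicious: a document renamed
to an extension no ordinary program produces, or a text file overwritten
with near-random bytes. A process is flagged only when many such operations
cluster in a short window across several directories.
"""
from __future__ import annotations

import math
import os
import random
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class FileEvent:
    ts: float                    # seconds since start of trace (assumed schema)
    pid: int
    process: str
    action: str                  # "write" or "rename"
    path: str
    new_path: str | None = None  # rename target
    content: bytes = b""         # sample of the bytes written (first 4 KiB)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 is uniformly random, English text is roughly 4-5."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


# Text formats whose contents should never look random when written.
PLAINTEXT = {".txt", ".csv", ".json", ".xml", ".html", ".log"}
# Documents ransomware typically renames. .docx and friends are zip
# containers, hence high-entropy, so they are kept out of the entropy rule.
DOCUMENTS = PLAINTEXT | {".docx", ".xlsx", ".pptx", ".pdf", ".jpg", ".png"}
# Extensions normal software produces; a rename to anything else is odd.
EXPECTED = DOCUMENTS | {".zip", ".7z", ".gz", ".rar", ".gpg", ".bak", ".tmp", ".old"}


def ext(path: str) -> str:
    return os.path.splitext(path)[1].lower()


def is_suspicious(ev: FileEvent, entropy_threshold: float) -> bool:
    """Does this one event look like encryption in place?"""
    if ev.action == "rename" and ev.new_path is not None:
        return ext(ev.path) in DOCUMENTS and ext(ev.new_path) not in EXPECTED
    if ev.action == "write":
        return ext(ev.path) in PLAINTEXT and shannon_entropy(ev.content) >= entropy_threshold
    return False


class RansomwareHeuristic:
    """Per-process sliding window. The directory spread is what separates mass
    encryption from, say, a log rotator rewriting a single folder."""

    def __init__(self, window_s: float = 30.0, min_events: int = 20,
                 min_dirs: int = 3, entropy_threshold: float = 7.8) -> None:
        self.window_s, self.min_events, self.min_dirs = window_s, min_events, min_dirs
        self.entropy_threshold = entropy_threshold
        self._recent: dict[int, deque[tuple[float, str]]] = defaultdict(deque)
        self._alerted: set[int] = set()

    def observe(self, ev: FileEvent) -> str | None:
        if not is_suspicious(ev, self.entropy_threshold):
            return None
        q = self._recent[ev.pid]
        q.append((ev.ts, os.path.dirname(ev.path)))
        while q and q[0][0] < ev.ts - self.window_s:
            q.popleft()  # drop operations that fell out of the window
        dirs = {d for _, d in q}
        if len(q) >= self.min_events and len(dirs) >= self.min_dirs and ev.pid not in self._alerted:
            self._alerted.add(ev.pid)  # one alert per process, not one per file
            return (f"pid {ev.pid} ({ev.process}): {len(q)} suspicious file ops "
                    f"across {len(dirs)} directories within {self.window_s:.0f}s")
        return None


def run_detection(events: list[FileEvent]) -> list[str]:
    det = RansomwareHeuristic()
    alerts = [det.observe(ev) for ev in sorted(events, key=lambda e: e.ts)]
    return [a for a in alerts if a]


def constructed_trace() -> list[FileEvent]:
    """Constructed sample: two benign processes and one encryptor."""
    rng = random.Random(1)
    rand4k = lambda: rng.getrandbits(8 * 4096).to_bytes(4096, "big")
    home, t, events = "/home/alice", 0.0, []
    for i in range(30):  # archiver: high entropy, but to .7z in one directory
        t += 0.1
        events.append(FileEvent(t, 3131, "7z.exe", "write", f"{home}/Archive/batch{i}.7z", content=rand4k()))
    for i in range(30):  # backup agent: many directories, but plain text
        t += 0.1
        events.append(FileEvent(t, 2020, "backup.exe", "write", f"{home}/Notes/d{i}/note.txt",
                                content=b"meeting notes " * 300))
    for d in ("Documents", "Finance", "Projects", "Desktop", "Downloads"):  # encryptor
        for i, e in enumerate((".txt", ".csv", ".docx", ".pdf", ".json")):
            p = f"{home}/{d}/file{i}{e}"
            t += 0.1
            events.append(FileEvent(t, 4242, "update.exe", "write", p, content=rand4k()))
            t += 0.1
            events.append(FileEvent(t, 4242, "update.exe", "rename", p, new_path=p + ".locked"))
    return events


if __name__ == "__main__":
    for alert in run_detection(constructed_trace()):
        print(alert)
```

The two benign processes show why each signal alone is a poor detector: the archiver writes random-looking bytes but only into archive files in one folder, and the backup agent touches many folders but writes readable text. Only the encryptor satisfies both the per-event test and the clustering test. A production EDR layers more on top of this, such as process lineage, canary files, and shadow-copy deletion, but the shape of the analytic is the same.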

Extended Detection and Response (XDR) builds on the same approach but widens the scope beyond endpoints, correlating telemetry from other layers of an organization's security stack, such as identity providers, email, network sensors, cloud workloads, Internet of Things (IoT) devices, and applications.

Many organizations are also adopting a zero-trust approach to security, in which no user, device, or network location is trusted by default. Every request is authenticated and authorized on its own merits, because any of them could originate from a compromised account or host.

In practice this means verifying users with multi-factor authentication (MFA) so that a stolen password alone is not enough to log in, and segmenting the network so that a compromise of one host does not give an attacker free lateral movement to file servers, domain controllers, or backups.

Future Trends in Ransomware

The history of ransomware has been marked by rapid evolution, and businesses must remain on high alert for future attacks.

Changing Targets

Backup servers are typically the final line of defense for organizations recovering from cyberattacks. Increasingly, attackers hunt for them first, deleting or encrypting backups and wiping volume shadow copies before triggering encryption, so that the victim has nothing left to restore from. The practical countermeasure is to keep at least one copy offline or immutable, with credentials separate from the domain the attacker is likely to control, and to test restores regularly.

The Shift to Double Extortion

Attackers have evolved from simply encrypting data to stealing it first and threatening to publish it, creating a dual threat: even a victim that restores cleanly from backups still faces exposure. A ransom buys only a promise to delete the stolen copy, and there is no way to verify that the promise was kept.

In some cases, attackers have released the data even after the ransom has been paid. For organizations, this can lead to severe reputational damage, regulatory penalties for compliance breaches, and legal consequences.

Attackers may even leak the information to the organization's competitors. This can expose sensitive business and customer acquisition strategies, resulting in significant revenue loss and severely damaging its competitive advantage.

Lessons Learned from the History of Ransomware

The history of ransomware offers critical lessons, and the criminal industry behind it continues to evolve at breakneck speed.

By understanding the evolution of ransomware and tapping into cybercrime trends, businesses can take proactive steps to protect against future ransomware incidents.