Ransomware: Past, Present, and Future


27th July 2022

Ransomware is one of the few cyber security threats that have become part of common vocabulary.

A day doesn’t go by when we don’t read news about a ransomware attack preventing an organisation from operating. But it wasn’t always like this.

Ransomware is a relatively young threat, and understanding how it evolved to become a dominant type of malware over the last decade can help us understand it.

A Brief History of Ransomware

Popp distributed his malicious software by sending the floppy disks to addresses obtained from a mailing list.

What Is Ransomware?
Ransomware is a type of malware that blocks access to a computer system until the victim pays a ransom. The first known ransomware attack dates back to 1989, when Harvard-trained evolutionary biologist Dr Joseph Popp created a malicious program now known as the AIDS Trojan. He distributed it via floppy disks labelled AIDS Information Introductory Diskette, targeting attendees of a global AIDS conference.

How the AIDS Trojan Operated

Delayed Activation of the AIDS Trojan
Once it infected a system, the Trojan stayed hidden until the computer had been restarted 90 times. On the 90th start-up, the malware activated, locking access and demanding payment to restore functionality.


It would then hide directories and encrypt the names of all files on the main system drive, rendering the computer unusable.

Finally, the ransomware would display a message with payment instructions, requesting the victim to send $189 to a post office box in Panama.

The first malicious software utilising proper encryption algorithms to make files inaccessible started to appear in the wild in 2005.

One notable example is PGPCoder (GPCode), which successfully implemented RSA 1024-bit encryption to render brute force decryption attempts useless.

PGPCoder’s Ransom Demands
The attackers demanded payment via e-gold or Liberty Reserve accounts, both of which were popular among cybercriminals for their anonymity.


The limited reach of PGPCoder and other early ransomware changed with Reveton in 2012. Its widespread distribution network, and the fact that it exploited commonly used web browser plugins, allowed it to target a large number of victims, many of whom decided that paying the ransom was better than the alternative.

Later versions of Reveton switched from MoneyPak to then-emerging peer-to-peer payment technology called Bitcoin. Other ransomware creators quickly realized the benefits of using the somewhat anonymous decentralized digital currency to receive ransom payments, and modern crypto-ransomware was born, with CryptoLocker being the most prominent example for that era.

Trend Micro and other cyber security software companies that monitor the evolving threat landscape often state that 2016 was the year of ransomware because the number of discovered ransomware families climbed to 247, an increase of 752 percent compared with 2015.

5 Ransomware Attacks that Made History

Here’s a short list of some of the most noteworthy ransomware attacks discovered between 2016 and now:

  • Petya (2016): The Petya ransomware attack primarily targeted Ukraine, with Germany experiencing the second-highest number of infections. This geographic focus highlighted the strategic nature of the attack and its potential geopolitical implications. Instead of encrypting individual files, Petya encrypts the file tables that store information about the location of files and directories on the infected storage device.
  • WannaCry (2017): It’s estimated that the WannaCry ransomware attack infected as many as 300,000 computers in over 150 countries. It demanded $300 in Bitcoin in 20 different languages, underscoring its global targeting and scale.
  • SamSam (2018): Unlike many ransomware strains that rely on low-skill tactics like phishing, SamSam took a more advanced approach. Attackers used it to exploit vulnerabilities in poorly secured servers running JBoss (now WildFly), an application server maintained by Red Hat. This method allowed SamSam to spread without user interaction, making it especially dangerous.
  • RobbinHood (2019): The RobbinHood ransomware is single-handedly responsible for the Baltimore ransomware attack of May 2019, which prevented more than 500,000 residents from performing many routine tasks, including pulling home titles to complete real estate sales.
  • DarkSide (2021): By bypassing User Account Control (UAC) in Windows, DarkSide ransomware was able to shut down Colonial Pipeline, the 5,500-mile-long pipeline that carries 45 percent of the fuel used on the East Coast of the United States.

The High Cost of Ransomware Recovery
Despite their differences, ransomware attacks share one costly consequence: recovery is expensive.

The Current State of Ransomware

Two factors explain the steep growth of ransomware:

  • Continued digital transformation of organisations of all sizes: The pandemic has accelerated digital transformation across most industries as consumers moved toward online channels, forcing organisations to take advantage of available IT solutions. Organisations around the world now rely on an average of 110 Software as a Service (SaaS) applications. Together with Platform as a Service (PaaS) and Infrastructure as a Service (IaaS) solutions, they give organisations the agility they need to embrace new hybrid work arrangements and flexibly adjust infrastructure as needed. This growing dependence on cloud-based tools also highlights the importance of securing SaaS environments against ransomware and other cyber threats.
  • Increasing sophistication of ransomware attacks: Long gone are the days of the AIDS Trojan and its fairly primitive approach to file name encryption. Ransomware creators today use a combination of sophisticated tactics to make the malicious software they produce harder to detect and more capable of causing real damage.

Although the sky-high cost of ransomware recovery may seem to suggest that ransomware attacks affect mostly large enterprises, government organizations, and critical infrastructure providers, the fact is that small and medium-sized businesses (SMBs) are now under attack as much as everyone else.

Ransomware Sophistication Is Outpacing IT Teams
Ransomware attacks have grown so advanced that over half of IT decision-makers surveyed by Sophos believe their teams can no longer handle them alone. This rising complexity highlights the urgent need for external support and specialised security solutions.

Ransomware Isn’t Going Away Anytime Soon

Because of how profitable ransomware continues to be for its creators, we can’t reasonably expect this cyber threat to go away anytime soon.

Cybersecurity Ventures estimates that there will be a new ransomware attack every two seconds by 2031, with ransomware damages costing the world as much as $265 billion.

To avoid becoming its victims, all organizations must strengthen their defences and, at the very least, implement the following basic precautions:

  • Employee education: Most ransomware attacks start with a phishing email containing a seemingly innocent hyperlink or attachment. When employees are aware of the risk of phishing and know how to tell phishing emails apart from legitimate ones, the risk of an organization-wide data breach becomes much lower.
  • Backup and recovery: So many victims decide to pay ransoms only because they don’t have up-to-date backups that they could use to recover encrypted data. To avoid ending up in the same unfortunate situation, organisations should proactively store at least one backup at an off-site location, ensuring it remains inaccessible to ransomware attacks that spread across the main enterprise network.
  • Access control: Most employees follow predictable patterns when completing day-to-day tasks, using the same applications and transferring data across the same storage devices. With techniques such as application whitelisting and gradual storage control, it’s possible to render even the most sophisticated strains of malware ineffective by explicitly allowing only certain software applications to access specific storage devices in specific ways.
  • Behaviour monitoring: The differences between individual strains of malware can indeed be huge, but they all fundamentally do the same thing: encrypt important files to make them inaccessible. Using behaviour monitoring software helps IT teams quickly identify suspicious activity that may indicate a ransomware attack. By spotting these warning signs early, teams can respond swiftly to contain the threat and prevent it from spreading across the network.
  • Patch management: Unpatched software often contains security vulnerabilities that ransomware attackers exploit to access protected systems. To reduce this risk, IT teams should apply patches promptly. In workplaces where employees can’t reliably update their own devices, patch management tools allow IT staff to deploy updates remotely and maintain strong security across the organisation.
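As an added illustration of the behaviour-monitoring point above (this is example code, not from the original article or any particular product), the following Python heuristic flags a process that rewrites many distinct files with ciphertext-like, high-entropy content, or renames many files, inside a short time window. The file-event log it runs over, the process IDs and the thresholds are all constructed assumptions.

```python
import math
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class FileEvent:
    ts: float          # timestamp in seconds
    pid: int           # process that performed the operation
    op: str            # "write" or "rename"
    path: str
    data: bytes = b""  # content written (only for "write")

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plain text sits around 4-5, encrypted data near 8."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def suspicious_processes(events, window=10.0, min_files=20, min_entropy=7.5):
    """Return {pid: peak file count} for processes that, within `window` seconds,
    rename or overwrite with high-entropy content at least `min_files` files."""
    by_pid = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_pid[e.pid].append(e)
    flagged = {}
    for pid, evs in by_pid.items():
        peak, start = 0, 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:   # slide window forward
                start += 1
            hot = {e.path for e in evs[start:end + 1]
                   if e.op == "rename" or shannon_entropy(e.data) >= min_entropy}
            peak = max(peak, len(hot))
        if peak >= min_files:
            flagged[pid] = peak
    return flagged

def build_sample_events():
    """Constructed log: pid 100 edits documents slowly, pid 200 mass-encrypts."""
    ciphertext = bytes(range(256)) * 16   # stand-in for encrypted output (uniform bytes)
    benign = [FileEvent(t * 2.0, 100, "write", f"/docs/report{t}.txt",
                        b"quarterly figures, revised draft") for t in range(30)]
    rogue = [FileEvent(100.0 + i * 0.1, 200, "write", f"/docs/file{i}.xlsx",
                       ciphertext) for i in range(25)]
    return benign + rogue
```

Calling `suspicious_processes(build_sample_events())` returns only the mass-encrypting process; tune `window`, `min_files` and `min_entropy` against your own baseline, since backup agents and compression jobs can also produce bursts of high-entropy writes.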

Why Managed Security Services Are Growing

Small and medium-sized organisations often struggle to implement even basic ransomware protections due to limited or non-existent in-house IT support. As a result, many are turning to managed security services (MSS) for help.

MSSPs make it possible for organisations to borrow cyber security expertise and experience as needed. That way, they can protect themselves using the same best-in-class strategies and technologies as large enterprises without losing focus on their core business. With the right MSSP, the looming threat of ransomware can be easier to defend against, but it’s still present and won’t go away anytime soon.

Ransomware Tactics Are Evolving Rapidly
Ransomware has transformed dramatically since its early days. Today’s most advanced attacks use sophisticated techniques to bypass cybersecurity defences and silently encrypt critical files. These evolving tactics make early detection and strong prevention strategies more important than ever.

Summary of Ransomware’s Future

Ransomware has been a major threat for well over a decade now.

The damage caused by a ransomware attack goes well beyond the immediate cost of losing documents and other data. It also often includes reputation costs and various penalties associated with regulatory fines. Ransomware will certainly remain a serious threat even in the foreseeable future, so organizations of all sizes must up their cyber security game to increase their chances of surviving a close encounter with it.
