Ransomware is one of the few cyber security threats that have become part of common vocabulary.
A day doesn’t go by when we don’t read news about a ransomware attack preventing an organization from operating. But it wasn’t always like this.
Ransomware is a relatively young threat and understanding how it evolved to become a dominant type of malware over the last decade can help us understand it.
A Brief History of Ransomware
Ransomware is defined as a type of malware designed to block access to a computer system until a sum of money is paid. The first ransomware was created in 1989 by Harvard-taught evolutionary biologist Dr Joseph Popp.
Popp’s ransomware is commonly referred to as the AIDS Trojan because it was distributed on floppy disks titled “AIDS Information Introductory Diskette.” Popp distributed his malicious software by sending the floppy disks to addresses obtained from a mailing list.
After infection, AIDS would sit dormant until the infected computer was booted for the 90th time since the initial infection.
It would then hide directories and encrypt the names of all files on the main system drive, rendering the computer unusable.
Finally, the ransomware would display a message with payment instructions, requesting the victim to send $189 to a post office box in Panama.
Because the AIDS Trojan only encrypted file names, not files themselves, it can be described as proto-ransomware. The first malicious software utilizing proper encryption algorithms to make files inaccessible started to appear in the wild in 2005.
One notable example is PGPCoder (GPCode), which successfully implemented RSA 1024-bit encryption to render brute force decryption attempts useless. The victims of PGPCoder were asked to pay a ransom of $100–200 to an e-gold or Liberty Reserve account to regain access to their data.
While effective, PGPCoder and other early ransomware strains had limited reach. That changed with Reveton in 2012. Its widespread distribution network, and the fact that it exploited commonly used web browser plugins, allowed it to successfully target a large number of victims, many of whom decided that paying the ransom was better than the alternative.
Later versions of Reveton switched from MoneyPak to then-emerging peer-to-peer payment technology called Bitcoin. Other ransomware creators quickly realized the benefits of using the somewhat anonymous decentralized digital currency to receive ransom payments, and modern crypto-ransomware was born, with CryptoLocker being the most prominent example for that era.
Trend Micro and other cyber security software companies that monitor the evolving threat landscape often state that 2016 was the year of ransomware because the number of discovered ransomware families climbed to 247, an increase of 752 percent compared with 2015.
5 Ransomware Attacks that Made History
Here’s a short list of some of the most noteworthy ransomware attacks discovered between 2016 and now:
- Petya (2016): The primary target of the Petya ransomware attack was Ukraine, with Germany being the second hardest hit. Instead of encrypting individual files, Petya encrypts the file tables that store information about the location of files and directories on the infected storage device.
- WannaCry (2017): It’s estimated that the WannaCry ransomware attack infected as many as 300,000 computers internationally in over 150 countries. The included ransom notice demanding a payment of $300 in bitcoin was even translated into 20 different languages.
- SamSam (2018): Many ransomware strains are distributed using low-skill techniques like phishing, but not SamSam. This ransomware attack spread by exploiting vulnerabilities on poorly secured servers running JBoss (now WildFly), an application server that’s currently developed by Red Hat.
- RobbinHood (2019): The RobbinHood ransomware is single-handedly responsible for the Baltimore ransomware attack of May 2019, which prevented more than 500,000 residents from performing many routine tasks, including pulling home titles to complete real estate sales.
- DarkSide (2021): By bypassing User Account Control (UAC) in Windows, DarkSide ransomware was able to shut down Colonial Pipeline, the 5,500-mile pipeline that carries 45 percent of the fuel used on the East Coast of the United States.
What all these ransomware attacks have in common is the high cost of recovery, which is one reason why ransomware is now widely considered to be one of the most dangerous cyber threats out there.
The Current State of Ransomware
The steep growth of ransomware recovery costs is driven by two main factors:
- Continued digital transformation of organizations of all sizes: The pandemic has accelerated digital transformation across most industries as consumers moved toward online channels, forcing organizations to take advantage of available IT solutions. It’s estimated that organizations worldwide now use on average 110 Software as a Service (SaaS) applications. Together with Platform as a Service (PaaS) and Infrastructure as a Service (IaaS) solutions, they give organizations the agility they need to embrace new hybrid work arrangements and flexibly adjust infrastructure as needed.
- Increasing sophistication of ransomware attacks: Long gone are the days of the AIDS Trojan and its fairly primitive approach to file name encryption. Ransomware creators today use a combination of sophisticated tactics to make the malicious software they produce harder to detect and more capable of causing real damage. In fact, ransomware attacks have become so sophisticated that more than half of IT decision-makers surveyed by Sophos believe they are now too advanced for their IT team to handle on their own.
Although the sky-high cost of ransomware recovery may seem to suggest that ransomware attacks affect mostly large enterprises, government organizations, and critical infrastructure providers, the fact is that small and medium-sized businesses (SMBs) are now under attack as much as everyone else.
Ransomware Isn’t Going Away Anytime Soon
Because of how profitable ransomware continues to be for its creators, we can’t reasonably expect this cyber threat to go away anytime soon.
Cybersecurity Ventures estimates that there will be a new ransomware attack every two seconds by 2031, with ransomware damages costing the world as much as $265 billion.
To avoid becoming its victims, all organizations must strengthen their defences and, at the very least, implement the following basic precautions:
- Employee education: Most ransomware attacks start with a phishing email containing a seemingly innocent hyperlink or attachment. When employees are aware of the risk of phishing and know how to tell phishing emails apart from legitimate ones, the risk of an organization-wide data breach becomes much lower.
- Backup and recovery: So many victims decide to pay ransoms only because they don’t have up-to-date backups that they could use to recover encrypted data. To avoid ending up in the same unfortunate situation, organizations should have at least one backup at an off-site location that can’t be reached by a ransomware attack spreading from one device to the next across the main enterprise network.
- Access control: Most employees follow predictable patterns when completing day-to-day tasks, using the same applications and transferring data across the same storage devices. With techniques such as application whitelisting and granular storage control, it’s possible to render even the most sophisticated strains of malware ineffective by explicitly allowing only certain software applications to access specific storage devices in specific ways.
- Behaviour monitoring: The differences between individual strains of malware can indeed be huge, but they all fundamentally do the same thing: encrypt important files to make them inaccessible. When behaviour monitoring software is used to detect behaviours that suggest ransomware activity, noticing that something fishy is going on and reacting in a timely manner to prevent further spread of the attack becomes much easier.
- Patch management: Unpatched software may contain security vulnerabilities that can be exploited by ransomware creators to gain access to protected resources, so patching it as soon as possible is critically important. In environments where employees can’t be reasonably expected to keep their devices up to date on their own, patch management tools can be used to help IT teams install patches remotely.
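The behaviour monitoring precaution above rests on one observation: whatever the strain, ransomware rewrites many files in a short time, and what it writes looks random. The following is an added example, not code from the original article, of a toy monitor that applies two such heuristics (near-random write content, and renames that change the file extension) over a constructed stream of file events; the thresholds, the `FileEvent` shape and the sample paths are assumptions for illustration.

```python
import math
import os
import random
from collections import Counter, defaultdict, deque
from dataclasses import dataclass

@dataclass
class FileEvent:
    ts: float          # seconds since monitoring started
    pid: int           # process performing the operation
    action: str        # "write" or "rename"
    path: str
    new_path: str = "" # target of a rename
    data: bytes = b""  # bytes written
def shannon_entropy(data: bytes) -> float:
    """Bits per byte: text sits near 4, encrypted or compressed data near 8."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0
def is_suspicious(ev: FileEvent, entropy_threshold: float = 7.0) -> bool:
    """Two cheap tells: writing near-random bytes, or renaming a file to a different extension."""
    if ev.action == "write":
        return shannon_entropy(ev.data) >= entropy_threshold
    if ev.action == "rename":
        return os.path.splitext(ev.path)[1] != os.path.splitext(ev.new_path)[1]
    return False
def detect_ransomware_like(events, window: float = 10.0, min_hits: int = 20) -> set:
    """Return pids with at least min_hits suspicious operations inside any window of seconds."""
    recent = defaultdict(deque)   # pid -> timestamps of recent suspicious operations
    flagged = set()
    for ev in sorted(events, key=lambda e: e.ts):
        if not is_suspicious(ev):
            continue
        q = recent[ev.pid]
        q.append(ev.ts)
        while ev.ts - q[0] > window:  # drop hits that fell out of the sliding window
            q.popleft()
        if len(q) >= min_hits:
            flagged.add(ev.pid)
    return flagged

def build_sample_events() -> list:
    """Constructed sample: pid 100 edits three memos; pid 200 overwrites and renames 12 reports."""
    rng = random.Random(7)
    memo = b"Q3 revenue summary: stable, see attached spreadsheet.\n" * 20
    events = [FileEvent(t, 100, "write", f"/srv/docs/memo{i}.txt", data=memo) for i, t in enumerate((0.5, 2.0, 4.5))]
    for i in range(12):
        blob = bytes(rng.getrandbits(8) for _ in range(1024))   # stands in for ciphertext
        events.append(FileEvent(1.0 + i * 0.2, 200, "write", f"/srv/docs/report{i}.docx", data=blob))
        events.append(FileEvent(1.1 + i * 0.2, 200, "rename", f"/srv/docs/report{i}.docx", f"/srv/docs/report{i}.docx.locked"))
    return events
```

Running `detect_ransomware_like(build_sample_events())` flags only pid 200; a real deployment would feed it events from an EDR or file-system audit source and tune `window` and `min_hits` against the organisation's normal file activity.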
Because the implementation of even these basic ransomware precautions can be a substantial challenge for small and medium-sized organizations with limited or no in-house IT staff, the managed security services (MSS) market is projected to nearly double in size from 2021 to 2026.
MSSPs make it possible for organizations to borrow cyber security expertise and experience as needed. That way, they can protect themselves using the same best-in-class strategies and technologies as large enterprises without losing focus on core business. With the right MSSP, the looming threat of ransomware can be easier to defend against, but it’s still present and won’t go away anytime soon.
Summary of Ransomware’s Future
Ransomware has been a major threat for well over a decade now. Since its early days, ransomware has evolved almost beyond recognition, and the most sophisticated attacks detected in the wild today employ all kinds of clever tricks and techniques to get past cyber security defences undetected and encrypt as many important files as possible.
The damage caused by a ransomware attack goes well beyond the immediate cost of losing documents and other data. It also often includes reputation costs and various penalties associated with regulatory fines. Ransomware will certainly remain a serious threat even in the foreseeable future, so organizations of all sizes must up their cyber security game to increase their chances of surviving a close encounter with it.