Ransomware has grown to become a potential threat for all organizations, sparing no industry or size bracket in its goal to capture files and other company assets. Where theres data, theres an opening for threat actors to hold this sensitive information ransom and demand payment for its release.
Its imperative for all organizations to have a plan for how to prevent and respond to ransomware attacks. But in order to understand how to prepare today, its also necessary to understand how ransomware has evolved to reach its current state.
The first ransomware attack is generally regarded as the AIDS trojan. It is named for the 1989 World Health Organization (WHO) AIDS conference, at which biologist Joseph Popp handed out 20,000 infected floppy discs to event participants. After a user had booted up ninety times, the names of the users files would be encrypted and the below message would appear, asking victims to send US$189 to a PO box in Panama. The ransomware was relatively easy to remove using online decryptor tools.
After this first event, no notable developments in the field of ransomware took place until 2005, when ransomware reemergedthis time using secure asymmetric encryption. The Archiveus trojan and GPcode were the most notable of these early ransomwares. GPcode attacked Windows operating systems, first using symmetric encryption and later, in 2010, using the more secure RSA-1024 to encrypt documents with specific file extensions.
The Archiveus trojan, the first ransomware to use RSA, encrypted all files in the My Documents folder. They could be decrypted with a thirty-digit password provided by the threat actor after the ransom was paid.
Despite the effectiveness of these encryption algorithms, early ransomware variants had relatively simple code, which allowed antivirus companies to identify and analyze them. The Archiveus password was cracked in May 2006, when it was found in the source code of the virus. Similarly, until GPcode switched to RSA, file recovery was often possible without a password, leading cybercriminals to prefer hacking, phishing, and other threat vectors.
In 2009, the Vundo virus emerged, which encrypted computers and sold decryptors. Vundo exploited vulnerabilities in browser plugins written in Java, or downloaded itself when users clicked on malicious email attachments. Once installed, Vundo attacked or suppressed antimalware programs such as Windows Defender and Malwarebytes.
Shortly after, in 2010, the WinLock trojan emerged. Ten cybercriminals in Moscow used the software to lock victims computers and to display pornography until the victims sent them roughly $10 in rubles. The group was arrested in August the same yearthough the scheme first garnered US$16 million.
In 2011, the software was upgraded to pretend to be the Windows Product Activation system. The malware seemed to be requiring a reinstall of the software due to fraudulent use, and ultimately extorted data from victims.
Reveton ransomware, which emerged in 2012, was a type of scareware that displayed messages to its victims claiming that it was US law enforcement and that the user had been detected viewing illegal pornography. In some cases, it activated the users camera to imply that the user had been recorded. It also demanded that the victim pay in order to avoid prosecution.
A variant of this ransomware also emerged for Mac, although it was not cryptographic. It was made up of 150 identical iframes that each had to be closed, so the browser appeared to be locked.
As more ransomware variants emerged, the number of recorded ransomware attacks increased nearly fourfold from 2011 to 2012.
In the second half of 2013, CryptoLocker emerged. CryptoLocker was a pioneer in several ways: It was the first ransomware to be spread by botnetin this case the Gameover Zeus botnetthough it also used more traditional tactics, such as phishing. Also notable was that CryptoLocker used 2048-bit RSA public and private key encryptions, rendering it especially difficult to crack. CryptoLocker was not stopped until its associated botnet, Gameover Zeus, was taken down in 2014.
The first true ransomware for Mac, FileCoder, was also discovered in 2014, although it was later found to have originated as early as 2012. The malware was never finished, as, although it encrypted files and demanded payment, the only files it encrypted were its own.
Other noncryptographic attacks on Mac infrastructure were more successful that year. 2014 also saw the Oleg Pliss attack, in which a threat actor used stolen Apple account credentials to log in to accounts and then used those accounts to remotely lock iPhones, using the find my iPhone feature. They then demanded a ransom for the phone to be unlocked.
Just as Oleg Pliss targeted iPhones, 2014 also saw the first cryptographic attack on mobile devices, with Spyeng targeting Android. Spyeng also sent messages to everyone in the victims contacts list with a download link to the ransomware.
The first successful cryptographic ransomware attack on Mac was in 2016, and was known as KeRanger. Tied to version 2.90 of the torrenting client Transmission, the ransomware locked a victims computer until 1 bitcoin (US$400 at the time) was paid to threat actors.
Another ransomware for Mac, Patcher, aka filezip, emerged in February 2017. It also infected users via torrenting, in this case by pretending to be a cracker for popular software programs such as Office 2016 or Adobe Premiere CC 2017. Notably, due to flaws in its design, Patcher could not be decrypted, whether the ransom was paid or not.
The success of CryptoLocker led to a significant increase in ransomware varieties. CryptoWall emerged as a successor to CryptoLocker, becoming known in 2014, although it had actually been circulating since at least November 2013. Spread largely through spam phishing emails, by March 2014 CryptoWall had become the leading ransomware threat. CryptoWall proved especially tenacious, and some reports suggest that by 2018 it had caused US$325 million of damage.
By 2016 ransomware variants were becoming increasingly frequent. The first ransomware- as-a-service (RaaS) variants emergedpartnerships in which one group writes the ransomware code and collaborates with hackers, who find vulnerabilities in systems. Some of the better-known were Ransom32 (the first ransomware to be written in JavaScript), shark (which was hosted on a public WordPress site and made available on the basis of an 80/20 split, distributors favor), and Stampado (which was available for just $39).
2016 also saw the emergence of the well-known Petya ransomware. Initially the ransomware was less successful than CryptoWall, but on June 17, 2017, a new variant emerged, dubbed notPetya by Kaspersky to differentiate it from the original version. It began in Ukraine and quickly spread worldwide via the EternalBlue Windows vulnerability discovered by the NSA. According to the White House, NotPetya was responsible for US$10 billion in damage. The governments of the United States, United Kingdom, and Australia blame Russia for the malware.
LeakerLocker, a mobile ransomware for Android, also emerged in 2017. Unlike more traditional ransomware, LeakerLocker did not actually encrypt any files. Embedded in malicious applications on the Play Store that requested elevated permissions, LeakerLocker displayed sample data from the users phone and claimed it would send the users entire phone contents to every person in their contacts list if a ransom was not paid.
WannaCry ransomware, one of the best-known crypto ransomwares, also emerged in 2017. Like notPetya, WannaCry spread via the EternalBlue exploit. After emerging in May 2017 it infected about 230,000 computers in 150 countries, causing $4 billion in damage. Although Microsoft had already released a patch for this exploit two months before the emergence of WannaCry, many users had not updated their systems, so the ransomware was able to spread.
Related Reading: Linguistic Analysis of WannaCry Ransomware Messages Suggests Chinese-Speaking Authors
The ransomware would likely have been far more damaging had it not been halted a few days after the attack began by the efforts of Marcus Hutchins, who discovered that the ransomware had a built-in kill switch that could be activated. Despite Hutchins role in stopping the global outbreak of WannaCry, he was subsequently arrested and imprisoned by the FBI for unrelated hacking charges. Several major governments attributed WannaCry to North Korea.
January 2018 was a watershed moment for ransomware, marking the emergence of GandCrab. Although GandCrab by itself was not particularly unusual, the developers continued to release more and more advanced versions and eventually integrated it with the Vidar information-stealing malware, producing a ransomware that both stole and locked a victims files. GandCrab quickly became the most popular RaaS, and the most active strain of ransomware between 2018 and 2019.
Team Snatch, a team of threat actors that emerged in 2018, was a partner of GandCrab, and ushered in the new trend of publishing victim data in order to extort payment. Team Snatch began to publish victim data in April 2019. Snatch was formed by threat actor Truniger, who operated on Exploit. On April 28, 2019, Truniger posted on Exploit that Citycomp, one of their victims, had refused to pay a ransom and would therefore have their data publicly posted.
However, GandCrab ransomware is now no longer used after the developers announced they would be retiring on June 1, 2019, and the FBI released decryption keys for the ransomware in July 2019.
Although Team Snatch disappeared in 2019 following a dispute on the Exploit forum, their actions set the stage for Maze ransomware and the rise of the leaks sites.
In November 2019, the Maze ransomware group leaked 700 MB worth of documents stolen from Allied Universal in an attempt to pressure them and future victims into paying the ransom. This set off a trend of ransomware groups establishing leaks sites to pressure their victims. By publishing stolen data, ransomware operators expose a victim to additional financial loss if, for example, sensitive financial data, customer personally identifiable information (PII), or trade secrets are exposed.
This additional leverage can be especially effective if a victim has backed up their dataand therefore lacks an incentive to pay extortionists for a decryption key alone. The new technique ultimately means that backing up data no longer mitigates the threat of ransomware attacks.
This new technique has vastly increased the visibility of ransomware, and appears to have increased its popularity as well. In 2020 the NetWalker group alone made over $25 million.
Since Maze ransomware began posting victim data, other ransomware groups have posted their own sites. Several of these ransomware families emerged out of prior partnerships, with adverts gaining experience collaborating with a ransomware group before setting up their own. The increased visibility has also led to cooperation between the ransomware groups, with Maze forming a cartel of ransomware groups that share tactics, techniques, and procedures (TTPs) and resources.The Sodinokibi ransomware family has been another notable actor in this space. Sodinokibi emerged to fill the space that was left when the GandCrab threat actors retired. Run by the REvil collective, it has become one of the most damaging ransomware groups, with more victims posted than any provider other than Maze.
Today, ransomware continues to threaten organizations and accounted for over $42.9 million in losses in 2021 according to the FBIs 2021 Internet Crime Report. Beyond the headlines, it is something companies of every size and in every sector must be aware ofdedicated and well-researched protocols for what to do in the event of an attack have become a mission part of every organizations security and defense arsenal.
Recommended Reading: Top 10 Ransomware Trends: Board Responsibilities, Tracking Ransomware, and Mitigating Risk in 2022
The rise of ransomware was a gradual process spanning more than thirty years. Its popularity was influenced both by the technologies supporting it, such as encryption methodologies and malware integration, and the technologies around it, such as Bitcoin and the anonymous Tor network, that allowed it to grow from a tool used by a single hacker or group into one run by a collective.
Although ransomware has not replaced other forms of malware per se, it has become an increasingly popular choice for threat actors as the barrier to entry becomes lower. Whereas a ransomware attack used to require years of development, cryptography, and penetration testing experience to execute, and would yield only a moderate profit, RaaS programs now proliferate on illicit and underground web forums, allowing threat actors to partner with ransomware authors easily and cheaply. Furthermore, these RaaS programs are highly developed, with user dashboards, guides, and technical support.
Finally, the payoff is getting bigger. As tools such as Cobalt Strike and Metasploit automate advanced penetration testing, and illicit communities such as Genesis Market offer increasingly advanced access to corporate networks, access to corporations is becoming more available, and ransomware demands bigger and more profitable. The integration of ransomware with data exfiltration allows for even higher ransoms, by threatening legal action for the victim corporation. For all these reasons, ransomware continues to grow in both its influence and destructive capacity.
Your organizations data, infrastructure, and personnel are valuabledont let threat actors take advantage of them. Sign up for a free trial and see firsthand how Flashpoint cybersecurity technology can help your organization access critical information and insight into ransomware actors and their tactics, techniques, and procedures (TTPs).
Original post:
The Evolution of Ransomware: Understanding Its Past, Present, and Future - Security Boulevard
- Nexus Of Mathematics, Cryptography, Blockchain Will Redefine Technological Innovation Expert - New Telegraph Newspaper - May 15th, 2024
- What is the purpose of post-quantum cryptography? - Security Boulevard - March 21st, 2024
- Quantum Computing and Networking Poised to Revolutionize Cryptography - BroadbandBreakfast.com - March 21st, 2024
- TM Technologies and Quantum Resistant Cryptography Team Up to Increase Speed and Security of 5G/6G, Satellite ... - Yahoo Finance UK - March 5th, 2024
- Cryptology | Definition, Examples, History, & Facts | Britannica - February 1st, 2024
- What Is Moore's Law, And How Does It Impact Cryptography? - Blockchain Magazine - January 24th, 2024
- Cryptography 101: Key Principles, Major Types, Use Cases ... - Splunk - December 11th, 2023
- Federal agencies take 'most important' first step with inventorying cryptography ahead of quantum migration, OMB ... - FedScoop - December 11th, 2023
- What is Cryptography? - Cryptography Explained - AWS - January 30th, 2023
- What is Cryptography? Definition, Importance, Types | Fortinet - January 22nd, 2023
- What is cryptography? How algorithms keep information secret and ... - CSO - January 22nd, 2023
- What is Cryptography? Definition from SearchSecurity - January 22nd, 2023
- System.Security.Cryptography.CryptographicException: The payload was ... - December 28th, 2022
- NIST Action Will Heat Up Post-Quantum Cryptography Market: Report - TechNewsWorld - December 12th, 2022
- Global Encryption Day: Why quantum-safe cryptography is the future of cybersecurity - World Economic Forum - October 23rd, 2022
- Post-Quantum Cryptography: Anticipating Threats and Preparing the Future - ENISA - October 23rd, 2022
- Cracking the code of cryptography and life The Irish Times - The Irish Times - October 15th, 2022
- Dutch influence standards for post-quantum cryptography - ComputerWeekly.com - October 15th, 2022
- Castle Shield Holdings, LLC Updates the Post-Quantum Cryptography (PQC) Algorithms for Its Data-in-Motion Aeolus VPN Solution - Business Wire - October 15th, 2022
- Yale increases investment in blockchain research - Yale Daily News - October 15th, 2022
- OPPO joins the FIDO Alliance, accelerating the arrival of a new era of passwordless sign-ins - Yahoo Finance - October 15th, 2022
- It's Time To Trust Crypto. Here's Why. - Entrepreneur - October 15th, 2022
- Algorand (ALGO) on its journey to breach the $0.4 mark! - CryptoNewsZ - October 15th, 2022
- Crypto Hackers Gross Over $3 Billion From 125 Hacks so Far This Year Featured Bitcoin News - Bitcoin News - October 15th, 2022
- Bitt and IDEMIA: Winners of the G20 Central Bank Digital Currency TechSprint 2022 - Yahoo Finance - October 15th, 2022
- White House Releases First-Ever Comprehensive Framework for Responsible Development of Digital Assets - Lexology - October 15th, 2022
- The Web3 Foundation taps edX for free courses on blockchain and Polkadot - Cointelegraph - October 15th, 2022
- CoinGeek Weekly Livestream: Jad Wahab and Marcin Zarakowski discuss honest nodes and their role in Bitcoin - CoinGeek - October 15th, 2022
- What Is Cryptography? Definition & How It Works | Okta - October 7th, 2022
- What Is Cryptography in Cyber Security: Types, Examples & More - October 7th, 2022
- Decentralized Identifiers (DIDs) is Officially an Internet Standard, Says The World Wide Web Consortium (W3C) - bitcoinke.io - October 7th, 2022
- Cloudflares post-quantum cryptography protects almost a fifth of the internet - VentureBeat - October 7th, 2022
- Nobel Prize in Physics goes to scientists who paved the way for quantum computing - Space.com - October 7th, 2022
- The 2nd Annual Encryption Consulting Conference is Back! - PR Newswire - October 7th, 2022
- Quantum Computing And The Threat Posed To Bitcoin - The Dales Report - October 7th, 2022
- Cryptocurrency users with gambling affinity are more involved mentally and financially than non-gambling users - PsyPost - October 7th, 2022
- Cardano (ADA) and Algorand (ALGO) Are Two Blockchains To Watch Next Bull Cycle, Says Coin Bureau Here?... - The Daily Hodl - October 7th, 2022
- The Guardian view on the Rosetta Stone: a monument to code-breaking - The Guardian - October 7th, 2022
- Still think everything is awful? Here are three reasons for hope - Colorado Newsline - October 7th, 2022
- Sleep Disorders And Quantum Cryptography Win Big At The Breakthrough Prizes 2023 - IFLScience - September 29th, 2022
- Lecturer in Cryptography job with KINGS COLLEGE LONDON | 310005 - Times Higher Education - September 29th, 2022
- Microsoft venture fund M12 invests millions in advancing cryptography and 'smart contracts' - OnMSFT.com - September 29th, 2022
- Sectigo's Chief Strategy Officer and CISO Advisor David Mahdi Accepted To Fast Company Executive Board - StreetInsider.com - September 29th, 2022
- Fundamental Cryptography in Theory and Python - iProgrammer - September 21st, 2022
- Web Crypto API - Web APIs | MDN - Mozilla - September 21st, 2022
- Cryptomathic appoints Laurent Lafargue as CEO of the pioneer in cryptography - FinanceFeeds - September 21st, 2022
- Blockchain and POW are the leading technology behind Bitcoin. - Deadline News - September 21st, 2022
- NTT Research Names Takashi Goto Head of the Technology Promotion Team - Business Wire - September 21st, 2022
- Investigating the Use of Blockchain to Authenticate Data from the Statistics Canada Website - Statistique Canada - September 21st, 2022
- 6 Technological Innovations in the New York Sports Betting Industry - Qrius - September 21st, 2022
- EMVCo reports on the future of contactless payments - NFC World - September 13th, 2022
- Quantum eMotion to Present at the H.C. Wainwright 24th Annual Global Investment Conference in New York - Digital Journal - September 13th, 2022
- The emerging role of cybersecurity in the automotive sector - The Financial Express - September 13th, 2022
- Jack Dorseys Web5 is a solution to a problem thats already been solved - VentureBeat - September 5th, 2022
- What is Cryptography in security? What are the different types of ... - September 5th, 2022
- RKVST Launches RKVST Free and RKVST Team SaaS Supply Chain Integrity, Transparency and Trust Solution - Business Wire - September 5th, 2022
- The United States Is Behind the Curve on Blockchain - War on the Rocks - September 5th, 2022
- $3.7 Billion Worldwide Blockchain in Retail Industry to 2027 - Featuring Cognizant, Infosys and Oracle Among Others - ResearchAndMarkets.com -... - September 5th, 2022
- Research Fellow in Applied Cryptography And Data Security job with UNIVERSITY OF SURREY | 306274 - Times Higher Education - August 28th, 2022
- ASPG, Inc. Announces Release of CryptoZ, Innovative New z/OS Cryptography Reporting and Administration Sy - Benzinga - August 28th, 2022
- UN: monitoring the use of cryptography can make the Internet safer - The Cryptonomist - August 20th, 2022
- Keyfactor Named to the 2022 Inc. 5000 List for Third Consecutive Year and Recognized as the Fastest Growing PKI and Cryptography Leader in America -... - August 20th, 2022
- Cryptography 101: Giving a framework to the brimming blockchain businesses of India - Times of India - August 20th, 2022
- Godfather of Crypto expresses concerns over current state of blockchain privacy - CryptoSlate - August 20th, 2022
- Nine Benefits of FIDO Authentication | HYPR - Security Boulevard - August 20th, 2022
- Now That Authorities Have Sanctioned Tornado Cash, Is Bitcoin Next? - Bitcoin Magazine - August 20th, 2022
- Meet the world's first carbon-negative blockchain - wknd. - August 20th, 2022
- 'FutureFi': Crypto is transforming the green finance universe | Greenbiz - GreenBiz - August 20th, 2022
- Philippine Regulator Warns the Public of Engaging With Foreign Crypto Service Providers Regulation Bitcoin News - Bitcoin News - August 20th, 2022
- What Is Cryptography: Definition and Common Cryptography Techniques - August 12th, 2022
- What is Cryptography? Types of Algorithms & How Does It Work? - August 12th, 2022
- What is Cryptography? - Kaspersky - August 12th, 2022
- Former Google CEO: Bitcoin is a remarkable achievement of cryptography - The Cryptonomist - August 12th, 2022
- Protect your privacy with cybersecurity and cryptography - Geeky Gadgets - August 12th, 2022
- Saving Private Keys From The Courts - Bitcoin Magazine - August 12th, 2022
- NTT Research and NTT Corporation Engage in Breakthrough Research at Crypto 2022 - Business Wire - August 12th, 2022
- Can WhatsApp messages be secure and encryptedbut traceable at the same time? - EurekAlert - August 12th, 2022
- Why 2023 is the year of passwordless authentication - TechTarget - August 12th, 2022
- Sony unveils a new way to protect images from theft, manipulation - Popular Photography - August 12th, 2022
- Cameron Whitehead wins again, taking top honors in the CyberForce Program's Conquer the Hill Reign Edition Competition - EurekAlert - August 12th, 2022