Cybercriminals have been using ransomware to infect computers for decades. The first documented ransomware attack occurred as early as 1989. In the earliest attacks, the ransomware encrypted the data on the hard drive, and the malicious software alerted the user to pay a ransom for the decryption key. The frequency and sophistication of ransomware attacks have increased a great deal since the early days. Now that cybercriminals can demand Bitcoin, which is anonymous and untraceable, the threat is likely to grow exponentially.
Where did ransomware begin?
In 1989 Joseph Popp, an evolutionary biologist, sent out floppy disks infected with the ‘AIDS Trojan’ to 20,000 people attending an international AIDS conference. The infected disks claimed to contain AIDS information in the form of a questionnaire to help users find out what their risks were of contracting AIDS. After 90 reboots, the people who used the disks received a ransom demand to send $189 to a post box in Panama. After this attack, ransomware evolution was fairly slow for the rest of the 1900s.
Ransomware attacks may have been quite basic to begin with, but they have become increasingly complex and virtually impossible to trace. Today they are a very profitable source of income for many cybercriminal groups. You must look for solutions to prevent ransomware attacks and stay one step ahead in your efforts to ensure optimum cybersecurity. Advanced email security software can help to prevent email-borne threats, including ransomware attacks.
Asymmetric encryption methods
It wasn’t until the mid-2000s that the deployment of ransomware became more common. Early ransomware relied on weak symmetric encryption that could be broken; attackers gradually moved to asymmetric methods that were almost impossible to break.
In about 2006, cybercriminal groups started using asymmetric RSA encryption. For example, the GPCode ransomware attack at around that time was in the form of an email attachment disguised as a job application.
Larger scale attacks
The scale of attacks increased in the 2000s, but many of them were poorly controlled: they did not disrupt compromised networks as much as expected, and victims often didn’t comply with demands. The ransom demands were also quite low compared with those made today.
Threat groups sponsored by governments also began to use ransomware in the late 2000s. The North Korean cyber operation ‘WannaCry’ in 2017 infected over 200,000 computers globally and spread to 150 countries. The attack caused billions of dollars in damages.
The NotPetya incident in the same year was another destructive attack that made international headlines. It was subsequently attributed to Russia, which was using ransomware as a way to undermine the national infrastructure of Ukraine.
Targeting multiple victims in one attack
Attackers began to focus on targets that offer more return on investment, such as managed service providers. The Kaseya attack in 2021 affected a wide range of managed service provider customers. Breaking into one network to steal data from many victims is much more profitable than targeting a single victim.
The CyberPeace Institute analysed data on more than 235 cyberattacks in the healthcare sector across 33 countries, excluding data breaches. The analysis found that ransomware attacks dominated the widening range of threats.
Healthcare companies need to take a hard look at cybersecurity in healthcare. They need to protect information and assets from unauthorized access and use. They also need to ensure continuity of care by reducing any disruptions that can negatively affect clinical outcomes.
Double extortion
Organizations began to find more ways to protect their information and deal with ransomware attacks. Cybercriminals realized that exposing sensitive data could be more destructive to those organizations – especially those in hospitality, ecommerce or insurance – than just encrypting their data.
With double extortion, attackers exfiltrate data to a separate location before encrypting it and threaten to publish the sensitive data if the ransom demands are not fulfilled. Statistics reveal that over 1,000 companies had their data leaked after not giving in to ransom demands in 2020.
Ransomware-as-a-service (RaaS)
The RaaS model became popular because it enables operators to attack more victims with less effort. It offers those with limited technical skills the opportunity to profit from ransomware.
The RaaS model is often used by ransomware operators who need access to networks in order to deploy and position ransomware and steal data. The operators don’t gain access to victims’ networks themselves to deploy ransomware but outsource that work to affiliates.
The affiliates are individuals or small teams who partner with the operators. Affiliates then obtain access to networks in various ways, such as exploiting any network vulnerabilities, conducting phishing attacks or buying credential-based access on the dark web.
If operators can build robust ransomware that’s compatible across multiple platforms, they have the potential to target a great many victims, which increases their profitability. Most groups today require ransoms to be paid in Bitcoin, as this limits the chance of detection.
Victims of ransomware attacks may be chosen based on how easy it is to gain and maintain access to a network. The perceived extent of security controls and the annual income of a victim are other factors that affect choice.
Exponential growth
The number of organizations impacted by ransomware attacks all over the world continues to grow exponentially and increased by 102% in 2021. The speed and complexity of modern threats cannot be stopped by humans alone. Artificial intelligence (AI) is starting to play an ever-increasing role in stopping ransomware attacks, as it enables quick, informed security decision-making.
By understanding more about the tactics and techniques ransomware groups use, organizations can implement preventative controls to reduce their attack surface and frustrate opportunistic attacks. They need to apply layered security controls and test them against ransomware attack scenarios. Quick detection and response during any intrusion are also necessary to prevent as much damage as possible.
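As an added illustration of the quick detection the previous paragraph calls for (this is example code written for this page, not from the original article or any product), the heuristic below flags a process that rewrites many files with ciphertext-like (high-entropy) content in a short window, which is what the encryption stage of a ransomware intrusion looks like in file telemetry. The event tuple layout, process names, paths and thresholds are all assumptions, and the events are constructed samples.

```python
import math
from collections import defaultdict, deque


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the written content; encrypted (or compressed) output sits near 8.0."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def detect_encryption_bursts(events, window=60, min_files=5, entropy_min=7.0):
    """
    events: iterable of (timestamp_seconds, process, path, written_bytes) -- an assumed
    file-write telemetry format. A process is flagged when it writes high-entropy content
    to at least `min_files` distinct files within `window` seconds. A single high-entropy
    write (a backup archive, for instance) is deliberately not enough on its own.
    Returns {process: largest number of distinct files seen in one burst}.
    """
    flagged = {}
    recent = defaultdict(deque)  # process -> deque of (timestamp, path) high-entropy writes
    for ts, proc, path, data in sorted(events, key=lambda e: e[0]):
        if shannon_entropy(data) < entropy_min:
            continue  # looks like a plain document, not ciphertext
        q = recent[proc]
        q.append((ts, path))
        while q and ts - q[0][0] > window:  # drop writes that fell out of the window
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= min_files:
            flagged[proc] = max(flagged.get(proc, 0), len(distinct))
    return flagged


# Constructed sample events (not real telemetry): an editor saving a document, a process
# rewriting eight files with uniform random-looking bytes within seconds, and a backup
# tool writing one compressed archive.
PLAINTEXT = b"Quarterly report: revenue grew in every region. " * 8
CIPHERTEXT_LIKE = bytes(range(256)) * 4  # every byte value equally often: entropy 8.0

SAMPLE_EVENTS = (
    [(10, "winword.exe", "C:/docs/report.docx", PLAINTEXT)]
    + [(100 + i, "update_helper.exe", f"C:/docs/file{i}.docx.locked", CIPHERTEXT_LIKE) for i in range(8)]
    + [(400, "backup.exe", "D:/backup/archive.zip", CIPHERTEXT_LIKE)]
)

if __name__ == "__main__":
    print(detect_encryption_bursts(SAMPLE_EVENTS))  # {'update_helper.exe': 8}
```

Compressed archives and already-encrypted files also have high entropy, so the burst requirement (many distinct files, short window) is what keeps the false-positive rate workable; in production the thresholds would be tuned per environment.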
Conclusion
Competition keeps driving the evolution of ransomware, and traditional antivirus technology can’t keep up with the speed and sophistication of current ransomware attacks. Just as cybercriminals keep improving their attacks, organizations must evolve their protection and security against such attacks.