A brief history of the evolution of ransomware

Wondering how bad the ransomware problem currently is? In a recent report titled Ransomware: The True Cost to Business, we noted that a ransomware attack occurs roughly every 11 seconds. That rate works out to approximately 3 million ransomware attacks in a year.

Let that sink in. We're not talking about the number of encrypted files or of organizations affected; that's 3 million distinct ransomware attacks against organizations.

Cybereason recently released a follow-up research report, titled Organizations at Risk: Ransomware Attackers Don't Take Vacation, which focuses on the threat that ransomware attacks launched on weekends and holidays pose to organizations as the holiday season approaches.

A threat for 30 years

The majority of organizations that have experienced a ransomware attack report a significant impact on the business, including loss of revenue, damage to the organization's brand, unplanned downsizing, and even the complete shutdown of the business.

So far, more than 200 ransomware attacks have made headlines in 2021, and those are only the attacks that have been publicly acknowledged. To understand how we got here, we need to look at how the threat has evolved over the years:

1989: the birth of ransomware

Let's go back to 1989, when the first documented case of ransomware emerged. In December of that year, Harvard-trained evolutionary biologist Dr. Joseph Popp mailed 20,000 trojan-infected floppy disks to people who had attended the World Health Organization's international AIDS conference in Stockholm.

Once loaded onto a computer, the malware waited through a number of reboots (90, by most accounts), then hid directories and encrypted file names, and informed victims that they could restore access to their files only by sending $189 to a PO box in Panama.

Dr. Popp eventually caught the attention of the authorities at Schiphol airport around two weeks after the attack. Law enforcement later arrested the evolutionary biologist at his parents' home and extradited him to the UK, where he faced 10 counts of blackmail and criminal damage for distributing what is now called the "AIDS Trojan".

2007: The first variants of Locker ransomware appear

Almost 20 years after the AIDS Trojan incident (covered in the Malicious Life podcast), the first variants of locker ransomware appeared on the threat landscape. According to researchers at Kennesaw State University, these early versions targeted users in Russia by "locking" victims' machines and preventing them from using basic functions such as the keyboard and mouse.

After displaying an "adult image" on the infected computer, the ransomware instructed victims to call a premium-rate phone number or send a premium SMS in order to pay the attackers' ransom demand.

2013 – CryptoLocker ushers in modern crypto-ransomware

In 2013, Naked Security learned that a new ransomware threat called "CryptoLocker" was installing itself in the "Documents and Settings" folder on victims' Windows machines and adding a registry entry so that it would run at startup (also covered in the Malicious Life podcast).

After connecting to one of its hard-coded command-and-control (C&C) servers, the malware registered its victim and received a public key; the matching private key was generated and kept on the attackers' server and never reached the infected machine. The malware then used the public key to encrypt the victim's documents, spreadsheets, images, and other files before displaying its ransom note. The note informed the victim that they had 72 hours to pay a $300 ransom, not even pennies on the dollar compared to current ransom demands, which run into the tens of millions.

Crypto-ransomware attacks of this kind multiplied in the years that followed. According to researchers at Kennesaw State University, the FBI estimated that victims had paid CryptoLocker's operators $27 million by the end of 2015.
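As an added illustration (this is not code from the original article or from Cybereason, and it is not CryptoLocker's own implementation), the Go program below models the key hierarchy that makes this design work: the RSA key pair lives on the operator's server, the victim's machine only ever receives the public key, each file is encrypted with a fresh symmetric key that is then wrapped with that public key, and the decryptor is useless until the server releases the unwrapped key. The type and function names, the sample document, and the choice of AES-256-GCM with RSA-2048-OAEP are assumptions made for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// OperatorServer models the attacker-side C&C (assumed, simplified model).
// The RSA key pair is generated here and the private half never leaves it.
type OperatorServer struct {
	priv *rsa.PrivateKey
}

func NewOperatorServer() (*OperatorServer, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &OperatorServer{priv: priv}, nil
}

// PublicKey is all the malware downloads after checking in.
func (s *OperatorServer) PublicKey() *rsa.PublicKey { return &s.priv.PublicKey }

// UnwrapFileKey is what the victim pays for: the per-file key, recovered with
// the private key that exists only on the server.
func (s *OperatorServer) UnwrapFileKey(wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, s.priv, wrapped, nil)
}

// EncryptedFile is everything that remains on the victim's disk afterwards.
type EncryptedFile struct {
	WrappedKey []byte // random AES-256 key, RSA-OAEP encrypted to the operator's public key
	Nonce      []byte // 96-bit GCM nonce
	Ciphertext []byte // AES-GCM output (plaintext + 16-byte tag)
}

// EncryptFile is the victim-side routine: a fresh key per file, the file sealed
// with it, the key wrapped with the public key, then the plaintext key wiped.
func EncryptFile(pub *rsa.PublicKey, plaintext []byte) (*EncryptedFile, error) {
	buf := make([]byte, 32+12) // AES-256 key followed by a GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	key, nonce := buf[:32], buf[32:]
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	for i := range key { // no copy of the plaintext key stays on the machine
		key[i] = 0
	}
	return &EncryptedFile{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// DecryptFile is the "decryptor" handed back to the victim; it only works with
// the key the operator unwraps. Any other key fails GCM authentication.
func DecryptFile(key []byte, ef *EncryptedFile) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, ef.Nonce, ef.Ciphertext, nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	srv, err := NewOperatorServer()
	if err != nil {
		panic(err)
	}
	// Constructed sample document standing in for a victim's file.
	ef, err := EncryptFile(srv.PublicKey(), []byte("constructed sample: Q3 board minutes"))
	if err != nil {
		panic(err)
	}
	// The victim holds the wrapped key and the public key; neither decrypts anything.
	_, err = DecryptFile(make([]byte, 32), ef)
	fmt.Println("without the operator's private key:", err)
	key, _ := srv.UnwrapFileKey(ef.WrappedKey) // released only after payment
	pt, _ := DecryptFile(key, ef)
	fmt.Printf("after the key is released: %q\n", pt)
}
```

The point the model makes is the one defenders had to absorb in 2013: nothing on the infected machine can undo the encryption, because the only key material left on disk is a 256-byte RSA ciphertext of the file key, not the file key itself. Restoring from offline backups, not key recovery, is the practical answer, which is exactly the gap the double-extortion tactic described later was designed to close.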

2018 – Ransomware players embrace big game hunting

Starting in 2018, the FBI observed a drop in indiscriminate ransomware attacks. Its analysts saw those campaigns give way to operations targeting specific organizations, particularly state and local governments, healthcare entities, industrial companies and transportation organizations.

Ars Technica reported that many ransomware groups had gone "big game hunting": encrypting the data of high-value organizations and disrupting their operations so that they could demand a much higher ransom. The Ransomware: The True Cost to Business report mentioned above highlights some of the impacts these attacks can have on organizations, including:

    • Loss of business revenue: 66% of organizations reported significant revenue loss as a result of a ransomware attack.
    • Brand and Reputation Damage: 53% of organizations reported that their brand and reputation were damaged as a result of a successful attack.
    • Loss of C-level talent: 32% of organizations reported losing C-level talent due to ransomware attacks.
    • Employee layoffs: 29% said they were forced to lay off employees due to financial pressures following a ransomware attack.

2019 – Maze Ransomware Gang invents double extortion

Towards the end of November 2019, Bleeping Computer received a message from a known email address used by the Maze ransomware gang. The message informed the tech news site that the Maze group had breached a security staffing company, stealing its data in the clear before encrypting its files. To prove the claim, the attackers sent the company a sample of the stolen files and, shortly afterwards, published 700MB of its data online.

Other ransomware groups adopted this "double extortion" technique in the months that followed. In doing so, they gave themselves leverage even over organizations with a sound backup strategy: victims could use their backups to restore encrypted machines, but a backup does nothing to undo the theft of the data.

The attackers therefore demanded two ransom payments from their victims: one for the decryption of their data and the other for the deletion of the stolen information from the attackers' servers.

The rise of complex RansomOps

In a recent blog post, we discussed how today's more complex RansomOps attacks are more akin to stealthy APT-style operations than to the older "spray and pray" mass email spam campaigns listed above. The article also discussed the larger ransomware economy at work, made up of actors that each have their own specialization.

These actors include Initial Access Brokers (IABs), who lay the groundwork for a ransomware attack by infiltrating a network and moving laterally to maximize the potential impact, and Ransomware-as-a-Service (RaaS) operators, who provide attack infrastructure to the affiliates who carry out the attacks.

This depth of compromise puts RansomOps attackers in a position to demand far larger ransoms, and RansomOps typically combine several extortion techniques, such as the double extortion tactic discussed above.

Some groups have gone further. In mid-September, for example, Bleeping Computer reported that the Grief ransomware gang had begun threatening to delete a victim's decryption key if the victim hired someone to negotiate the ransom demand on their behalf. This follows threats by the RagnarLocker group to publish a victim's data if the victim notifies the FBI or local law enforcement of the infection, according to Threatpost.

Defending against ransomware and RansomOps

Organizations can defend against ransomware and RansomOps from the earliest stages of an attack. Keep in mind that the ransomware payload is the final stage of a RansomOps attack: there are weeks or even months of detectable activity before the payload is delivered, during which the attack can be thwarted before it has a serious impact on the targeted organization.

The key to ending ransomware attacks is to minimize the time between a RansomOps attack first entering your environment and the security team detecting and stopping it.

Cybereason Predictive Ransomware Protection is able to detect the first signs of a ransomware operation and perform automated prevention in milliseconds. With the ability to block hidden ransomware, along with the addition of artificial intelligence on every endpoint, encryption prevention, recoverability, and kernel-to-cloud visibility, Cybereason’s predictive ransomware protection represents the most powerful ransomware defense available on the market.

That's why Cybereason is the only security provider that remains undefeated in the fight against ransomware, protecting every customer against threats like the DarkSide ransomware that shut down Colonial Pipeline, the REvil ransomware that disrupted meat-packing giant JBS and IT service provider Kaseya, the LockBit ransomware that hit Accenture, and every other ransomware family.

Predictive Protection means Cybereason terminates ransomware with the highest degree of confidence based on the subtle behaviors and activity of the attackers. We see what the others are missing and deduce the attacker’s next move without manual intervention from the defenders.

Cybereason is committed to teaming up with defenders to stop ransomware attacks at the endpoint, across the enterprise, wherever the battle is. Learn more about Cybereason Predictive Ransomware Protection, browse our ransomware defense resources, or schedule a demo today to see how your organization can benefit from an operations-centric approach to security.