Ransomware is a type of malicious software that encrypts its victim’s systems and data, and demands payment for their release. It typically spreads through phishing scams and system vulnerabilities.
In a ransomware attack, the hacker leaves a note threatening to permanently delete sensitive information unless the victim gives in to the hacker’s demands. The note typically sets a short deadline and gives specific instructions on how to pay.
Over the years, ransomware has grown to become one of the most dangerous forms of malware, affecting businesses in Chicago, Tampa, and the rest of the world. Here’s a brief history of the evolution of ransomware.
The birth of ransomware
The first recorded instance of ransomware was the AIDS Trojan, which spread during the World Health Organization’s international AIDS conference in 1989. Joseph L. Popp, a Harvard-trained biologist, developed the ransomware and distributed it through 20,000 floppy disks disguised as conference-related materials.
When attendees inserted the infected disks into their computers, the AIDS Trojan would hide directories and encrypt file names. A message would then appear, mocking victims and demanding they send $189 to a PO box in Panama to regain access to their files.
Fortunately, authorities apprehended Popp and security experts developed decryption tools to help victims recover their files. Unfortunately, the techniques used in this incident would be replicated over the years to carry out more insidious forms of cyber extortion.
More complex encryption techniques
In 2006, the Archiveus Trojan emerged, boasting a more powerful encryption scheme than the AIDS Trojan. Instead of merely encrypting file names, the Archiveus Trojan encrypted every file saved in a PC’s My Documents folder. The ransomware used RSA encryption to convert files into indecipherable code using a public key. Once encrypted, the files could only be decrypted with the private key, which was essentially a 30-digit alphanumeric password. To obtain the private key that would unlock their files, Archiveus victims were required to purchase items from an online pharmacy.
However, cybersecurity researchers from Sophos were able to crack the Archiveus encryption, rendering the ransomware harmless. Users whose computers were infected didn’t need to pay the ransom; they could simply run decryption software to regain access to their files.
GPCode, another ransomware strain, was far more disruptive than the Archiveus Trojan because it encrypted files beyond the My Documents folder. To maximize the damage, GPCode used RSA encryption to lock any file with a file extension such as .doc, .jpg, .txt, or .xls. Kaspersky was able to decrypt the early versions of the GPCode ransomware, but this also pushed cybercriminals to improve their attacks. In November 2010, GPCode ransomware started using more complex 1024-bit RSA encryption, which would theoretically take computers millennia to break. Such strong encryption would later become the standard for modern ransomware.
Scareware: Exploiting panic to spread ransomware
Scareware is a program designed to induce panic in unwitting users, and it was one element that skyrocketed ransomware’s growth. Common scareware involved warning messages on unsecured websites claiming that a system error had occurred. The scareware would then advise users to install specific software to resolve the problem, a ruse to get users to download ransomware onto their devices.
Although web browsers today are able to detect such threats, panic-inducing messages are now built into social engineering scams and into ransomware notes themselves. Scare tactics that pressure users into downloading ransomware-laced email attachments are the hallmark of today’s phishing attacks.
Ransomware goes mainstream
Ransomware cases became more prominent in 2010 for various reasons. For one, cryptocurrencies like Bitcoin were gaining a lot of attention and would inadvertently allow hackers to demand ransom in untraceable digital currency. That meant hackers could perform ransomware attacks and net a profit from victims with minimal chances of getting caught by authorities.
At the same time, cybercriminals set their sights on the healthcare industry. Healthcare organizations have historically relied on outdated systems and require constant access to medical records. The combination of these traits makes healthcare a prime target for ransomware attacks. In fact, ransomware accounted for 28% of cyberattacks suffered by the healthcare sector in 2020. According to experts, cybercriminals were often using COVID-19 relief efforts as a theme for their scams and ransomware attacks to catch healthcare institutions off guard.
The most significant event that solidified ransomware as a mainstream threat, however, was the WannaCry outbreak in 2017. New ransomware strains were constantly being developed (e.g., CryptoLocker), but they were usually distributed to the masses using malicious ads, websites, and emails. By contrast, the WannaCry ransomware spread by exploiting a critical networking vulnerability in operating systems like Windows XP, 7, Server 2003, and Server 2008. This vulnerability essentially enabled WannaCry to self-propagate from one device to another as long as the devices were connected to the same network.
This new strain of ransomware ultimately infected over 230,000 computers across 150 countries. What’s worse is that ever since this outbreak, new ransomware strains like the Petya ransomware began using similar techniques.
Inception of Ransomware-as-a-Service
By the late 2010s, ransomware had become a commodity on the black market. Skilled hacker groups began selling ransomware to criminal affiliates who lacked the time or expertise to develop their own. In addition to customizing ransomware for specific targets, hacker groups set up streamlined payment methods, managed the infrastructure, and updated the malware, for as little as $39 per month plus a percentage of any ransom paid by victims. This makes ransomware readily available to anyone, from online troublemakers to notorious criminal organizations. Plus, since the media exposure around WannaCry made ransomware mainstream, more financially motivated cybercriminals are jumping on the Ransomware-as-a-Service bandwagon.
Modern ransomware variants
Ransomware is more threatening than ever, with modern variants now using advanced encryption standards that would theoretically take 300 trillion years to decrypt. Some strains of ransomware also siphon files from infected devices before the encryption process to give cybercriminals leverage over those they’re extorting. These techniques were employed by ransomware like Maze and Sodinokibi in 2020.
How can businesses defend themselves against ransomware?
Ransomware will undoubtedly continue to evolve over the years, but there are several things you can do to protect your business from it:
- Routinely update software and operating systems to defend against the latest ransomware strains.
- Avoid inserting unknown USB drives into company-managed computers as these may be infected with ransomware.
- Implement advanced threat prevention and anti-malware software to prevent ransomware from infiltrating your systems.
- Schedule regular backups that meet your company’s Recovery Point Objective (RPO) and Recovery Time Objective (RTO), so that you still have clean copies of your data if your systems are infected with ransomware.
- Train users to have a healthy suspicion of emails, websites, and unsolicited links.
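The backup recommendation above is only useful if someone actually checks that the newest clean copy is recent enough (RPO) and can be restored fast enough (RTO). The following Python script is an added example, not code from the original article or from Dynamic Solutions Group; the backup history, the discovery time and the restore throughput are constructed sample values, and the function names are hypothetical. It counts only backups that have passed a test restore, because an unverified backup may already be corrupted or encrypted.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Sequence, Tuple

# Constructed sample backup history: (completion time, test restore succeeded).
# A backup whose test restore failed is not a clean copy you can count on,
# so it does not satisfy the RPO by itself.
UTC = timezone.utc
SAMPLE_BACKUPS: Sequence[Tuple[datetime, bool]] = [
    (datetime(2024, 3, 1, 2, 0, tzinfo=UTC), True),
    (datetime(2024, 3, 2, 2, 0, tzinfo=UTC), True),
    (datetime(2024, 3, 3, 2, 0, tzinfo=UTC), False),  # job ran, but restore test failed
]
SAMPLE_NOW = datetime(2024, 3, 3, 12, 0, tzinfo=UTC)  # moment the infection is discovered
RPO_DAILY = timedelta(hours=24)


@dataclass
class RpoReport:
    latest_usable: Optional[datetime]    # newest backup with a passing test restore
    data_at_risk_hours: Optional[float]  # work lost if systems were encrypted right now
    within_rpo: bool


def assess_rpo(backups, rpo: timedelta, now: datetime) -> RpoReport:
    """Compare the newest *verified* backup against the RPO.

    Only backups completed before `now` with a successful test restore count.
    """
    usable = [done for done, ok in backups if ok and done <= now]
    if not usable:
        return RpoReport(None, None, False)
    latest = max(usable)
    at_risk = now - latest
    return RpoReport(latest, at_risk.total_seconds() / 3600, at_risk <= rpo)


def assess_rto(data_gb: float, restore_gb_per_hour: float, rto_hours: float):
    """Estimate wall-clock restore time and check it against the RTO.

    Throughput should come from a measured test restore, not a vendor sheet.
    Returns (estimated restore hours, within RTO).
    """
    if restore_gb_per_hour <= 0:
        raise ValueError("restore throughput must be positive")
    restore_hours = data_gb / restore_gb_per_hour
    return restore_hours, restore_hours <= rto_hours


if __name__ == "__main__":
    report = assess_rpo(SAMPLE_BACKUPS, RPO_DAILY, SAMPLE_NOW)
    print(f"latest usable backup: {report.latest_usable}")
    print(f"data at risk: {report.data_at_risk_hours:.1f} h, within RPO: {report.within_rpo}")
    hours, ok = assess_rto(data_gb=500, restore_gb_per_hour=100, rto_hours=4)
    print(f"estimated restore: {hours:.1f} h, within RTO: {ok}")
```

With the sample history, the most recent backup that passed its restore test is 34 hours old, so a 24-hour RPO is missed even though a backup job ran last night; this is exactly the gap a ransomware incident exposes. Feeding the functions your real backup log and measured restore throughput turns the two objectives into a check you can run on a schedule.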
Defending against ever-evolving ransomware threats can be a complicated process, but you don’t have to do it alone. Dynamic Solutions Group provides top-notch cybersecurity services that will help your business fend off ransomware attacks. From best-in-class security solutions to in-depth security awareness training, we’ll provide everything you need to build a strong security framework. Call us now to get started.