A Brief History of Ransomware Evolution

Wondering where the scourge of ransomware attacks currently stands? In a recent report titled Ransomware: The True Cost to Business, we noted research by Cybersecurity Ventures that estimated a ransomware attack occurs about every 11 seconds. That rate translates into about 3 million ransomware attacks over a year.

Let that sink in. We are not talking about the number of files encrypted or organizations affected - that’s 3 million unique ransomware attacks against organizations.

Cybereason recently released a follow-up research report, titled Organizations at Risk: Ransomware Attackers Don’t Take Holidays, that focuses on the threat that ransomware attacks during the weekends and holidays poses to organizations as we move into the holiday season.

A Threat 30 Years in the Making

The majority of organizations that have suffered a ransomware attack experienced significant impact to the business as a result, including loss of revenue, damage to the organization’s brand, unplanned workforce reductions, and even closure of the business altogether.

There have been over 200 ransomware attacks that have made headlines in 2021 so far—and those are just the ransomware attacks that have been acknowledged publicly. To understand how we got here, we need to look at how the threat has evolved over the years:

1989: The Birth of Ransomware

Let’s go all the way back to 1989 when the first documented case of ransomware emerged. In December of that year, Harvard-educated evolutionary biologist Dr. Joseph Popp sent 20,000 floppy disks infected with a computer virus to individuals who had attended the World Health Organization’s international AIDS Conference in Stockholm.

Once loaded onto a computer, the virus hid file directories, locked file names, and informed victims that they could only restore access to their files by sending $189 to a P.O. Box located in Panama.

Dr. Popp attracted the attention of authorities at Schiphol Airport about two weeks after the attack. Law enforcement subsequently arrested the evolutionary biologist at his parents’ home and extradited him to the UK. There, he faced 10 charges of blackmail and criminal damage for distributing what’s now called the “AIDS Trojan.”

2007: The First Locker Ransomware Variants Emerge

Nearly 20 years after the AIDS Trojan incident (check out the Malicious Life Podcast on the subject here), the first locker ransomware variants appeared on the threat landscape. These early versions targeted users in Russia by “locking” victims’ machines and preventing them from using their computers’ basic functions like the keyboard and mouse, as noted by researchers at Kennesaw State University.

After displaying an “adult image” on the infected computers, the ransomware instructed victims to either call a premium-rate phone number or send an SMS text message to meet the attackers’ ransom demands.

2013: CryptoLocker Ushers in Modern Crypto-Ransomware

In 2013, Naked Security learned of a new ransomware threat called “CryptoLocker” that installed itself into Windows victims’ “Documents and Settings” folder and added itself to the Windows registry (check out the Malicious Life Podcast on the subject here).

After connecting to one of its hardcoded command and control (C&C) servers, the threat uploaded a small file to identify its victim and used that file to generate a public-private key pair. It then leveraged the public key to encrypt victims’ documents, spreadsheets, images, and other files before displaying its ransom note. That message informed the victim that they had 72 hours to pay a ransom demand of $300 - not even pennies on the dollar compared to today’s ransom demands that range into the tens-of-millions.

Attacks involving CryptoLocker became more prevalent in the years that followed. Per Kennesaw State University’s researchers, the FBI estimated that victims had paid $27 million to CryptoLocker’s operators by the end of 2015.

2018: Ransomware Actors Embrace Big Game Hunting

Beginning in 2018, the FBI observed a decline in indiscriminate ransomware attacks. Its analysts saw those campaigns give way to operations targeting businesses—in particular, state and local governments, health care entities, industrial companies, and transportation organizations.

Ars Technica reported that many ransomware groups made this shift to “big game hunting” so that they could encrypt organizations’ high value data, undermine victims’ operations, and thereby demand an even higher ransom payment. The Ransomware: The True Cost to Business report mentioned above highlights some of the impact these attacks can have on organizations, including:

    • Loss of Business Revenue: 66 percent of organizations reported significant loss of revenue following a ransomware attack.
    • Brand and Reputation Damage: 53 percent of organizations indicated that their brand and reputation were damaged as a result of a successful attack.
    • C-Level Talent Loss: 32 percent of organizations reported losing C-Level talent as a direct result of ransomware attacks.
    • Employee Layoffs: 29 percent reported being forced to lay off employees due to financial pressures following a ransomware attack.

2019: Maze Ransomware Gang Invents Double Extortion

Near the end of November, Bleeping Computer received a message from a known email address used by the Maze ransomware gang. The message informed the computer self-help website that the Maze group had successfully breached a security staffing company by stealing its information in plaintext before encrypting its files. To prove its claim, the attackers sent along a sample of files stolen from the company and leaked 700 MB of data online soon thereafter.

Other ransomware groups embraced this “double extortion” technique in the months that followed. In doing so, they gave themselves an edge over organizations with a data backup strategy: a victim with backups could still restore infected computers, but no backup could undo the theft of the data.

So, the attackers demanded two ransom payments from their victims, one for the decryption of their data and the other for the deletion of their information off their operation’s servers.

The Rise of Complex RansomOps

In a recent blog post we discussed how today’s more complex RansomOps attacks are more akin to stealthy APT-like operations than the old “spray and pray” mass email spam campaigns like the ones listed above. The article also discussed the larger Ransomware Economy and the players at work within it, each with their own specialization.

These players include the Initial Access Brokers (IABs) who lay the groundwork for a ransomware attack by infiltrating a network and moving laterally to maximize the potential impact, and the Ransomware-as-a-Service (RaaS) operators who provide attack infrastructure to affiliates who carry out the attacks.

This level of compromise puts RansomOps attackers in a position where they can demand even bigger ransoms, and RansomOps techniques also commonly involve multiple extortion techniques like the double extortion tactic discussed above.

Some groups have taken things a step further. In mid-September, for instance, Bleeping Computer reported that the Grief ransomware gang had begun threatening to delete a victim’s decryption key if they elected to hire someone to help them negotiate the ransom demand down. This came on the heels of the RagnarLocker group threatening to publish a victim’s data if they notified the FBI or local law enforcement about an infection, per Threatpost.

Defending Against Ransomware and RansomOps

It’s possible for organizations to defend against ransomware and RansomOps from the earliest stages of an attack. Remember, the actual ransomware payload is the very tail end of a RansomOps attack, so there are weeks or even months of detectable activity prior to the payload delivery where an attack can be thwarted before there is any serious impact to the targeted organization.

The key to ending ransomware attacks is to minimize the period of time between the moment when a RansomOps attack first infiltrates your environment and the moment when the security team can detect and end it.
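The point above is that the encryption payload is the last, noisiest step of a RansomOps intrusion, and that detection must be behavioral rather than signature-based. The following is an added illustration written for this article, not Cybereason’s product code: a minimal behavioral heuristic that flags a process which, within a short window, rewrites several files with high-entropy (encrypted-looking) content and changes their extensions. The event tuple format, the thresholds, and the sample event stream are all constructed assumptions; a real detector would consume telemetry from an endpoint sensor.

```python
"""Toy behavioral detector for the file-encryption stage of a ransomware attack.

Added example, not code from the original article or from Cybereason.
Event format, thresholds and sample data are constructed assumptions.
"""
import math
import os
from collections import defaultdict, deque

# Illustrative thresholds (assumptions, not tuned values):
# encrypted or compressed data has near-maximal entropy (close to 8 bits/byte).
ENTROPY_THRESHOLD = 7.0
BURST_WINDOW_SECS = 10   # look-back window per process
BURST_COUNT = 5          # suspicious writes within the window before alerting


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input, max 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def is_suspicious_write(data: bytes, path: str, renamed_to):
    """A write looks like encryption when the content is high-entropy AND the
    file extension changed (e.g. report.docx -> report.docx.locked)."""
    if renamed_to is None:
        return False
    ext_changed = os.path.splitext(path)[1] != os.path.splitext(renamed_to)[1]
    return ext_changed and shannon_entropy(data) >= ENTROPY_THRESHOLD


def detect_encryption_bursts(events, window=BURST_WINDOW_SECS, count=BURST_COUNT):
    """events: iterable of (timestamp_secs, pid, path, written_bytes, renamed_to_or_None).
    Returns one alert per process as (pid, first_ts, last_ts, n_suspicious_files),
    raised the moment the burst threshold is first crossed."""
    recent = defaultdict(deque)   # pid -> timestamps of recent suspicious writes
    alerted = set()
    alerts = []
    for ts, pid, path, data, renamed_to in sorted(events, key=lambda e: e[0]):
        if not is_suspicious_write(data, path, renamed_to):
            continue
        q = recent[pid]
        q.append(ts)
        while ts - q[0] > window:      # drop writes that fell out of the window
            q.popleft()
        if len(q) >= count and pid not in alerted:
            alerts.append((pid, q[0], ts, len(q)))
            alerted.add(pid)
    return alerts


# Constructed sample telemetry. Entropy of bytes(range(256)) * 4 is exactly 8.0;
# the repeated ASCII string is low-entropy plain text.
HIGH_ENTROPY = bytes(range(256)) * 4
PLAIN_TEXT = b"quarterly numbers look fine " * 20

SAMPLE_EVENTS = [
    # pid 4242: rewrites six documents with encrypted-looking bytes and renames them
    (100 + i, 4242, f"/home/u/docs/file{i}.docx", HIGH_ENTROPY,
     f"/home/u/docs/file{i}.docx.locked")
    for i in range(6)
] + [
    # pid 1001: a backup tool writing a high-entropy archive, no extension change
    (101, 1001, "/var/backups/nightly.zip", HIGH_ENTROPY, None),
    # pid 2002: an editor saving plain text via a temp-file rename
    (102, 2002, "/home/u/notes.txt.tmp", PLAIN_TEXT, "/home/u/notes.txt"),
]


if __name__ == "__main__":
    for pid, first, last, n in detect_encryption_bursts(SAMPLE_EVENTS):
        print(f"ALERT pid={pid}: {n} encrypted-looking renames between t={first} and t={last}")
```

Only the process that combines both signals (high-entropy content and an extension change) in a burst triggers an alert; the backup tool and the text editor each show one signal but not the other. In practice this kind of heuristic sits behind the earlier-stage detections the article describes, since by the time it fires the intrusion is already weeks old.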

The Cybereason Predictive Ransomware Protection solution is capable of detecting the earliest signs of a ransomware operation and conducting automated prevention within milliseconds. With the ability to block obfuscated ransomware, plus the addition of artificial intelligence on every endpoint, encryption prevention, rollback capability, and visibility from the kernel to the cloud, the Cybereason Predictive Ransomware Protection represents the most capable ransomware defense available on the market.

This is why Cybereason is the only security provider that remains undefeated in the fight against ransomware, protecting every customer from threats like the DarkSide Ransomware that shut down Colonial Pipeline, the REvil Ransomware that disrupted meatpacking giant JBS and IT services provider Kaseya, the LockBit Ransomware that struck Accenture, and every other ransomware family.

Predictive protection means that Cybereason ends ransomware with the highest degree of confidence based on subtle behaviors and attacker activity. We see what others miss and infer the attacker’s next move without manual input from Defenders.

Cybereason is dedicated to teaming with defenders to end ransomware attacks on the endpoint, across the enterprise, to everywhere the battle is taking place. Learn more about the Cybereason Predictive Ransomware Protection solution, browse our ransomware defense resources, or schedule a demo today to learn how your organization can benefit from an operation-centric approach to security.

About the Author

Anthony M. Freed

Anthony M. Freed is the Senior Director of Corporate Communications for Cybereason and was formerly a security journalist who authored feature articles, interviews and investigative reports which have been sourced and cited by dozens of major media outlets. Anthony also previously worked as a consultant to senior members of product development, secondary and capital markets from the largest financial institutions in the country, and he had a front row seat to the bursting of the credit bubble.
