Ransomware: AIDS, Scientists, and a Floppy Disk

Written by Turner | Published 2021/10/01
Tech Story Tags: cybersecurity | data | internet | security | hackernoon-top-story | saas | iaas | technology

TLDR Joseph Popp received the first ransom with the help of an attack on a computer in 1989. He mailed a floppy disk to 20,000 medical institutions worldwide with information about AIDS. Each disk contained a survey that assessed the risk of contracting this disease. During the survey, the “AIDS Trojan” encrypted files on a user’s computer after it had been restarted a certain number of times. Then printers printed out instructions for sending a bank transfer or a check in the amount of $189 to a mailbox in Panama.

Photo by Mikael Kristenson on Unsplash

Dr. Joseph Popp is known as the person who received the first ransom with the help of an attack on a computer. It happened back in 1989.

He mailed a floppy disk to more than 20,000 medical institutions worldwide which claimed to contain information about AIDS.

Each disk contained a survey that assessed the risk of contracting this disease. During the survey, the first-ever extortionist program, the “AIDS Trojan”, encrypted files on users’ computers after the machine had been restarted a certain number of times.

Then, printers connected to the infected computers printed out instructions for sending a bank transfer or a check in the amount of $189 to a mailbox in Panama.

This is how the history of ransomware begins.

Today, we’ll talk about what ransomware is, how it has transformed, and what the future holds for it.

Evolution of Ransomware

The 2000s were remembered for an impressive catalogue of schemes for using ransomware everywhere.

This happened due to three important aspects:

  1. The emergence of the internet, which united people around the world.
  2. Open access to file encryption tools.
  3. The appearance of an online payment system that opened the possibility for anonymous and secure payment: that is, Bitcoin.

The combination of these aspects drove the spread of ransomware. In addition, several important milestones also contributed to it:

2006: Archiveus used RSA-1024 to encrypt files, so that it was impossible to decrypt them without the key. The victims of the extortionist had to buy goods in an online pharmacy to get the decryption password.

2008: The invention of Bitcoin. With this cryptocurrency, it was possible to create unique payment addresses intended for each new victim.

2011: Bitcoin developed further and, at the same time, the number of online attacks approximately doubled every year.

2012: Reveton ransomware took its inspiration from the Vundo virus and added intimidation. A popup pretended to be a message from a law enforcement agency, informed the victim of a crime they had supposedly committed, for example downloading pirated software, and demanded payment.

At the same time, Citadel appeared as a toolkit for developing and distributing malicious software and managing botnets, and it distributed ransomware through pay-per-install programs.

2013-2015: CryptoLocker combined 2048-bit RSA encryption, a public key, and C&C servers hidden in the Tor network with distribution through the Gameover Zeus botnet. This allowed it to become the most dangerous ransomware of its time.

2014: The Svpeng mobile trojan, originally intended to steal payment card information, evolved into ransomware. It locked the victims’ phones and sent them a message accusing them of viewing child pornography.

2015: The introduction of the Ransomware-as-a-Service (RaaS) system, in which the operators of RaaS services received 20% of each ransom paid in bitcoins.

2016: Ransom32 appeared. Fully developed in JavaScript, HTML and CSS, it was the first “multi-platform” ransomware capable of infecting devices running Windows, Linux and macOS.

Locky is a virus that spread through phishing emails with Microsoft Word documents attached. At the peak of its spread, it infected up to 100,000 devices per day.

KeRanger was the first ransomware to target Mac files and the Mac recovery system, disabling the system recovery function that allowed users to roll back to the previous unencrypted state.

2017: WannaCry and Petya brought attention back to ransomware. WannaCry is crypto-ransomware with semi-automatic reproduction and automatic distribution through targeted system vulnerabilities.

At the beginning of 2017, WannaCry infected more than 250,000 devices. It was the largest attack in history, with losses of about $4 billion.

NotPetya (a variation of the Petya ransomware from 2016) was another crypto-ransomware that exploited the same vulnerabilities as WannaCry, even though security patches had already been released.

Both versions of ransomware highlighted the dangers of working on unsupported systems and the need to install security patches.

In addition, the anonymity of Bitcoin has ceased to be guaranteed and cybercriminals have begun to migrate to other cryptocurrencies.

2019: Crypto ransomware began using two-stage attacks: first malicious software for data collection, then ransomware.

Later, IT specialists proved that virtual machines were used for the attack, which hid the ransomware’s encryption process from antivirus detection.
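The timeline above describes what ransomware does to a machine: it rewrites many user files with ciphertext in a short period and, in many families, renames them to a new extension. As an added illustration (not code from the article or from any product), the Python detector below shows the defender’s view of that behaviour: it scans a constructed file-event feed, measures the Shannon entropy of written content, and flags only a process that both rewrites many files with ciphertext-looking bytes and renames them within one time window. The event format, the thresholds, the process ids and every sample event are assumptions made for this example; the backup-agent case shows why entropy alone is not enough, since compressed archives look just as random as encrypted ones.

```python
"""Heuristic detector for ransomware-like mass file encryption.

Added illustration, not code from the article or from any product: it scans
a constructed file-event feed and flags a process that, within a short time
window, rewrites many files with ciphertext-looking contents (high Shannon
entropy) and renames them to a new extension. The event format, thresholds
and every sample event below are assumptions made for this example.
"""
import math
import os
from collections import defaultdict
from dataclasses import dataclass

# Constructed stand-ins for file contents seen by a file-integrity or EDR agent.
PLAINTEXT_SAMPLE = b"The quarterly report shows revenue grew by three percent.\n" * 8
# Every byte value appears equally often, so the entropy is exactly 8 bits/byte,
# which is how encrypted (or well-compressed) data looks to this heuristic.
CIPHERTEXT_LIKE_SAMPLE = bytes(range(256)) * 2

# Document extensions used to spot renames such as "report.docx.locked".
DOCUMENT_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".txt", ".jpg"}


@dataclass
class FileEvent:
    ts: int         # epoch seconds
    pid: int        # process that performed the operation
    op: str         # "WRITE" or "RENAME"
    path: str       # for RENAME, the new path
    content: bytes  # for WRITE, a sample of the bytes written


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def extension_appended(path: str) -> bool:
    """True when a document extension is still present under a new one."""
    stem, _new_ext = os.path.splitext(path)
    _, old_ext = os.path.splitext(stem)
    return old_ext.lower() in DOCUMENT_EXTENSIONS


def detect_mass_encryption(events, window_seconds=60, min_files=10,
                           entropy_threshold=7.0):
    """Return one alert per process that both rewrote >= min_files files with
    high-entropy content and renamed >= min_files files inside one window."""
    by_pid = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_pid[ev.pid].append(ev)

    alerts = []
    for pid, evs in by_pid.items():
        for i, start in enumerate(evs):
            encrypted, renamed = set(), set()
            for ev in evs[i:]:
                if ev.ts - start.ts > window_seconds:
                    break
                if ev.op == "WRITE" and shannon_entropy(ev.content) >= entropy_threshold:
                    encrypted.add(ev.path)
                elif ev.op == "RENAME" and extension_appended(ev.path):
                    renamed.add(ev.path)
            if len(encrypted) >= min_files and len(renamed) >= min_files:
                alerts.append({"pid": pid, "first_ts": start.ts,
                               "encrypted_files": len(encrypted),
                               "renamed_files": len(renamed)})
                break  # one alert per process is enough
    return alerts


def build_sample_events():
    """Constructed feed: a text editor, a backup agent and a ransomware-like process."""
    events = [FileEvent(1000, 7, "WRITE", "C:/Users/alice/Documents/notes.txt", PLAINTEXT_SAMPLE)]
    # Backup agent: many high-entropy (compressed) writes but no renames, so it
    # must not be flagged; this is the classic false positive for entropy alone.
    for i in range(25):
        events.append(FileEvent(3000 + i, 99, "WRITE", f"D:/backup/part{i}.zip", CIPHERTEXT_LIKE_SAMPLE))
    # Ransomware-like process: 30 documents rewritten and renamed within 30 seconds.
    for i in range(30):
        path = f"C:/Users/alice/Documents/file{i}.docx"
        events.append(FileEvent(2000 + i, 4242, "WRITE", path, CIPHERTEXT_LIKE_SAMPLE))
        events.append(FileEvent(2000 + i, 4242, "RENAME", path + ".locked", b""))
    return events


if __name__ == "__main__":
    for alert in detect_mass_encryption(build_sample_events()):
        print(alert)
```

Running the script prints a single alert for process 4242; the text editor (one low-entropy write) and the backup agent (high-entropy writes without renames) stay silent. In a real deployment the two thresholds would be tuned per host role, and the alert would feed a response action such as suspending the process and snapshotting the share, which is where reliable backups, mentioned later in the article, decide whether the incident is a nuisance or a ransom negotiation.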

Ransomware Tactics Evolution

Global technological trends are pushing scammers to invent ever more inventive ways of extracting ransom payments.

Criminals focus on infrastructure and corporations.

So in 2016, there were several major attacks on hospitals.

In each case, hospital devices were locked and all files were encrypted. Some victims had reliable backup and data recovery methods in place, so they were lucky. The rest, however, still paid a ransom to restore access to personal information.


In 2018, a major ransomware attack hit Atlanta: many online services were disabled. However, the scammers did not receive a ransom, and the city government spent more than $2 million on data recovery.

Then, two years later, in 2021, the DarkSide ransomware halted the operations of an important structure that supplied about half of the gasoline for 13 U.S. states. As a result, a ransom of more than $4 million was paid to restore the database.

In addition, scammers often use the popular “encrypt and extract data” technique. As it turned out, vulnerable and less secure parts of networks make it easier both to infect systems and to steal data.

For example, the Finnish psychotherapy clinic Vastaamo with 40,000 patients became a victim of the newest tactics of “triple extortion.” Not only was the clinic’s data stolen here, but also the data of patients. Shortly after the incident, the company declared bankruptcy and closed the existing clinics.

Ransomware’s Future

Cybersecurity Ventures reported that in 2021 ransomware-type attacks had already increased by about 50%, while the damage from them in 2020 amounted to about $20 million. Judging by the statistics, this figure grows every year.

In addition, attacks are becoming more and more aimed at pre-selected victims. As a rule, various public and private organizations in the field of healthcare, insurance, and utilities become a target for criminals. According to criminals, such organizations are more willing to pay a ransom for lost data.

About half of all ransomware attacks use the technique of double or triple extortion.

In addition, the REvil RaaS group offers its partners (who carry out the attacks themselves) free DDoS attacks and scrambled VoIP calls to pressure victims into paying the ransom within the set time period.

The Growth of Ransomware Attacks

First, it should be understood that the sphere of online attacks is very profitable, even though there are not so many really successful ransomware attacks. Here are some statistics about this:

  - CWT Global — the payment amounted to $4.5 million.
  - Colonial Pipeline — the payment was $4.4 million.
  - Brenntag North American Division — the payment was $4.4 million.
  - Travelex — the payment amounted to $2.3 million.
  - University of California at San Francisco — the payment was $1.14 million.

But this represents only about a 5% success rate out of all such attacks. So here, as everywhere, much depends on luck.

In addition, the sharp jump in the popularity of ransomware attacks is also affected by the constant expansion of the scope of the attacks.

Recently, experts have become extremely concerned about the situation developing around ransomware, namely its increased popularity. Most likely, future attacks will be aimed at Infrastructure-as-a-Service (IaaS) and Platform-as-a-Service (PaaS).

In addition, newcomers also have a great influence — a new generation of hackers inspired by TV series like “Mr. Robot.” The new generation can really compete with previous criminals, and cause even greater damage to the chosen victims.

Ransomware is located in the center of a complex and actively developing economy with all the signs of real commercial activity. After all, by transferring our data to various service providers and relying on technology to perform our daily tasks, we unintentionally allow extortionists to steal information and hold us hostage.

Therefore, it is not surprising that the number and quality of online attacks increase every year.


Negative Impact of Ransomware

The hacking of the Colonial Pipeline showed the weaknesses of modern society. This attack provoked a general panic and shortages of food and fuel in many cities.

In addition, it is difficult to assess the real damage caused by this attack by only taking into account the amount of the ransom. Here we need to also talk about the various costs of investigating this crime, restoring damaged systems, and much more.

Moreover, cases of online attacks on hospitals can lead to devastating health consequences, including the death of patients. Therefore, the problem of ransomware cannot be denied and ignored.

Therefore, in 2020, a coalition of more than 60 participants was assembled and the Ransomware Task Force (RTF) was launched. All participants are representatives of various social sectors, medical and government agencies, cybersecurity specialists, as well as law enforcement.

During the year of operation, the program released a report “Combating Ransomware: A Comprehensive Framework for Action” with a description of 48 priority recommendations for combating ransomware.

In addition, the coalition was able to investigate several attacks and recover about 63 bitcoins, or more than $2 million, paid after the attack on the Colonial Pipeline.

In 2021, the Emotet botnet also stopped working.

Of course, this is only a small part of what can be done to prevent online attacks around the world. However, something else is important here — the world community has paid attention to the increased threat of online attacks and has begun to take measures to prevent them.
