Everything You Need to Know About Ransomware in 2022

With origins way back in the 1980s, ransomware is a lucrative business – and cybercriminals are cashing in.

Ransomware is malicious software that, once it has infected a system, encrypts the data it can reach and holds it hostage until a ransom is paid, usually in return for a decryption key. Today, ransomware attacks are rarely out of the headlines. Global cybersecurity company Trend Micro has published research revealing that 84% of US organisations experienced phishing and ransomware threats from July 2020 to July 2021. Many companies do end up paying, with the average ransom payment in excess of $500,000. Paying, however, does not guarantee that a working decryption key will be delivered, or that any stolen data will be deleted, and law enforcement agencies strongly advise against it, since every payment funds and encourages further attacks.

Arguably the first example of ransomware was created by a medical researcher, Joseph Popp, back in 1989. Popp's malware, known as the AIDS Trojan or PC Cyborg Trojan, was distributed on 20,000 floppy disks. It lay dormant until the infected PC had been booted roughly 90 times, then scrambled the names of files on the C: drive and displayed a message demanding that $189 be sent to a PO Box in Panama in return for restoring access. This rudimentary program is often cited as the first ransomware, but it wasn't until the 2000s and 2010s that ransomware became a serious threat. The PGPCoder (also known as GPCode) ransomware, which encrypted files and demanded a small sum be sent to an e-gold or Liberty Reserve account, emerged in 2005. 2010 saw a different approach with the WinLock Trojan, which locked the victim out of the system and displayed pornographic images across the screen, demanding a payment via premium-rate SMS for their removal. In May 2017, the WannaCry ransomware spread as a worm, using the leaked EternalBlue exploit against a vulnerability in Microsoft's SMBv1 implementation (patched two months earlier in MS17-010) to infect unpatched Windows machines with no user interaction at all. It hit around 230,000 computers within days; a third of NHS trusts in the UK were affected, leading to widespread disruption and thousands of cancelled appointments.

In recent years, as organisations have adopted stricter backup policies and so regained the ability to restore encrypted data without paying, cybercriminals have added a second lever: the threat to leak confidential material. Known as doxware or leakware, these attacks let criminals demand higher ransoms, since a public leak can have even bigger financial and regulatory consequences for a business than downtime, and backups offer no protection against it. In late 2019, the Twisted Spider gang deployed the Maze ransomware on the network of a security company employing more than 200,000 people. The attackers first copied the data to a server under their control, then encrypted the original files on the network, and announced they would begin publishing the stolen data online unless the company met their ransom demand. This two-pronged "double extortion" model is on the rise.

Something to look out for in 2022 is ransomware as a service (RaaS), in which ransomware kits are sold or rented on the dark web. The developers supply the malware together with the payment and leak-site infrastructure in exchange for a fee or a share of each ransom, while affiliates carry out the actual intrusions, so essentially anyone can get a slice of the pie without writing a line of code. Ransomware gangs include Twisted Spider (creators of the Maze ransomware), Viking Spider (creators of Ragnar Locker), Wizard Spider (creators of Ryuk) and the LockBit gang. Worryingly, these gangs have begun to work together like a cartel, sharing infrastructure and leak sites and swapping tactics.