The Evolution of Ransomware

First appearing in the 1980s, ransomware attacks have evolved over the years, as cybercriminals seek new ways to expand the scope and profitability of their operations.

What is ransomware?
Ransomware is a malicious software that infects and gains access to a system, holding the data hostage via encryption until the victim pays a ransom in exchange for a decryption key; recent attacks also threaten to leak confidential or sensitive information as an added threat. Today, ransomware attacks are never far from the headlines, with the frequency increasing alongside more innovative distribution methods.

Early ransomware
But ransomware is far from a new phenomenon. The AIDS Trojan, or PC Cyborg virus, infected systems via floppy disk back in 1989, with victims needing to send $189 to a PO Box in Panama to restore their data. Joseph Popp, an AIDS researcher, sent out 20,000 floppy disks to fellow researchers, lying dormant in computers and only activating after they were powered on 90 times. This rudimentary malware is often cited as the first example of ransomware. 2005 saw the emergence of PGPCoder, which encrypted certain file types such as .doc, .html, .jpg and .zip, demanding between $100-$200 sent to an e-gold or Liberty Reserve account. The WinLock Trojan, emerging from Russia in 2010, didn’t use encryption, instead opting to display pornographic images across the victims screen, demanding a ransom for them to be removed.

Ransomware becomes widespread
However, ransomware attacks didn’t become widespread until the 2010s, alongside the emergence of cryptocurrencies like Bitcoin, providing an easy, untraceable method, outside of the traditional financial institutions, to receive ransom payments. From around 2012, there was a substantial proliferation of ransomware. 2013 saw the emergence of CryptoLocker, which usesdan RSA 2048-bit key to encrypt the host’s files, renaming them by adding extensions such as .encrypted, .cryptolocker, or sometimes a string of seven random characters. Spread via infected email attachments and a Gameover ZeuS botnet, CryptoLocker would encrypt files and display a message offering to decrypt the files on receipt of a ransom payment, threatening to delete the private key by a deadline, ramping up pressure to pay. In May 2014, Operation Tovar, a coordinated international effort, saw CryptoLocker isolated, with the database of private keys obtained; an decryption tool was then released for victims to get their files back without paying the ransom. It is believed that a total of $3 million was extorted by CryptoLocker operators. In the months and years that followed, more examples of ransomware continued to appear, including SynoLocker, CryptoWall, Cryptoblocker, and Chimera. The latter is significant, as it saw hackers threatening to publish stolen data online if the victim doesn’t pay.

WannaCry causes widespread disruption
In May 2017, cybercriminals took advantage of a weakness in Windows, using a hack allegedly developed by the US National Security Agency, known as EternaBlue. While Microsoft released a security patch several months before the attack, many individuals and organisations didn’t install the update, and were left exposed to the ransomware attack. The WannaCry ransomware attack hit around 230,000 computers worldwide, with thousands of NHS hospital and surgeries in the UK hit. A third of NHS trusts were affected, which cause large amounts of disruption, including ambulances needing to be rerouted, and thousands of appointments cancelled.

Ransomware targets smartphones, Macs and Linux
Ransomware gangs began to target a wider range of devices in the years that followed. Jnuary 2015 saw the emergence of the Fusob ransomware, which targets Android devices. Spread via pop-ups once the Trojan is executed, the device displays a fake screen accusing the owner of wrongdoing, and demanding a small “fine” of between $100 and $200. The Fusob ransomware. In 2016, KeRanger became the first ransomware to target Macs, and is remotely executed from a compromised Transmission installer, a BitTorrent client, downloaded from the official website. Hidden within the .dmg installer. Ransom32, first appearing in 2016, is a Javascript-based ransomware, and is capable of infecting Windows, Mac and Linux systems; it is a ransomware-as-a-service, being sold on the dark web, with the authors getting a 25% cut of the ransom payments.

Ransomware evolves further: doxware/leakware
In recent years, ransomware operators started to notice that fewer victims were paying up. This could be down to increased awareness of the dangers of ransomware within companies, or more effective data backup solutions being in place; ransoms needn’t be paid if encrypted data can be restored from a recent backup. In response, cybercriminals have taken to stealing data as well as encrypting it, threatening to leak it if the ransom isn’t paid. This is known as doxware, or leakware. These ransomware attacks can result in higher ransoms being demanded, as leaked data can be damaging to the reputation of a business, not to mention opening up the possibility of lawsuits if personal data from clients is made public. Some ransomware gangs, such as Maze, operate on a “double-extortion” model, where they demand a ransom payment in exchange for the decryption key, and threaten to publish the data on the dark web if the payment isn’t made before a certain date.

Ransomware-as-a-service (RaaS)
As option of the software-as-a-service (SaaS) model, ransomware-as-a-service (RaaS) is a subscription-based model, that allows affiliates to use existing ransomware tools to execute attacks, earning a percentage of each ransom payment made. Now, coding knowhow is no longer a prerequisite for a ransomware cybercriminal, with ransomware tools now effectively available to anyone “off the shelf”. Researchers at cybersecurity company Group-IB found that in 2020, almost two thirds of ransomware attacks were operated on the ransomware-as-a-service model. Mirroring software-as-a-service, ransomware-as-a-service affiliates sign up with a one-off fee or a monthly subscription, and are supported by operators in launching successful attacks. Affiliates typically present potential victims with a phishing email, directing them to an exploit site if clicked, allowing the ransomware to be clandestinely downloaded. The Covid-19 pandemic has seen a huge increase in the number of phishing emails, attempting to trick users with details relating to things like vaccines.

The future of ransomware
Ransomware shows no sign of disappearing or slowing down, and will likely grow as a threat as it becomes more and more profitable; 2020 saw the highest ever ransom demand on record, a whopping $30 million. Additionally, the average ransom paid increased from $115,123 in 2019 to $312,493. It’s likely that ransoms will continue to grow in size, particularly as cybercriminals target larger companies. Over the course of the Covid-19 pandemic, ransomware attacks against certain sectors have increased dramatically, such as retail (365%), healthcare (123%), and government (21%). Attackers are even targeting vaccine manufacturers – in October 2020, a clinical trial software manufacturer involved in Covid vaccine testing was targeted by a ransomware attack. The pandemic has provided a perfect opportunity  for cybercriminals, as businesses are adapting to the “new normal” and potentially letting their guard down to threats like ransomware.