Headlines are often flooded with the newest ransomware attacks targeted at large and small businesses in each industry, that aim to steal victims’ data and company files, where exorbitant demands are then requested for its release.
First discovered in 1989, Ransomware rose to become one of the biggest threats to businesses today. Coming from humble beginnings as floppy disks, Ransomware has developed rapidly through the internet which took the world by storm.
Ransomware is a type of malicious software that employs the use of encryption against victims to restrict access to their computer systems and data. The threat actors then demands a ransom payment from the victim in exchange for providing decryption keys or restoring access to the system. They are often designed to spread rapidly across a network and target databases and file servers, key resources for a business to operate, and can thus quickly paralyze an entire organization.
Ransomware attacks can have severe consequences, as they can lead to data disclosure, data theft, business disruptions, financial losses, and compromise of sensitive information. These attacks often relies on exploiting vulnerabilities in software or using social engineering techniques like phishing attacks, to gain access to a victim’s system or network, and they have become a significant cybersecurity threat to individuals, businesses, and organizations.
In this Guide:
The Emergence Of Ransomware Attacks
Created by Joseph L. Popp, AIDS Trojan or PC Cyborg is the first ransomware attack documented. He mailed 20,000 floppy disks to the World Health Organization AIDS conference in 1989. The packaging was labeled in a way to convince attendees that the disk contained a questionnaire that could be used to determine the likelihood of someone contracting the disease HIV.
After making its way onto a victim’s system, the malware used a simple symmetric encryption to prevent users from accessing their files. It counted the number of times the computer was booted and once it reached 90, it would hide the directories and lock the names of the files on the C drive. A message demanding a payment of $189 to be sent to a P.O. box would then appear on their screen.
The author of the ransomware, a Harvard biologist, wanted to collect money to help advance AIDS research. However, due to its simplicity in the ransomware code, IT specialists were able to quickly discover a decryption key, allowing victims to regain access to their system resources.
Early Development Of Ransomware Attacks
After Popp’s AIDs trojan attack, it took almost 15 years for another ransomware attack to take place. Emerging in the early 2000s, two significant ransomware attacks came as the internet became more common in the household and individuals began to use email as a new method of communication.
In 2004, GPCode infected systems through malicious links on websites and phishing emails. It worked using a custom encryption algorithm to encrypt files on the Windows systems. The threat actors then requested $20 for the decryption key.
The Archeivus attack in 2006, was the first ransomware to use RSA to encrypt all files in the “My Documents” folder. The 30 digit decryption key would be provided by the threat actor after the ransom was paid. The password was however cracked that same year, as the code used for the attack was relatively simple and allowed antivirus companies and other researchers to identify and analyze them.
Ransomware then began to employ cryptography to enhance its efficiency. In 2011 WinLock trojan emerged as the first locker ransomware. Ten criminals in Moscow used ransomware to lock victims out of their devices. The non encrypting malware infected users through malicious websites. It then displayed pornographic images until the victims sent $10 rubles. This scheme garnered over $15 million USD.
The Rise of Police-Themed Ransomware Attacks
Ransomware groups then began to employ the use of police-themed attacks, which utilizes aggressively worded notifications alleging the authorities from the local law enforcement agency, FBI or some international group have detected illegal activities on the victim’s PC where they user has to pay a fine through MoneyPak or Ukash online payment systems.
2012, saw the first major MoneyPak attack. Also referred to as Reverton, it was a ransomware as a service (RaaS) attack – a service that gave new hackers and criminals with limited technical skills the ability to purchase ransomware on the dark web. This attack displayed a message on the victims screen claiming that there is a new US law enforcement, claiming that the victim committed a crime, even going as far as to turn on the user’s camera to imply that the user was recorded. It then demanded that the victim make a payment to avoid jail time.
The encrypted files include; .jpg, .doc, .pdf and .xls. Notably, this was also the first ransomware to request payment through bitcoin, a crypto currency. This method was likely chosen as it enabled cyber criminals and victims to transfer payment easily and anonymously, ultimately making it increasingly difficult to identify them.
Emergence of Advanced Encryption: CryptoLocker Era and Bitcoin
2013 saw the emergence of “CryptoLocker”, a ransomware strain using an advanced 2048-bit RSA key, the most advanced ransomware at the time. It was also the first ransomware to be spreading using a botnet, namely the “Gameover Zeus” botnet. CryptoLocker was both a locker and crypto variant. It used more traditional tactics to propagate in the victim’s network as attachments to inconspicuous emails. The cybercriminals were able to receive $27 million dollars in the first two months and was virtually unstoppable until the botnet used to distribute the malware was taken down in 2014.
In that same year, SimpleLocker became the first ransomware to encrypt files on Android devices. The attack encrypted files such as documents, images and videos on the user devices’ SD card. This represented a massive turning point in the progression of ransomware, as it introduced a fresh set of victims and attacks.
Another Android-focused attack was Lockerpin released in 2015. Instead of encrypting files, this ransomware completely locked users out by altering the android’s PIN.
The first notable Mac ransomware was the “FileCoder” and was discovered by 2014 but was initially released in 2012. This malware was never finished, but it did encrypt files and demand payment. The first successful Mac attack however is the “KeRanger” ransomware attack. KeRanger demanded that victims pay around $400 in bitcoin. KeRanger is activated remotely on the victim’s computer, originating from a compromised installer of transmission – a widely used BitTorrent client that’s sourced from the official website. After being installed, the ransomware waits three days after infection before connecting to a command & control server over the Tor network, then encrypted .dmg file, masquerading as General.rtf file, and other file types on the victim’s system.
Ransomware then began to increase in sophistication, become more difficult to break and gained more global notoriety.
2016 saw the introduction of the Petya – a family of encryption malware. Petya targeted Microsoft Windows-based systems, infected the master boot record to carry out the payload that would then encrypt the hard drive’s file system, and prevent Windows from booting. The system would only be unblocked after the victim provides the encryption key, usually after providing payment in bitcoin to the malicious actors. It wasn’t until 2017 however, that Petya started making international news when a new variant was used in a cyberattack against Ukraine targets. Kaspkey dubbed the new variant as NotPetya to distinguish it from the older version, as it operated differently using an exploit known as the EternalBlue. ExternalBlue was initially developed by the U.S National Security Agency, and later stolen. Once the system had been compromised and exposed to the exploit, a flaw in Windows networking protocols silently spread across the network, similarly to a worm, hence the dub ransomworm.
In that same year, the infamous WannaCry ransomware attack using the stolen EternalBlue exploit. This ransomware attack spread through computers operating Windows and user’s files were held hostage where a Bitcoin ransom would then be demanded. Notably, users had the opportunity to avoid falling victim to this attack, as Windows had been aware of the vulnerability and released a patch two months prior to the WannaCry ransomware attack. Unfortunately however, many users do not update their systems regularly and are left exposed to the attack.
The threat actors initially requested $300 dollars worth of bitcoin and then raised it to $600. It also threatened to permanently delete the victim’s files if they did not pay within three days. WannaCry affected many industries, including; healthcare, security, emergency, education, gas, telecom and many more in over 150 countries. It was later confirmed in December of 2017, that North Korea was behind the attack, although they denied any involvement.
What is Multi-Extortion Ransomware Attacks?
Multi-extortion ransomware, also known as multifaceted or double extortion, was first identified in 2019 and employs multiple layers of attacks to persuade victims to pay the ransomware groups the ransom.
In this attack the threat actor will take the extra step to threaten to publish private and confidential data to the dark web leak sites, sell to the highest bidder, or destroy it, if the ransom isn’t paid by a certain deadline, giving the criminal additional leverage to collect ransom payments.
In contrast, a typical ransomware attack will only encrypt a victim’s data. The increased risk of exfiltration makes this attack particularly hazardous for businesses across all sectors.
A criminal group by the name of TA2102 hit Allied Universal, a security staffing firm, in 2019 with the first-ever double extortion ransomware attack. If the victim organization did not comply with their demands, they threatened to expose the data online, demanding 2.3 million US in bitcoin to prevent this. This implied that even if Allied had backups and were able to restore their network and data, they would still experience a serious data breach unless they paid up, even if they were able to restore their network and data.
Since then, there have been an increasing number of Multi-extortion ransomware attacks. In addition, ransomware attacks in general have become increasingly complex, larger and more frequent and easier to carry out as individuals can purchase ransomware as a service over the dark web.
The Rise of Ransomware as a Service
Ransomware-as-a-Service (RaaS) refers to a cybersecurity business model where ransomware authors and groups create and distribute ransomware software to other cybercriminals who then use it to carry out attacks. Persons who purchase ransomware are referred to as affiliates, and they often do not possess advanced technical skills, they instead rely on the user-friendly interface and infrastructure they purchased. RaaS is a variation of the MaaS (Malware-as-a-Service) model, which in turn is a malicious variant of the SaaS (Software-as-a-Service) model.
Purchasing a RaaS is usually done on a darknet, and has various payment models. These include:
- Commission as a percentage of the ransom
- A Monthly subscription
- Pure Profit Sharing
- A One-time license fee with no profit sharing
Some RaaS providers combine several payment methods, such as a subscription fee and a share of the ransom.
RaaS have grown in popularity as they lower the barrier for entry to extort businesses by allowing attackers without a strong background in programming languages, hacking or other technical skills to launch assaults by selling or renting ready-made tools and ransomware products. As a result, ransomware instances will continue to rise, while at the same time, the campaign against ransomware is being hampered because RaaS users can continue their illegal activity even if the malware writers are apprehended.
Ransomware As A Service Attack Examples
Dharma (CrySiS)
Dharma has been active in the RaaS community since 2017, therefore it is by no means a new player. It was delivered by cybercriminals manually through Remote Desktop Protocol (RDP) connections, typically by exploiting leaked or weak credentials. The attackers will scan the Internet for computers running RDP, usually on TCP port 3389, and then attempt to brute force the password for the computer. Files with the dharma extension are replaced. Compared to other RaaS, Dharma’s ransom demands are often smaller, averaging $9,000 on average. According to some analysts, this might be the result of the RaaS supplier allowing even novice hackers to register as affiliates.
REvil
Also known as the Sodinokini, was sold by the criminal group PINCHY and accounts for the largest ransom demand on record, at $10 million. Prior to leaking the stolen data, PINCHY typically notifies victims of the impending attack via a blog post on their DLS that includes sample data as proof. Once they gaining access to the blog post, a countdown timer will start, thereafter the allotted time has passed, the leak will be made public. REvil has reportedly earned its developers $100 million in a year. This ransomware appears to be heavily targeted at legal, insurance, and agricultural companies. After being investigated by McAfee, it was determined that the code for this attack is well written code designed to execute quickly to encrypt the defined files in the configuration of the ransomware.
BlackCat
Initially detected in 2021, BlackCat, also referred to as ALPHV, Noberus, is regarded as one of the most sophisticated and threatening malware strains of that year. It was coded in Rust programming language and is simple to compile against different operating architectures. BlackCat is particularly dangerous as it is highly customizable and easy to individualize. It was mainly used to compromise Widows and Linux based operating systems.
BlackCat is run by the Russian-speaking cybercriminal organization ALPHV. Its campaigns frequently use a triple-extortion strategy, demanding individual ransom payments for the decryption of infected files, the confidentiality of stolen information, and the avoidance of DoS attacks. Although BlackCat’s escapades have affected 200 enterprise organizations between November 2021 and September 2022, it has primarily targeted businesses in the financial, manufacturing, legal, and professional services sectors.
How to Prevent and Limit the Effect of Ransomware on Your Organization
Regular Backups
Backing important information is recommended to be the most effective way of recovering from a ransomware attack. The backups should be performed regularly to limit the impact of data or network loss and expedite recovery. They should also be stored in more than one location, whether physical or cloud-based. Critical backups should be isolated from the network for optimum protection.
Keep Systems patched and up to date
Keeping your operating systems and software up to date also reduces vulnerabilities that attackers could use to carry out a ransomware attack. Vulnerable networks, applications, and operating systems are prime targets. When performing updates, make sure you benefit from the latest security patches. This makes it harder for cybercriminals to exploit vulnerabilities in your programs.
Employ Least privilege
Apply the “Least Privilege” approach to all systems and services, and limit users’ permissions to install and run undesired software programs. By limiting certain privileges, malware may be stopped from operating or have less room to proliferate throughout the network. Furthermore, security teams should limit who can access essential data.
Least privilege usually involves a zero-trust model that assumes any users cannot be trusted, meaning they will require identity verification at every level of access, where verification is done using two-factor/multi-factor authentication to prevent access to sensitive data should a breach happen.
Security Awareness Training
By providing consistent and comprehensive training and education to users, it will help reduce the likelihood of ransomware attacks, as users will become aware of the common ransomware tactics threat posed by ransomware and become more familiar with security measures.
Ensure that your employees know how to report suspicious behavior and understand the importance of timely reporting. When employees can spot and avoid malicious emails, everyone plays a part in protecting the organization.
Harden Endpoints
Endpoint security should be a top priority for business. As businesses expands, each devices added to the network acts a new possible point where the attacker could gain access to the main network and access sensitive information. As a result, Secure configuration settings can help limit your organization’s attack surface and close security gaps created from default configurations that come with each device. End Point Detect and Response normally include;
Data loss prevention, intrusion detection, anti-spam filters & email protection, antivirus & anti-malware, and file encryption, amongst other tools.
Network Segmentation
In the event of an attack, it’s critical to prevent the spread of ransomware as much as possible because it can swiftly infect the entire network.
By implementing network segmentation, the company may isolate the ransomware and stop it from spreading to other computers by dividing it into several smaller networks.
To stop ransomware from reaching the target data, each individual subsystem needs to have its own security measures, firewalls, and unique access. Segmented access will not only stop the threat from spreading to the main network, but it will also give the security team more time to find, contain, and eliminate the danger.
6 Kinds of Ransomware You Might Not Know About
Final Thoughts
The increase in sophistication has marked the evolution of ransomware attacks over the years, shift in tactics and impact on organizations of almost every industry. From its earliest detection in 1989 with the AIDS Trojan through floppy disks, to the complex devastation of multi-extortion ransomware and ransomware as a service, ransomware has continued to adapt to exploit technological advancements and human vulnerabilities.
To combat the growing threat of ransomware, businesses must adapt a multifaceted approach to prevention and mitigation. These include, regular backups, system patching, employing least privilege and security awareness training, among other techniques.
As ransomware continues to evolve, security professionals and organizations must stay vigilant, adaptive, and prepared. Collaboration among industries, governments, and cybersecurity experts will be essential in building a resilient defence against the ever-evolving ransomware landscape.
By understanding the history and tactics of ransomware, as well as implementing proactive measures, businesses can better safeguard their data, operations, and reputation in an increasingly digital world.
Don't wait – secure your data with Oppos' Penetration Testing Services
Ransomware FAQs
Ransomware is malicious software encrypting victim’s data, demanding payment for access restoration, often infiltrating via phishing, fake downloads, or vulnerabilities.
Ransomware would typically be classified as a different form of malware than a virus.
Yes, ransomware can be removed using specialized anti-malware tools, but recovering encrypted data may still require decryption keys.
Ransomware attacks can last from minutes to weeks, depending on the network’s complexity, response efficiency, and specific malware characteristics.
Yes, ransomware poses a serious threat to data security and privacy, necessitating proactive measures and robust cybersecurity practices.
