In just 15 years, ransomware attacks have gone from a slapdash type of scam to a major and lucrative weapon for cybercriminals.
2005 to 2012. Early ransomware emerged as a subclass of “scareware” – a basic social engineering technique that attempted to frighten users into buying software (usually phony antivirus software). Early ransomware was unsophisticated, relying on panic more than advanced cryptography. Victims were often able to recover their data with ease.
Even as ransomware evolved, bad actors faced a big challenge: collecting ransoms. Since ransomware amounts to fraud, cybercriminals need to collect money from victims in a way that is quick, anonymous, and untraceable. Until 2012, the only way to do this was by using prepaid cash cards, retail shopping cards, and other jury-rigged methods. Though there was plenty of ransomware software floating around online, the difficulty of collecting on ransoms meant that overall damages were low.
2012: Bitcoin. The arrival of the cryptocurrency Bitcoin changed everything. As a decentralized digital currency operated over a blockchain network, Bitcoin offered the ability to move large amounts of money easily and with anonymity. Bitcoin was the ransomware tool that cybercriminals had been waiting for. Rather than asking their victims to pay in piecemeal amounts through odd methods, they could collect the ransom instantly in electronic form. Today, all major variants of ransomware require payment in Bitcoin, Ethereum, or other cryptocurrencies.
2013/2014: CryptoLocker. In the wake of Bitcoin’s emergence, ransomware quickly grew more sophisticated. A type of ransomware called CryptoLocker was created. CryptoLocker spread via a trojan botnet and wielded a powerful new form of encryption technology. CryptoLocker earned its distributors $300 million within a 100-day stretch before a combined effort led by the FBI and a team of cybersecurity experts managed to shut it down. CryptoLocker was a turning point in the world of ransomware: its criminal success caught the attention of larger criminal syndicates and inspired cybercriminals to refine their ransomware approach even further.
2015 to present: Bigger Targets
"Many of your documents, photos, videos, databases and other files are no longer accessible because they have been encrypted. Maybe you are busy looking for a way to recover your files, but do not waste your time. Nobody can recover your files without our decryption service."
WannaCry ransom note text
Since 2015, ransomware has become more and more powerful. In 2017, a brand of ransomware called WannaCry began attacking older Windows systems. Within a day of hitting computers attached to the UK’s National Health Service, WannaCry had spread across tens of thousands of systems in more than 150 countries. The largest ransomware epidemic in history, WannaCry has cost businesses millions of dollars in damages. Through 2019, WannaCry remained the most common ransomware family seen in attacks.
This pivot to attacking commercial and civic targets represents ransomware’s contemporary phase. As part of this shift, many ransomware attackers have traded quantity for quality. Rather than going after numerous individuals, they are targeting a smaller number of large organizations that handle more sensitive data and have more funds for ransom payouts.
Today, one in three ransomware attacks targets a business. Ransomware is so effective that it is responsible for 24% of malware-based cyberattacks. On the Dark Web, a lucrative trade has sprung up around ransomware code and exploit kit components – tools that help cybercriminals target victims.
Ransomware is such a serious issue because, over the 15-year history of this threat, several nefarious forces have coalesced.
There are three main vectors by which ransomware can get inside a device or system. The most common methods are:
WannaCry infected victims via an exploit pack. The most devastating piece of ransomware in history used an exploit for Microsoft Windows that had been stolen from the National Security Agency (NSA).
All forms of ransomware restrict access to files or data that are valuable to the user, and then demand payment in order to recover that access. Within this overall approach, there are various types of ransomware:
Crypto-malware. The most popular form of ransomware, and extremely damaging, crypto-malware gets inside a system and encrypts all the files and data contained within. Access is impossible without the malefactor’s decryption key.
Scareware. Once executed, scareware automatically locks a user’s computer and displays a message claiming that it has detected a virus or an error. The scareware instructs the victim to pay a specific amount to “fix” the issue. Some forms of scareware don’t technically encrypt files, but flood the screen with pop-up messages that make using the system impossible.
Lockers. Rather than encrypting select files, lockers lock victims out of their systems completely, preventing them from accessing anything. Locker-based attacks display the ransom demand on screen, often with a countdown timer intended to induce panic and force victims to pay without attempting to find another solution.
Doxware/Leakware. This type of ransomware takes and encrypts a particular kind of data. It then threatens to release the victim’s personal (in the case of an individual) or sensitive (in the case of a business) data to specific parties or the general public. Victims of doxware/leakware are driven to pay the ransom for fear of highly private data being exposed.
RaaS (Ransomware as a Service). For parties that want to initiate a ransomware attack but don’t have the time, the tools, and/or the expertise, the cybercriminal market has a solution. People can reach out to a professional hacker to do the job for them. This hacker will carry out the attack, and receive a portion of the ransom reward in exchange for their services.
Extortion. According to Recorded Future, many ransomware attackers are now carrying out extortion, by threatening to release exfiltrated files unless a victim pays a ransom. This is partly due to the fact that extortion cases garner media attention, something many cybercriminals crave. This publicity aids the sales of their Ransomware-as-a-Service (RaaS) offerings.
Big Game Hunting. This is a targeted, complex, low-volume, high-return form of ransomware attack. The attacker gains entry, moves laterally to map the network, then obtains the access needed to exfiltrate files and deploy the ransomware. Big game hunters are patient. It typically takes days for an attacker to understand the network, gain the proper access, and deploy.
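The crypto-malware and locker variants above share one observable trait: a single process rewrites many files in a short burst, and the rewritten contents look like random bytes rather than documents. The following is an added example (not code from the article or from SafeGuard Cyber) of a defender-side check that combines those two signals. The file-event log, the sample file contents, the entropy threshold (7.5 bits per byte) and the burst thresholds (5 distinct files in 10 seconds) are all constructed or assumed for the demo.

```python
"""Added example: flag mass-encryption behaviour from file-event telemetry.

Signal 1: Shannon entropy of a file's bytes. Natural-language text sits around
4-5 bits/byte; encrypted or compressed data approaches 8.0.
Signal 2: one process writing/renaming many distinct files in a short window.
All inputs below are constructed sample data, not real telemetry.
"""
import math
from collections import Counter, defaultdict


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes, threshold: float = 7.5) -> bool:
    """Assumed threshold: above 7.5 bits/byte a rewritten document is suspect."""
    return shannon_entropy(data) >= threshold


def burst_processes(events, window=10.0, min_files=5):
    """Return the set of processes that touched >= min_files distinct paths
    within any `window`-second span. `events` are (t_seconds, process, op, path)."""
    by_proc = defaultdict(list)
    for t, proc, op, path in events:
        if op in ("write", "rename"):
            by_proc[proc].append((t, path))
    flagged = set()
    for proc, items in by_proc.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            paths = {p for t, p in items[i:] if t - t0 <= window}
            if len(paths) >= min_files:
                flagged.add(proc)
                break
    return flagged


# Constructed sample: a word processor saving normally, and a hypothetical
# "evil.exe" rewriting six documents in four seconds.
SAMPLE_EVENTS = [
    (0.0, "winword.exe", "write", "C:/Users/a/Documents/report.docx"),
    (30.0, "winword.exe", "write", "C:/Users/a/Documents/notes.docx"),
] + [
    (40.0 + 0.6 * i, "evil.exe", "write", f"C:/Users/a/Documents/file{i}.docx")
    for i in range(6)
]

# Constructed file contents: a plaintext document and a byte-uniform blob that
# stands in for ciphertext (every byte value equally often, entropy exactly 8.0).
PLAINTEXT = b"the quick brown fox jumps over the lazy dog. " * 50
CIPHERTEXT_LIKE = bytes(range(256)) * 16


def assess(events=SAMPLE_EVENTS, rewritten=CIPHERTEXT_LIKE):
    """Combine both signals into one verdict dictionary."""
    procs = burst_processes(events)
    return {
        "burst_processes": sorted(procs),
        "rewritten_looks_encrypted": looks_encrypted(rewritten),
        "alert": bool(procs) and looks_encrypted(rewritten),
    }


if __name__ == "__main__":
    print(assess())  # expected: evil.exe flagged, alert True
```

In production the event feed would come from an EDR or file-system audit source and the entropy check would run on a sample of the files the bursting process touched; the thresholds here are starting points to tune against a baseline of normal save behaviour, since backup agents and archivers also write many high-entropy files.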
The spear-phishing techniques deployed on email and social channels are very similar in nature and involve an element of social engineering to enable the initial compromise to succeed. In the case of social media compromise, the attacker can often perform their target recon on the channel itself (e.g. LinkedIn) and then simply make a connection request to the target to begin establishing the trust relationship. In fact, the more connections the attacker makes within the organization, the greater the sense of trust that is established.
At this point, the attacker is in an excellent position to launch the attack by sending a malware-laced attachment or link to the targeted victim under the pretext of a legitimate purpose. For example, cybercriminals might adopt the guise of a recruiter and, after establishing a presence in the organization through a series of connection requests, send a malware-laced file link under the cover of a job description. Once the victim clicks through on the document, the host device can be compromised with a first-stage malware payload.
In an enterprise attack, this would only be the first stage and would be unlikely to contain ransomware per se. The longer-term objective would be to achieve lateral movement for long-term persistence, establish command and control for data exfiltration, and finally deploy the ransomware.
Given the nature of these “Big Game Hunting” scenarios where ransomware is often delivered as part of a multi-stage attack process, and may occur on any one of several attack surfaces, it is important to coordinate defensive counter-measures across all of these vectors. For example, detecting a malware attack on a social channel could also be an indication of a broader attack front across multiple attack surfaces such as email and remote access management tools.
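The point above is that a single detection on one surface is most useful when it is correlated with detections for the same target on other surfaces. The following is an added example (not code from the article or from SafeGuard Cyber) of that correlation: alerts from social, email and remote-access sources are grouped by targeted user, and a user is escalated when alerts from at least two distinct surfaces fall within a 72-hour window. The alert records, the surface names, the window and the two-surface threshold are constructed or assumed for the demo.

```python
"""Added example: correlate per-target alerts across attack surfaces.

An alert is a dict with an ISO-8601 timestamp, the surface it came from,
the targeted user, and free-text detail. All sample alerts are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts (assumed surface names: social, email, remote_access).
SAMPLE_ALERTS = [
    {"when": "2024-03-01T09:00:00", "surface": "social", "target": "alice",
     "detail": "malicious link in direct message"},
    {"when": "2024-03-01T19:30:00", "surface": "email", "target": "alice",
     "detail": "job-description attachment flagged"},
    {"when": "2024-03-02T08:00:00", "surface": "social", "target": "bob",
     "detail": "connection request from suspicious profile"},
    {"when": "2024-03-01T10:00:00", "surface": "social", "target": "carol",
     "detail": "malicious link in direct message"},
    {"when": "2024-03-12T10:00:00", "surface": "remote_access", "target": "carol",
     "detail": "login from unusual location"},
    {"when": "2024-03-03T11:00:00", "surface": "email", "target": "dave",
     "detail": "credential-phishing link"},
    {"when": "2024-03-04T02:15:00", "surface": "remote_access", "target": "dave",
     "detail": "new remote-management session"},
]


def _parsed(alerts):
    """Copy alerts with the timestamp converted to datetime."""
    return [dict(a, when=datetime.fromisoformat(a["when"])) for a in alerts]


def correlate(alerts, window=timedelta(hours=72), min_surfaces=2):
    """Return {target: [surfaces]} for every target whose alerts span at least
    `min_surfaces` distinct surfaces inside some `window`-long span."""
    by_target = defaultdict(list)
    for a in _parsed(alerts):
        by_target[a["target"]].append(a)

    findings = {}
    for target, items in by_target.items():
        items.sort(key=lambda a: a["when"])
        # Start a window at each alert; this covers every possible window.
        for i, anchor in enumerate(items):
            surfaces = {a["surface"] for a in items[i:]
                        if a["when"] - anchor["when"] <= window}
            if len(surfaces) >= min_surfaces:
                findings[target] = sorted(surfaces)
                break
    return findings


if __name__ == "__main__":
    for target, surfaces in correlate(SAMPLE_ALERTS).items():
        print(f"escalate {target}: alerts on {', '.join(surfaces)}")
```

Here alice (social then email within ten hours) and dave (email then remote access the next day) are escalated, bob has only one surface, and carol's two alerts are eleven days apart and so fall outside the window. Lowering `min_surfaces` or widening `window` trades fewer missed multi-stage intrusions for more noise; the right setting depends on how long the page's "patient" attackers typically dwell in an environment.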
On the whole, ransomware attacks are frighteningly successful. The malware and the techniques are constantly evolving, and once encryption takes place, it can be very hard to reverse. The reality is that, hit with a sophisticated ransomware attack, most enterprises pay.
For this reason, the absolute best course of action against ransomware is proactive prevention combined with constant data backup. Some best practices include:
When it comes to ransomware, prevention is better than cure. However, should an organization be unfortunate enough to fall prey to ransomware, the following steps should be followed:
With proper digital risk protection, organizations can detect and nullify ransomware threats before they become an issue. The Safeguard Cyber Platform can keep pace with the scale and velocity of modern digital communications, and detect phishing links and other indicators of ransomware across the full suite of cloud platforms. Threats are instantly flagged and quarantined before an unsuspecting human target clicks on anything dangerous.