December 2024 has the dubious distinction of being the 35th anniversary of the first ransomware and the 20th anniversary of the first modern criminal use of ransomware. Since the late 1980s, ransomware has evolved and innovated into a major criminal enterprise, so it seems only fitting to reflect on the changes and innovations we’ve seen in ransomware over the past three decades.
The first use of ransomware was identified in December 1989; an individual physically shipped diskettes that claimed to contain software to help judge whether a person was at risk of developing AIDS, hence the malware is known as the AIDS Trojan. Once installed, the software waited until the computer had been restarted 90 times before hiding folders, encrypting file names and displaying a ransom note that demanded a cashier's check be mailed to a PO Box in Panama for a "license" that restored the files and folders.
The individual responsible has been identified, but could not be prosecuted. Ultimately, the difficulty of distributing the malware and collecting payment in a pre-internet world meant the attempt was unsuccessful. However, technology advanced: computers became increasingly connected to networks, and new opportunities developed to distribute ransomware.
The risk of a "cryptovirus" that could use encryption to extort victims, who would have to pay to obtain a decryption key, was recognized by researchers in 1996, as were the defenses needed to defeat the threat: effective antivirus software and system backups.
Technical Lead, Security Research – EMEA at Cisco Talos.
In December 2004, evidence of the first criminal use of ransomware, GPCode, was discovered. This attack targeted users in Russia and was delivered as an email attachment purporting to be a job application. Once opened, the attachment downloaded and installed malware on the victim's machine that scanned the file system and encrypted files of targeted types. Early samples applied a custom encryption routine that was easily defeated, before the attacker adopted public key encryption algorithms that were much more difficult to crack.
Clearly, this attack sparked the imagination of criminals, with a variety of ransomware variants being released soon after. However, these early attacks were hampered by a lack of easily accessible means to collect the ransom payment without disclosing the identity of the attacker. Providing instructions for payments to be wired to specific bank accounts left the attack vulnerable to investigators who could "follow the money." Attackers became increasingly creative, asking victims to call premium rate phone numbers or even to purchase items from an online pharmacy and provide the receipt to receive decryption instructions.
Virtual currencies and gold trading platforms offered a means of transferring payments outside regulated banking systems and were widely adopted by ransomware operators as a direct mechanism to receive payments while maintaining their anonymity. Ultimately, however, these payment services proved vulnerable to action by regulatory authorities that limited their use.
The emergence of cryptocurrencies, such as bitcoin, offered an effective way for criminals to collect ransoms anonymously in a framework that was resistant to disruption by regulatory authorities or law enforcement. Consequently, cryptocurrency payments have been enthusiastically embraced by ransomware operators with the successful CryptoLocker ransomware of late 2013 being one of the early adopters.
With the adoption of cryptocurrencies as an effective means of receiving payment, ransomware operators have been able to focus on expanding their operations. The ransomware ecosystem has begun to professionalize with specialized providers offering their services to share some of the functions involved in carrying out attacks.
In the early 2010s, ransomware operators tended to adopt their own preferred ways to distribute their malware, such as sending spam messages, subverting websites or partnering with botnet operators which could install malware on a large number of compromised systems. By developing an ecosystem of partners, ransomware writers could focus on developing better ransomware and leave the distribution of malware to less technically skilled operators who could focus on distribution and social engineering techniques.
Criminals have developed sophisticated portals for their affiliates to measure their success and access new features to facilitate their attacks and the collection of ransom payments. Initially, these attacks adopted a mass market-style malware distribution that tries to infect as many users as possible to maximize ransom payments regardless of the victims’ profile.
In 2016, a new ransomware variant, SamSam, was identified that was distributed according to a different model. Instead of prioritizing the number of infections, hitting a large number of users for a relatively small ransom, the distributors of SamSam targeted specific institutions and demanded large sums for their ransom. The gang combined hacking techniques with ransomware, penetrating the organization's systems, then identifying key computer systems and installing ransomware on them to maximize disruption to the entire organization.
This innovation changed the ransomware market. Ransomware operators discovered that it was more profitable to target institutions, disrupting entire organizations and bringing their operations to a standstill, which allowed them to demand a much higher ransom than they could for encrypting the end devices of individuals.
Criminals quickly prioritized certain sectors; the healthcare industry became a frequent target, presumably because the ransomware affected critical operational systems, seriously disrupting the delivery of care, putting lives at risk and therefore adding pressure on senior management to pay the ransom and restore services quickly.
In November 2019, the double extortion innovation was used for the first time by the attackers delivering the Maze ransomware. In these attacks, the attacker steals confidential data from the systems before encrypting them. By doing so, the attacker is able to apply two levers of pressure on business leaders to pay the ransom: the removal of access to data, and the threat of public disclosure of confidential data with reputational and regulatory consequences.
A number of ransomware imitators have appeared over the years. We have seen fake-ransomware that simply presents a ransom note without bothering to encrypt any data; hoping the victims will pay no matter what.
WannaCry was self-propagating malware that spread around the world in May 2017. Although the malware did encrypt data, ransom payments were directed to a small number of shared bitcoin wallets, which left the attacker with little way to determine which victims had paid and to whom decryption keys should be released.
The June 2017 NotPetya malware, which masqueraded as ransomware, spread autonomously through networks. While it encrypted files and displayed a ransom note, it was a destructive attack: the unique ID in the note was unrelated to the encryption process, and the malware removed as well as encrypted critical data, making it unrecoverable even with the correct decryption key.
Ransomware is not just a financial crime. It harms everyone affected by the disruption of essential services. People unable to access vital data or to work are left anxious and stressed, while IT departments working to resolve the situation suffer additional stress and risk burnout. On a human level, inevitably some people lose irreplaceable data, such as photos of loved ones or projects to which they have dedicated many months or years of work.
The IT landscape in 2024 is very different from that of 1989 or 2004. Improved software engineering and patch management means it’s harder for ransomware to infect systems through unpatched web browser vulnerabilities. Conversely, the number of password breaches over the years, making potentially reused or easily guessable passwords available to criminals, means that increasingly the human user is the entry point.
We should not feel helpless in the face of ransomware. Law enforcement activity has arrested and charged several ransomware operators. Others who have avoided arrest have been subject to international sanctions. Infrastructure used to coordinate attacks and the cryptocurrency wallets used to collect payments have been seized. Antivirus detection has also advanced over the years; while some malware can bypass detection, modern endpoint protection software constantly looks for evidence of unknown programs attempting to encrypt files without permission.
The Achilles heel of ransomware is backups. Data that is saved and stored offline can be used to restore files that have otherwise been corrupted and lost, negating any need to pay the ransom to recover them. The success of ransomware over the past 35 years is also the story of the failure to widely adopt backups from which files can be restored.
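The behavioural check described above, watching for an unknown program that suddenly rewrites many files with high-entropy content and changes their extensions, is illustrated by the following added example. It is not code from the original article or from any endpoint protection product; the file events, process names, thresholds and the allow-list of known programs are all constructed assumptions for the demonstration. It also shows the classic false positive, an archiver writing many high-entropy files, and why the extension-change check matters.

```python
"""Behavioural ransomware heuristics over a constructed file-event stream.

Added example, not code from the original article. Everything here (events,
process names, thresholds, KNOWN_GOOD) is an assumption made for the demo.
"""
import math
import os
import random
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class FileEvent:
    ts: float            # seconds since monitoring started
    pid: int
    process: str
    path: str            # file being written
    new_path: Optional[str]  # set when the write also renames the file
    data: bytes          # content written (an EDR would only sample this)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for ciphertext or compressed data, much lower for text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


# Heuristic thresholds (assumptions; tune to the environment being monitored)
WINDOW_SECONDS = 10.0     # sliding window over each process's writes
MIN_FILES = 20            # distinct files touched inside one window
HIGH_ENTROPY = 7.0        # bits/byte above which a write looks encrypted
KNOWN_GOOD = {"winword.exe", "notepad.exe", "backup-agent.exe"}


def analyse(events: List[FileEvent], window: float = WINDOW_SECONDS) -> dict:
    """Per pid, summarise the busiest window: distinct files, high-entropy writes, extension changes."""
    by_pid = defaultdict(list)
    for ev in events:
        by_pid[ev.pid].append(ev)
    summaries = {}
    for pid, evs in by_pid.items():
        evs.sort(key=lambda e: e.ts)
        best = {"process": evs[0].process, "files": 0, "total": 0,
                "high_entropy": 0, "ext_changes": 0}
        end = 0
        for start in range(len(evs)):
            while end < len(evs) and evs[end].ts - evs[start].ts <= window:
                end += 1
            window_evs = evs[start:end]
            files = {e.path for e in window_evs}
            if len(files) > best["files"]:
                best["files"] = len(files)
                best["total"] = len(window_evs)
                best["high_entropy"] = sum(
                    1 for e in window_evs if shannon_entropy(e.data) >= HIGH_ENTROPY)
                best["ext_changes"] = sum(
                    1 for e in window_evs if e.new_path
                    and os.path.splitext(e.new_path)[1] != os.path.splitext(e.path)[1])
        summaries[pid] = best
    return summaries


def is_suspicious(summary: dict) -> bool:
    """Unknown program, many files, mostly encrypted-looking writes, and mass renames."""
    if summary["process"].lower() in KNOWN_GOOD:
        return False
    if summary["files"] < MIN_FILES:
        return False
    high_fraction = summary["high_entropy"] / max(summary["total"], 1)
    return high_fraction >= 0.8 and summary["ext_changes"] >= summary["files"] // 2


def flagged_processes(events: List[FileEvent]) -> list:
    return sorted((s["process"], pid) for pid, s in analyse(events).items() if is_suspicious(s))


def build_sample_events() -> List[FileEvent]:
    """Constructed event stream: a text editor, an archiver, and a ransomware-like process."""
    rng = random.Random(1)
    random_block = lambda: bytes(rng.getrandbits(8) for _ in range(4096))
    text_block = b"Quarterly sales figures, region north, revised draft.\n" * 40
    events = []
    # 1. A user editing a few documents over a minute: low entropy, no renames.
    for i in range(3):
        events.append(FileEvent(i * 20.0, 1001, "notepad.exe",
                                f"C:/Users/ann/notes{i}.txt", None, text_block))
    # 2. An archiver writing 25 high-entropy archives: not on the allow-list, looks
    #    "encrypted", but creates new files rather than rewriting and renaming originals.
    for i in range(25):
        events.append(FileEvent(100 + i * 0.2, 2002, "7z.exe",
                                f"C:/Backups/set{i}.7z", None, random_block()))
    # 3. An unknown process rewriting 30 user documents with random bytes and a
    #    new extension inside five seconds.
    for i in range(30):
        p = f"C:/Users/ann/Documents/file{i}.docx"
        events.append(FileEvent(200 + i * 0.15, 4242, "svchosts.exe",
                                p, p + ".locked", random_block()))
    return events


if __name__ == "__main__":
    for pid, s in analyse(build_sample_events()).items():
        print(pid, s, "SUSPICIOUS" if is_suspicious(s) else "ok")
```

Only the unknown process that both writes high-entropy data and mass-renames files is flagged; the archiver passes because it never renames the originals, and the editor never touches enough files in one window. In production the same signals come from a minifilter or EDR sensor rather than full file contents, and a flagged process would be suspended, not just reported.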
Looking to the future, it is unlikely that we will see the end of ransomware. Its profitability for criminals means that it is likely to continue to plague us for many years. It is also unlikely that it will remain the same. Criminals have shown remarkable inventiveness in devising new techniques and methods to improve their business model and evade detection of themselves and their malware.
However, the cybersecurity industry is equally innovative, constantly developing new tools and strategies to combat these threats. By staying informed, adopting robust security measures, and collaborating globally, we can mitigate risks and build a more resilient digital future.
This article was produced as part of TechRadarPro’s Expert Insights channel where we feature the best and brightest minds in the tech industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro