Ransomware Evolution

Since 1989, ransomware attacks have been a question of when, not if. Today, ransomware campaigns are surging globally and rank among the most widely used extortion tools in the cybercriminal arsenal.

There’s no denying that we live in times of a digital pandemic driven by ransomware, with a dire need to defend against attacks more efficiently than ever. Keeping your SIEM up to date with the latest compatible SOC content can feel like a never-ending task. To improve the maturity of their detection content, security engineers might use SOC Prime’s content mapped to the MITRE ATT&CK framework. And to improve the threat hunting experience and overcome data normalization limitations, Uncoder CTI allows remapping the default SIEM & XDR parameters to the specific data schema in use.

Even with the most innovative tools, there is no iron-clad protection against ransomware. Since this type of threat first surfaced in 1989, hackers have honed their skills and techniques, making ransomware attacks more costly and harmful. This article offers a rundown of the key milestones of ransomware evolution.

Dawn of Ransomware

Malware that locks users out of their devices or denies them access to their files until a ransom is paid has been causing trouble for more than 30 years. The first ransomware case was the 1989 AIDS Trojan, also known as PC Cyborg. The malware was created by biologist Joseph L. Popp, who mailed around 20,000 infected floppy disks titled “AIDS Information – Introductory Diskettes” to participants of the WHO AIDS conference in Stockholm. Once run from the diskette, the trojan installed itself on MS-DOS systems and, after the 90th reboot, encrypted all file names and hid directories. Victims were told to pay a ransom of $189.

Interestingly, the threat actor behind the attack promised to donate all the profits from this campaign to support AIDS research.

The 90s were a relatively calm decade on the ransomware scene. Nonetheless, the threat landscape never sleeps. A proof of concept published by Adam L. Young and Moti Yung in 1996 described a malicious program that used public-key encryption to lock devices, allowing adversaries to extort money from targeted users. This extensive research outlined the methods that set the scene for ransomware as we know it today.

New Horizons

The 21st century opened a new chapter in malware that holds its victims to ransom. New strains are found in the wild on an ongoing basis as cybercriminals tirelessly hone their technical and social engineering skills.

Ransomware remained relatively uncommon until the mid-2000s, when more advanced and hard-to-crack techniques, such as RSA encryption, came into common use. One strain in this category that used advanced RSA encryption was the Archiveus Trojan.

The Trojan surfaced in 2006. It was delivered by email as a bogus job application attachment. The malware used a 660-bit RSA public key to encrypt every file saved in a PC’s My Documents directory. As a ransom, victims were urged to purchase pharmaceutical products online. The Archiveus Trojan did not stay in circulation for long: researchers distributed decryption software so that victims could regain access to their files. The attack marks the beginning of what can now be called a ransomware pandemic with no foreseeable end. Another landmark event in the history of ransomware was an encryption Trojan dubbed GPCode. It emerged in June 2006, spreading via an email attachment and likewise using a 660-bit RSA public key. It looked much like its predecessor but was more disruptive: GPCode encrypted files beyond the My Documents folder.

Other ransomware strains circulated alongside GPCode and its numerous variants, built to lock users out of their infected devices without using encryption at all. By 2010 the threat actors behind the GPCode attacks had moved to a more complex 1024-bit RSA encryption. Such algorithms became the gold standard that prevails in ransomware to this day.

Another crucial milestone in the evolution of this prominent cyber threat coincides with the rise of anonymous payment services. Researchers report that 30,000 new ransomware samples were detected in the first two quarters of 2011, a figure that grew to a record 60,000 by the end of the third quarter.

The last decade has been characterized by ransomware becoming an ever more widespread threat. Adversaries approach malware crafting and attack planning with utmost diligence, expanding the map of these high-dollar crimes at high speed.

A number of revolutionary ransomware campaigns marked the beginning of a new, harsher reality for the cybersecurity industry. Many attacks that made international headlines affected hundreds of thousands of machines globally, causing billions of dollars in damages. To name a few: the infamous WannaCry of 2017 and a Russia-linked AI-powered cyber weapon dubbed NotPetya brought new challenges to professionals operating in the threat landscape.

Wrapping up

Nowadays, ransomware has become a cash cow for cybercriminals, and it is here to stay. Ransomware attacks are now highly technological and thoroughly planned offenses that put individuals and businesses of all sizes at risk. However, forewarned is forearmed, so keep your finger on the pulse of constantly evolving threats to boost your company’s defense capabilities and not become a sitting duck for ransomware actors.

Interesting Related Article: “Cybersecurity Experts Weigh-In on Preventing & Surviving Ransomware Attacks”