The ransomware threat is nothing new. Though it really got going around the mid-2010s, cyberattacks in which malicious actors encrypt files and demand payment to render them accessible again have been launched for over thirty years.
Recently, however, the nature of the battle against ransomware has changed: defenders must contend with greater attack volumes, higher ransom demands, and more sophisticated strategies for disseminating malware across IT environments — as well as more widespread activity. Because ransomware attacks continue to be highly lucrative for criminals, it’s unlikely that this trend will reverse itself anytime soon.
The Evolution of the Current Ransomware Threat
The first known ransomware attack took place in December 1989. Delegates who attended the World Health Organization’s AIDS conference that year were sent floppy disks containing malicious code that installed itself onto MS-DOS systems and eventually encrypted filenames, rendering the affected systems basically unusable. Victims were instructed to mail payment to the “PC Cyborg Corporation” at an address in Panama in order to regain access to their files.
As you might imagine, this early attack wasn’t enormously successful. Not only was postal mail an inefficient means of collecting payment, but the encryption methods used by the trojan were weak, so security researchers were able to develop a decryption tool, which they quickly released to the public.
For all its failures, the AIDS Trojan/PC Cyborg attack did unwittingly provide a blueprint for the next generation of attackers of what to avoid and what to do better, in order to achieve their objectives.
Newer generations of ransomware included public-key cryptography (ensuring that decryption keys didn’t have to be embedded in the malware), effective means of gaining initial access to victim environments, and easily disseminating ransomware across an organization’s I.T systems, and a solid strategy for collecting anonymous cross-border payments.
With the rise of Bitcoin and other cryptocurrencies in the early 2010s, the stage was set for ransomware to become the constant and growing threat that it is today. CryptoLocker, which propagated via spam and phishing attachments, targeted home computer users, used strong public-key cryptography and demanded payments in Bitcoin, began to propagate in 2013. By 2015, the FBI reported that there had been more than 1,000 victims of CyptoLocker, with collective total losses that exceeded $18 million.
The modern ransomware era — in which malware spreads widely, attacks are high-profile, ransoms are often in the millions of dollars, and victims are pressured to pay up right away — arguably began with the WannaCry ransomware attack in 2017. Exploiting a Microsoft Windows vulnerability for which a patch was already available, WannaCry eventually infected more than 230,000 computers in over 150 countries, making Bitcoin payment demands in 20 different languages. WannaCry’s perpetrators demanded only $300 per infected machine. We’ll likely never know if WannaCry was truly intended to collect ransoms from all infected victims, if the malware was released prematurely, or if it was simply intended to cause mass disruption. However, Wannacry was clearly designed by nation-state-level attackers attempting to do damage on a massive scale. Wannacry’s authors incorporate extremely effective and stable remote code execution exploits and wrote the ransomware to spread across networks automatically. Since then, we’ve seen many ransomware actors build these “worm” like functionalities into their malware to effectively infect an entire organization quickly.
Scaling Up: Ransomware-as-a-Service Emerges
Over the last few years, ransomware operators have looked to legitimate software developers for a new business model. As Software-as-a-Service (SaaS) became popular, criminals began supplying access to ransomware toolkits to anyone who wanted to build their own ransomware extortion “business”. These Ransomware-as-a-Service (RaaS) kits made it possible for would-be criminals with little technical skill or expertise to launch ransomware attacks, as long as the RaaS operators get a cut of the ransom. The kits are widely advertised and marketed on the dark web, where everyone from organized cybercriminal groups to individuals can purchase them. Just like regular SaaS, RaaS can include 24×7 user support, additional bundled offers, and access to user reviews and community forums. And the prices for access are relatively low, ranging from $40 to several thousand dollars a month or simply a percentage commission on any ransomware payments received.
With the average ransom demand in late 2020 reaching a new high of $847,344 — and continuing to trend upwards — it’s easy to see how this cost model would be advantageous for criminals. After all, only a small portion of the attacks need to succeed in order for the attacker to generate significant revenue.
The broad global adoption of cryptocurrencies facilitates both the sale of RaaS kits and the collection of payments from victims. Meanwhile, ransomware development is becoming more and more professionalized and is operating on an industrial scale. RaaS operators continue to reinvest their earnings into more reliable exploits, into software developers who are tasked with quickly integrating the latest attack tooling and methods. This enables ransomware cybercriminals to gain initial access to victim environments by leveraging the latest exploits, improved techniques for orchestrating lateral movement, and better ransomware deployment capabilities overall. Criminal groups are also offering pre-established access to a victim’s network in exchange for a percentage of the final ransom payment. This gives less-skilled criminals access to greater numbers of potential victims, and better-resourced groups the advantage of scale.
How to Prevent Ransomware as It Continues to Rise.
Over the coming months and years, it’s all but certain that ransomware attacks will continue to increase in frequency, severity, impact, and economic cost. If the opportunity remains, criminals will take advantage of it. As long as companies continue to pay ransoms rather than face the catastrophic business and operational consequences of extended downtime, there’s no end in sight. Every time that a victim pays up, it feeds the criminals’ incentive to perpetrate further attacks.
Far too many organizations still fail to master the basics of cybersecurity hygiene, including maintaining ongoing visibility into their asset inventory, managing vulnerabilities, and reducing the attack surface. Particularly because RaaS makes it possible for less-sophisticated threat actors to perpetrate large volumes of attacks, it’s very common for attackers to exploit relatively simple mechanisms to gain initial access to the environment where they’ll deploy the ransomware.
What’s more, in today’s world criminal-friendly payment methods are readily available. It’s possible to collect anonymous payments in multi-million-dollar amounts, and cybercriminal groups based in Eastern European countries do so on a regular basis. Though attribution is always a challenge, it appears that some nation-state actors are affiliating themselves with these organized criminal groups as ransomware attacks become part of the global geopolitical cyber battlefront.
Despite the best efforts of law enforcement and government agencies, these criminal groups continue to operate with impunity. Because they’re located in jurisdictions where they have tacit or explicit protection from governments and local authorities, it’s extremely difficult to stop them.
And as growing numbers of high-profile attacks attract media attention, they continue to invite copycats to imitate them. The Colonial Pipeline attack, for instance, drew the entire world’s notice when it successfully brought the fuel supply to the eastern United States to a halt. Soon afterward, the Kaseya supply chain attack demonstrated the enormous scale of the impact that such attacks can have.
In the wake of these events, it’s likely that we’ll see increasing government intervention, including new regulations and disclosure requirements. Meanwhile, insurers are increasingly opting out of covering this risk or demanding high premiums.
It’s incumbent upon all organizations to limit their risk exposure by developing and implementing a cyber risk management program that’s rigorous and quantitative in nature. Without this — and a strong foundation of security hygiene, incident response planning, and putting appropriate controls in place — the financial consequences will eventually become too grave to bear.