Ransomware Rewind: A trip to our roots

By David Higgins, EMEA Technical Director, CyberArk
David Higgins, EMEA Technical Director, CyberArk, explores the beginning of ransomware right up to what is happening today

The idea of attacking computers is almost as old as computers themselves and, following the first computer viruses, ransomware took its first baby steps via floppy disks in the late 80s. Today it is a fully fledged career-focused adult, making enough waves to make it on a 30 under 30 list, albeit for troublemakers. Taking a look at how we got here will help us to understand what it takes to stay one step ahead of the game.

Start at the beginning

In 1989, twenty thousand floppy disks were distributed to researchers across 90 countries, supposedly containing a questionnaire that could help determine patients’ risk of contracting AIDS. Instead, file names were encrypted on infected computers, and users were instructed to mail payment to regain access to their digital content. It was basic, but it worked. Dubbed the AIDS Trojan, it is widely considered to be one of the first ransomware attacks in history.

Despite becoming a common method of attack, the word “ransomware” didn’t really take hold for another 20+ years. The concept of ransomware worked its way into general knowledge around the same time as Bitcoin arrived on the scene, allowing payments to be made outside of the watchful eyes of governments or banks. Criminals quickly cottoned on to it as a way to extort ransoms anonymously without getting caught.

If those early floppy disk attacks were primitive in execution, the next step up came from a ransomware strain called CryptoLocker. When launched, it spread rapidly across more than 250,000 computer systems via malicious email attachments. It introduced stronger encryption methods, demanded crypto payments in exchange for a decryption key and threatened to delete the key if payments weren’t made by a set deadline. When it was eventually taken down by police, copycat criminals began launching their own ransomware trojan attacks using CryptoLocker as a model.

Carpe diem, or at least put it up for ransom

Inevitably for any successful money-making scheme, ransomware only became more popular over time. By 2015, the FBI had received 2,453 ransomware-related complaints totalling more than US$24mn in damages, and those were just the reported U.S. cases.

The emergence of plug-and-play ransomware-as-a-service kits then made attacks even easier, ushering in a new wave of opportunistic attacks at the hands of novice attackers.

Seeing easy money, these attackers relied heavily on “spray and pray” tactics such as phishing, social engineering and exploit kits to target as many organisations and systems as possible, seen most prominently in the 2017 WannaCry outbreak. In yet another evolution, WannaCry could self-replicate too. Anti-virus systems and patching alone couldn’t stop the ransomware from impacting more than 10,000 organisations and 200,000 individuals in over 150 countries.

Attackers continued to hone their techniques, discovering they could extort victim organisations more than once: first for the decryption key, and second to prevent stolen corporate data from being leaked publicly.

Double extortion caught on like wildfire and remains popular today. ThreatPost reported that double extortion ransomware damage skyrocketed by 935% in 2021 alone. And, as attackers continue to evolve, some have added a third extortion layer by threatening further cyber attacks if their payment demands go unmet.

Ransomware today: Strong, innovative, and looking to the future

The last few years have seen ransomware shift from a cyber threat to a real-world threat as attackers started to target those who simply couldn’t afford to wait out an attack: healthcare facilities, for example. Last year, 81% of UK healthcare organisations faced a ransomware attack, with 38% reporting they paid the ransom, and 44% reporting that they refused – but lost their essential healthcare data.

Big money has attracted skilled attackers, with many attacks today led by highly skilled operators using customised methods to reach their goals. After compromising identities to breach an organisation, they move and escalate privileges strategically and “live off the land” while learning the ins and outs of the environment. Along the way, they look for ways to disrupt backups, delete shadow copies and unlock files. All of this is background work, hidden in the shadows – only once they are well prepared to wreak maximum damage do they reveal themselves with ransomware released from the inside, often followed with crippling double-extortion threats.
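The backup disruption and shadow-copy deletion described above are the quiet preparation phase that defenders can still catch before the ransomware detonates. The following is an added example, not code from the article or from CyberArk, showing how a small detector might work: it reads process-creation events in a constructed, hypothetical log format, flags commands that delete shadow copies or backup catalogues or stop a backup service, and then escalates a host on which several distinct tampering actions cluster inside a short window. The event format, host names, user names and the service name `AcmeBackupSvc` are all assumptions made up for the sample.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample events in a hypothetical format:
#   "<ISO time> host=<host> user=<domain\\user> cmd=<command line>"
# These lines are made up for the example; they are not taken from the article.
SAMPLE_EVENTS = [
    r"2023-09-01T02:11:04Z host=FS01 user=CORP\svc_backup cmd=C:\Backup\agent.exe --schedule nightly",
    r"2023-09-01T02:13:27Z host=FS01 user=CORP\jdoe cmd=vssadmin.exe delete shadows /all /quiet",
    r"2023-09-01T02:13:31Z host=FS01 user=CORP\jdoe cmd=wbadmin.exe delete catalog -quiet",
    r"2023-09-01T02:14:02Z host=WS42 user=CORP\asmith cmd=notepad.exe C:\Users\asmith\notes.txt",
    r"2023-09-01T02:15:45Z host=FS01 user=CORP\jdoe cmd=net stop AcmeBackupSvc",
    r"2023-09-01T02:20:00Z host=DB01 user=CORP\svc_backup cmd=vssadmin.exe list shadows",
]

EVENT_RE = re.compile(r"^(?P<time>\S+) host=(?P<host>\S+) user=(?P<user>\S+) cmd=(?P<cmd>.*)$")

# Each rule names the backup-tampering behaviour it looks for. Listing shadow
# copies (a normal backup-agent action) deliberately does not match.
RULES = [
    ("shadow_copy_deletion", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("shadow_copy_deletion", re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("backup_catalog_deletion", re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b", re.I)),
    ("backup_service_stopped", re.compile(r"\b(net|sc)(\.exe)?\s+stop\b.*backup", re.I)),
]


@dataclass
class Finding:
    time: str
    host: str
    user: str
    rule: str
    cmd: str


def parse_event(line):
    """Return the event fields as a dict, or None if the line is not in the expected format."""
    m = EVENT_RE.match(line.strip())
    return m.groupdict() if m else None


def flag_backup_tampering(events):
    """Return one Finding per event whose command line matches a tampering rule."""
    findings = []
    for line in events:
        ev = parse_event(line)
        if ev is None:
            continue
        for rule, pattern in RULES:
            if pattern.search(ev["cmd"]):
                findings.append(Finding(ev["time"], ev["host"], ev["user"], rule, ev["cmd"]))
                break  # one finding per event is enough
    return findings


def _ts(iso_time):
    # datetime.fromisoformat() on older Pythons does not accept a trailing "Z".
    return datetime.fromisoformat(iso_time.replace("Z", "+00:00"))


def escalate(findings, window_seconds=300):
    """Per host: 'high' when two or more distinct tampering rules fire inside the window,
    otherwise 'medium'. A lone shadow-copy deletion may be routine maintenance; a cluster
    of different backup-destroying actions is the pre-detonation pattern."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f.host, []).append(f)
    verdicts = {}
    for host, fs in by_host.items():
        fs.sort(key=lambda f: _ts(f.time))
        span = (_ts(fs[-1].time) - _ts(fs[0].time)).total_seconds()
        distinct_rules = {f.rule for f in fs}
        verdicts[host] = "high" if len(distinct_rules) >= 2 and span <= window_seconds else "medium"
    return verdicts


if __name__ == "__main__":
    found = flag_backup_tampering(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.time} {f.host} {f.user} [{f.rule}] {f.cmd}")
    print(escalate(found))
```

Run against the constructed events, the detector flags the three tampering commands on FS01 and rates that host “high”, while the backup agent’s own `vssadmin list shadows` on DB01 and the editor on WS42 produce nothing. In a real deployment the same logic would sit over the EDR or Sysmon process-creation feed, with an allow-list for the accounts and hosts that legitimately run backup maintenance.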

Ransomware gangs continue to evolve, just as ‘regular’ organisations do. With our recent research showing that 70% of organisations faced at least two ransomware attacks last year, it’s essential to know how to stay ahead. Defending against constantly evolving tactics, techniques and procedures is a formidable challenge. Instead of trying to keep determined and often well-resourced ransomware actors out, it’s often about reversing your gaze and working to protect critical endpoints and systems from the inside out. A good understanding of the mind of an attacker is key to outsmarting them at their own game.
