More than 30 years after the AIDS computer virus spread via infected floppy disks, ransomware has taken the world by storm. But echoes of that first attack can still be heard today.
Ransomware's steep rise over the past few years turned a once-obscure online threat into a household name. Since the beginning of the COVID-19 pandemic, it has made its way into news headlines almost daily. And, with attacks hobbling everything from local governments and hospitals to gas stations, it is a concern not just for businesses and governments, but for everyday people.
In 2020 alone, there were 304 million ransomware attacks, a 62% increase from the year before. And there’s good reason to believe that trend is continuing. By one measure, ransomware attacks tripled in the first three months of 2022 compared with a year earlier, with ransomware attacks in the first half of the year on track to eclipse those that occurred in 2021.
The question is "why"? Yes, ransomware attacks are profitable. But understanding ransomware’s rise is not as simple as looking at reports of ransoms paid, nor a timeline of attacks. Instead, it requires a deep understanding of several influencing factors.
Technological advancement: a double-edged sword
In the scope of human activities, cybercrime is not "old" by any means. But the meteoric rise of computer-based crime as a phenomenon in the last three decades correlates with the rise of the Internet and technology more broadly. Looking at the Internet alone, the number of users increased from only 413 million in the year 2000, to over 3.4 billion in 2016. This enormous increase in the number of users has swelled the population of would-be victims, allowing cybercriminals to target people and organizations in all walks of life, in a variety of ways and at great distances.
Ransomware, as a distinct form of cybercrime, is almost as old as cybercrime itself. In fact, we have to look back more than 30 years to find the first attempt at what we now consider to be ransomware.
A (computer) virus, some floppy disks and an mailbox in Panama
The year was 1989, and the AIDS epidemic was in full swing, garnering international attention and concern. One scientist, named Joseph Popp, created a computer-based questionnaire that he claimed would help determine a patient’s risk of contracting AIDS. He then distributed it on 20,000 floppy disks to researchers from 90 countries who had gathered at an international conference on AIDS.
But Popp's floppy disks actually contained something much different: a computer virus, subsequently dubbed AIDS, that encrypted data stored on computer hard drives and displayed a message demanding $189 be mailed to Panama to unlock them.
It was the first, documented "ransomware attack," in which software was used to extract a ransom from a victim. Popp's campaign fell short, however. The spread of the AIDS malware was held back by a number of obstacles. Among them: the lack of an effective spreading mechanism, as well as the complication of completing a ransom payment using analog means (the postal service).
More than three decades later, however, cybercriminals have taken full advantage of modern technology to make this type of crime easier to carry out, as well as more profitable.
Unlike the late 1980s, almost every organization today is connected to- and heavily reliant on the Internet to function. Now ubiquitous technologies like email and remote access technology, as well as cloud-based infrastructure and applications provide ample opportunities for malicious actors to gain access to sensitive corporate IT environments. As a result, modern ransomware attacks are multi faceted and stealthy: leveraging clandestine access to victim networks and, often, "living off the land" by using dual-purpose administrative tools to expand attackers reach within- and control over sensitive IT assets like domain controllers. The ransomware, when it is deployed, is a coup de grace: the final act in a long term campaign that often includes collection and theft of sensitive data.
As for payments, whereas the AIDS attack in the late 1980s asked victims to mail $189 in cash to an address in Panama, the advent of cryptocurrencies in the last decade and a half has been a boon for ransomware operations as well as other forms of cyber attacks. Rather than trying to game commercial cash transfers on closely monitored banking networks or money wires like Western Union, cybercriminals have taken advantage of the decentralized and (mostly) anonymous nature of cryptocurrency networks to streamline payments and quickly "cash out" after a successful operation.
Pandemic fuels cyber attacks
Despite being outdated, Joseph Popp’s operation from thirty years ago still resonates today. For example, as with his AIDS survey lure, cybercriminals are still using real-world problems to further their activities. For Popp, anxiety about the AIDS epidemic and victims' curiosity (about his computer-based survey) were effective lures to trick researchers into loading his floppy disk and installing the AIDS trojan on their computers. For cybercriminals today, the COVID-19 pandemic has been used to exploit people and organizations.
The difference today: cybercriminals have advanced their operations at least tenfold since the start of the COVID pandemic, and the attack possibilities for cybercriminals are more far reaching. Cybercriminals have, for example, set their sights on critical infrastructure, something far beyond Popp's wildest imaginings. For example, the Darkside ransomware gang attacked the Colonial Pipeline, a major fuel line that runs along the eastern seaboard of the U.S. The attack, on Colonial's IT environment, still resulted in the shutdown of the pipeline as Colonial scrambled to pay the attackers and remove the malware from their network. That, in turn, led to panicked buying of gas, especially in the southern U.S.
Fast evolving business models
In fact, the early to mid-2010s saw the rapid growth of ransomware schemes, as cybercriminals carried out ransomware attacks on smaller targets, more often than large organizations. In a Mimecast study, it was found that the average ransomware payment for U.S. victims was more than $6 Million in 2021. The dollar amount demanded by cybercriminals has greatly increased, because these criminal operations have discovered within the last 5 years that targeting larger organizations is most profitable.
The growth of ransomware as a criminal activity also brought about changes in ransomware operations designed to support high volumes of activity. For example, groups in recent years have embraced the ransomware-as-a-service (RaaS) model, relying on third party affiliates within the cybercriminal community to identify and hack victims. This kind of "franchise" model has allowed ransomware gangs to work smarter, not harder. These days, carrying out ransomware attacks typically involves coordination among multiple parties and requires the selling and renting of tools that have been perfected by cybercriminals, rather than a single entity performing an entire attack on their own.
And that evolution continues as the "business environment" for ransomware groups changes. For example, in Episode 2 of ConversingLabs, our podcast, Yelisey Boguslavskiy, Head of Research at AdvIntel noted that Conti has shifted within the past year away from the ransomware-as-a-service model to one that is more centralized. "They don’t want to rely on others,” he said. That strict focus on the bottom line has allowed Conti to stay in the field as one of the most active ransomware groups, even during a year in which law enforcement has started to come down hard on these groups.
Law enforcement comes knocking
Over all, life has become tougher for ransomware gangs. Governments this past year began taking measures to hold cybercriminals accountable for their actions. For example, the U.S. Justice Department seized $2.3 million in cryptocurrency paid to affiliates of the Darkside ransomware group, the same group that attacked Colonial Pipeline.
Also in the U.S., the DOJ and FBI said they arrested a reputed author of the REvil ransomware. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has also taken steps to mandate reporting procedures and response efforts through their Stop Ransomware initiative. These actions are making it clear that ransomware criminals can no longer count on anonymity, nor stay outside the reach of the long arm of the law.
Context matters
While ransomware is still an active problem today, the effort to properly defend against it has strengthened as we have learned more about how ransomware gangs work. As the fight against ransomware continues, it will be essential to pay attention to the various factors that have helped ransomware thrive over the past three decades and become what it is today.
Keep learning
ReversingLabs continues to analyze how technology advances and uncover the aspects of successful ransomware and ransomware campaigns that will aid defenders in blocking ransomware attacks.
Here are a number of useful resources to educate you about the threat posed by ransomware:
Keep learning
- Learn how to do more with your SOAR with our Webinar: Enhance Your SOC With Threat Intelligence Enrichment.
- Get schooled by the lessons of Layer 8: See Dr. Jessica Barker on The Human Elements Driving Cyber Attacks.
- Go deep on e-discovery with our Webinar: Strengthening Malware Defenses in Legal Firms.
Explore RL's Spectra suite: Spectra Assure for software supply chain security, Spectra Detect for scalable file analysis, Spectra Analyze for malware analysis and threat hunting, and Spectra Intelligence for reputation data and intelligence.