The transformation of ransomware

Yossi Naar at Cybereason describes the evolution of ransomware into a highly sophisticated threat, and explains how organisations can protect themselves from it.

Ransomware appears to be inescapable in today’s day and age, affecting thousands of organisations worldwide.

It was estimated that a new ransomware attack occurred every 11 seconds over the course of 2021. This rate converts to approximately 3 million attacks in a single year. Of course, headlines have brought our attention to strikes against Colonial Pipeline, Kaseya and the Irish Health Service Executive (HSE) etc.

Yet, what we hear in the news only just scratches the surface of this criminal enterprise. Indeed, organisations globally are anticipated to lose as much as $265 billion by 2031. That’s roughly 11% of the UK’s GDP today, and about the size of Romania’s current GDP.

The unlucky organisations who have been hit have experienced critical repercussions to the business as a result: From revenue losses and damage to the company brand, to unplanned workforce reductions and in some cases, the closure of business altogether.

If we are to understand our present predicament and better navigate these terrains moving forwards, we need to look back. We need to see just how the threat has evolved and transformed over time.

The origins of ransomware

The computer virus emerged back in 1983 when Fred Cohen, a University of Southern California graduate student, inserted his proof-of-concept code into a system to gain control of it. Yet, it wasn’t until six years later that a new type of malware appeared, one that would encrypt files or render them unusable until a ransom had been paid.

The first documented case of ransomware took place in December 1989. Attendees of the World Health Organisation’s international AIDS Conference in Stockholm, from across 90 nations, started to receive floppy disks. These disks purported to have a questionnaire that could help determine the risk that a patient might contract AIDs. Twenty thousand disks were eventually distributed, all of which were infected with a virus that hid directories and locked file names once loaded onto a computer. In order to restore access, the victims were asked to send US$189 to a P.O box in Panama.

Behind this operation was Harvard-educated evolutionary biologist, Dr Joseph Popp, who was arrested at his parents’ home not long following the attack. Once extradited to the UK, he faced ten charges of extortion and criminal damage for unleashing what’s come to be known as the ‘AIDS Trojan’.

Threat actors ‘Locked Out’ with new variants

It then took nearly two decades before threat actors launched the first locker ransomware variants. Researchers at Kennesaw State University found that early adaptations targeted users in Russia by ‘locking’ victims out of their machines, keeping them from executing basic computer functions like using the keyboard and mouse.

An ‘adult image’ was then displayed on the screen of the infected computer, and victims were instructed to call a premium-rate phone number or send an SMS to meet the attacker’s ransom demand.

From locker to CryptoLocker

In 2013, a new ransomware threat appeared dubbed ‘CryptoLocker’. CryptoLocker would install itself into the ‘documents and settings’ folder of Windows computers, before ultimately, connecting to a command and control server; through which cyber criminals could send their malicious commands. From here, an asymmetric encryption method is employed.

To put it simply, a public-private key pair is created: a public key for encryption and a private key for decryption – both of which are linked. Typically, the public key is shared with the sender of sensitive information, while the recipient would maintain possession of the private key. But in this case, both keys are held by the threat actor.

They would scan the affected device for documents, spreadsheets, images and other files, to encrypt using the public key. Once completed, a message would inform the victim of a 72 hour timeframe in which they would need to pay up a ransom of US$300 – petty cash when compared to the tens of millions demanded today.

This was just the beginning for CryptoLocker though, as the FBI believed victims had paid up an estimated US$27 million to CryptoLocker operators by the end of 2015.

Targeted attacks

Until 2018, ransomware attacks were largely indiscriminate, targeting anyone and everyone they could. Following this, however, the FBI began to notice a decline as ransomware gangs seemed intent on hitting businesses. Specifically, state and local governments, industrial companies, transportation organisations and healthcare entities.

By striking larger organisations, with highly valuable data and a critical role to society, ransomware groups upped the ante and could simultaneously, hike ransom demands.

We’ll encrypt your files…and leak them too

One of the pivotal moments in the evolution of ransomware is the debut of ‘double extortion’. Over time, most organisations had caught on to the tactics of ransomware and were learning the importance of backing up all files and data. But when we adapt, so too do the cybercriminals.

Towards the end of November 2019, the Maze ransomware group managed to breach a security staffing company. However, before deploying ransomware, they stole company information in plaintext and proved this by sending a sample of the files stolen to the victim, along with leaking 700MB of data online.

This strategy offered the criminal group an advantage. Even though, organisations might be able to restore their data and files through the backup strategy, they would not be able to reverse data theft. Therefore, returning the victim back to the same dilemma but twice as bad: pay the ransom or lose access to your files and risk seeing those files leaked to the public.

It’s a tactic that will continue to be embraced in years to come.

The sophistication of ransomware

Unlike the “spray and pray” mass email spam campaigns conducted in the past to bait individuals into clicking on an infected link or downloading a corrupt file – both popular points of malware entry - today attacks have become stealthier and more complex. Ransomware itself has become its own economy within the larger market of cyber crime, and there exists multiple players all with their own specialisations.

For instance, Initial Access Brokers (IABs) help in the preparation stages of an attack by infiltrating the network, and moving laterally to affect as much of the organisation as possible when malware is finally deployed.

Conversely, Ransomware-as-a-service (RaaS) operators are those who provide the attack infrastructure which affiliates can use to actually carry out the attack. Tied with multiple extortion techniques and we have ourselves a new form of ransomware: RansomOps.

In fact, some groups like the Grief ransomware gang, are going so far as to threaten to delete a victim’s decryption key should they bring someone in to help negotiate the ransom down; A development following on from RagnarLocker group’s threat to publish a victim’s data if the FBI or local law enforcement is notified of the infection.

Not all hope is lost

This general overview has shown us just how far ransomware has come from when it was delivered via floppy disks, and ransom demands were in the low hundreds. Now it can seem like an impossible task to protect oneself from the possibility of an attack.

Yet, it is important to remember that the ransomware itself is not typically deployed until the very end of a much larger RansomOps campaign. This means there are weeks or even months of detectable activity during which the attack can be circumvented, before experiencing any severe impact. You just need to know where to look.

The best way to do so is by adopting technologies that leverage behavioural signals to detect unique attacks, surfacing them earlier on in the kill chain. The sooner they are detected, the better. Fortunately, defenders increasingly have a range of powerful solutions at their disposal to effectively combat the attackers.

Yossi Naar is Chief Visionary Officer and Co-founder, Cybereason

Main image courtesy of iStockPhoto.com