May 22, 2024

Last Updated on May 23, 2024

Ransomware has been a major threat to organizations worldwide for at least the past ten to twelve years. Not only have we failed to eradicate this familiar scheme—it’s now a bigger issue than ever.

This article gives a brief overview of ransomware’s evolution, its current definition, and future trends.


When was the first ransomware attack?

Most sources consider the first true ransomware attack to be the AIDS Trojan from 1989. A Harvard-educated biologist named Joseph Popp mailed 20,000 malicious floppy disks supposedly containing an HIV questionnaire to attendees of the 1989 World Health Organization AIDS conference.

Once in memory on a victim’s PC, the malware encrypted their files with a basic symmetric encryptor. This was quickly defeated, enabling most victims to avoid paying the ransom. The ransom demand was $189, to be paid by a cashier’s check or money order sent to a P.O. box in Panama.

Popp was apprehended but declared unfit for trial due to insanity. Still, he earned his place in history as “the father of ransomware.”


What is the current definition of ransomware?

According to Sagi Brody, CTO at Opti9 Tech, ransomware represents a major subset of cyber-attacks involving either of two basic attack patterns:

  1. Malware that gains access to a server, endpoint, or other asset, and encrypts or otherwise restricts it so you cannot access the asset or any data on it until you pay the ransom and receive the encryption key. This is the classic “crypto-locker” ransomware attack vector.
  2. An attack that gains access to intellectual property, customer data, or other sensitive data and exfiltrates it offsite. The hackers then extort a blackmail payment under threat of making the data public.


How has ransomware evolved?

While the ransomware concept has a long history, ransomware attacks remained uncommon until the emergence of cryptocurrency networks around 2012. This gave hackers an untraceable way to receive payment, making ransomware—along with many other cybercrime models—safer, simpler, and more profitable.

Beginning with CryptoLocker and its many clones in 2013, the modern ransomware model emerged, combining the benefits of cryptocurrency with more advanced encryption delivered from a command-and-control server. These more powerful threats quickly yielded millions in ransom payments, a far cry from early ransom demands in the hundreds of dollars.

Another ransomware refinement since around 2018 has been the addition of “big game hunting” attacks to the traditional automated attack model. Besides launching numerous attacks against small/random targets, ransomware groups began aiming targeted attacks at a few larger organizations, hoping to land a bigger overall payoff worthy of the extra effort.

Ransomware actors have also adapted their extortion techniques to increase pressure on victims to pay. For example, by exfiltrating high-value data and threatening to leak it in addition to encrypting the victim’s environment, hackers increase the potential damage to victims, improving their chances of a payoff.

Attackers may also make a third extortion threat, such as a distributed denial of service (DDoS) attack or media shaming assault. Other pressure tactics include threats to delete decryption keys or publish stolen data if a victim hires a professional ransomware negotiator or notifies law enforcement about an incident.

But perhaps the biggest evolution of ransomware in the past decade is the increased collaboration among groups in the “ransomware economy.” Many groups now specialize in different parts of the attack chain, from initial access brokers (IABs), who infiltrate the target’s network, to ransomware-as-a-service (RaaS) providers, who supply the attack infrastructure, to affiliates, who carry out the attack itself.


What are the potential impacts of today’s ransomware threats?

Today’s double and triple extortion models threaten to combine financial, operational, and reputational damages, such as:

  • Significant revenue loss following an incident
  • The financial loss of the ransom payment
  • Financial impacts from operational downtime—one of the biggest ransomware impacts
  • Loss of sensitive data, even after paying a ransom
  • Loss of time and money spent restoring systems and recovering from the attack
  • Legal costs from attorney fees, lawsuits, regulatory sanctions, etc.
  • Loss of employees due to layoffs, resignations, and/or turnover following a ransomware attack
  • Loss of executive and C-level talent in the fallout from an attack
  • A tarnished brand image leading to loss of current and future customers and business partners over months or years


Are ransomware attacks increasing or decreasing in frequency?

It is unknown how many ransomware incidents actually occur, because a high percentage of attacks are unreported.

According to SANS Institute research, threat intelligence data on successful ransomware attacks as leaked by the ransomware actors themselves is the best indicator of the ransomware problem’s true magnitude. These sources indicate a 73%-plus increase in ransomware attack frequency from 2022 to 2023.

Both established and new ransomware groups contributed to the increase, with about 17% of 2023 attacks being perpetrated by a group that was unknown in 2022. The industries most frequently victimized by ransomware include construction, healthcare, IT services, legal, higher education, financial services, and government.

These consistent patterns of increased effort and success on the part of attackers demonstrate that there is still plenty of money to be made through ransomware, and that current efforts to deal with this threat are not effective overall. Therefore, it is likely that today’s ransomware trends will continue to expand and accelerate, resulting in:

  • More attacks
  • More sophisticated and damaging attacks with a wider array of impacts
  • Larger extortion demands with more pressures on victims to pay

The ransomware deployment in a victim’s environment may be the final step in a months-long chain of activity that could be discovered and blocked. Improved detection and response capabilities along with effective backups are key to reducing ransomware risk.
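As an added illustration of the detection side (this is example code, not from the article or from Opti9 Tech), the script below runs a simple burst heuristic over constructed file-activity telemetry: it flags a process that renames many distinct files to the same new extension within a short window, the hallmark of the “crypto-locker” pattern described earlier. The log format, process names, window and threshold are all assumptions chosen for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
import os

WINDOW = timedelta(seconds=10)  # assumption: burst window for one process
THRESHOLD = 5                   # assumption: distinct files renamed per window

# Constructed sample telemetry (not real logs): "ts|pid|process|action|old_path|new_path"
SAMPLE_EVENTS = [
    "2024-05-22T10:00:01|4120|WINWORD.EXE|rename|C:\\Users\\a\\Documents\\~q1.tmp|C:\\Users\\a\\Documents\\q1.docx",
    "2024-05-22T10:00:09|4120|WINWORD.EXE|write|C:\\Users\\a\\Documents\\q1.docx|",
] + [
    # constructed crypto-locker burst: one process renames many files to one new extension
    f"2024-05-22T10:03:{10 + i:02d}|7788|updater.exe|rename"
    f"|C:\\Users\\a\\Documents\\file{i}.xlsx|C:\\Users\\a\\Documents\\file{i}.xlsx.lockd"
    for i in range(8)
]

def parse_event(line):
    ts, pid, proc, action, old, new = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "pid": int(pid), "proc": proc,
            "action": action, "old": old, "new": new}

def detect_bursts(lines, window=WINDOW, threshold=THRESHOLD):
    """Return {(pid, proc, new_ext): first_alert_ts} for every process that renames
    at least `threshold` distinct files to the same new extension within `window`."""
    recent = defaultdict(deque)  # key -> (ts, original path) pairs inside the window
    alerts = {}
    for line in lines:
        ev = parse_event(line)
        if ev["action"] != "rename":
            continue
        old_ext = os.path.splitext(ev["old"])[1].lower()
        new_ext = os.path.splitext(ev["new"])[1].lower()
        if not new_ext or new_ext == old_ext:
            continue  # extension unchanged: not the bulk "append .locked" pattern
        key = (ev["pid"], ev["proc"], new_ext)
        q = recent[key]
        q.append((ev["ts"], ev["old"]))
        while q and ev["ts"] - q[0][0] > window:  # drop events older than the window
            q.popleft()
        if key not in alerts and len({p for _, p in q}) >= threshold:
            alerts[key] = ev["ts"]
    return alerts

if __name__ == "__main__":
    for (pid, proc, ext), ts in detect_bursts(SAMPLE_EVENTS).items():
        print(f"{ts.isoformat()} ALERT pid={pid} {proc} mass-renamed files to '{ext}'")
```

The benign Word save (one temp-file rename) stays below the threshold, while the constructed burst is flagged on its fifth file, well before the remaining files are touched.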


What’s next?

For more guidance on this topic, listen to Episode 137 of The Virtual CISO Podcast with guest Sagi Brody, CTO at Opti9 Tech.