The History of Ransomware: Past, Present, and Future

Ransomware is one of the few cybersecurity threats that have become part of common vocabulary.

A day doesn’t go by when we don’t read news about a ransomware attack preventing an organization from operating or causing harm to our infrastructure. But it wasn’t always like this.

Ransomware is a relatively young threat—at least its current form is—and understanding the origins of ransomware and how it evolved to become a dominant type of malware over the last decade or so can help us understand its future and prepare for it in time.

A Brief History of Ransomware Attacks

Ransomware is defined as a type of malicious software, or malware for short, designed to block access to a computer system until a sum of money is paid. The first malicious software that fits this definition was created in 1989 by Harvard-taught evolutionary biologist Dr. Joseph Popp.

Popp’s ransomware is commonly referred to as the AIDS Trojan because it was distributed on floppy disks titled “AIDS Information Introductory Diskette.” Because the internet was still in its infancy, Popp distributed his malicious software by sending the floppy disks to addresses obtained from a mailing list.

After infection, AIDS would sit dormant until the infected computer was booted for the 90th time since the initial infection.

It would then hide directories and encrypt the names of all files on the main system drive, rendering the computer unusable.

Finally, the ransomware would display a message with payment instructions, requesting the victim to send $189 to a post office box in Panama.

Because the AIDS Trojan only encrypted file names—not files themselves—it can be described as proto-ransomware. The first malicious software utilizing proper encryption algorithms to make files inaccessible started to appear in the wild in 2005.

One notable example is PGPCoder (GPCode), which successfully implemented RSA 1024-bit encryption to render brute force decryption attempts useless. The victims of PGPCoder were asked to pay a ransom of $100–200 to an e-gold or Liberty Reserve account to regain access to their data.

While effective, the reach of PGPCoder and other early ransomware strains was limited. That changed with Reveton in 2012. Its widespread distribution network, and the fact that it exploited commonly used web browser plugins, allowed it to successfully target a large number of victims, many of whom decided that paying the ransom is better than the alternative.

Later versions of Reveton switched from MoneyPak to then emerging peer-to-peer payment technology called Bitcoin. Other ransomware creators quickly realized the benefits of using the somewhat anonymous decentralized digital currency to receive ransom payments, and modern crypto-ransomware was born, with CryptoLocker being the most prominent example for that era.

Trend Micro and other cybersecurity software companies that monitor the evolving threat landscape often state the 2016 was the year of ransomware because the number of discovered ransomware families climbed up to 247, an increase of 752 percent compared with 2015.

5 Ransomware Attacks that Made History

Here’s a short list of some of the most noteworthy ransomware attacks discovered between 2016 and now:

• Petya (2016): The primary target of the Petya ransomware attack was Ukraine, with Germany being the second hardest hit. Instead of encrypting individual files, Petya encrypts the file tables that store information about the location of files and directories on the infected storage device.
• WannaCry (2017): It’s estimated that the WannaCry ransomware attack infected as many as 300,000 computers internationally in over 150 countries. The included ransom notice demanding a payment of $300 in bitcoin was even translated into 20 different languages.
• SamSam (2018): Many ransomware strains are distributed using low-skill techniques like phishing, but not SamSam. This ransomware attack spread by exploiting vulnerabilities on poorly secured servers running JBoss (now WildFly), an application server that’s currently developed by Red Hat.
• RobbinHood (2019): The RobbinHood ransomware is single-handedly responsible for the Baltimore ransomware attack of May 2019, which prevented more than 500,000 residents from performing many routine tasks, including pulling home titles in order to complete real estate sales.
• DarkSide (2021): By bypassing User Account Control (UAC) in Windows, DarkSide ransomware was able to shut down Colonial Pipeline, the 5,500 miles long pipeline that carries 45 percent of the fuel used on the East Coast of the United States.

What all these ransomware attacks have in common is the high cost of recovery, which is one reason why ransomware is now widely considered to be one of the most (if not the most) dangerous cyber threats out there.

The Current State of Ransomware

In its “The State of Ransomware 2021” survey, Sophos reveals that the average total cost of recovery from a ransomware attack has reached $1.85 million, up from $761,106 in 2020.

The steep growth of ransomware recovery costs is driven by two main factors:

• Continued digital transformation of organizations of all sizes: The pandemic has accelerated digital transformation across most industries as consumers moved toward online channels, forcing organizations to take advantage of available IT solutions. It’s estimated that organizations worldwide now use on average 110 Software as a Service (SaaS) applications. Together with Platform as a Service (PaaS) and Infrastructure as a Service (IaaS) solutions, they give organizations the agility they need to embrace new hybrid work arrangements and flexibly adjust infrastructure as needed.
• Increasing sophistication of ransomware attacks: Long gone are the days of the AIDS Trojan and its fairly primitive approach to file name encryption. Ransomware creators today use a combination of sophisticated tactics to make the malicious software they produce harder to detect and more capable of causing real damage. In fact, ransomware attacks have become so sophisticated that more than half of IT decision-makers surveyed by Sophos believe they are now too advanced for their IT team to handle on their own.

Although the sky-high cost of ransomware recovery may seem to suggest that ransomware attacks affect mostly large enterprises, government organizations, and critical infrastructure providers, the fact is that small and medium-sized businesses (SMBs) are now under attack as much as everyone else.

In 2019, a Datto survey revealed that 85 percent of managed services providers (MSPs) reported attacks against SMBs in the previous two years, and the disruption caused by the pandemic has made SMBs even more vulnerable to ransomware than ever before.

Cybercriminals that target SMBs realize that their limited in-house cybersecurity expertise and general lack of resources make them far more vulnerable than enterprises employing large teams of IT experts. SMBs are also more likely to neglect data backup best practices, which leaves them with little to no options on how to recover from a ransomware attack besides paying the ransom.

It’s no wonder then that the total value of suspicious activity reported in ransomware-related incidents during the first six months of 2021 was $590 million, greatly exceeding the value reported for the entirety of 2020 ( $416 million).

Ransomware Isn’t Going Away Anytime Soon

Because of how profitable ransomware continues to be for its creators, we can’t reasonably expect this cyber threat to go away anytime soon.

Cybersecurity Ventures estimates that there will be a new ransomware attack every two seconds by 2031, with ransomware damages costing the world as much as $265 billion.

“Ransomware is the fastest-growing cybercrime for a reason,” says Steve Morgan, founder at Cybersecurity Ventures and editor-in-chief at Cybercrime Magazine. “It’s the proverbial get-rich-quick scheme in the minds of hackers.”

To avoid becoming its victims, all organizations—not just the largest and most prominent ones—must strengthen their defenses and, at the very least, implement the following basic precautions:

• Employee education: Most ransomware attacks start with a phishing email containing a seemingly innocent hyperlink or attachment. When employees are aware of the risk of phishing and know how to tell phishing emails apart from legitimate ones, the risk of an organization-wide data breach becomes much lower.
• Backup and recovery: So many victims decide to pay ransoms only because they don’t have up-to-date backups that they could use to recover encrypted data. To avoid ending up in the same unfortunate situation, organizations should have at least one backup at an off-site location that can’t be reached by a ransomware attack spreading from one device to the next across the main enterprise network.
• Access control: Most employees follow predictable patterns when completing day-to-day tasks, using the same applications and transferring data across the same storage devices. With techniques such as application whitelisting and gradual storage control, it’s possible to render even the most sophisticated strains of malware infective by explicitly allowing only certain software applications to access specific storage devices in specific ways.
• Behavior monitoring: It’s true that the differences between individual strains of malware can be huge, but they all fundamentally do the same thing: encrypt important files to make them inaccessible. When behavior monitoring software is used to detect behaviors that suggest ransomware activity, noticing that something fishy is going on and reacting in a timely manner to prevent further spread of the attack becomes much easier.
• Patch management: Unpatched software may contain security vulnerabilities that can be exploited by ransomware creators to gain access to protected resources, so patching it as soon as possible is critically important. In environments where employees can’t be reasonably expected to keep their devices up to date on their own, patch management tools can be used to help IT teams install patches remotely.

Because the implementation of even these basic ransomware precautions can be a substantial challenge for small and medium-sized organizations with limited or no in-house IT staff, the managed security services (MSS) market is projected to nearly double in size from 2021 to 2026.

MSSPs make it possible for organizations to borrow cybersecurity expertise and experience as needed. That way, they can protect themselves using the same best-in-class strategies and technologies as large enterprises without losing focus on core business. With the right MSSP, the looming threat of ransomware can be easier to defend against, but it’s still present and won’t go away anytime soon.

Summary on Ransomware’s Future

Ransomware has been a major threat for well over a decade now. Since its early days, ransomware has evolved almost beyond recognition, and the most sophisticated attacks detected in the wild today employ all kinds of clever tricks and techniques to get past cybersecurity defenses undetected and encrypt as many important files as possible.

The damage caused by a ransomware attack goes well beyond the immediate cost of losing documents and other data. It also often includes reputation costs and various penalties associated with regulatory fines. It’s certain that ransomware will remain a serious threat even in the foreseeable future, so organizations of all sizes must up their cybersecurity game to increase their chances of surviving a close encounter with it.

Schedule a call with our team to discuss ransomware risks at your business! Our IT support & strategy services are tailored to meet the needs of small and medium-sized organizations in Washington D.C., Maryland, and Virginia.