Tracing the destructive path of ransomware's evolution

The year is 1989. “Rain Man” wins the Academy Award for Best Picture. Motorola releases the world’s smallest and lightest phone. The Berlin Wall falls. Taylor Swift is born. It also begins the dawn of a new era of cyber extortion. 

The AIDS Trojan arrived innocuously, distributed via floppy disk to public health professionals. But it harbored a nasty surprise. After the 90th PC reboot, it cryptographically locked victims’ hard drives, demanding a $189 payment to unlock files. While this attack was thwarted easily, it changed the game. Over the next 30 years, ransomware proliferated from curiosity to a catastrophic threat fueled by an unrelenting arms race between extortionists and security teams.

The early days of ransomware

The AIDS Trojan sparked global intrigue, but ransomware largely lurked as an experiment among niche blackhat circles over the next decade. Early attacks relied on rudimentary techniques like simple file locking, basic encryption, and manual payment collection. Reach remained limited without efficient attack vectors.

Then, the internet exploded onto the scene. Global connectivity provided the vital infusion ransomware needed to transform from novelty to noticeable threat. The growing ubiquity of networked systems brought an influx of targets and channels to reach them through.

New attacks like the mid-2000s’ Archievus strain -- the first ransomware to use advanced RSA encryption -- reflected this evolution, spreading via malware emails to encrypt files on infected machines. Ransom demands weren’t catastrophic then, but with decryption increasingly difficult, victims felt mounting pressure to comply.

The ransomware gold rush

By the late 2000s, profit-focused ransomware builders witnessed increasing returns from larger infection networks and cryptocurrency enabling anonymous payments. Sensing an opportunity, they invested heavily in new tools and infrastructure to extract higher profits from a burgeoning victim base.

This gold rush mentality ushered shocking developments in 2011-2012, like the sophisticated CryptoLocker, which infected nearly 250,000 victims in the first few months aided by botnets and money-laundering services. CryptoLocker averaged $300 ransom payments -- sometimes as high as $700 -- reportedly netting operators more than $27 million in the first two months. Others took notice of this disruptive, lucrative formula.

What followed was an exponential rise of increasingly cunning ransomware strains and the formalization of ransomware as a professionalized criminal enterprise geared toward efficiency and scale.

The RaaS revolution

The early 2010s’ escalation drew high profits for established ransomware groups but also unwanted attention from authorities. Savvy developers adapted by creating ransomware toolkits and leasing them to novice hackers rather than directly orchestrating attacks.

This ransomware-as-a-service (RaaS) model granted aspiring cybercriminals turnkey ransomware packages in exchange for a cut of their proceeds.

RaaS flooded the criminal underground with cheap, plug-and-play ransomware strains that those with limited technical skills could use. Inexperienced threat actors could simply send phishing emails, purchase advertising to spread infections, or scan for unpatched systems rather than conduct sophisticated intrusions themselves.

Victim numbers and payments soared accordingly as novice affiliates caused havoc with slick ransomware tools -- achieving economies of skills unimaginable individually. RaaS firmly cemented ransomware within the mainstream criminal repertoire.

Advanced, targeted attacks

Sophisticated ransomware schemes surfaced dangerously in the 2020s, featuring advanced methodologies and extensive victim targeting.

Conti, which emerged in 2020, was estimated to have roughly 350 members who together earned upwards of $2.7 billion in cryptocurrency in just two years. In June 2021, the REvil gang extracted $11 million from JBS Meats by utilizing a dark web auction of stolen data to pressure the company alongside demanding a $50 million ransom.

The escalating demands and damages caused by these -- and related -- groups cemented a pivot from widespread, opportunistic targeting toward meticulously planned “big game hunting.” Contemporary attackers carefully select high-value organizations and infrastructure to cripple until substantial ransoms are paid -- frequently upwards of seven figures for large corporations, hospitals, pipelines, and municipalities.

Present-day ransomware groups' techniques reflect a chilling professionalization of tactics. They leverage military-grade encryption, identity-hiding cryptocurrencies, data-stealing side efforts, and penetration testing of victims before attacks to determine maximum tolerances. Hackers often gain initial entry by purchasing access to systems from underground brokers, then deploy multipart extortion schemes, including threatening distributed denial-of-service (DDoS) attacks, if demands aren’t promptly met.

Ransomware perpetrators also tap advancements like artificial intelligence (AI) to accelerate attacks through malicious code generation, underground dark web communities to coordinate schemes, and initial access markets to reduce overhead.

How ransomware tactics keep evolving

Ransomware groups continue to innovate their attack methods.

Supply chain attacks have become increasingly common. By compromising a single software supplier, attackers can access the networks of thousands of downstream customers. The REvil group's Kaseya attack in 2021 exemplified this, affecting between 800 and 1,500 businesses through a vulnerability in Kaseya's VSA software.

Initial access brokers have also become key enablers for ransomware operations. These brokers specialize in gaining entry to corporate networks and then selling that access to the highest bidder. This allows ransomware groups to outsource the initial intrusion and quickly scale their attacks.

Zero-day vulnerabilities, flaws unknown to the software vendor, are another favorite tool. Groups like DarkSide -- responsible for the Colonial Pipeline attack -- have exploited this tactic to deploy ransomware before victims can patch their systems.

Double extortion, where attackers encrypt files and steal sensitive data, threatening to release it, is now the norm. Maze pioneered this in late 2019, and nearly all strains have adopted it, putting additional pressure on victims to pay.

Ransomware groups often rebrand or switch strains to evade detection and sanctions. DarkSide became BlackMatter after Colonial Pipeline, while Ryuk operators transitioned to Conti. This shell game makes it harder for defenders to keep up.

How to protect and prepare

With ransomware attacks showing no signs of slowing down, you must take proactive steps to protect your organization and minimize the impact of a potential breach.

Prevention is key. Keep all your systems and software updated, use strong and unique passwords, enable multi-factor authentication (MFA), and regularly back up your critical data. Don't forget to train your employees, as many incidents start with phishing emails or social engineering attacks.

You must also focus on resilience and recovery. Have a well-rehearsed incident response plan that outlines clear procedures for dealing with an attack, including isolating infected systems, notifying stakeholders, and restoring from backups.

Ensure you have a communication plan to manage internal and external messaging during and after an attack. This can help minimize reputational damage and keep everyone informed.

Regularly test your backup and restore processes to ensure they work when needed. And continuously update them as your production environment and business priorities change. Consider investing in cyber insurance to help cover the costs associated with an attack, but carefully review the policy terms.

Protecting against ransomware requires a multi-layered, holistic approach encompassing people, processes, and technology.

Forging a future of resilience

The evolution of ransomware over the past three decades has been a chilling testament to the ingenuity and adaptability of cybercriminals. From supply chain attacks to double extortion, the tactics are becoming more devious and the consequences more severe.

But the battle is far from over. Ransomware may continue to evolve, but so will our defenses. With determination, collaboration, and a proactive approach, we can ensure that the next chapter in the ransomware story is one of resilience, not ruin.

Justin Giardina is Chief Technology Officer at 11:11 Systems.