Monday 14th June 2021

BLOG: The Evolution of Ransomware

The ransomware threat landscape is always transforming and evolving. Although the earliest ransomware attacks were quite simple, they are now complex and almost undetectable, and they consistently rank among the worst incidents that can happen to an organisation. Unfortunately, because of their profitability, ransomware attacks will continue to occur. Today, the ransom is almost always requested in the untraceable, anonymous currency of Bitcoin. Now that ransoms can be paid in an untraceable manner, the frequency of ransomware attacks has exploded, but it is important to understand the history of ransomware and how it has evolved.


It is difficult to pinpoint when ransomware attacks began; however, the first documented ransomware attack was carried out in December 1989 by Joseph L. Popp. The attack was executed through an infected computer disk. Popp distributed 20,000 infected disks to attendees of the international AIDS conference. The disks were labeled “AIDS Information – Introductory Diskettes.” Under the pretense of being a questionnaire to help users determine their risk of contracting AIDS, the disks were surreptitiously infected with ransomware named the “AIDS Trojan”, also known by the alias “PC Cyborg.” After 90 reboots, unsuspecting victims were met with a ransom demand for $189. Popp wanted payments to be sent to his post office box in Panama. Despite being traced and caught, he was never prosecuted.


In 2005/2006, GPCoder was a notorious ransomware strain due to its encryption technique: groups of cybercriminals and threat actors started taking advantage of asymmetric RSA encryption in order to make their attacks impossible to impede. Several years later, its prototype Gpcode.AK began using 1024-bit RSA encryption. This variant targeted more than 35 file extensions.


Years later, variants identified as FakeAV became equally well known. FakeAV was disguised as security tools but instead infected computers. Variants of this type appeared continually during this period; “WinAntiVirus Pro 2006,” “AdvancedAntivirus 2008,” and “PC AntiSpyware 2010” were popular examples.


2012 saw the start of a new era for ransomware strategies. Computers were now being infected with a new type of ransomware technique referred to as “Desktop Hijack”. This technique displays an image on the screen with a message posing as an alert from the police or another law enforcement agency, alleging that the targeted individual had violated the law by downloading content that violated copyright. The message explained that the files on the victim’s infected computer had been remotely locked by the law enforcement agency, and that a fine would need to be paid in order to regain access to the locked computer.


This then acted as a catalyst for new ransomware variants (including variants in different languages) that threatened the computers of users and organisations. This variant provided threat actors with the capability to exploit vulnerable businesses and organisations.


To make it difficult to trace these threat actors, new infection and data encryption strategies were used, such as transferring certain algorithms into currency, and new variants of ransomware such as “CryptoLocker”, “CryptoWall” and “TeslaCrypt” continued to appear until the end of 2015.


By 2016, cybersecurity professionals observed that the number of ransomware groups had increased significantly. Ransomware attack techniques started changing: researchers discovered the spread of a ransomware variant whose infection strategy implemented a timer that increased the ransom amount as the days progressed.

2017 was classified as “the golden year of Ransomware”. WannaCry spread rapidly throughout the world due to its ability to spread quickly across networks, which accelerated its infection rate. WannaCry’s ransom note was translated into 27 languages and its impact generated losses of $4 billion globally. Ransomware attacks cost $5 billion in 2017, which showcased the volatile impact that WannaCry had.


In 2018, the ransomware variants that were reported showed more complicated infection strategies, including the previously mentioned self-propagation with WannaCry. These sophisticated infection methods continued on the same track in 2019 as in the previous year. In addition to being more sophisticated, ransomware became more targeted, being disseminated to attack specific entities, mainly large companies.

In 2020, from the beginning of the pandemic, threat actors took advantage of the circumstances and exploited them for financial gain. 2020 was the year when ransom payments reached their highest ($30 million), which was double the amount of the previous record. It has been estimated that ransomware may soon become a nine-figure industry.

Ransomware will likely continue to evolve due to its continuous exploitation. It has become one of the leading and most profitable fraudulent businesses in the world, and just this year we’ve seen two of the largest ransomware attacks, against the Colonial Pipeline and JBS. Ransomware is intense and complex and can hinder organisations, even to the point where they are unable to return to regular operations.
