From plug-and-play ransomware-as-a-service offerings to highly skilled operator-based attacks, ransomware is proof that cyber attackers are constantly innovating to achieve their goals. Long before global supply chain infections made front-page news, ransomware crept into computers through malicious floppy disks, bewildering users and padding a Panama-based P.O. box with extortion payments. Let’s rewind three decades to see how far ransomware has come and what it will take to stay ahead of continued attacker innovation.
The Early Days of Ransomware
The year was 1989. Twenty thousand floppy disks were distributed to researchers across 90 countries, purportedly containing a questionnaire that could help determine patients’ risk of contracting AIDS. But the disks contained a virus of their own. File names were encrypted on infected computers, and users were instructed to send payment via cashier’s check or international money order to regain access to their digital content. This relatively basic encryption virus, dubbed the AIDS Trojan, or PC Cyborg Trojan, is widely considered to be one of the first ransomware attacks in history.
Yet the word “ransomware” didn’t really take hold for another 20+ years. Before it did, Bitcoin entered the picture in 2009, offering people a simpler, speedier way to buy, sell and exchange things directly. By eliminating intermediaries like banks and governments, Bitcoin and other cryptocurrency methods also gave criminals an anonymous way to extort ransoms from individuals and corporations without getting caught. They quickly took advantage of the opportunity.
By 2013, a ransomware strain called CryptoLocker spread rapidly across more than 250,000 computer systems via malicious email attachments. It introduced stronger encryption methods, demanded crypto payments in exchange for a decryption key and threatened to delete the key if payments weren’t made by a set deadline. The following year, law enforcement took down the ransomware’s primary propagation mechanism, the Gameover Zeus Botnet, but not before the attackers took off with millions of dollars. Eager to cash in, copycat criminals began launching their own ransomware trojan attacks using CryptoLocker as a model.
Ransomware Goes Mainstream in the Opportunism Era
In 2015, the FBI received 2,453 ransomware-related complaints totaling more than $24 million in damages — and those were just the reported U.S. cases. By the time Locky ransomware — capable of attacking 50,000 systems in a single day — and the advanced encryption strain Petya emerged in 2016, security teams were on high alert. The emergence of plug-and-play ransomware-as-a-service kits that year removed many barriers to entry, ushering in a new wave of opportunistic attacks at the hands of novice attackers.
These financially motivated threat actors relied heavily on “spray and pray” tactics such as phishing, social engineering and exploit kits to target as many organizations and systems as possible. The 2017 WannaCry outbreak exemplified this opportunistic attack style. Unlike previous strains of ransomware, WannaCry could self-replicate and spread using the “EternalBlue” SMB vulnerability in Microsoft systems. Anti-virus systems and patching alone couldn’t stop the ransomware from impacting more than 10,000 organizations and 200,000 individuals in over 150 countries. The attacks also highlighted an urgent need for more holistic endpoint protection mechanisms to help block credential theft attempts and prevent data encryption and loss.
Not all attacks were opportunistic or random in nature during this time. That same year, NotPetya, a massive, highly coordinated ransomware attack, targeted Ukrainian government offices and enterprises, foreshadowing current events. Threat actors leveraged a supply chain vulnerability to infiltrate target networks, conduct reconnaissance and methodically plan before launching attacks from the inside. While the initial infections targeted specific organizations in the region, the ransomware soon spilled over into new areas, automatically propagating through interconnected infrastructure and creating global chaos. NotPetya is said to have caused more than $10 billion in damages worldwide.
Attackers continued to evolve their techniques, discovering they could extort their victim organizations more than once: first for the decryption key and second to prevent stolen corporate data from being leaked publicly. The attackers behind the now-defunct Maze ransomware were some of the first to introduce this double-extortion method, demonstrating how backups can serve as double-edged swords. While vital, backups can make it easier for attackers to find and steal sensitive data, since it often exists in two separate places.
Double extortion caught on like wildfire and remains popular today. ThreatPost reported that double-extortion ransomware damage skyrocketed by 935% in 2021 alone. And as attackers continue to evolve, some have added a third extortion layer by demanding payment from the victim organization’s customers or partners.
Ransomware Today: Bolder, Highly Targeted and Turning to the Cloud
In the past few years, many ransomware actors have narrowed their focus to target specific organizations based on their ability or need to shell out sky-high ransomware payments. This was evident in the dramatic spike in attacks targeting healthcare organizations in 2020 that caused $21 billion in damages.
Increasingly, targeted ransomware attacks are led by highly skilled operators using highly customized methods to reach their goals. After compromising identities to breach an organization, they move and escalate privileges strategically and “live off the land” while learning the ins and outs of the environment. Along the way, they look for ways to disrupt backups, delete shadow copies and unlock files. Only after they’ve achieved high levels of privileged access do they drop the ransomware from within the organization’s network, often following with crippling double-extortion threats.
The December 2020 SolarWinds breach further emboldened ransomware actors, as seen in a rapid-fire series of major attacks on enterprises and critical infrastructure. Among them was the 2021 supply chain ransomware attack on Kaseya that leveraged trusted services’ granted permissions and access to auto-propagate ransomware downstream to managed service providers (MSPs) and their customers around the world.
Meanwhile, the demand for ransomware-as-a-service continues to surge. ZDNet reported that nearly two-thirds of analyzed ransomware attacks in 2020 involved easy-to-use RaaS, which is readily available for purchase or lease on dark web forums. Well-established criminal business operations are scaling their RaaS offerings to meet increasing demand, but they’re not stopping there. A February 2022 U.S. CISA alert highlighted ransomware threat actors’ expanding “professional services” offerings such as payment negotiation services, payment dispute arbitration aid and 24/7 help centers. The CISA alert also highlighted Remote Desktop Protocol (RDP) as one of the top initial infection vectors for ransomware incidents.
The disclosure of the critical BlueKeep and DejaBlue vulnerabilities, followed by the sharp rise in remote work in 2020, further emphasized potential RDP security risks. In H1 2020, compromised RDP endpoints were the No. 1 source of ransomware incidents, according to several corroborating reports. Similarly, the 2021 Hiscox Cyber Readiness Report revealed that open RDP desktop ports were responsible for 61% of all ransomware insurance claims in 2020, contributing to surging cyber insurance costs. Continued attacks remind organizations of all sizes to establish secure RDP connections from the start by following best practices such as limiting privileged access, enabling adaptive MFA on network-level authentication (NLA) and keeping RDP servers behind the firewall to avoid exposure.
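One way to check the two RDP practices above that can be read from configuration (servers kept behind the firewall, NLA enabled) is an inventory audit like the following. This is an added example, not part of the original article; the host names, the rule format and the `nla_enabled` field are hypothetical and the inventory is constructed sample data.

```python
import ipaddress

RDP_PORT = 3389
# Assumption: "behind the firewall" means reachable only from RFC 1918 space.
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample inventory (hypothetical hosts and rule format).
INVENTORY = [
    {"host": "jump-01", "nla_enabled": True,
     "inbound": [{"src": "10.20.0.0/16", "ports": "3389", "action": "allow"}]},
    {"host": "app-07", "nla_enabled": False,
     "inbound": [{"src": "0.0.0.0/0", "ports": "3000-4000", "action": "allow"}]},
    {"host": "db-02", "nla_enabled": True,
     "inbound": [{"src": "203.0.113.0/24", "ports": "3389", "action": "allow"},
                 {"src": "0.0.0.0/0", "ports": "443", "action": "allow"}]},
    {"host": "file-03", "nla_enabled": False,
     "inbound": [{"src": "192.168.5.0/24", "ports": "3389", "action": "allow"}]},
]

def covers_rdp(ports):
    """True if a port spec ('3389', '3000-4000', '80,3389', 'any') includes 3389."""
    if ports.strip().lower() in ("any", "*"):
        return True
    for part in ports.split(","):
        lo, _, hi = part.strip().partition("-")
        if int(lo) <= RDP_PORT <= int(hi or lo):
            return True
    return False

def is_external_source(cidr):
    """True unless the source network lies wholly inside an internal range."""
    net = ipaddress.ip_network(cidr, strict=False)
    return not any(net.version == i.version and net.subnet_of(i) for i in INTERNAL)

def audit(inventory):
    """Return (host, finding, detail) tuples for exposed RDP and disabled NLA."""
    findings = []
    for h in inventory:
        exposed = [r["src"] for r in h["inbound"]
                   if r["action"] == "allow" and covers_rdp(r["ports"])
                   and is_external_source(r["src"])]
        if exposed:
            findings.append((h["host"], "rdp-exposed", ",".join(exposed)))
        if not h["nla_enabled"]:
            findings.append((h["host"], "nla-disabled", ""))
    return findings
```

Note that `app-07` is flagged even though no rule names port 3389: a wide port range open to any source exposes RDP just as an explicit rule does.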
And as enterprise organizations’ reliance on cloud services continues to grow in support of digital initiatives and work-from-anywhere models, cyber gangs keep moving toward the cloud. So-called “ransomcloud” attacks targeting cloud service customers typically begin with credential theft on an endpoint device, involve lateral movement and privilege escalation in search of valid user credentials for a cloud account and then deploy ransomware from within the cloud environment to encrypt and steal information.
In some cases, threat actors will encrypt data locally and then sync the infected endpoint device to the cloud so data housed there gets encrypted as well. Attackers may find double extortion easier to pull off in cloud environments, since data extraction from the cloud is less likely to trigger any data loss prevention (DLP) controls in place. This is yet another reason for organizations to double down on defense-in-depth by layering protection and detection mechanisms and following foundational best practices such as removing local admin rights from endpoints, implementing multi-factor authentication (MFA), consistently enforcing least privilege controls and implementing lifecycle management capabilities.
According to the Allianz Risk Barometer 2022, cyber incidents rank as a top three peril in most countries today, with global respondents naming ransomware as the top cyber threat for the year ahead. Defending against constantly evolving tactics, techniques and procedures (TTPs) is a formidable challenge. That’s why it’s so important to understand how attackers work — to get inside their mind and fight innovation with innovation. Instead of trying to keep determined and (often) well-resourced ransomware actors out, it’s about reversing your gaze and working to protect critical endpoints and systems from the inside out. A combination of ingenuity, agility and a defense-in-depth approach to ransomware protection is key to blocking the path to encryption and outsmarting attackers at their own game.