Ransomware is one of the most disconcerting security issues in the cybersecurity ecosystem. It has evolved since its first appearance in 1989, when it was only a primitive trojan that spread via discs, injecting host computers with a virus that encrypts files and hides directories, which are returned only when the victim pays a ransom. They are significantly more sophisticated and costly now.
The release of CryptoLocker in the year 2013 was a milestone in the evolution of ransomware. Unlike its predecessors, this ransomware does not adhere to bullying, which only makes it worse. It directly encrypts all the files on the system and demands a ransom in exchange for its decryption. And now with the likes of Sodinokibi and Maze the ransomware lineage is operating at a huge scale.
Over the years, malicious ransomware operators have expanded the scope of the virus to include screen locker capabilities along with the ability to overwrite boot data records. And thanks to the prevalence of ransomware families, today, ransomware is a global threat that has advanced extortion capabilities and tactics. The perpetrators behind such ransomware groups also target the victim’s personal records and files.
To ensure the complete surrender of victims, threat actors have switched to two-fold attack techniques. If the victim refuses to pay the ransom, their data is leaked on public domains or data leak websites.
In this blog, we explain the evolution of the data leak extortion ecosystem through the advancements made by ransomware groups over the last three decades.
The mid 2010s were dominated by Trojans that took away users access to their screens or browsers. In the year 2012, a fresh scam that involved one such Trojan invaded browsers. It sent messages and fake alerts that masqueraded as the law enforcement agency, only to dupe unsuspecting victims. The message would claim that the victim’s device was found to be involved in illegal activities such as copyright violation or child pornography. The victims are then scared into paying an amount as ransom using prepaid cards like MoneyPak, Paysaf, or Ukash.
During the same period, another ransomware that spread disguised as the FBI victimized thousands of computer users. However, this ransomware came with the additional ability to lock the host computer’s IP address, Windows version, location, and ISP name.
2013 witnessed yet another iteration of the malicious software that was capable of encrypting data. CryptoLocker was the first ransomware of this kind and it used 2048-bit RSA encryption. Also, the victims were asked to pay the ransom in Bitcoins for the first time or using prepaid cards. Over time, the operators behind CryptoLocker increased their demand from $100 to $600 per computer. The despicable success of this ransomware led to the launch of other such malicious software like PClock, CryptoLocker 2.0, and TorrentLocker.
Emergence of Ransomware-as-a-Service (RaaS)
In 2015, advanced groups of cybercriminals decided to monetize ransomware through RaaS platforms. In attacks that follow, customers procure ransomware from such platforms on the dark web and share the profit with the authors of the ransomware. RaaS has advanced tracking tools embedded as part of its services. It has been the reason for a surge of ransomware attacks across the world.
Locky Ransomware and KeRanger
The Locky ransomware that was released in 2016 spread malicious Microsoft Word macros, infecting millions of PCs around the world. Another ransomware that made an entry during this period was KeRanger, which leveraged the asymmetric RSA cryptosystem to lock down the victim’s data. KeRanger operators usually demand for $500 from the victim in exchange for the decryptor and instruct victims to visit sites hosted on Tor (anonymity network).
WannaCry and Notpetya
With time, ransomwares have been developed to be stealthier and devastating. In the year 2017, there were multiple ransomware outbreaks, namely WannaCry and Notpetya. These attacks were not detected initially. And today, threat actors clearly distinguish between individuals and businesses, when they demand a ransom. They consider businesses and organizations to be juicier targets. The biggest pay-outs until then, that were a result of ransomware attacks, were reported in the year 2016.
A decline in the prices of Bitcoin and improved security awareness have indeed forced ransomware operators to revamp their mode of attack. Today, local governments, small and medium sized businesses, health care organizations, and educational institutions are major targets of the threat actors.
Ransomware groups like Sodinokibi and Ryuk spot unsecured ports like RDP ports to access networks. Most recent attacks show that actors are so sophisticated that once they hack service providers, they even invade networks of partner organizations.
Recently, in November 2019 Maze ransomware resurfaced the cyber ecosystem, and hacked a plan to attack a security organization – Allied Universal.
The group behind the attack extorted 7GB data, contacted the organization’s management, and demanded 300 Bitcoins in ransom. The actors even threatened to leak sensitive information about the organization unless the management of Allied Universal paid them. When the management refused to pay up, the operators sold around 700 MB of data to Russian hackers and uploaded the remaining data in the wild.
Ransomware is growing continuously and exponentially, adding new, sophisticated tools and methods to their arsenal. Businesses that fall prey to their attacks not only lose access to crucial data, but the entire incident tarnishes their reputation. To top it off, ransomware attacks invite lawsuits and compliance issues. To stay safe and to counter the threat actors, organizations need to have proper mitigation mechanisms in place. Maintaining a backup for the data wins you half the battle, but in the long run organizations need to use reliable security software such as CloudSEK’s XVigil to prevent most file encrypting threats.