5 Major Moments That Changed the History of Ransomware
Ransomware has seen a rapid rise over the last few years to become one of the most dangerous cyberthreats any business faces today. But this is not a new issue.
Indeed, ever since the first ransomware was delivered via floppy disk in the late 80s, authors of these attacks have sought to constantly evolve their tactics to evade detection and increase the chances of their victims paying out.
This may include developing more destructive strains of ransomware, adding double or triple extortion threats or targeting their attacks at organizations likely to suffer the biggest impact. It’s therefore vital that organizations ensure they’re up to date with the latest trends and techniques.
However, companies can learn a lot from previous incidents about how ransomware attacks are carried out, the type of businesses they target, and the damage they can cause. Here are a few of the most consequential variants and attacks, and what they’ve taught businesses.
Cryptolocker, which spread widely in 2013, was one of the first mainstream ransomware variants, and may have been the incident that alerted many cybersecurity professionals to the threat posed. It spread as a Trojan sent via malicious emails and sought out files on infected PCs to encrypt.
It was thought to have targeted a quarter of a million devices over a period of four months, earning its authors around $3 million in the process. This therefore highlighted how lucrative ransomware could be and how many firms would be willing to pay up in order to regain access to their files.
Perhaps the most costly ransomware attack in history, the 2017 WannaCry attack was characterized by the speed and scale at which it spread. It reached over 150 countries, affecting organizations such as telecommunications companies and healthcare providers.
While the true number of victims remains unknown, it’s estimated to have cost the global economy more than $4 billion to fix, with the clean-up at the UK’s National Health Service alone costing around $100 million.
The ransomware spread using a vulnerability in Windows, with older machines especially vulnerable. It therefore illustrated the importance of keeping up to date with essential cybersecurity best practices such as regularly patching equipment, as well as reminding firms just how quickly they can lose control of their systems if proper defenses aren’t in place.
WannaCry was far from the only major ransomware to surface in 2017, as the emergence of Petya the year before swiftly led to the related NotPetya. In this case, it was not only files that were encrypted, but entire systems, as the malware targeted a device’s Master File Table (MFT), making user access impossible.
However, while Petya required a user to open the infected file, the more serious NotPetya was able to spread on its own. What’s more, while Petya infections were recoverable with difficulty (or a payment), the damage NotPetya did to systems was permanent.
In this case, the point was disruption, with NotPetya believed to be a state-sponsored attack targeted at Ukrainian organizations. It marked a new phase of ransomware, with the techniques being used as a weapon of cyberwarfare and not just a way for criminals to make money.
The impact of ransomware outside of IT operations has been growing for some time. Attacks on public services such as local governments throughout the US have illustrated how the problem can seriously impact the lives of citizens, but the knock-on effects on critical infrastructure can also be wide-reaching.
In 2021, a ransomware attack on energy firm Colonial Pipeline resulted in fuel shortages and panic buying up and down the east coast of the US. The impact even reached areas not served by the firm as worried citizens sought to stockpile what was available. The company felt compelled to pay a $4 million ransom in order to restore operations and consumer confidence.
While this was agreed with the organization’s insurance provider, and much of the money was later recovered by the FBI, it clearly indicates the severe pressure that businesses can be put under with a ransomware attack.
As ransomware has grown more profitable for hackers, the groups perpetrating these attacks have become ever more organized, and one of the most notorious and successful ransomware groups has been REvil. Coming to attention in 2020, the Russia-based group offered a Ransomware-as-a-Service model to other criminals and favored double extortion methods, exfiltrating data from targets and threatening to release it publicly unless payments were made swiftly.
At one point, around a third of ransomware infections seen by security researchers used REvil’s malware. One of the most noteworthy attacks was aimed at managed services provider Kaseya in 2021. This spread through the supply chain to the organization’s customers, with up to 1,500 businesses affected.
While the REvil network was said to have been shut down by Russian authorities in early 2022, its tactics to put extra pressure on companies to pay up or face further consequences have been widely emulated and have made ransomware an even more dangerous threat for many businesses.
With ransomware a continually evolving threat, cybersecurity teams can’t afford to stand still. Therefore, they need to take steps to understand their risk profile, identify where weaknesses lie, and put in place strong defenses.
Coming under ransomware attack is now a case of when, not if, so it’s vital firms learn the lessons of the past and make sure they’re prepared.