The Historical Evolution of Ransomware

In the murky and treacherous world of cyber crime, ransomware stands as the most pervasive and destructive threat of the modern era. Its evolution over just the past five years, let alone the past decade, has been alarming. Ransomware has transformed from simple, opportunistic attacks into "big game hunting": sophisticated, highly targeted operations capable of bringing entire organizations, and even governments, to their knees. The stakes are extraordinarily high, as evidenced by recent high-profile attacks that have disrupted critical infrastructure and destabilized national economies.

The 2021 attack on JBS, the world's largest meat processor, halted plants in Australia and North America and disrupted food supply chains globally; JBS later confirmed paying an US$11m ransom to the REvil operation. It is one of countless incidents over the years that highlight the immediate threat ransomware poses to global stability. There are too many examples to list, because ransomware has caused unabated havoc and shows no sign of stopping unless governments worldwide take drastic measures.

Understanding the evolution of ransomware is critical to grasping the severity of the current threat it poses to the world economy, and the urgent need for decisive action.


The Early Days: From the AIDS Trojan to CryptoLocker

Ransomware first appeared in 1989 with the AIDS Trojan, written by Dr. Joseph Popp. Distributed on floppy disks mailed to attendees of a World Health Organization AIDS conference, this rudimentary malware waited a set number of boot cycles, then hid directories and encrypted file names and demanded that US$189 be sent to a post office box in Panama. Because it used a simple symmetric scheme, the files could be recovered without paying; primitive as it was, it laid the groundwork for everything that followed.

The early 2000s saw sporadic ransomware incidents, but ransomware only gained traction once authors adopted stronger, asymmetric encryption. Gpcode, first seen in 2004, and its successors showed the growing potential: early variants used weak custom ciphers that researchers could break, but later variants moved to RSA keys long enough that recovering files without the attacker's private key became impractical.

CryptoLocker: A Turning Point

The release of CryptoLocker in September 2013 marked a significant turning point. Delivered through phishing emails and the Gameover Zeus botnet, CryptoLocker encrypted victims' files with per-file keys wrapped by a 2048-bit RSA public key whose private half lived only on the attackers' servers, so there was no offline path to recovery. Payment was demanded in Bitcoin, then a relatively new currency that was widely, and wrongly, assumed to be untraceable. CryptoLocker infected an estimated 250,000 computers and generated upwards of US$25m in ransom payments by some estimates before the Operation Tovar takedown in mid-2014. Its success inspired a wave of imitators and firmly established ransomware as a lucrative cyber crime business.

Global Disruption Thanks to WannaCry and Petya

In May 2017 the ransomware threat escalated dramatically with WannaCry. It spread as a self-propagating worm, using the leaked EternalBlue exploit against the SMBv1 vulnerability that Microsoft had patched in MS17-010 two months earlier, so fully patched systems were not affected. Within a day it had hit over 200,000 computers in 150 countries. It caused widespread disruption, particularly in the UK's National Health Service (NHS), where it led to the cancellation of thousands of appointments and surgeries. A researcher's registration of a hard-coded domain acted as a kill switch and slowed the outbreak, but not before estimated damages ran into the billions of dollars.

It is worth noting that although WannaCry is counted as a ransomware attack, it was not a traditional cyber crime operation run by an eCrime adversary. WannaCry was publicly attributed by the US and UK governments to North Korea, most likely the work of SILENT CHOLLIMA, one of several threat actor groups tracked under the monolithic Lazarus moniker.

Weeks later, in June 2017, NotPetya emerged. Although it reused code from the earlier Petya ransomware and displayed a ransom note, NotPetya was in fact a wiper: the "decryption key" it offered could not restore what it destroyed, and the goal was maximum disruption rather than ransom revenue. It was seeded through a trojanized update of the Ukrainian accounting software M.E.Doc, a software supply chain compromise, and then spread laterally using EternalBlue and stolen credentials. Aimed at Ukrainian infrastructure, it quickly spread to global companies including Maersk, Merck and FedEx's TNT Express, with total economic damage estimated to exceed US$10b.

The Rise of Ransomware-as-a-Service (RaaS)

The introduction of Ransomware-as-a-Service (RaaS) revolutionized the ransomware landscape. In a RaaS model the developer builds and maintains the ransomware, payment portal and leak site, while affiliates break into victims and deploy it, with each ransom split between the two. Before RaaS, eCrime adversaries developed their own ransomware and ran the entire operation themselves, and some continued to do so: Ryuk, operated in-house by WIZARD SPIDER from 2018 and one of the most damaging variants of all time, is estimated to have netted the group upwards of US$150m in ransom payouts by the end of 2020.

RaaS platforms such as GandCrab and later REvil, both run by PINCHY SPIDER, let even non-technical, lower-level criminals launch sophisticated ransomware attacks. When PINCHY SPIDER voluntarily retired GandCrab in mid-2019, the operators claimed the program had earned over US$2b in ransom payments, a figure that is self-reported and unverified.

PINCHY SPIDER carried on with its REvil ransomware, targeting high-profile organizations and demanding exorbitant ransoms. At the start of 2020 a REvil affiliate attacked the foreign exchange company Travelex, reportedly through an unpatched Pulse Secure VPN appliance, causing a roughly three-week shutdown and a US$6m ransom demand. In July 2021 another REvil operation exploited a zero-day vulnerability in Kaseya's VSA remote management software to push ransomware through managed service providers to as many as 1,500 downstream businesses, with a US$70m demand for a universal decryptor, one of the largest ransom demands to date.

TWISTED SPIDER Trend Setting with Double Extortion

TWISTED SPIDER, the operators of the Maze ransomware, introduced a tactic in late 2019 that has since become standard practice in nearly every modern ransomware attack: double extortion. Before encrypting, TWISTED SPIDER exfiltrated sensitive data and threatened to publish it on a dedicated leak site unless the ransom was paid, which meant that good backups alone no longer neutralized the threat. The strategy proved highly effective and was quickly copied by CARBON SPIDER (DarkSide), GRACEFUL SPIDER (Clop), INDRIK SPIDER (BitPaymer and WastedLocker) and many other eCrime adversaries.

CARBON SPIDER made major headlines in May 2021 with the Colonial Pipeline attack, which put the group squarely in the crosshairs of the U.S. government. A DarkSide affiliate got in using a compromised password for a legacy VPN account that had no multifactor authentication, and the resulting shutdown of the largest fuel pipeline in the United States caused panic buying and fuel shortages along the East Coast. The company paid a US$4.4m ransom (75 BTC) to obtain a decryptor; the U.S. Department of Justice later seized roughly 63.7 BTC of that payment from the affiliate's wallet.

High-Profile Ransomware Attacks in 2022

In 2022 the ransomware landscape continued to see high-profile attacks. ALPHA SPIDER, operating the ALPHV (BlackCat) RaaS, targeted sectors including education and technology. In one instance it attacked the University of Pisa, demanding a US$5m ransom and leaking sensitive research data on its dedicated leak site when the demand was not met.

Additionally, HIVE SPIDER became increasingly active, targeting critical infrastructure and healthcare organizations. Costa Rica suffered two successive attacks in 2022: the Conti intrusion in April crippled the Ministry of Finance and other agencies, came with a US$10m demand and prompted the president to declare a national state of emergency, and at the end of May HIVE SPIDER's Hive ransomware took down the systems of the Costa Rican Social Security Fund, disrupting healthcare nationwide. Together they demonstrated the far-reaching impact of modern ransomware on national security. Hive's infrastructure was seized by the FBI and international partners in January 2023.

The Modern Era of Ransomware from 2023 & Beyond

As of 2023, ransomware continues to evolve, becoming more sophisticated and targeted. BITWISE SPIDER, the adversary behind arguably the most successful and longest-running RaaS in history, first surfaced in September 2019 with what was then called ABCD ransomware and rose to prominence as LockBit with the mid-2021 release of LockBit 2.0, known for aggressive affiliate recruitment and high-profile attacks.

LockBit 2.0, followed by LockBit 3.0 (LockBit Black), LockBit Green and other versions, quickly became the go-to RaaS. BITWISE SPIDER maintained a high operational tempo from 2021 through the end of 2023 and into early 2024, when law enforcement finally took substantive action: Operation Cronos seized the group's infrastructure and leak site in February 2024.

Since 2022 several other ransomware families have emerged, posing significant threats to global security. One of the most prominent is Royal, operated by ROYAL SPIDER, which pairs data exfiltration with intermittent (partial-file) encryption to finish faster and evade detection, making it difficult for victims to recover their data without paying the ransom.

Black Basta, which appeared in April 2022 and is likely developed by WANDERING SPIDER, is known for rapid spread and for evading traditional detection mechanisms, targeting large corporations and critical infrastructure sectors.

Additionally, the emergence of RECESS SPIDER with the Play ransomware has been notable for its multi-threaded encryption process, which significantly speeds up the attack, coupled with sophisticated social engineering tactics to infiltrate systems.

These newer variants illustrate the continuous evolution of ransomware, underscoring the urgent need for advanced and adaptive cyber defenses.

Assessing the Total Ransom Payouts Over the Years

The financial toll of ransomware has escalated dramatically over the years, although estimates vary widely with methodology: figures from victim surveys or "total cost" models run far higher than those from tracing payments on-chain, which count only the wallets investigators have identified and are therefore lower bounds. In 2016 ransomware payments were estimated at around US$1b. The figure reportedly reached US$2b in 2017, a year defined by WannaCry and NotPetya, even though neither of those generated meaningful ransom revenue.

The rise of RaaS platforms contributed to a surge in 2019, with some estimates putting payments above US$3b. By 2020 the global cost of ransomware attacks, including ransom payments and associated damages, was estimated at US$20b.

In 2021, on-chain tracking put confirmed ransom payments above US$600m (later revised upward toward US$1b as more wallets were identified), with some estimates suggesting the total cost, including downtime and recovery efforts, could be as high as US$20b.

By 2022 and into 2023 the cumulative financial impact of ransomware attacks has likely surpassed US$100b, factoring in both direct ransom payments and the broader economic fallout. Tracked payments dipped in 2022 as more victims refused to pay, then set a record of over US$1b in 2023.

Which eCrime Adversaries are the Top Earners?

Throughout the years, several ransomware groups have emerged as top earners, amassing significant sums through their malicious activities. PINCHY SPIDER, between GandCrab and REvil, has reportedly earned over US$3b in ransom payments, though the GandCrab portion rests on the operators' own claims.

WIZARD SPIDER earned well over US$150m from Ryuk attacks alone, and its successor operation Conti extorted at least US$180m in 2021 alone according to on-chain tracing.

CARBON SPIDER, infamous for the Colonial Pipeline attack, netted tens of millions of dollars from DarkSide, estimated at roughly US$90m in under a year of operation, and from its successor BlackMatter.

BITWISE SPIDER with LockBit, and ALPHA SPIDER with ALPHV, more recent players, have quickly risen in notoriety and profitability, targeting high-value organizations and demanding multimillion-dollar ransoms. These groups exemplify the scale and profitability of modern ransomware operations, driving the need for robust and proactive cyber defenses.

It is worth noting that ALPHA SPIDER was largely disrupted by law enforcement action in December 2023, when the FBI seized its leak site and released a decryptor; the group then exit-scammed its own affiliates in March 2024 following the Change Healthcare attack and has not returned under that name.

Conclusion

The evolution of ransomware from the rudimentary AIDS Trojan to the sophisticated, multimillion-dollar attacks of 2024 starkly illustrates the relentless advancement of eCrime adversary tactics. Each major ransomware incident has built upon the successes and failures of its predecessors, culminating in the highly advanced threats we face today. From the global chaos wrought by WannaCry to the targeted devastation executed by CARBON SPIDER and BITWISE SPIDER, ransomware has consistently demonstrated its unparalleled capacity to inflict severe financial and operational damage.

Recognizing this history is imperative. The urgency and treachery of the ransomware threat cannot be overstated. As ransomware continues to evolve, it becomes ever more insidious, targeting critical infrastructure, healthcare systems, and financial institutions with alarming precision and ruthlessness. Staying informed and vigilant is no longer optional; it is a necessity for survival in the digital age.

The need for robust cyber defenses and proactive cyber threat intelligence (CTI) has never been more pressing. CTI stands as our strongest weapon in this escalating battle. By delivering actionable insights into the tactics, techniques, and procedures (TTPs) of the eCrime threat actors behind RaaS operations, CTI empowers organizations to anticipate and neutralize attacks before they wreak havoc. Real-time intelligence on emerging threats enables security teams to adapt defenses dynamically, harden systems and implement precise countermeasures; the incidents above show where that effort pays off most, from multifactor authentication on remote access (Colonial Pipeline) and prompt patching of internet-facing software (WannaCry, Travelex, Kaseya) to offline backups and exfiltration monitoring against double extortion.

Moreover, the power of collective defense cannot be underestimated. Sharing CTI within and across industries creates a united front against ransomware, amplifying our collective strength. 

As we confront this evolving menace, leveraging CTI will be essential in transforming our defensive posture from reactive to anticipatory. This proactive stance is our best hope in safeguarding our digital assets and infrastructures against the treacherous onslaught of ransomware.

The time to act is now. The stakes have never been higher, and the threat has never been more dire. Equip your organization with the insights, tools, and strategies to not only defend but to dominate in the face of cyber adversity. Together, we can turn the tide against ransomware, fortifying our digital world against those who seek to exploit it for financial gain.

Contact Praeryx if you are interested in learning how we help organizations comprehend complex adversary behavior.