Today’s news headlines are dominated by reports of the latest ransomware attacks. It seems that individuals and companies are constantly falling victim to this cybercrime, which has been a growing threat for over 30 years. The methods used by cybercriminals have evolved over time, but the basic premise remains the same: attackers target vulnerable victims, deny them access to important files or systems, and demand a ransom in exchange for restoring access. In order to fully understand how ransomware has become such a ubiquitous threat today, let’s take a look at its history and evolution.
In 1989, ransomware made its debut following the World Health Organization’s AIDS conference. Joseph L. Popp, a biologist from Harvard, mailed 20,000 floppy disks to event attendees. These disks were thought to contain a questionnaire that could determine the likelihood of contracting HIV. However, once the disks were inserted into victims’ systems, the malware, known as the AIDS Trojan, would encrypt their files and display a message demanding a $189 ransom. Because the scheme was so simple, IT specialists were quickly able to discover a decryption key, allowing victims to regain access to their files without paying the ransom. Although Popp didn’t make much money from this scam, his idea would later develop into a multibillion-dollar industry, earning him the title of the “father of ransomware.”
After a 15-year hiatus, ransomware resurfaced in the early 2000s with the advent of the internet. Two notable attacks during this period were GPCode and Archievus. GPCode infected systems through malicious links and phishing emails, demanding as little as $20 for a decryption key. Archievus, on the other hand, was the first strain to use 1,024-bit RSA encryption. However, because the attackers used the same password to unlock every infected system, victims were able to defeat the encryption and regain access. While these attacks were significant at the time, they are considered rudimentary compared to the sophisticated ransomware we see today.
The early 2010s saw the emergence of locker ransomware, stronger encryption algorithms, and the rise of cryptocurrencies. WinLock, which emerged in 2011, was the first locker ransomware that completely locked victims out of their devices. The introduction of ransomware as a service (RaaS) in 2012 with Reveton allowed cybercriminals with limited technical skills to purchase and distribute ransomware. Additionally, the integration of cryptocurrencies, such as bitcoin, enabled threat actors and victims to easily and anonymously transfer ransom payments. In 2013, CryptoLocker emerged as the most sophisticated ransomware to date, using an advanced 2,048-bit RSA key for encryption. The cybercriminals behind CryptoLocker managed to pocket $27 million within the first two months of its release.
Until the mid-2010s, ransomware primarily targeted PCs. However, threat actors began expanding their focus to include mobile, Mac, and Linux devices. Simplelocker, released in 2014, was the first ransomware to encrypt files on Android devices, while Lockerpin changed the device’s PIN to lock users out. In 2016, Ransom32 became the first ransomware variant based entirely on JavaScript, allowing it to function across all operating systems. This period also witnessed the first proof-of-concept ransomware attacks on IoT devices, raising concerns about the security of interconnected devices.
The late 2010s brought even more sophisticated and destructive ransomware attacks. Petya, in 2016, became the first variant to overwrite the master boot record and encrypt the master file table, denying victims access to their entire hard drives. Zcryptor, also in 2016, combined features of ransomware and worms to create a cryptoworm or ransomworm that could discreetly spread across systems and networked devices. The infamous WannaCry attack in 2017 affected hundreds of thousands of machines across more than 150 countries. WannaCry spread using the EternalBlue exploit, which targets a flaw in the Server Message Block (SMB) protocol implementation, letting the malware propagate from machine to machine without any user interaction. This attack highlighted the need for timely software updates and patches to prevent such widespread ransomware outbreaks.
In recent years, ransomware has reached its most damaging and destructive stage yet, with the emergence of extortionware and big-game hunting. Extortionware involves attackers stealing data instead of encrypting it, using the stolen information to blackmail victims into paying a ransom. Double extortion ransomware attacks have further heightened the threat by combining data encryption with data theft. If victims refuse to pay the ransom to decrypt their files, the attackers threaten to release the sensitive information they stole, potentially causing severe reputational and financial damage.
As ransomware continues to evolve and become more sophisticated, individuals and organizations must remain vigilant in their cybersecurity practices. Regularly updating software, implementing strong security measures, and educating users about potential threats are crucial steps in mitigating the risk of falling victim to ransomware. Additionally, governments and law enforcement agencies must work together to apprehend and prosecute cybercriminals to deter future attacks.
In conclusion, ransomware has evolved from simple floppy disk distributions to sophisticated attacks that can infect various devices and cause widespread damage. Understanding the history and evolution of ransomware is essential in developing effective strategies to combat this growing threat.