Ransomware and Beyond series

The Origin Story: How Ransomware Began, and How It’s Evolved

Ransomware is a threat that most businesses—and all IT professionals—are well aware of today. In fact, in a survey carried out by Pulse Q&A, 69% of respondents reported having worked at an organization during a ransomware attack. This is an issue that affects many and is showing no signs of going away anytime soon.

Survey result (Pulse Q&A): "Have you ever worked at an organization during a ransomware incident?" Yes: 69%; No: 31%.

As with most threats, it’s helpful to learn more about where ransomware came from in order to understand how it affects the world today. We’ve covered the basics of what ransomware is in our first article, and in this one, we’ll cover its origins (as well as how it’s evolved over time).

Early ransomware attacks

While many resources cite 2013 as the year that ransomware first came onto the scene, its origins actually date back quite a bit further.

According to Richardson and North’s comprehensive timeline provided in their paper Ransomware: Evolution, Mitigation, and Prevention, the first ransomware virus was created and distributed all the way back in 1989—on a floppy disk, if you can believe it—at the World Health Organization’s International AIDS conference. This was also covered in a recent webinar with Graham Cluley.

In a fascinating retrospective in The Atlantic, Kaveh Waddell recounts that the virus was created by an evolutionary biologist named Joseph Popp, who hid the ransomware behind a computer-based questionnaire that “would help determine patients’ risk of contracting AIDS.” The message instructed victims to send $189 in cash to a P.O. box in Panama in order to have their files decrypted. Popp was arrested for his attempted scam (and you really should read more about this case, because it’s a wild ride), and ransomware faded into the background until its re-emergence in 2005.

From 2005 until 2013, a number of ransomware attacks emerged. Most of these attacks came in the form of locker ransomware, which means they operated by “locking” the user out of their computer. According to Richardson and North’s timeline, many of these attacks were easily overcome, and as a result did not pose a huge threat to the community at large.

Evolution over the years

Everything changed in 2013. This was the year CryptoLocker made an appearance, and it completely altered the ransomware landscape. This so-called “crypto ransomware” sample operated differently than locker ransomware that came before it. Rather than locking users out of their systems, it worked by encrypting their files and prompting them to pay a ransom fee in order to have them decrypted. For attackers, this was a more successful—and more lucrative—endeavor, and its popularity took off in the malicious hacking community.
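The behavioural difference described above (locker ransomware blocks access to the machine; crypto ransomware rewrites the files themselves) is also what gives defenders something to detect. The script below is an added example written for this article, not code from the original post or from any of the sources it cites. It runs a toy detector over a constructed file-activity log: one process renaming many files to a single new extension inside a short window, and a ransom-note file being written, are the two signals it looks for. The log format, the process names, the note filenames and the thresholds are all assumptions made for illustration.

```python
"""Toy behavioural detector for crypto-ransomware file activity.

Added example, not from the article. Log format, sample lines, note
filenames and thresholds are assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ntpath  # handle Windows-style paths regardless of host OS

# Constructed sample log, one event per line:
#   <ISO timestamp> <pid> <process> <op> <path> [-> <new_path>]
SAMPLE_LOG = """\
2021-06-01T09:00:01 4120 winword.exe WRITE C:\\Users\\ann\\Documents\\q2.docx
2021-06-01T09:00:05 5310 backup.exe RENAME C:\\Backups\\db.sql -> C:\\Backups\\db.sql.bak
2021-06-01T09:00:09 5310 backup.exe RENAME C:\\Backups\\www.tar -> C:\\Backups\\www.tar.bak
2021-06-01T09:02:10 7781 badproc.exe RENAME C:\\Users\\ann\\Documents\\q2.docx -> C:\\Users\\ann\\Documents\\q2.docx.locked
2021-06-01T09:02:11 7781 badproc.exe RENAME C:\\Users\\ann\\Documents\\plan.xlsx -> C:\\Users\\ann\\Documents\\plan.xlsx.locked
2021-06-01T09:02:12 7781 badproc.exe RENAME C:\\Users\\ann\\Pictures\\a.jpg -> C:\\Users\\ann\\Pictures\\a.jpg.locked
2021-06-01T09:02:13 7781 badproc.exe RENAME C:\\Users\\ann\\Pictures\\b.jpg -> C:\\Users\\ann\\Pictures\\b.jpg.locked
2021-06-01T09:02:15 7781 badproc.exe RENAME C:\\Users\\ann\\Desktop\\notes.txt -> C:\\Users\\ann\\Desktop\\notes.txt.locked
2021-06-01T09:02:16 7781 badproc.exe WRITE C:\\Users\\ann\\Desktop\\README_DECRYPT.txt
2021-06-01T09:30:00 4120 winword.exe RENAME C:\\Users\\ann\\Documents\\~tmp1.tmp -> C:\\Users\\ann\\Documents\\q2.docx
"""

# Assumed ransom-note filenames; real deployments would use a curated list.
NOTE_NAMES = {"readme_decrypt.txt", "how_to_recover_files.txt"}


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, pid, proc, op, rest = line.split(" ", 4)
        new_path = None
        if op == "RENAME":
            rest, new_path = rest.split(" -> ", 1)
        events.append({
            "ts": datetime.fromisoformat(ts),
            "pid": int(pid),
            "proc": proc,
            "op": op,
            "path": rest,
            "new_path": new_path,
        })
    return events


def extension(path):
    return ntpath.splitext(path)[1].lower()


def detect(events, window=timedelta(seconds=60), threshold=5):
    """Return (kind, pid, process, detail) alerts for suspicious activity.

    Signal 1: one process renames >= threshold files to the same new
              extension within `window` (bulk encryption leaves this trail).
    Signal 2: a file whose name matches a known ransom-note name is written.
    """
    alerts = []

    # Signal 1: bucket extension-changing renames by (pid, process, new ext)
    buckets = defaultdict(list)
    for e in events:
        if e["op"] == "RENAME" and extension(e["new_path"]) != extension(e["path"]):
            buckets[(e["pid"], e["proc"], extension(e["new_path"]))].append(e["ts"])

    for (pid, proc, ext), times in buckets.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until the span fits in `window`
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts.append(("mass_rename", pid, proc,
                               f"{count} files renamed to {ext} within {window.seconds}s"))
                break  # one alert per (process, extension) is enough

    # Signal 2: ransom-note drop
    for e in events:
        if e["op"] == "WRITE" and ntpath.basename(e["path"]).lower() in NOTE_NAMES:
            alerts.append(("ransom_note", e["pid"], e["proc"], e["path"]))

    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert)
```

In the sample log, backup.exe renames two files to `.bak` and Word swaps a temp file back to `.docx`, neither of which crosses the threshold; badproc.exe renames five files to `.locked` in six seconds and then writes a note, so it is flagged twice. A locker-style sample would leave neither trail, which is why endpoint detection for that older family leaned on process and screen-locking behaviour instead.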

As this form of ransomware became more of a threat over the next few years, attackers began to realize that they could make more money from bigger targets with more resources. According to CrowdStrike’s article on the evolution of ransomware, this realization led to the emergence of “Big Game Hunting” in 2018. This term refers to the overall pivot from targeting many individuals to targeting large organizations.

The idea behind this pivot was that attackers could potentially make more money by focusing on a narrower set of victims that had more resources—and good reason—to pay ransom. After all, the threat of having one’s data exposed is not one any company wants to face. In fact, according to Cybereason, 53 percent of organizations indicated that their brand and reputation were damaged as a result of a successful attack.

Today’s ransomware

In the last few years, the stakes have only been raised, along with the ransom amounts requested by attackers (which, in some cases, have skyrocketed into the tens of millions of dollars). As David Bisson notes over on our blog, ransomware attacks were more prevalent in the first half of 2021 than in all of 2020.

Bisson also notes that most of today’s ransomware attacks—64% of them, in fact—come from one of three families: Ryuk, Cerber, and SamSam. Let’s briefly touch on each of these.

Ryuk: This ransomware family has been active since 2018 and, according to CSO, typically targets businesses, hospitals, and government institutions. In fact, we published a story on our own blog about Cozad Community Health System’s experience with Ryuk. The operators behind Ryuk are known for demanding higher ransom payments than other ransomware groups, with CSO estimating that ransom demands from these attacks range from $100,000 to $500,000.

Cerber: Security Boulevard defines Cerber as an “evolved ransomware technology,” in that it’s delivered as Ransomware-as-a-Service (RaaS). This means that anyone can buy and distribute it, with its authors taking a cut of the profits. This type of ransomware targets cloud-based Office 365 users via phishing.

SamSam: According to Security Boulevard, SamSam mainly targets organizations that provide essential functions, such as hospitals and city municipalities. SamSam doesn’t use phishing as its delivery vector but rather Remote Desktop Protocol (RDP).

Who’s carrying out the attacks?

Bisson outlines three main groups that are responsible for today’s attacks: state-sponsored actors, digital criminal organizations, and security researchers. Here’s what we know about each of these groups.

State-sponsored actors: In this scenario, attackers are commissioned by a governmental body to create and carry out ransomware threats. As Bisson explains, “As the governmental body didn’t launch the attack itself, it can try to leverage that fact for plausible deniability, thus raising the political costs should another state wish to retaliate.” A recent example of this is the campaign operated by Iran’s Islamic Revolutionary Guard Corps (IRGC) in May 2021.

Digital criminal organizations: These groups, says Bisson, do not receive direct support from governmental agencies, but some do receive protections from these bodies. He cites the example of REvil, which appears to be based in Russia—a country that has been famously lax about prosecuting groups that operate within it.

Security researchers: One final group of people who create ransomware are those who do so inadvertently. That is, some researchers develop ransomware-like programs as part of their work and are then unable to prevent bad actors from co-opting and distributing them as actual ransomware once that work is made public.

Ransomware is an ever-evolving threat

One thing is clear about ransomware: it’s not slowing down any time soon. It’s evolved very quickly over the last few years, and will likely only continue to do so.

But while ransomware has come a long way since its origins, so have the security measures that have been developed to combat it. Luckily, there are a number of solutions that both individuals and companies can adopt in order to protect themselves against ransomware attacks, and keep their data safe in the event that they are the victim of one.

Continue to the next section to read about some of the largest ransomware attacks we’ve seen globally, and the impacts those attacks have had on the world around us.
