The Ongoing Evolution of Modern Ransomware

Author: Yossi Naar, Chief Visionary Officer and Co-founder, Cybereason

Ransomware attacks continue to make headlines, and for good reason: on average, there is a new ransomware attack every 11 seconds, and the losses to organisations from ransomware attacks is projected to reach $20 billion over the course of 2021. That rate translates into about 3 million ransomware attacks over a year.

Let that sink in. We are not talking about the number of files encrypted or organisations affected — that’s 3 million unique ransomware attacks against organisations.

The Ransomware Threat: 30 Years in the Making

The majority of organisations that have suffered a ransomware attack experienced significant impact to the business as a result, including loss of revenue, damage to the organisation’s brand, unplanned workforce reductions, and even closure of the business altogether.

There have been over 200 ransomware attacks that have made headlines in 2021 so far — and those are just the ransomware attacks that have been acknowledged publicly. To understand how we got here, we need to look at how the threat has evolved over the years:

1989: The Birth of Ransomware

Look back at 1989, when the first documented case of ransomware emerged. In December of that year, Harvard-educated evolutionary biologist Dr. Joseph Popp sent 20,000 floppy disks infected with a computer virus to individuals who had attended the World Health Organisation’s international AIDS Conference in Stockholm.

Once loaded onto a computer, the virus hid file directories, locked file names, and informed victims that they could only restore access to their files by sending $189 to a P.O. Box located in Panama.

Dr. Popp ended up attracting the attention of authorities while at Schiphol Airport about two weeks after the attack. Subsequently, law enforcement arrested the evolutionary biologist at his parents’ home and extradited him to the UK. There, he faced 10 charges of extortion and criminal damage for distributing what’s now called the “AIDS Trojan”.

2007: Locker Ransomware Variants Emerge

Nearly 20 years later, following the AIDS Trojan incident, the first locker ransomware variants appeared on the threat landscape. These early versions targeted users in Russia by “locking” victims’ machines and preventing them from using their computers’ basic functions like the keyboard and mouse, as noted by researchers at Kennesaw State University.

After displaying an “adult image” on the infected computers, the ransomware instructed victims to either call a premium-rate phone number or send an SMS text message to meet the attackers’ ransom demands.

2013: CryptoLocker Ushers in Modern Crypto-Ransomware

In 2013, a new ransomware threat called “CryptoLocker” installed itself into Windows victims’ “Documents and Settings” folder as well as added itself to the registry list. After connecting to one of its hardcoded command and control (C&C) servers, the threat uploaded a small file to identify its victim and used that file to generate a public-private key pair.

It then leveraged the public key to encrypt victims’ documents, spreadsheets, images, and other files before displaying its ransom note. That message informed the victim that they had 72 hours to pay a ransom demand of $300 — not even pennies on the dollar compared to today’s ransom demands that range into the tens-of-millions.

Attacks involving CryptoLocker became more prevalent in the years that followed. Per Kennesaw State University’s researchers, the FBI estimated that victims had paid $27 million to CryptoLocker’s operators by the end of 2015.

2018: Ransomware Actors Embrace Big Game Hunting

Beginning in 2018, the FBI observed a decline in indiscriminate ransomware attacks. Its analysts saw those campaigns give way to operations targeting businesses — in particular, state and local governments, health care entities, industrial companies, and transportation organisations.

Many ransomware groups made this shift to targeting large organisations so that they could encrypt high value data, undermine victims’ operations, and thereby demand an even higher ransom payment. The report Ransomware: The True Cost to Business mentioned above highlights some of the impact these attacks can have on organisations in the UAE, including:

Loss of Business Revenue: 63 percent of UAE organisations reported lost business (19 percent higher than global average) as a result of the ransomware attack and 42 percent reported significant loss of revenue.
Brand and Reputation Damage: 54 percent of organisations in the Emirates indicated that their brand and reputation were damaged as a result of a successful attack.
C-Level Talent Loss: 50 percent of UAE organisations (19 percent higher than global average) reported losing C-Level talent as a direct result of ransomware attacks.
Employee Layoffs: In line with the global average, 29 percent reported being forced to layoff employees due to financial pressures following a ransomware attack.

2019: Maze Ransomware Gang and Double Extortion

Near the end of November of 2019, the Maze group had successfully breached a security staffing company by stealing its information in plaintext before encrypting its files. To prove its claim, the attackers sent along a sample of files stolen from the company and leaked 700 MB of data online soon thereafter.

Other ransomware groups embraced this “double extortion” technique in the months that followed. In doing so, they gave themselves an edge over organisations with a data backup strategy. They knew that victims could use their data copies to still restore infected computers but that they couldn’t reverse the course of data theft.

So, the attackers demanded two ransom payments from their victims, one for the decryption of their data and the other for the deletion of their information off their operation’s servers.

The Rise of Sophisticated RansomOps

In a recent article we discussed how today’s complex RansomOps attacks are more akin to stealthy APT-like operations than the old “spray and pray” mass email spam campaigns like the ones listed above. The article also discussed the larger Ransomware Economy at work, each with their own specialisations.

These players include the Initial Access Brokers (IABs) who lay the groundwork for a ransomware attack by infiltrating a network and moving laterally to maximise the potential impact, and the Ransomware-as-a-Service (RaaS) operators who provide attack infrastructure to affiliates who carry out the attacks.

This level of compromise puts RansomOps attackers in a position where they can demand even bigger ransoms, and RansomOps techniques also commonly involve multiple extortion techniques like the double extortion tactic discussed above.

Some groups have taken things a step further: the Grief ransomware gang had begun threatening to delete a victim’s decryption key if they elected to hire someone to help them negotiate the ransom demand down. This came on the heels of the RagnarLocker group threatening to publish a victim’s data if they notified the FBI or local law enforcement about an infection.

Defending Against Ransomware and RansomOps

It’s possible for organisations to defend against ransomware and RansomOps from the earliest stages of an attack. Remember, the actual ransomware payload is the very tail end of a RansomOps attack, so there are weeks or even months of detectable activity prior to the payload delivery where an attack can be thwarted before there is any serious impact to the targeted organisation.

The key to ending ransomware attacks is to minimise the period between the moment when a RansomOps attack first infiltrates your environment and the moment when the security team can detect and end it. This cannot be achieved using outmoded technologies that rely on threat intelligence derived from commodity or other “known” attacks.

Therefore, many organisations have opted to adopt solutions that can detect unique and highly targeted attacks based on more subtle behavioral signals that can surface these attacks earlier in the kill chain. As these solutions prove more effective than their predecessors, it will be interesting to see how the attackers adapt and continue to evolve their tools and tactics to compensate.

Survey reveals misalignment between cybersecurity and business goals in the UAE and KSA

Bybit opens global headquarters in Dubai on the heels of 50% increase in user base

DIFC Courts reinforces its commitment to sustainability following expansion of its digital infrastructure

NETSCOUT adds new data centre presence in Dubai with added Arbor Cloud Capabilities

Dubai ranks as the second most crypto-ready city in the world

LinkShadow reinforces its commitment to Saudi Arabia

Huawei Cloud’s Riyadh launch boosts Saudi tech advancement

Cisco unveils new data centre to enhance security services in Saudi Arabia

Survey reveals misalignment between cybersecurity and business goals in the UAE and KSA

Google Cloud announce significant new collaboration with Saudi Pharmaceuticals giant

KROHNE delivers insights to inspire the next generation of engineers in Oman

Oracle supports major project to accelerate Oman digital economy

Ooredoo accelerates cybersecurity in Oman with new deal

Omantel selects Ericsson to manage its nationwide multi-vendor networks

Oman TRA shares plans to accelerate 5G deployment

BDB launches “tijara” platform for SMEs

Bahrain achieves full nationwide 5G coverage

Batelco, SonicWall launch integrated security solutions for SMEs in Bahrain

Bahrain to offer COVID-19 test results on WhatsApp, Facebook Messenger

Infor supports Bahrain’s digital transformation

Infopercept opens its first Middle East office in Kuwait

Microsoft Compliance Manager now available in Kuwait

Commercial Bank of Kuwait gets mobile payments moving with Thales Digital Solutions

Ooredoo chooses Fortinet to deliver secure SD-WAN managed services in Kuwait

Zain rolls out first-ever 5G roaming service in MENA

Looking for the best label solutions in South Africa? Go OKI!

OKI is only going bigger in the South African market!

Huawei honours Women in Tech at Apps UP 2022

Amazon payment services launches in the MENA region

Egypt turns to AI to deliver COVID-19 diagnosis service to People of Determination

Vertiv extends partnership with MDS SI Group to enhance digital infrastructure solutions

Bosch sees 21% sales surge in the Middle East

“AI has been in Google’s DNA from the beginning – we are an AI-first company” – Tarek Khalil, Google Cloud

How companies can future-proof their business with Web3

“Diversity, equity and inclusion are a core part of our culture and values at AWS” – Yasmine Afifi

Gender Lens investing vital to economic recovery

Virgin Hyperloop unveils location for Hyperloop certification centre

TikTok taps Oracle as secure cloud provider

Zoom gets security boost with Keybase acquisition

Why collaboration is the answer to the successful roll-out of 5G

OPSWAT invests $10 Million in scholarship learning program to help close cybersecurity skills gap

Alef Education showcases the Alef Metaverse to improve climate education at COP28

Bybit and AUS unveil the tech talents of tomorrow

How digital education solutions can help students achieve their full learning potential

Seeds for the Future 2023: Huawei gathers ME & CA’s brightest ICT talent in Qatar

Middle East Energy to further boost their sustainability agenda

EDF UK selects Dynatrace to keep the power flowing

KROHNE harnessing the power of analytics to drive energy transformation

“All of us are pulling in the right direction for a better tomorrow” – Frank Janssens, VP at KROHNE

AI and advanced analytics drive sustainability and efficiency

Above and ‘Beyon’ – New Money SuperApp launched in the UAE

New cross-border payments platform Digit9 launches in the UAE

Hub71 partners with global economic transformation specialist on MENA start-up ecosystem

Spheroid Universe coin to be listed on MEXC exchange

DIFC Innovation Hub launches AccelerateHER program

Innovating Finance: UAE’s Pioneering Role in the Blockchain and Crypto Landscape

Pioneering Sharjah’s Digital Revolution

Interview: Shaping a Secure World

Dubai Chamber of Digital Economy scouts Asia for tech start-ups

Government leaders from IT sector honoured at GovTech Innovation Awards

Dubai Science Park study backs R&D localisation amid projected surge in UAE healthcare spending

MarkiTech expands GCC footprint

MoHAP Launches Health Sector’s First National Centre of Excellence for AI

Korian Benelux future-proofs residential Care with AI-driven solutions

SAS accelerates responsible innovation efforts with new collaborations

Digitalisation key to accelerating construction development in Middle East, says Trimble

R&M Introduces First Single Pair Ethernet System to Support Middle East Smart Building Trend

To ‘upsmart’ your building, start with the elevator

Renters searching for homes online surge amid coronavirus fears

Emirati tech entrepreneur launches new app to ease Dubai’s rental woes

Brands Beware: The Application Generation Demands Seamless Digital Experiences

Opinion: Brands must respond to meet heightened customer expectations

Thriwe: Enhancing the Omni-channel experience

Navigating the Festive Cyber Landscape: Ensuring Online Safety during Holiday Shopping

Celebrate the Dubai Shopping Festival with Eros Electronics’ exclusive deals

Kaspersky Thin Client 2.0: Cyber Immune protection with enhanced connectivity, performance and design

xCube launches the UAE’s first fully automated SLB service for retail investors

Pure introduces first external block storage for Azure VMware Solution

RUCKUS Networks launches AI-driven solutions for hospitality

Genetec announces availability of Security Center SaaS