February 04, 2022
Cyberside Chat: The History and Evolution of Ransomware
I recently sat down with Chris McKie, Director of Security Solutions, to discuss the history of ransomware, its current challenges, and how he sees it evolving in the months and years to come.
Ryan: Thank you for taking the time to chat with us today. I think we will start the discussion with the basics of ransomware and how it has evolved.
Chris: Ransomware is not new, although many think it is. It has actually been around since 1989, with the first known ransomware attack on the healthcare industry. The attack was rudimentary at best, distributing 20,000 floppy disks to AIDS researchers and, claiming that the disks contained a program that analyzed an individual’s risk of acquiring AIDS through the use of a questionnaire. However, the disk also contained a malware program that initially remained dormant in computers, only activating after a computer was powered on 90 times. After the 90-start threshold was reached, the malware displayed a message demanding a payment of $189 and another $378 for a software lease. The AIDS Trojan, as it became known as, was pretty easy to overcome as it used simple symmetric cryptography, and tools were soon available to decrypt the files.
This early version laid the foundation for malware, encrypting valuable files and data and holding them for payment. An idea that by the early 2000’s evolved into utilizing more sophisticated and tougher-to-crack encryption algorithms, which continued to grow to the sophisticated attacks and ransomware as a service we currently see today.
R: What about Phishing emails? How has phishing evolved to the levels we see today?
C: Initial phishing schemes spoofed emails and websites as lures to prompt people to hand over sensitive information voluntarily. In the early 2000s, phishers would register dozens of domains that looked like legitimate sites and send spoofed emails to customers. Those customers were led to spoofed sites and asked to update their credit card details and other identifying information. As they found success, it led to similar attacks on the banking industry, with millions of accounts, more significant payments, and sensitive information being compromised. This also led to the rise of various software to combat these attacks, including IP tracing, which worked to help thwart attacks and recover funds lost.
However, the rise of these early security measures forced hackers to innovate and raise their game.
R: Let's chat about Ransomware as a service and how this appears to have exploded over the past few years, and the driving factors behind it.
C: Ransomware really started to take off with the advent of CryptoLocker, which was around 2013. . Part of the reason why we’ve seen astronomical growth of ransomware attacks is that it works. Cybercriminals are making a lot of money - recent estimates peg the ransomware market in the billions, and attacks are only increasing.
Additionally, we see ransomware attacks growing hand-in-hand with the rise of cryptocurrencies. Now that cryptocurrencies are widely available, accessible, and arguably anonymized, the friction for ransom payment is removed, making payment easier and quicker than ever before.
The financial models that cybercriminals have created with ransomware reward innovation, and because of this, we now see ransomware code development offered to less sophisticated hackers and cybercriminals via ransomware as a service. With affiliate networks in play, ransomware-as-a-service expands the reach of ransomware so that almost anyone can play a part in the ransomware criminal ecosystem and make money.
R: How do you see the future of work, particularly for small businesses, and what about protecting the endpoints of their networks?
C: One of the challenges facing small businesses is the mistaken belief that because they are small, they wouldn’t be a target for hackers or a ransomware attack. The truth is, small businesses are ideal targets for hackers, as they often lack strong security and in many cases do not foster a culture of cybersecurity awareness and best practices. Adding to this is the fact that so many employees are working from home, leaving many with minimal endpoint and network security protection. Furthermore, with a distributed workforce, it may be hard to ensure everyone’s computer and applications are up to date and properly patched.
Therefore, it will be more important than ever to make sure that endpoints are protected and patched and that employees are regularly trained about phishing and email security best practices.
Lastly, small businesses must plan on being breached. Sooner or later, malware will make its way onto an endpoint or server. If it’s ransomware, then having a backup and recovery solution in place BEFORE this happens will not only help prevent a business from paying a cyber ransom but also enable a business to keep running without losing key files.
R: That seems like a lot of work for an SMB, given their challenges to run their business alone. Do you see this becoming an outsourcing solution for their security needs?
C: Without question, small businesses are at a disadvantage when it comes to maintaining adequate cybersecurity. Most lack cybersecurity experts on hand or fail to implement sufficient security training programs and tools. Without personnel and resources, small businesses face an undaunting challenge to stay secure.
This is where an MSP can play a pivotal role. Not only can an MSP provide much-needed IT services, but many are highly skilled at deploying remote management tools that keep endpoints patched and up to date. As well, many MSPs are adept at managing email, endpoint, and network security, which provides a comprehensive array of data, user, and device protection.
Lastly, most MSPs can provide critical services around business continuity and disaster recovery. This value-add service helps ensure that when a small business is hit with a ransomware attack, experiences data theft, or some other event that would compromise IT systems, the small business can quickly and efficiently return to business as usual.
Hackers are only going to improve on their techniques and innovate with novel tactics and techniques. MSPs are in a much better position to stay abreast of these new developments and trends. Because of this, an MSP should always be in a unique position to help protect small businesses from even the most advanced threats.
R: Where do you see the next attack coming from? Why is Ransomware still happening? Can we stop it?
C: As mentioned, this is about how organized (and not so organized) criminals make money. As long as there is a way for them to profit, then ransomware will persist. Despite efforts to combat new techniques and tactics, they will continue to adapt and evolve. I do not see this cycle ending anytime soon, though I am energized to see the progress that global cooperation is having on disrupting ransomware operators and affiliates. Companies are becoming more resilient to these attacks and working toward more solid security strategies.
This is also why MSPs need to, at minimum, have a high-level understanding of security and how the solutions they use affect the security of the users, applications, and data they are responsible for. It is also where the partnership with their solution supplier needs to be symbiotic to ensure any questions, needs, training, etc., are addressed entirely and timely.
We won’t be able to 100 percent stop ransomware attacks, but with the right people, processes, and technologies working in tandem, we can put substantive measures in place to minimize risk and mitigate the downside effects of ransomware attacks today and tomorrow.