Ransomware has quickly emerged as a massive cybersecurity threat and is evolving continuously. 2020 woke up to the massive Travelex attack that rendered their online currency services offline for more than a month now. Global logistics vendor Toll Group reported that a ransomware attack had downed their systems. Certainly, these incidents should serve as a wake-up call for all businesses to remain vigilant against ransomware. To minimize the chances of being victimized by ransomware means going back in time to understand how ransomware developed and how it evolved.

Ransomware: What It is and How It Originated

Ransomware is malicious code designed for financial gain that locks out users from accessing their computer files or systems until the victim pays a ransom in exchange for a decryption key that allows users to access files that may have been unwittingly encrypted.

Ransomware is said to have originated in 1989, when a floppy disk carrying a malicious payload was distributed at an AIDS event hosted by the World Health Organization (WHO). The program encrypted file names then asked the victim to pay $189 to a bank account in Panama. Between 1989 and early 2000’s, there were several low-impact ransomware programs that emerged, but all of them used symmetric key encryption, for which a crack was relatively easy to find.

Contemporary ransomware programs started to show up around 2005 that used asymmetric RSA encryption to encrypt files. Victims were unable to decrypt the files or unlock their data unless a ransom was paid. Some of these earlier programs were more like adware than ransomware as they created many pop-up windows and password prompts.

In 2013, one of the first true contemporary ransomware programs called Cryptolocker made its debut. Cryptolocker asked its victims to make payments in Bitcoin. In 2016, the Samsam ransomware emerged, using brute force password guessing via remote desktop protocol (RDP). The attack method becomes highly successful and the mechanism is still used widely by attackers.

Petya reared its ugly head in 2017, attacking governments, hospitals and companies. NotPetya causes Maersk $250-$300 million in damages. Then Wannacry becomes the most successful vermin to date, infecting 230,000 computers in 150 countries in just one day. Now ransomware-as-a-service toolkits are available for sale, complete with vendor support.

Evolving Attack Methods

Europol recently reported a growing interest in ransomware-led organized crime. While the global volume of ransomware attacks has gone down, the average cost of ransomware has more than doubled in the past year. And the situation is getting worse by the day.

Early ransomware systems would either encrypt immediately upon executing or were hard-coded to go off at a specific point in time. Today’s malware stealthily resides in a target’s machine, sends vital information to the hacker who determines the perfect victim, the ideal files for encryption and the perfect opportunity to go after crown jewels.

Modern ransomware will break-in, dial home and then notify hacker so that he can figure out the next best steps. Usually this will involve:

• Determining what to encrypt to get the most bang for the buck.
• Determining what to encrypt to maximize pressure for the speediest payoff.
• Determining the ability of the victim to pay.
• Determining the right individual who can authorize payment.
• Disabling, corrupting or maliciously encrypting online and offline back-ups.

More Malicious Ransomware

While early forms of ransomware focused on encrypting data and demanding a ransom, some criminals seek things beyond Bitcoin. They want credentials, intellectual property, customer data and more. When Wisconsin-based Virtual Care Provider Inc. (VCPI) was hit by ransomware, criminals went after password management platforms, Medicaid billing portals, social media accounts, payroll services, commercial phone, internet and power services, shipping and postage accounts, state and government bidding portals and several others.

How Can You Avoid Becoming the Next Victim?

Ransomware is a symptom of a vulnerable network, systems or even user/employee apathy. If you do not eradicate the problem at its root via systemic security awareness training, you will never be able to stop ransomware attacks from crippling your business. The key to protecting your organization from ransomware is by adopting cybersecurity hygiene best practices that can include:

• Educating your employees and other stakeholders on best practices and cybersecurity hygiene.  This includes running phishing simulation exercises regularly to make users aware of the latest attack methods.
• Focusing on better patching. Ensure that your systems are up to date with the latest software. Millions of systems remain unpatched and prone to ransomware attack.
• Improving cyber hygiene: Effective cyber hygiene includes identifying and plugging vulnerabilities, updating credentials, using layers of encryption and firewalls to protect data, backing up data regularly and maintaining a contingency plan and incident response team in case of attack.

Trends suggest that more and more victims find it easier to just give in to this type of extortion. That’s because the hacker has encrypted your most valuable crown jewels, rendered your back-ups useless and threatening to expose sensitive data. Research shows that 15 percent of all ransomware victims paid ransom in 2019, almost quadrupled from 2018 ( four percent). In 2020 and beyond, unless measures are taken this number is likely to grow.