
The Evolution of Ransomware and How Enterprises Can Protect Themselves

Nearly every day, the news is filled with new ransomware attacks. Over the last 30 years, ransomware has transformed into one of the most sophisticated attack methods, and while the attack methods vary, the premise remains the same: find a vulnerability, block access to vital data and information, and demand a ransom in exchange for reinstating access. Today, it’s not “if” an organization will be attacked, but rather “when.” And when that time comes, companies need to know what kind of ransomware they are dealing with, what kinds of information they have, and what their options are for recovery.

A brief history of ransomware

Ransomware is not a new phenomenon. The first attack of its kind happened in 1989, when 20,000 floppy disks were mailed out carrying what became known as the AIDS Trojan, which held data hostage and demanded payment. Because ransomware was unheard of, users who inserted the floppy disk had no reason to believe there was anything malicious on it. Fortunately, the encryption was weak enough that the files could be recovered without paying, and the perpetrator likely made little to no money. Similarly, beginning in 2004, the GPCode family (and later Archiveus) spread through malicious links sent in phishing emails and encrypted files with a home-grown encryption scheme. The attackers asked for as little as $20 for the decryption key, but researchers were able to recover the key without paying the ransom.

The 2010s brought both stronger encryption and a new form, locker ransomware, which locks the victim out of the device or screen rather than encrypting individual files; its rise was tied to the early days of cryptocurrency. Notable attacks during this decade included WinLock (2010), which infected users who visited malicious websites and locked them out of their devices, and Reveton in 2012, which is often cited as the first ransomware-as-a-service (RaaS): a rented offering that allowed attackers with little or no technical experience to buy into ransomware operations. Reveton brought the idea to the masses and was among the first to accept payment in Bitcoin. These attacks were often disguised as messages from law enforcement, threatening jail time if the user did not pay a "fine."

2013 saw the most sophisticated attack of its day, CryptoLocker, which encrypted victims' files using a 2,048-bit RSA public key, so that only the private key held by the attackers could recover them. CryptoLocker arrived as attachments in innocent-looking emails. While seen today as a bush league kind of attack, at the time it earned cybercriminals over $27M in ransom payments within its first two months. Soon after, threat actors expanded to other platforms, including Android, macOS, and Linux. In 2014, SimpleLocker was the first file-encrypting ransomware on Android, targeting images, documents, and videos. LockerPin was similar, but it locked users out of their devices by changing their PINs.

Ransomware went global with the widely reported WannaCry attack in 2017. WannaCry was a ransomworm: rather than waiting for a user to open an attachment, it propagated itself from machine to machine across networks, in this case through the EternalBlue exploit for a Windows SMBv1 flaw (MS17-010). It hit devices in over 150 countries, from banks to hospitals to law enforcement.

Ransomware transforms

Since its inception, ransomware has worked its way up to the attacks familiar today. But instead of a one-size-fits-all approach, modern ransomware is all about targeting. Bad actors have turned opportunistic ransomware attacks into a business model built on victim profiling and a carefully planned strategy, making it the multibillion-dollar criminal industry it is today.

Attackers now lurk inside a compromised network for weeks or months, learning about the organization's systems, employees, and the security gaps that normally only an insider would know about. By the time the company becomes aware of the breach, the attackers already know which weaknesses to exploit and which data matters most. And to add to the list of tactics, attackers now practice double extortion: they both encrypt and steal the victim's data, then threaten not only to withhold the decryption key but also to leak or sell the stolen data on the dark web.

Larger corporations have become some of the more common victims of ransomware, as attackers pursue "big game hunting" for even bigger payouts. Instead of conducting many small-scale attacks, cybercriminals spend months researching, lurking, and waiting for the best moment to strike within large enterprises. Recent and notable "big game" hunts have included Colonial Pipeline, JBS USA, and the cities of Atlanta and Baltimore. The COVID-19 pandemic further accelerated double extortion and RaaS. In July 2021, the REvil RaaS group demanded $70M from IT management software vendor Kaseya for a universal decryptor, after abusing Kaseya's software to encrypt systems at its customers and claiming that more than 1 million devices had been affected.

Each step in ransomware's evolution has led to one of today's common tactics: triple extortion. With double extortion, attackers not only hold the victim's data hostage but also exfiltrate a copy and threaten to sell or publish it unless a further payment is made on top of the original ransom. With triple extortion, attackers encrypt the data (first layer), hold the stolen copies for further threats (second layer), and then pressure anyone who would be harmed by disclosure of the organization's data (third layer). This often involves another vicious tactic, such as launching a distributed denial-of-service (DDoS) attack against the victim, or approaching the victim's customers, affiliates, and suppliers with their own ransom demands to pile pressure on the original victim.

As ransomware technology and tactics continue to evolve, an incident is rarely a "one and done" event. The original attack often leads to a chain of follow-on attacks, so an organization's data protection strategy has to keep evolving too.

Modern times call for modern solutions

Unfortunately, cyberattacks are inevitable. What is not inevitable is losing organizational data and files forever. Organizations can implement disaster recovery and backup strategies that save them from losing their most valuable assets, or millions of dollars, and while 88% of organizations budget for disaster recovery today, gaps remain that leave many susceptible to data loss.

In a 2022 report on data protection, a startling 36% of organizations reported that they were able to recover only about 80% of their data following a ransomware attack. Backing up data periodically is no longer enough. Organizations need a continuous backup loop with a short, enforced recovery point objective: what good is recoverable data if the last backup happened a year ago? On top of this, it is important to run regular disaster recovery simulations so that crisis teams stay current with the latest procedures. That way data is not only recoverable, but can be recovered as quickly as possible with minimal interruption to day-to-day business.

The tried and true 3-2-1-1-0 rule is an easy one to incorporate into any business: keep three copies of your most important data, updated at all times; store them on at least two different types of storage media; keep one of those copies offsite; make at least one copy resilient by keeping it air-gapped, offline, or immutable; and tolerate zero backup errors, meaning automated backup verification (including test restores) confirms that the recovered data is valid and usable.
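As an added example (not code from the original article), the Python script below turns the 3-2-1-1-0 rule and the continuous-backup requirement above into an automated check, and verifies a test restore against a SHA-256 manifest recorded at backup time. The copy names, media types, timestamps and file contents are constructed for illustration; in a real deployment the copy metadata would come from the backup software's job reports and the restored files from a scratch restore environment.

```python
"""Check backup copies against the 3-2-1-1-0 rule and verify a test restore
against a SHA-256 manifest.  Added illustration, not code from the original
article; all copy metadata, timestamps and file contents below are constructed."""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class BackupCopy:
    name: str
    media: str              # storage type, e.g. "disk", "tape", "object-storage"
    offsite: bool           # held at a separate site or provider
    immutable: bool         # air-gapped, offline, or WORM/object-lock protected
    last_success: datetime  # completion time of the last successful backup job
    errors: int             # verification failures reported by that job


def check_3_2_1_1_0(copies, now, max_age_hours=24):
    """Return (results, stale): results maps each digit of the rule to a bool,
    stale lists copies whose last success is older than max_age_hours.
    A copy counts toward the 3/2/1/1 digits only if it is fresh, and the
    '0 errors' digit fails on any reported error or any stale copy, because a
    backup that has silently stopped running is exactly what the rule should catch."""
    max_age = timedelta(hours=max_age_hours)
    fresh = [c for c in copies if now - c.last_success <= max_age]
    stale = [c.name for c in copies if now - c.last_success > max_age]
    results = {
        "3 copies": len(fresh) >= 3,
        "2 media types": len({c.media for c in fresh}) >= 2,
        "1 offsite": any(c.offsite for c in fresh),
        "1 immutable": any(c.immutable for c in fresh),
        "0 errors": not stale and all(c.errors == 0 for c in copies),
    }
    return results, stale


def build_manifest(files):
    """Record a SHA-256 digest for every file at backup time (path -> bytes)."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def verify_restore(manifest, restored):
    """Compare a test restore with the manifest.  Returns a list of problems;
    an empty list means every file came back complete and bit-for-bit intact."""
    problems = []
    for path, digest in manifest.items():
        if path not in restored:
            problems.append(f"missing: {path}")
        elif hashlib.sha256(restored[path]).hexdigest() != digest:
            problems.append(f"corrupt: {path}")
    return problems


# Constructed sample: the moment of the check and three copies, one of which
# (the tape vault) has not completed a job in 45 days.
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
SAMPLE_COPIES = [
    BackupCopy("primary SAN snapshot", "disk", False, False, NOW - timedelta(hours=1), 0),
    BackupCopy("offsite object store", "object-storage", True, True, NOW - timedelta(hours=6), 0),
    BackupCopy("tape vault", "tape", True, True, NOW - timedelta(days=45), 0),
]

# Constructed files as backed up, and the same set after a test restore in
# which one file came back truncated.
BACKED_UP = {
    "db/orders.sql": b"INSERT INTO orders VALUES (1, 'widget', 3);\n",
    "config/app.yaml": b"listen: 0.0.0.0:8443\n",
}
RESTORED = {
    "db/orders.sql": b"INSERT INTO orders VALUES (1, 'widget'",  # truncated
    "config/app.yaml": b"listen: 0.0.0.0:8443\n",
}
MANIFEST = build_manifest(BACKED_UP)

if __name__ == "__main__":
    results, stale = check_3_2_1_1_0(SAMPLE_COPIES, NOW)
    for rule, ok in results.items():
        print(f"{'PASS' if ok else 'FAIL'}  {rule}")
    print("stale copies:", stale)  # ['tape vault']
    print("restore problems:", verify_restore(MANIFEST, RESTORED))  # ['corrupt: db/orders.sql']
```

With the sample data the check fails the "3 copies" and "0 errors" digits, because the tape copy is 45 days old: on paper there are three copies on three media, but only two are recent enough to matter. The manifest comparison proves the restore is complete and intact; "usable" in the sense the rule intends still needs an application-level test on top (for example, actually loading the restored database), and the check should run after every backup job, not once a quarter.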

Organizations cannot turn a blind eye to cyberattacks, and data backup and recoverability are more than a budget line item: they are the last line of defense for a business and its most valuable asset when a breach occurs.