This is How Ransomware Has Evolved Since Its Inception

It didn’t take too long to verify that ransomware is one of the “master” attacks of cybercrime. It is characterized by being highly effective and is a real money machine. In a single event it is capable of raising billions of euros from innocent victims. These people think that by paying the ransom they will have their files back. Unfortunately, this is not the case in the vast majority of cases. In this article, we are going to share everything you need to know about the evolution of this attack to date.

Before we begin to explain the history and evolution of ransomware, we are going to remind you of what it consists of.

How Ransomware Has Evolved

It is an attack that causes the encryption or encryption of some or all of your files found on your computer. The main signal that gives us to understand that we were victims of this attack is that a pop-up window like this appears:

All the content in this popup window was designed and created to despair the victim. The screenshot that we are seeing as an example corresponds to one of the largest ransomware attacks in history: WannaCrypt / WannaCry . It has information such as what happened to your computer, whether it is possible to recover the files that have been encrypted, and even how to make the payment.

In some cases like this, you can see how much time the victim would have to make the payment before the files are permanently lost. Also, how long does it take before the ransom “ransom” money increases. A very important detail, and that we will not tire of repeating, is that you should not pay for the supposed rescue of your files. Even if they happen to give you “proof of life” for your files, you shouldn’t. All you can do is make them a victim another time.

Ransomware history

The end of the 80s, specifically 1989, witnessed what is considered the first ransomware. It was a program with fairly primitive characteristics that was distributed maliciously through old floppy disks . Its first appearance resulted in a wave of extortion threats during the early 2000s. However, it did not get the attention of the general public until CryptoLocker appeared in 2013.

Ransomware is so profitable that it has become a round business and is growing in the world of cybercrime. Another extremely popular and dangerous ransomware is called Sodinokibi . So dangerous and cunning can it be, that a few months ago it obtained an improvement that makes it difficult to detect: payment through cryptocurrencies that leave virtually no trace of your transactions.

Bitcoin is the cryptocurrency that ransomware is used to accepting. However, Sodinokibi has made the decision to pass Monero. The latter does not allow any trace of the transactions carried out. So it is practically useless to try to track ransom payments.

Trojans on the web and file encryption

Between 2012 and 2013, an ancestor of the ransomware was on the prowl. It consisted of a Trojan virus that blocked your browser and even the full screen of your computer. What happened was that you saw a message with the appropriate format to get your attention. The message that could be read was an alleged accusation of crimes such as piracy, child pornography and other illegal acts.

If the potential victim comes to believe the message, read below for tips on how to make a payment in exchange for not being reported to the police and being brought to trial. At that time, the methods of paying were various card deposit services.

The authors of this Trojan managed to raise millions of dollars thanks to the thousands of victims who fell daily. However, it was easy enough to remove. It only required that you restore your operating system to a previous point before infection, or restore your web browser.

From 2013, encryption of files began to gain prominence. CryptoLocker is one of the pioneers in ransomware and appeared specifically in the month of September of that year. Files were encrypted under robust 2048-bit RSA encryption algorithms. The public-private key pair was practically inaccessible since it was stored on the Command & Control server that manages the ransomware itself. Victims had an alleged three-day deadline to pay the ransom with Bitcoin or prepaid card reloading services.

Evidence of how profitable they can be that required payment of between $ 100 and $ 600, whatever the method of payment. This popular ransomware originates from a botnet called Gameover ZeuS , which made its first appearance in 2011. Its original purpose was to appropriate bank account access credentials. The success, let’s say, of this type of attack led to the appearance of several successors that were as successful as the original. Some of them are PClock, CryptoLocker 2.0 and TorrentLocker.

RaaS: Ransomware-as-a-Service

The 2000s are characterized by various situations and curious facts, one of them is the Anything-as-a-Service, that is, everything as a service. Software-as-a-Service, Infrastructure-as-a-Service are just a few examples that everything can be configured to become a profitable service. The downside is that this knows almost no borders and ransomware gained its place in this area in 2015.

RaaS consisted of a model in which different groups of cybercriminals distributed certain ransomware. Subsequently, the profits were distributed among those same groups and the authors of the ransomware. They even put together panels with extremely detailed statistics that allowed to track the status of the victims. And if necessity dictated, they could customize the codes and distribute even more dangerous ransomware.

When we started this article, we had mentioned WannaCry . Precisely, this is one of the ransomware that have appeared between 2015 and 2018 where the RaaS gained prominence. To this day, it is remembered as one of the most devastating and financially damaging attacks on its billions of victims. An interesting fact is that this ransomware, as well as another very popular one called NotPetya , was very successful due to the implementation of exploits already identified by the United States National Security Agency, but which were not officially published for correction. Consequently, almost nobody was going to be able to prevent this attack, so in a few days it managed to wreak havoc. Both WannaCry and NotPetya are said to have been created by cybercriminals who had financial funds and support from government authorities.

The actuality of this attack is characterized by completely renewed strategies. Targets are no longer focused on individual user groups but rather on network user groups found in organizations. Why? Because over the years, factors such as Security Awareness best practices and the very high price of Bitcoin caused ransomware to decline as we know it generally.

Today, the focus is to take advantage of network vulnerabilities to gain access to them and even generate backdoors to have almost complete control of the networks that are victims. Another detail to consider is that attacking only an organization of a certain caliber and reputation can easily generate thousands of dollars in damages that translate into profits for cybercriminals.

And now, what must we do to protect ourselves?

There is no news in relation to that. We must continue with the same practices as always. In that sense, there are not many secrets. However, IT and Information Security specialists must have sufficient preparation, knowledge and attention to the trends of this type of attack. It is extremely important that organizations place great importance on the security of their network systems. If such a case does not occur, there may be cases of data theft or worse, data breach that could lead to many other attacks.