How Have Ransomware Attacks Evolved?
Ransomware began in 1989, when attendees of an international AIDS conference received “AIDS Information” floppy disks carrying a trojan. After 90 reboots of an infected system, the trojan would hide all directories, encrypt all files on the infected hard drive, and display a note from "PC Cyborg Corporation" demanding a $189 payment to an address in Panama to restore access.
The next wave of ransomware-style cyberattacks came in the early 1990s with “scareware,” so called for its use of fear-based social engineering techniques. Infected computers would display an error message, followed by an offer to buy and download software to fix the issue. Of course, the software was more malware, often designed to steal data.
The rise of file sharing popularized a category of ransomware called police lockers, screen lockers, or simply lockers. Often hidden on sites hosting peer-to-peer downloads or adult content, lockers would display a message claiming that the system had been locked because of suspected illegal activity, frequently in the name of a law enforcement or government agency such as the FBI, and that it would stay locked until the user paid a fine. Many lockers did little more than restrict mouse movement, and a system restart could restore normal functions, but fear led many victims to pay.
The Link Between Ransomware and Cryptocurrency
Early on, ransom demands typically peaked at a few hundred dollars from individual users. Moreover, ransom payments were usually made with ordinary payment cards, making the transactions far easier to track and the threat actors easier to catch.
Today, innovations in cybercrime and crypto technology have helped ransomware explode in popularity. In particular, bitcoin and other cryptocurrencies (digital currencies secured by cryptography and transacted between pseudonymous addresses rather than named accounts) have enabled bad actors to cover their tracks by making payments far harder to trace than card transactions.
Ransomware as a Service (RaaS)
A byproduct of that heightened popularity and success, RaaS tools are typically sold as inexpensive subscriptions, much like legitimate SaaS offerings. Many are readily available on the dark web, and they enable even people without programming skills to launch a cyberattack and earn a portion of its gains.
Double Extortion Ransomware
Eventually, better data backup and decryption technology began to move the needle in victims’ favor. In response, in 2019, a criminal group called TA2102 perpetrated the first high-profile double extortion ransomware attack, both encrypting and exfiltrating the victim’s data before threatening to leak it unless paid US$2.3 million in bitcoin. This way, even if the victim had managed to restore their data, they would still suffer a severe data breach unless they paid.
In 2022 and 2023, an insidious trend emerged that redefined ransomware at its core. Both an evolution and a sort of regression, encryption-less ransomware attacks don’t encrypt victims’ files at all. Instead, attackers focus solely on exfiltrating sensitive data and using the threat of leaking it as leverage for extortion.
Victims of these attacks tend to be in industries that handle highly sensitive PII, such as the legal and healthcare sectors. Because their key concern is preventing leaks of that data, many will pay the ransom whether or not anything was encrypted. And because the data isn’t encrypted, the victim has no systems to restore and no decryption to negotiate, which often translates to faster ransom payouts.