One of the most famous malware variants in existence today, ransomware – which enables a cybercriminal to deny a victim access to their files until a ransom has been paid – has become a major focus of cybercriminals and cyber defenders alike.
Ransomware works by using encryption algorithms, which are designed to ensure that only someone with access to the decryption key can reverse the transformation applied to the encrypted data and restore the original, usable version. A victim is motivated to pay a ransom by the loss of access to valuable data, and, upon payment of the ransom, all the ransomware operator must do is provide a short decryption key to restore access to all of the encrypted data.
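The property described above, that a short decryption key is the only thing standing between the victim and their data, can be shown concretely with an authenticated cipher. The Go program below is an added illustration written for this page, not code from any ransomware family or product it mentions: it seals a constructed sample buffer under a 32-byte AES-256-GCM key, then shows that the correct key restores the data while any other key is rejected outright rather than producing partially readable output. The key bytes, sample text and function names (`sealData`, `openData`, `recoverable`) are assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// sealData encrypts plaintext under a 32-byte key with AES-256-GCM.
// The returned blob is nonce || ciphertext || tag. GCM is authenticated,
// so a decryption attempt with the wrong key fails verification instead
// of returning garbage.
func sealData(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Prepend the nonce so the holder of the key has everything needed.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openData reverses sealData; it returns an error unless key is the
// exact key the blob was sealed with.
func openData(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short to contain a nonce")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// recoverable reports whether blob decrypts back to want under key.
func recoverable(key, blob, want []byte) bool {
	pt, err := openData(key, blob)
	return err == nil && bytes.Equal(pt, want)
}

func main() {
	// Constructed sample: a fixed key and a stand-in for a user's document.
	key := make([]byte, 32)
	for i := range key {
		key[i] = byte(i)
	}
	data := []byte("constructed sample document contents")

	blob, err := sealData(key, data)
	if err != nil {
		panic(err)
	}
	wrongKey := make([]byte, 32) // all zeros: differs from key

	fmt.Printf("sealed %d bytes into %d bytes\n", len(data), len(blob))
	fmt.Println("right key restores data:", recoverable(key, blob, data))
	fmt.Println("wrong key restores data:", recoverable(wrongKey, blob, data))
}
```

The size of the key does not depend on the amount of data sealed, which is why a single 32-byte value is enough to restore every file encrypted under it; conversely, when that value is never held by anyone (the NotPetya situation discussed later on this page), the authentication check guarantees that no alternative key will ever yield the original data.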
The theory behind ransomware is fairly simple and does not vary much from one variant of ransomware to another. However, the specifics of how ransomware is used by cybercriminals can be very different for different groups and attack campaigns, and have evolved significantly over the past few years.
2017 was the year when ransomware truly entered public awareness. While ransomware has been around for decades, the WannaCry and NotPetya attacks of 2017 made this type of malware a household name. These ransomware variants also inspired other cybercriminals and malware authors to enter the ransomware space.
WannaCry is a ransomware worm that uses the EternalBlue exploit, developed by the NSA, to spread itself from computer to computer. Within a span of three days, WannaCry managed to infect over 200,000 computers and cause billions in damages before the attack was terminated by a security researcher targeting its built-in “kill switch”.
NotPetya is an example of a famous variant that actually isn’t ransomware at all, but rather wiper malware that masquerades as ransomware. While it demanded ransom payments from its victims, the malware’s code had no way to provide the malware’s operators with a decryption key. Since they didn’t have the key, they couldn’t provide it to their victims, making recovery of encrypted files impossible.
In 2018, ransomware fell in popularity as rises in the value of cryptocurrency drove a surge in cryptojacking. Cryptojacking malware is designed to infect a target computer and use it to perform the computation-heavy steps required to “mine” Bitcoin and other Proof of Work (PoW) cryptocurrencies and receive the rewards associated with finding a valid block.
However, this isn’t to say that ransomware was completely inactive in 2018. In August 2018, the Ryuk ransomware (one of the leading ransomware threats today) was discovered for the first time “in the wild”. The emergence of Ryuk was part of a shift in how ransomware operators made their money. Attacks like WannaCry targeted quantity over quality, attacking as many victims as possible and demanding a small ransom from each. However, this approach was not always profitable as the average person lacked the know-how to pay a ransom in cryptocurrency. As a result, ransomware operators had to provide a significant amount of “customer service” to get their payments.
In 2018 and beyond, ransomware operators have become more selective in their choice of targets. By attacking specific businesses, cybercriminals could increase the probability that the data encrypted by their malware was valuable and that their target was capable of paying the ransom. This enabled ransomware operators to demand a higher price per victim with a reasonable expectation of being paid.
2019 was notable as the year in which ransomware operators switched their focus to critical institutions. In the first three quarters of 2019 alone, over 621 hospitals, schools, and cities in the United States were victims of ransomware attacks by Ryuk and other ransomware variants. These attacks had an estimated price tag in the hundreds of millions of dollars and resulted in cities being unable to provide services to their residents, and hospitals being forced to cancel non-essential procedures in order to provide critical care to patients.
This new approach to ransomware took advantage of the importance of the services that these organizations provide. Unlike some businesses, which could weather degraded operations while recovering from an attack, cities, schools, and hospitals needed to restore operations as quickly as possible and often had access to emergency funds. As a result, ransomware attacks against these organizations were often successful and continue to occur.
In late 2019 and early 2020, a new trend emerged in ransomware attacks. Instead of restricting themselves to encrypting a victim’s files, ransomware authors began stealing sensitive data from their targets as well. Ransomware variants stealing user data include Ako, CL0P, DoppelPaymer, Maze, Pysa, Nefilim, Nemty, Netwalker, Ragnarlocker, REvil, Sekhmet, and Snatch.
This move was in response to organizations refusing to pay ransom demands after falling victim to a ransomware infection. Although the cost of remediating a ransomware attack is often higher than the demanded ransom, best practice dictates that ransoms should not be paid since they enable the cybercriminals to continue their operations and perform additional attacks.
By stealing data from infected computers before encrypting it, ransomware operators could threaten to expose this data if the victim refused to pay the ransom. Depending on the type of data collected and leaked, this could cause an organization to lose competitive advantage in the marketplace or run afoul of data protection laws, such as the General Data Protection Regulation (GDPR), for its failure to protect the customer data entrusted to it.
Ransomware has proven to be an extremely effective tool for cybercriminals. The loss of access to their data has motivated many organizations to pay large ransoms to retrieve it. The success of ransomware means that it is unlikely to go away as a threat to organizations’ cybersecurity. Protecting against this damaging malware requires deployment of a specialized anti-ransomware solution.