SHARED INTEL: How ransomware evolved from consumer trickery to deep enterprise hacks

By David Balaban

Ransomware is undoubtedly one of the most unnerving phenomena in the cyber threat landscape. Numerous strains of this destructive code have been the front-page news in global computer security chronicles for almost a decade now, with jaw-dropping ups and dramatic downs accompanying its progress.


Ransomware came into existence in 1989 as a primitive program dubbed the AIDS Trojan that was spreading via 5.25-inch diskettes. This debut was followed by the emergence of several marginal blackmail threats in the mid-2000s that never gained significant traction among online criminals. The epidemic went truly mainstream with the release of CryptoLocker back in 2013, and it has since transformed into a major dark web economy spawning the likes of Sodinokibi, Ryuk, and Maze lineages that are targeting the enterprise on a huge scale in 2020.

Although most people think of ransomware as a dodgy application that encrypts data and holds it for ransom, the concept is much more heterogeneous than that. It additionally spans mild-impact screen lockers, data wipers disguised as something else, infections that overwrite the master boot record (MBR), and most recently, nasties that enhance the attack logic with data theft.

The AIDS Trojan mentioned above, hailing from the pre-Internet era, was the progenitor of the trend, but its real-world impact was close to zero. The Archiveus Trojan from 2006 was the first to use the RSA cipher, but it amounted to little more than a proof of concept: its 30-digit decryption password was the same for every victim and was recovered from the malware's own code shortly after it appeared. None of these early threats went pro. This timeline therefore focuses on the strains that became the driving force behind the evolution of ransomware.

FBI spoofs

2012 – 2013. During this period, the ransomware ecosystem was dominated by Trojans that locked the screen or web browser with fake alerts impersonating law enforcement agencies. These warnings claimed that the victim had committed a felony such as copyright violation or distribution of child pornography. The message pressured the user into paying a “fine” through a prepaid voucher service such as MoneyPak, Ukash, or Paysafecard; otherwise, the case would supposedly go to court.

The “police” ransomware campaigns were backed by a sophisticated Trojan called Reveton. It let the operators tailor the lock screen to the victim’s geographic location, so that the local law enforcement agency was the one being impersonated. This quirk made the scam look more credible and gave the operators flexibility across countries.

The FBI-themed ransomware was one of the most prolific infections at the time. It surfaced in November 2012 and was claiming thousands of victims a day. Its lock screen displayed the victim’s IP address, an approximate location derived from that address, the ISP name, and the Windows version. The typical ransom amounted to $300-$500 in prepaid vouchers. Fortunately, most of these lockers were easy to remove: since no files had actually been encrypted, rolling the system back to an earlier restore point or resetting the affected web browser was enough. This is why “police” lockers were promptly superseded by more complex infections.

File encryption

2013 – 2015. The above-mentioned CryptoLocker became the game-changer. It emerged in September 2013 and paved the way for the hundreds of file-encrypting menaces that have splashed onto the scene since. It used a 2048-bit RSA key pair generated on its Command & Control (C2) server: the infected machine received only the public key and used it to protect the symmetric keys that encrypted the victim’s files, while the private key needed for decryption never left the server. Victims had a three-day deadline to pay the ransom using Bitcoin or prepaid vouchers (Ukash, CashU, MoneyPak, or Paysafecard). Early versions of CryptoLocker demanded $100 for decryption, but the amount reached $600 per computer by December 2013.
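The key split described above is what makes this class of ransomware unrecoverable without the operator’s cooperation, and it is the first thing a responder checks when deciding whether a decryptor is even possible. The following is an added example written for this article, not CryptoLocker’s own code: it renders the same design with a modern hybrid construction (a random AES-256-GCM key per file, wrapped with RSA-OAEP to a public key whose private half stays “on the server”). The names Envelope, EncryptFile and DecryptFile, the choice of AES-GCM/OAEP, and the sample document are assumptions chosen for clarity.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is the per-file record a hypothetical payload would leave on disk:
// the file's own symmetric key wrapped to the operator's RSA public key, plus
// the AES-GCM nonce and ciphertext. Nothing in it opens without the private key.
type Envelope struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

// EncryptFile runs on the infected host. It only ever sees the public key.
func EncryptFile(pub *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	// Fresh random AES-256 key for this one file.
	fileKey := make([]byte, 32)
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ciphertext := gcm.Seal(nil, nonce, plaintext, nil)

	// Wrap the file key with RSA-OAEP; only the holder of the private key can undo this.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	// Wipe the plaintext key: the wrapped copy is the only one left on the host.
	for i := range fileKey {
		fileKey[i] = 0
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ciphertext}, nil
}

// DecryptFile runs on the operator's server (or inside a decryptor that embeds
// the private key released after payment).
func DecryptFile(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap file key without the matching private key: %w", err)
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

func main() {
	// Operator side: the key pair is generated on the C2 and only pub reaches the payload.
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	pub := &priv.PublicKey

	// Constructed sample file content.
	doc := []byte("2013-Q4 invoices (constructed sample document)")
	env, err := EncryptFile(pub, doc)
	if err != nil {
		panic(err)
	}
	fmt.Printf("ciphertext: %d bytes, wrapped key: %d bytes\n", len(env.Ciphertext), len(env.WrappedKey))

	// Forensics on the host yields the envelope but no private key; a key pair
	// that is not the operator's cannot unwrap the file key.
	stranger, _ := rsa.GenerateKey(rand.Reader, 2048)
	if _, err := DecryptFile(stranger, env); err != nil {
		fmt.Println("host-side recovery fails:", err)
	}

	// Only the operator's private key recovers the file.
	got, err := DecryptFile(priv, env)
	if err != nil {
		panic(err)
	}
	fmt.Println("recovered with operator key:", string(got) == string(doc))
}
```

The practical consequence for incident response follows from the last two calls: when the asymmetric half is implemented correctly, the only recovery paths are the operator’s private key, a seized key database (as happened with CryptoLocker after the botnet takedown), or a backup. Free decryptors for a given family exist only because its authors made an implementation mistake, such as leaving the per-file key in memory or on disk, which is exactly what the key-wiping step above is there to prevent.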

CryptoLocker was distributed via spam generated by the Gameover ZeuS botnet, which had originally been launched in 2011 as a toolkit for stealing victims’ banking credentials and was repurposed for malware propagation. The success of the CryptoLocker outbreak gave rise to several copycats that piggybacked on the prototype’s notoriety, including PClock, CryptoLocker 2.0, Crypt0L0cker, and TorrentLocker.

The CryptoLocker wave went into decline in June 2014 as a result of Operation Tovar, an initiative orchestrated by law enforcement agencies from multiple countries. It took down the Gameover ZeuS botnet and thereby stopped the ransomware’s distribution in its tracks.

The extortion epidemic did not end there, though. Instead, ransomware became more complex and much harder to attribute to specific actors. In July 2014, extortionists started hosting their C2 infrastructure and ransom payment sites as hidden services on the Tor anonymity network, which hid their online footprint efficiently. Payment channels narrowed to Bitcoin, whose pseudonymous transactions are far harder to tie to a person than prepaid vouchers, though not untraceable. The newsmaking emergence of CTB-Locker in 2014 and the CryptoWall ransomware in 2015 fully demonstrated this multi-pronged shift.

RaaS rollout

2015 – 2018. Another fundamental change was the onset of Ransomware-as-a-Service (RaaS) in May 2015. It is essentially an affiliate model in which various cybercriminal groups handle distribution and share their earnings with the ransomware authors. Purpose-built RaaS dashboards give affiliates infection tracking tools and let them build a custom variant of the malicious code in a snap.

This change coincided with some of the most massive and longest-running ransomware campaigns of all time. In early 2015, the TeslaCrypt strain appeared, hitting up to 2,000 computers per day. The infamous Locky ransomware was first spotted in the wild in February 2016. Spreading through malicious Microsoft Word macros in email attachments, it infected more than 400,000 PCs around the world in a matter of hours at its peak.

The infamous Cerber ransomware made its appearance around the same time and kept spreading mayhem for more than a year. CryptXXX, another major family discovered in April 2016 and later rebranded as UltraCrypter, relied on exploit kits, which abuse browser and plugin vulnerabilities to install the payload during a drive-by download. CrySiS, also known as Dharma, has been around since 2016 and continues to be active at the time of this publication. The first viable Mac ransomware, called KeRanger, was spotted in the spring of 2016.

The WannaCry and NotPetya outbreaks in May and June 2017, respectively, were the most devastating in history. Although each lasted for mere days, the victim count reached hundreds of thousands of computers. The main reason these campaigns exploded so dramatically was that they spread as worms, using the EternalBlue exploit for a flaw in Windows SMBv1 and the DoublePulsar kernel backdoor, both leaked from the NSA’s toolset by the Shadow Brokers a month before WannaCry. No user interaction was needed: any reachable machine that had not installed Microsoft’s MS17-010 patch from March 2017 could be compromised and then used to attack its neighbors. NotPetya additionally harvested credentials from memory and used legitimate Windows administration tools to move laterally, so even patched hosts fell once a privileged account had been captured. WannaCry has since been attributed to North Korea, and NotPetya to Russian military intelligence.

The GandCrab RaaS that appeared in early 2018 was one of the last high-profile threats targeting individuals on a large scale. Its operators announced their retirement in June 2019, by which time the ransomware plague had already taken another sharp turn.

Targeting enterprises

Late 2018 – present day. The plummeting price of Bitcoin in 2018, combined with growing security awareness among users and better protection practices, caused ransomware operators to rethink their strategies. Instead of the “spray and pray” approach, they started zeroing in on enterprise networks, where a single successful intrusion can be monetized for far more than thousands of consumer infections.

The big names that pioneered these targeted attacks are Sodinokibi (aka REvil) and Ryuk. The playbook mainly comes down to gaining a foothold through Internet-exposed RDP services with weak or stolen credentials, or through spear-phishing, and then moving through the network before deploying the ransomware. In many cases, the crooks compromise managed service providers (MSPs) first and then use the MSP’s remote management access to push the payload to the partnering organizations.

Local governments, small and medium-sized businesses, large international corporations, healthcare facilities, and educational institutions are the common targets. Depending on the number of infected computers, ransoms can reach millions of dollars. The most disgusting part of this activity is that some perpetrators continue to infect hospitals during the COVID-19 pandemic.

In November 2019, the criminals behind a ransomware species called Maze started a new trend that is currently gaining momentum. They added data theft to the classic encryption scenario: files are exfiltrated before they are encrypted, and the attackers threaten to leak them via publicly accessible channels such as hacker forums if the victim refuses to pay. This removes the safety net that backups used to provide, since restoring the data does nothing to stop its publication.

In early 2020, several cybercriminal groups followed suit. To top it off, some of them have created dedicated leak sites for the data dumps. Aside from Maze, this extortion tactic has become the norm for such lineages as DoppelPaymer, Sodinokibi, Nemty, Nefilim, and Clop. The latter hit the headlines in late April 2020, when its operators leaked sensitive files stolen from the U.S. pharmaceutical company ExecuPharm.

Forward outlook

Ransomware is a dynamic and increasingly hybrid segment of cybercrime. It has evolved from rudimentary screen lockers to file-encrypting threats whose correctly implemented cryptography cannot be broken, now supplemented with data theft. Some researchers thought that the 2018 downturn in these campaigns would eventually bring the menace to a halt.

However, these forecasts turned out to be premature. It was just a lull before the storm, another milestone in the ransomware timeline that preceded an overhaul of the attackers’ modus operandi.

What does the future hold? Time will tell. In the meantime, both businesses and individuals should be proactive about their defenses and maintain data backups that are kept offline or otherwise unreachable from the production network, and that are regularly tested by actually restoring from them, to minimize the impact of a potential ransomware attack.

About the essayist. David Balaban is a computer security researcher with over 17 years of experience in malware analysis and antivirus software evaluation. David runs several projects that present expert opinions on contemporary information security matters, including social engineering, malware, penetration testing, threat intelligence, online privacy, and white hat hacking. David has a strong malware troubleshooting background, with a recent focus on ransomware countermeasures.
