Ransomware has evolved from low-key sporadic attempts to gain money into an organised ‘mafia-like’ ecosystem that harnesses tech talent to launch calculated attacks against businesses and individuals.
So claimed Martin Potgieter, co-founder and technical director at Nclose, who delivered a presentation about the growth of ransomware at the ITWeb Security Summit 2023, hosted last week in Johannesburg.
Potgieter reflected on a timeline of ransomware’s evolution, beginning with the AIDS Trojan, the first threat commonly recognised as ransomware. He said the Trojan was developed by a biologist and researcher at a university and was spread on floppy disks delivered by post.
“Internet was in its infancy, but the Trojan infected quite a few PCs… it would lock you out of the computer and demand something for the return of access, hence the term lockerware,” Potgieter explained.
Over the past 20 years, there have been different variants of ransomware, including leakware, in which data is leaked or lost and the victim is pressured into paying money to get the data back.
“These variants have been relatively unsuccessful in comparison to what we have today; the attacks were sporadic, infecting a single PC or a few PCs. It was largely experimental,” Potgieter added.
However, they did force people to sit up and take notice.
“2013 was another milestone, when the first ransomware demand was for Bitcoin, and so we saw the emergence of crypto-currency,” Potgieter continued. “Crypto-currency was a catalyst in driving ransomware; criminals demanded larger sums of money and there was less risk in being caught.”
He said attackers often work in foreign countries and use compromised infrastructure, which reduces the chance of getting caught. “If a Bitcoin wallet is compromised, it’s not completely untraceable – but it’s very difficult.”
According to the Nclose executive, ransomware as a service (RaaS) came into the picture in 2016. That is when organised groups mobilised and began orchestrating hi-tech campaigns.
“Before this, it was really only highly technical and skilled people who had the capability to launch attacks, those with programming and coding skills. But RaaS lowered the barrier for criminals to get into syndicated ransomware. Today, there are specialised groups with programmers and other members who look after negotiation.”
Potgieter singled out the arrival of the WannaCry virus as a significant moment. “We all know where we were when WannaCry hit… I have never seen people patch that quickly in my life! Now ransomware could move laterally by itself. And many people were not patched up.”
Nclose said ransomware has exploded over the past five years. Markets have responded by improving backups, and when criminals then attacked and deleted backups, businesses began to invest in non-deletable backups – or backups with embedded functionality that prevents them from being deleted.
“But it’s a cat-and-mouse game and just in the last two months, attacks have escalated and now resort to double or triple extortion,” said Potgieter.
This is largely a result of victims refusing to pay. “Some governments have implemented strict policies, which dictate that victims do not pay ransom demands. So attackers have resorted to double or triple extortion, which means they put pressure on business partners and suppliers to convince their chosen victim to pay the ransom.”
Looking ahead, Potgieter noted interest and investment in crypto-currency will continue, but more governments will focus on regulation and control.
He said cloud adoption is also on the increase, especially in SA, and cyber criminals will look to exploit this space. AI is expected to continue to be used by cyber criminals, especially in attempts to exfiltrate data.
Potgieter added that supply chain attacks will continue to be an attractive mechanism for attackers.
Reputational damage is expected to become a growing concern for markets, particularly because of privacy regulation that is being implemented to force disclosure by businesses or organisations that are attacked.
“Transparency is a good thing, but it also helps cyber criminals,” Potgieter said.
Nclose has advised businesses to create board awareness of cyber security risks, focus on improving cyber security maturity and practise proactive response.