It has been less than a month since news broke of yet another massive ransomware attack. Early ransoms were in the hundreds of dollars; today they reach millions. How did we get to the point where our data and services can be held for ransom? And with multimillion-dollar payouts on the table, can we hope this will ever end?
History of Ransomware
Dr. Joseph L. Popp, an evolutionary biologist, is credited with the first use of computer software to demand a ransom. In December 1989, Popp used the postal service to send 20,000 floppy disks labelled "AIDS Information - Introductory Diskette" to medical research institutions and other recipients in 90 countries. Each disk contained an interactive questionnaire that estimated a person's risk of contracting AIDS from their answers. The disk also carried the first ransomware program, the "AIDS Trojan", which lay dormant until the computer had been rebooted a set number of times (90) and then hid directories and encrypted the names of the files on the user's hard disk. A message, also sent to the attached printer, instructed the victim to send a bank draft, cashier's check or international money order for $189 to a post office box in Panama. Popp reportedly planned to distribute another two million disks before he was detained on his way back to the United States from a World Health Organization AIDS seminar. Despite the evidence against him, Popp was never convicted; a court found him unfit to stand trial.
By the early 2000s, cybercriminals had a ransomware prototype and access to three basic pieces of technology that Dr. Popp did not have:
(1) An efficient, high-speed delivery system: the World Wide Web, connecting millions of computers around the world.
(2) Strong asymmetric encryption tools, which make the encrypted files practically impossible to recover without the attacker's private key.
(3) A payment platform, such as Bitcoin, that offers speed, a degree of anonymity, and the ability to automate the release of decryption keys once a payment arrives.
Put these together, and that is when ransomware really takes off. Here is a summary of important events in the history of ransomware:
2006 - Archiveus used RSA-1024 to encrypt files, making it impractical to recover them by brute force. Victims were forced to buy products from an online pharmacy to obtain the decryption code.
2008 - With the introduction of Bitcoin, ransomware attackers could create a unique payment address for each victim, and Bitcoin became the preferred payment method.
2011 - Bitcoin matured and the number of ransomware attacks rose dramatically: about 30,000 infections were reported in the first half of 2011, and the count roughly doubled to 60,000 later that year.
2017 - WannaCry and NotPetya brought ransomware to the fore. WannaCry is a cryptoworm: it spreads semi-autonomously by exploiting a vulnerability in unpatched Windows systems (the EternalBlue SMB flaw, patched by Microsoft in March 2017) without any user interaction. In May 2017, WannaCry infected more than 250,000 devices worldwide, the largest ransomware outbreak in history, with estimated financial damage of $4 billion. NotPetya (a variant of the original 2016 Petya) is another worm that exploited the same vulnerability a month later, even though security patches had been available for months. Both highlight the danger of keeping unsupported systems in service and the necessity of installing security patches promptly.
2018 - "Ransomcloud" demonstrated that cloud email accounts such as Office 365 are also vulnerable to ransomware. Fortunately, this was a proof of concept produced by a white-hat hacker. Bitcoin's anonymity could no longer be taken for granted, and cybercriminals began migrating to other cryptocurrencies. Newer families such as Annabelle and AVCrypt, and a new version of SamSam, added features to hinder detection and post-attack forensics.
2019 - Attackers moved to two-stage attacks: an initial malware infection followed by ransomware. Families like MegaCortex were built to target corporate networks, using domain controllers to spread. Security researchers later reported attackers running the ransomware inside a virtual machine so that the encryption of files and folders on the host appeared to come from a legitimate hypervisor process, evading antivirus detection.
Evolution of Ransomware Tactics
In addition to turning advances in technology to their advantage, ransomware attackers have become more aggressive and are using innovative tactics to improve their odds of getting paid.
Cybercriminals have shifted their focus to critical infrastructure and larger organizations. In 2016, for example, several hospitals were hit by ransomware, including Hollywood Presbyterian Medical Center, The Ottawa Hospital and Methodist Hospital in Kentucky, to name a few. In each case, hospital devices were locked or medical records were encrypted, putting patients' lives at risk. Some hospitals were fortunate to have strict backup and recovery policies. Others had no choice but to pay the ransom as quickly as possible to restore health services.
[Figure: Ransomware development timeline, 1989 - 2019]
In March 2018, many of the City of Atlanta's online services went offline after a ransomware attack. The city did not pay the ransom of roughly $51,000 in bitcoin, but initial estimates put the recovery cost at around $2.6 million.
In May 2021, DarkSide ransomware forced the shutdown of key infrastructure that supplies about 45% of the fuel consumed in 13 US states on the East Coast. Within a day of the attack, Colonial Pipeline, the victim, paid $4.4 million to restore its systems. Large payments like this encourage attackers to look for ever more creative ways of getting paid.
[Figure: The 5,500-mile Colonial Pipeline was offline for several days after a ransomware attack compromised the company's computer network. The DarkSide group, a cybercriminal gang based in Eastern Europe, was responsible for the attack.]
Another tactic is "encrypt and exfiltrate", also known as double extortion. Attackers realized that the same network weaknesses that let ransomware in can also be used to take data out. In addition to encrypting the victim's files, they steal sensitive data and threaten to publish it unless the ransom is paid. So even if an organization can recover from the encryption using backups, it cannot undo the public release of stolen data.
Vastaamo, a Finnish psychotherapy clinic with about 40,000 patients, fell victim to a newer tactic called "triple extortion". As usual, medical records were encrypted and a large ransom was demanded. The attackers had also stolen patient data, and shortly after the initial attack, individual patients received extortion emails demanding payment to prevent the public disclosure of their personal therapy session notes. Between the data breach and the resulting damages, Vastaamo filed for bankruptcy and ceased operations.
The Future of Ransomware
Check Point Research reports that ransomware attacks have increased by 57% since the beginning of 2021, after causing nearly $20 billion in damages in 2020 alone, up 75% from 2019. Ransomware attacks are highly targeted: they go after organizations in industries such as healthcare, water, electricity, insurance and law, because organizations that provide essential services are more likely to pay, and to pay large ransoms.
[Figure: Ransomware attacks per organization by industry, April 2021, Check Point Research]
About 40% of new ransomware families include a data-exfiltration component to support double and triple extortion. In addition, some ransomware-as-a-service (RaaS) operations, REvil among them, offer their affiliates (the actual attackers who compromise a system) distributed denial-of-service (DDoS) attacks and VoIP call campaigns as a free add-on, to put more pressure on victims to pay within the deadline.
Why the sudden increase in ransomware attacks?
It is profitable. Even if only a small percentage of ransomware attacks succeed, they still generate a significant return on investment. Consider, for example, the largest publicly known ransom payments to date:
CWT Global - $4.5 million
Colonial Pipeline - $4.4 million
Brenntag North America - $4.4 million
Travelex - $2.3 million
University of California, San Francisco - $1.14 million
These are only a handful of the successful ransomware campaigns. Unfortunately, such high-profile payments drive attackers to keep searching for new ways to infect, spread and extort. In 2017, 55 traffic cameras in Victoria, Australia were infected with WannaCry through human error. While the impact was small, it shows that embedded devices are targets too. Given the slow pace of security updates and the growing number of vulnerable IoT devices around the world, this is likely to create new opportunities for ransomware operators.
Experts also fear the rise of ransomware against cloud services, particularly Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) targets.
A new generation of young people, inspired by TV shows like Mr. Robot, has access to more learning resources, such as Hack The Box, than any generation before them. These newcomers are eager to learn and even more eager to test their skills.
Ransomware sits at the heart of a complex and thriving underground economy with all the hallmarks of a legitimate business. Imagine a community of highly skilled and collaborative malware developers, RaaS providers, tiered affiliates, IT and customer support teams, and even operators responsible for negotiations and "press releases".
We hand our data to many different service providers and rely on technology for our daily operations, and in doing so we inadvertently make it possible for ransomware attackers to hijack our systems and hold us hostage. We can therefore only expect ransomware attacks to increase, and to become ever more creative in ensuring payment, for instance by demanding one payment for decrypting the data and a separate one for not publishing it.
The Colonial Pipeline attack highlighted the fragility of modern society. It caused widespread anxiety in the affected states, leading to panic buying of fuel, fuel shortages and high fuel prices.
The cost of ransomware is not limited to the ransom. Data loss, downtime, reduced productivity after the attack, and the expense of forensic investigation, rebuilding systems, improving system security and training employees are the hidden and unplanned costs that follow an attack.
In late 2020, the Ransomware Task Force (RTF) was launched. A coalition of more than 60 members from industry, government, law enforcement and civil society across several countries, it is dedicated to finding ways to counter ransomware attacks. In April 2021, the RTF published the report "Combating Ransomware: A Comprehensive Framework for Action", which contains 48 prioritized recommendations for reducing the ransomware threat.
The concerted effort is paying off. While no arrests were made in the Colonial Pipeline case, the FBI recovered 63.7 bitcoin (about $2.3 million) of the ransom paid. The FBI and law enforcement agencies around the world disrupted the NetWalker ransomware-as-a-service operation and seized the dark web site it used to communicate with victims. Earlier this year, the Emotet botnet, a major tool for delivering ransomware to victims through phishing, was also taken down.
This may seem like a drop in the ocean compared with the number of ransomware attacks in the recent past. But national and international public and private organizations now acknowledge the ransomware threat and are actively working to neutralize it, which is a much-needed step in the right direction.
Ransomware: its history, evolution and future