The precise origins of today’s ransomware are still up for debate but there is no doubt that a piece of malware called Reveton, which first emerged in 2012, was an important moment.
The world has a chance to re-assess this malware’s significance with the news that its alleged creator, Maksim Silnikau, was arrested in Spain in July 2024.
He was rapidly extradited to the US a few weeks later. The Belarusian’s mistake seems to be that he didn’t get out of the game soon enough.
According to Britain’s National Crime Agency (NCA), his rap sheet stretches all the way back to Reveton all those years ago.
To anyone who can remember back that far, Reveton was an example of what was then termed the ‘police Trojan’. Users were locked out of their computers with an official (and entirely bogus) message demanding they pay a fine of $300 for committing a fictitious digital crime.
Reveton wasn’t the first or only malware to use this tactic but the people behind it seemed to have been among the first to understand the potential of holding computers to ransom on a large scale.
The insight was that it’s not users that count in extortion but the computers. Hijacking one computer is a problem for one person; hijack lots of computers and you can extort entire organizations.
Ransomware is born
Ransomware, of course, was far from a new concept in 2012. The first program to deploy the technique can be traced back to as early as 1989 (the infamous AIDS Trojan) while post-Internet ‘modern’ forms such as Cryzip were documented in small-scale attacks around 2006.
We think of evolution as a slow process (see ransomware.org’s timeline for more on that) but in computing there can also be sudden jumps in capability.
Reveton was an example of a jump, not because of the malware itself but because of the business model behind it, ransomware-as-a-service (RaaS). The NCA explained the innovation of RaaS as follows:
“Such services provide a suite of tools that allow low skilled offenders to launch effective ransomware attacks for a fee and are now widely used, meaning they have significantly lowered the barrier to entry into cybercrime.”
Reveton’s creator – or “J.P. Morgan” as police claim Silnikau called himself – understood that to generate serious money, the police Trojan racket had to find a way to scale.
The tactic of holding computers to ransom was succeeding, but on a scale far beyond the hackers’ ability to process the victims and transactions. That’s probably why so many victims of early ransomware who paid ransoms never received an unlock key – there were just too many victims to cope with.
The answer was to sign up affiliates to an automated crime platform and make money by asking for a percentage of the ransom takings. Arguably, this is where modern ransomware really began.
Ransomware, then, isn’t simply a crime in which a victim is extorted. It’s the extraordinary scale on which it is done that tells us we’re living in the ransomware age.
Stayed in the game
Looking at the charge sheet, Silnikau’s downfall seems to have been that he stayed in the game, allegedly being behind a long line of malvertising campaigns distributing ransomware, scareware and exploit kits.
That money was too good to pass on. Reveton possibly made him around $400,000, peanuts by today’s cybercrime standards. The later activities, the NCA said, achieved a more impressive annual turnover of $34 million.