The History of Ransomware

For many people the Colonial Pipeline ransomware attack was a wakeup call about the dangers of ransomware, but ransomware itself has been around, and disrupting—if not completely devastating—people’s lives, since 1989.

How We Got Here: A History of Ransomware

By Thursday, May 6, 2021, most people had heard of ransomware and some had a vague awareness of it as a growing worldwide problem. But by Monday, May 10, most of the world awoke to an understanding of just how destructive and impactful ransomware can be.
You see, May 6 was the day that a relatively low-level ransomware actor, or one of that actor’s affiliates, found an old username and password for a virtual private network (VPN) account belonging to a company’s ex-employee. That ransomware actor used those old credentials, which should have been disabled, to gain access to the network of Colonial Pipeline, a company that delivers gasoline to much of the East Coast of the United States. The ransomware actor then expanded the breach to other parts of Colonial Pipeline’s IT network, but not to its Operational Technology (OT) network, the network actually responsible for controlling the pipelines. Had the ransomware actor gained access to the OT network, they could have caused significantly more damage: instead of a gasoline shortage along the East Coast caused primarily by panic buying, there could have been a real shortage of gasoline for weeks or longer. The actor used tools common to many ransomware actors to get administrative access to Colonial Pipeline’s network, eventually taking over the Active Directory servers.
Once the ransomware actor had control of the Active Directory servers, the actor was able to push the DarkSide ransomware to thousands of machines on Colonial Pipeline’s network, leaving the organization crippled. The news of the ransomware attack didn’t get picked up until Friday evening, and even then, for most people, it just caused a power outage. But by Saturday everyone knew Colonial Pipeline had been hit by ransomware. It was on the front page of The Washington Post, The New York Times, and The Wall Street Journal. The Colonial Pipeline ransomware attack led the news on CNN, FOX, and MSNBC, as well as the nightly news on NBC, ABC, and CBS.
The rapid news cycle, along with the serious gas shortages the following week caused by Colonial Pipeline’s inability to deliver gas, kept the attack in the headlines. Colonial Pipeline finally got much of its network back online by May 12, and gasoline delivery resumed soon thereafter, but the May 12 announcement did little to quell the panic buying of gasoline that was occurring all up and down the East Coast.
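The stale credential that opened the door at Colonial Pipeline is a control failure that can be checked for mechanically. The following Python is an added example, not code from the original page: it reconciles a constructed VPN account export against a constructed HR roster (the field layout is an assumption) and flags every enabled account whose owner has left, treating a logon after the termination date as the most urgent finding.

```python
"""Reconcile a VPN account export against the HR roster.

Added example, not from the original page. Both datasets below are
constructed and their field layout is an assumption; the check itself is
the point: an account whose owner has left must be disabled, and any
logon after the termination date means the stale credential is in use.
"""
from datetime import date, timedelta

# Constructed HR roster: username -> (employment status, termination date or None)
HR_ROSTER = {
    "jdoe": ("active", None),
    "asmith": ("terminated", date(2020, 11, 30)),
    "bwong": ("terminated", date(2021, 3, 15)),
    "contractor7": ("terminated", date(2019, 6, 1)),
}

# Constructed VPN export: (username, enabled?, last logon date or None)
VPN_ACCOUNTS = [
    ("jdoe", True, date(2021, 5, 5)),
    ("asmith", True, date(2021, 5, 6)),      # owner left in 2020, still logging in
    ("bwong", False, date(2021, 3, 10)),     # correctly disabled at offboarding
    ("contractor7", True, None),             # terminated, never used, never disabled
    ("svc-legacy", True, date(2020, 1, 4)),  # nobody in HR owns it, and dormant
]

# Constructed "today" so the audit is reproducible
SAMPLE_TODAY = date(2021, 5, 10)


def audit_vpn_accounts(hr, vpn, today, dormant_days=90):
    """Return (severity, username, reason) for every enabled VPN account that
    fails reconciliation, ordered highest severity first."""
    findings = []
    for user, enabled, last_logon in vpn:
        if not enabled:
            continue  # a disabled account is exactly what we want for a leaver
        status, term = hr.get(user, (None, None))
        if status == "terminated":
            if last_logon is not None and last_logon > term:
                findings.append(("critical", user, "logon after termination date"))
            else:
                findings.append(("high", user, "terminated but still enabled"))
        elif status is None:
            findings.append(("high", user, "no HR owner on record"))
        elif last_logon is None or today - last_logon > timedelta(days=dormant_days):
            findings.append(("medium", user, "dormant account"))
    order = {"critical": 0, "high": 1, "medium": 2}
    return sorted(findings, key=lambda f: (order[f[0]], f[1]))


if __name__ == "__main__":
    for sev, user, reason in audit_vpn_accounts(HR_ROSTER, VPN_ACCOUNTS, SAMPLE_TODAY):
        print(f"{sev:8} {user:12} {reason}")
```

In practice the HR and VPN feeds would come from the identity provider and the VPN appliance's user export; the comparison logic is unchanged.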

The Evolution of Ransomware

Because the various technologies we call “ransomware” vary a great deal in tactics, techniques, and procedures (TTPs)—and even in the ways in which they gain initial access, move around the network, and whether they encrypt files or don’t—we have to look at the many types of ransomware that have evolved over time. This timeline shows many of the important points in the history of ransomware, many of which are covered in this section and throughout this site.

The First Instance of Ransomware

The AIDS Trojan (aka PC Cyborg), 1989
- Created by Dr. Joseph Popp and distributed to 20,000 attendees at the World Health Organization (WHO) AIDS conference
- Released on 5¼” floppies
- Demanded $189 ransom

GPCoder, 2004/2005
- Message displayed on a user’s home screen, directing them to a .txt file posted on their desktop. The file contained details of how to pay the ransom and unlock the affected files
- Demanded $200 ransom

Archiveus Trojan, 2006
- Primarily a Windows-based attack
- Encrypted the MyDocuments directory
- First ransomware to use RSA encryption

Locker ransomware (FBI MoneyPak), 2009
- A category of ransomware that hit mobile devices
- Prominent examples: WinLock, Reveton

CryptoLocker, 2013
- First ransomware to demand payment in bitcoin

CryptoWall, 2014
- Leveraged a Java vulnerability
- Nearly 1,000 victims; estimated losses of at least $18 million

Locky, 2016
- First widespread ransomware
- As many as 500,000 phishing emails per day were sent out
- Other ransomware made its debut in 2016 as well, including:
  * Cerber
  * Jigsaw
  * TeslaCrypt
  * SamSam
  * Petya

WannaCry and NotPetya, 2017
- WannaCry attacked an estimated 200,000 computers in 15 countries
- U.S. and U.K. officials claimed North Korea was behind the WannaCry attack
- NotPetya was a variant of Petya that targeted victims in Ukraine, including the National Bank of Ukraine
- U.S. officials estimated damages from the NotPetya ransomware at more than $10 billion

DarkSide, 2021
- Colonial Pipeline attack
- Pipeline was shut down for six days
- Colonial paid a $4.4 million bitcoin ransom


The Shifting Definition of "Ransomware"

For an industry that's so much “online,” the information security community is often surprisingly bad at documentation. That's the case with the term ransomware. The term seems to have appeared first in 2005, but it’s hard to confirm that.
There are two possible contenders for the first publicly documented use of the term ransomware (undoubtedly there are others that have been missed). The first, the one cited by Wikipedia, is a September 2005 Network World article by Susan Schaibly called “Files for Ransom.”
The second nominee is the Symantec Security Response whitepaper, “The Evolution of Malicious IRC Bots,” written by John Canavan. This paper was presented at Virus Bulletin 2005, which ran from Oct. 5-7, 2005, and therefore after Schaibly’s article, but the whitepaper was clearly written before the article came out, so the question is just when it was first distributed. (Symantec has since been acquired by another company and its archives wiped.) The whitepaper contains this sentence in the conclusion, almost as an afterthought:

“With the recent emergence of Trojan.GPCoder, the door is open for the emergence of more complex ‘RansomWare’ threats.”
Once the term was widely adopted, it first came to mean a piece of malware that encrypted files, which is the definition widely understood today. However, as locker ransomware superseded crypto ransomware in popularity, the term came to mean malware that locked a victim’s screen to prevent access to the system. 
This definition was so prevalent that a 2012 report from Symantec Security Response entitled “Ransomware: A Growing Menace” clarified the definition as follows:

“Ransomware, which locked a screen and demanded payment, was first seen in Russia/Russian-speaking countries in 2009. Prior to that, ransomware was encrypting files and demanding payment for the decryption key.”
Unfortunately for the authors, the definition of ransomware was set to change again the following year.

The AIDS Trojan: The First Ransomware Attack

The AIDS Trojan, also known as PC Cyborg, was created by Joseph Popp and distributed to 20,000 attendees at the 1989 World Health Organization (WHO) AIDS conference (hence the name) via floppy disk. Much like many malware variants distributed today via USB drive, the AIDS Trojan did not rely on any sort of exploit, but simply on the curiosity of researchers about what was on the disk.
The floppy disk contained a questionnaire about AIDS. When scientists, researchers, and other conference attendees installed the program, everything ran fine on their machines until the 90th reboot of the computer. On the 90th reboot, the AIDS Trojan would encrypt the victim’s filenames—although not the contents of the files—and demand a licensing fee of $189 for the PC Cyborg Software, to be paid by cashier’s check or international money order sent to a P.O. Box in Panama, as shown in the screenshot below.

Although the Trojan worked, the attack wasn’t very effective in terms of generating payment. Very few victims sent a check or money order to Dr. Popp. Instead, a decryptor called CLEARAID was developed by Jim Bates, editorial advisor for Virus Bulletin, which allowed victims to restore files without paying the ransom. Despite the overall lack of success of the attack, there were reports that the AIDS Trojan caused some victims to wipe and rebuild their infected machines, often losing years of AIDS research.

Lessons Learned from the AIDS Trojan

Chances are many readers are familiar with the AIDS Trojan story. It seems every ransomware book, long-form article, or history of ransomware reporting feels compelled to retell this story.

Today when a threat actor pulls off a novel attack, we expect copycats to quickly follow. That wasn’t the case with the AIDS Trojan. Even though the attack drew enough attention to make an appearance in The New York Times, there were no copycat attacks, at least not on the same scale.

Today’s ransomware attacks look nothing like the AIDS Trojan attack, but still, there are some eerie parallels between the AIDS Trojan ransomware attack and today’s ransomware attacks:
- The AIDS Trojan relied more on the unwitting researchers than on sophisticated attack methods
- The first version wasn’t very good
- The security community rallied to help victims
- Many of the victims were left devastated, losing years of work
- The attacker did not see himself as a criminal, but as someone trying to prove a point
- Healthcare workers were targeted in the attack
These story lines play out over and over again throughout the history of ransomware. As this page discusses modern ransomware families, some of the same themes will be on display.

GPCoder and Archiveus

The next set of ransomware attacks would not come until late 2004/early 2005. The GPCoder ransomware was identified by Symantec in its September 2005 Internet Security Threat Report as a Trojan that “encrypts data files such as documents, spreadsheets, and database files on the compromised computer,” although it was not labeled as ransomware. Like some modern ransomware, GPCoder left a note in each directory and demanded a $200 ransom payment. The ransom was expected to be paid either via Western Union or premium text messages.

In 2006, the Archiveus Trojan tried a slightly different tactic. It only encrypted files in the “My Documents” folder. In order for victims to decrypt their files, they had to make purchases from certain sites. It’s interesting to see how much modern ransomware notes have ripped off directly from the Archiveus Trojan’s note, including this bit:
"Do not try to search for a program that encrypted your information—it simply does not exist in your hard disk anymore. System backup will not help you to restore files. Reporting to police about a case will not help you, they do not know the password. Reporting somewhere about our email account will not help you to restore files. Moreover, you and other people will lose contact with us, and consequently, all the encrypted information."
Food for Thought: Ransomware? What's in a Name?

The original F-Secure article linked in this section for the Archiveus Trojan includes this quote, “The MayArchive.B trojan is a so-called ‘ransomware.’” Even though ransomware is a well-established and accepted name at this point, there was a lot of debate about the use of the term early on. Many felt that “ransomware” was too catchy and had too much of a marketing feel. These observers preferred terms such as cryptovirus or cryptoviral extortion. In the end, ransomware won out and now we accept it as standard terminology.

Ransomware Is Blockbuster Video's Fault

The big problem with a lot of ransomware attacks early on was that getting paid was hard and keeping the money was really hard. Western Union, MoneyPak, and Premium Text charges were all traceable, and often reversible. Therefore, the attacker couldn't always rely on keeping their ransom. It was difficult to reverse these charges and victims were rarely successful, but the style of payment still presented a risk to the attacker.

It was thanks largely to Blockbuster Video that attackers figured out an alternative: gift cards. Neiman Marcus is actually credited with moving from traditional paper gift certificates to gift cards, but Blockbuster Video popularized gift cards in 1995 by prominently displaying them at its checkout registers. Starbucks followed suit, introducing refillable gift cards in 2001, and they really took off from there.

The development that really helped ransomware groups, and other threat actors, was when grocery stores began prominently featuring large endcap displays filled with gift cards from various stores, gaming vendors, and of course credit card companies. This meant that almost any victim in the United States needed just a quick trip to the grocery store or pharmacy to pay the ransom. The next wave of ransomware focused on collecting gift cards.

Locker Ransomware

These attacks that demanded gift cards as payment were not what we typically think of as ransomware attacks today: They were locker-style ransomware. Although it doesn’t make the news very often, locker ransomware is still very active today, mostly targeting mobile users. Locker ransomware started in 2009 in Russia and spread to the rest of the world in 2010. Initially, most victims of locker ransomware were home computer users; it wasn’t until later that this type of attack focused primarily on mobile devices. Locker ransomware such as WinLock and Reveton really jumpstarted this phase of ransomware.

Locker ransomware is generally installed when a victim visits a website that has malicious code or is serving up malicious ads (most of the time without the knowledge of the website administrator or advertising company). The code is generally JavaScript, although other client-side scripting languages are used. It runs on the victim’s device and creates a popup claiming that the computer has been locked and that the only way to unlock it is to pay a ransom, generally through gift cards or MoneyPak. The ransom note often includes suggestions on places to purchase the gift card or MoneyPak vouchers, making it even easier for the victim to pay.

On mobile devices locker ransomware is almost always disguised as an app, usually something innocuous, such as a calculator app. The user downloads and installs the malicious app from an app store and when the app runs it locks the phone. The majority of these attacks occur on Android-based mobile devices and the apps often reside outside of official app stores. Even though most of these apps pretend to be other common apps, that’s not always the case. During the COVID-19 pandemic, cybercriminals developed a COVID-19 “tracker” that turned out to be locker ransomware.
Sample of FBI MoneyPak ransomware
Most locker ransomware claimed to be from the FBI, NSA, or other government agency. As shown in this screenshot, the message often claimed to have discovered illegal images or other contraband on the infected computers, which is why victims had to “pay a fine” to regain access to their computers.
Unlike encrypting ransomware, locker ransomware simply makes it difficult for victims to get past the “locked” screen, but doesn’t actually touch any of the files on the system (other than to insert code so the locking screen reappears if the victim tries to reboot). If you know enough about computers, it’s trivial to quickly remove most locking ransomware, though it’s more difficult to remove locker ransomware on mobile devices. Therefore, it has generally fallen out of favor, but it does continue to linger on mobile devices because it’s harder to remove.

CryptoLocker, the Real Beginning of the Ransomware Scourge

2013 saw the advent of what's widely considered the current generation of ransomware.

There have been some changes in the way ransomware is delivered, who is targeted, and the amount of money ransomware groups make, but the current generation of ransomware can directly trace its lineage back to 2013 and the introduction of CryptoLocker.

Interestingly, CryptoLocker was a bit of a hybrid in that the first version allowed victims to pay either through Bitcoin or MoneyPak. Subsequent copycats moved to all Bitcoin. From late 2013 through mid-2014, the threat actor behind CryptoLocker made $27 million from an estimated 234,000 victims around the world.

CryptoLocker also was a great example of law enforcement and private security companies working together to tackle a cybercriminal threat. In June 2014, law enforcement agencies around the world, working with a number of cybersecurity companies, took action against the criminals behind CryptoLocker. Some of the agencies involved in the takedown of CryptoLocker included the US-CERT, the National Police of the Netherlands, the Police Judiciaire of France, the Royal Canadian Mounted Police, and the Cyber Police of Ukraine. Law enforcement worked closely with a number of security companies, including Afilias, CrowdStrike, F-Secure, Microsoft, Neustar, and Symantec.

The criminal behind CryptoLocker was a Russian citizen named Evgeniy Mikhailovich Bogachev. He was indicted but never arrested, a pattern that continues to this day with ransomware actors. Despite the lack of arrests, the takedown was a success and original CryptoLocker infections were reduced to only a few each day. Unfortunately, the floodgates for further ransomware attacks of that kind were opened.

Locky and Friends

FIRST REPORTED

Locky ransomware was first reported in 2016 and quickly became one of the most widespread cyberthreats ever seen. At one point, Locky accounted for 6% of all malware observed, across all malware types, and the group behind Locky was sending out as many as 500,000 phishing emails a day in 2016. For context, in 2020 it was estimated that 122 billion phishing messages were sent across 241,000 separate campaigns. That means the average phishing campaign in 2020 sent approximately 500,000 messages the whole year, the same number that Locky was sending in a single day in 2016.

EXTORTED BILLIONS

Locky wasn’t alone in making 2016 the year that ransomware groups potentially amassed their first $1 billion USD in extorted ransom payments. Other ransomware such as Cerber, TeslaCrypt, Petya, and Jigsaw were also extremely prevalent.

GONE PHISHING

All of these variants were used in automated ransomware attacks that infected only a single machine. They were generally delivered via a phishing campaign, exploit kit, or malicious banner ad, often on very popular websites. There were so many ransomware variants popping up, all following that same model, that 2016 was repeatedly declared to be “the year of ransomware.”

Hidden Tear: "The Year of Ransomware" Got Worse

Despite the breathless news stories about 2016 being the “year of ransomware,” it only got worse from there. One of the developments that helped push the growth of ransomware was the release of Hidden Tear ransomware source code.
Utku Sen, a security group from Turkey, published the source code for the Hidden Tear ransomware on GitHub in August 2015 with the intention of showing other security teams how ransomware works and how to defend against it. In a theme that will recur many times with ransomware, bad guys quickly seized upon the source code, made improvements, and used their new ransomware to launch millions of attacks. Over the course of several years, dozens of ransomware variants were built on the Hidden Tear source code. As recently as July 2020, almost five years later, new variants of ransomware were traced to the Hidden Tear source code. None of the variants were as prolific as Locky ransomware, but descendants of the Hidden Tear ransomware were used to infect millions of victims.

Governments Do Ransomware, Too: WannaCry and NotPetya

It’s impossible to describe the impact of the WannaCry and NotPetya ransomware attacks in a single page, much less a single section of a page. Suffice it to say that no ransomware attack, until the Colonial Pipeline attack, had the same level of impact that WannaCry and NotPetya ransomware attacks had, especially coming on top of each other in May and June of 2017.
This image shows media coverage of ransomware in the United States between January 2016 and July 2021. The two bumps in 2017 are the coverage of the WannaCry and NotPetya attacks. Although ransomware had been well-known among technical and security professionals, WannaCry and NotPetya helped make ransomware mainstream for a wider audience. It would take another four years before widespread awareness of ransomware, but these attacks were a preview of what was to come. 

(Source: Media Cloud)

The WannaCry ransomware was launched on May 12, 2017, and quickly spread around the world, infecting as many as 230,000 computers in 150 countries. If it weren’t for the quick thinking of researcher Marcus Hutchins, there would likely still be WannaCry infections happening today. As it is, many anti-virus companies still see attempted WannaCry infections on a regular basis, but they no longer try to encrypt because of the sinkhole that Hutchins created.

WannaCry was a worm that spread via the EternalBlue Server Message Block (SMB) vulnerability that was part of the cache of exploits stolen from the NSA in the Shadow Brokers dump. The ransomware demanded a ransom payment of $300 USD in Bitcoin but no encryption key was available, so victims who paid (and there were about 1,000 of those) weren't able to recover the files. In December 2017 the U.S. and U.K. governments jointly attributed WannaCry to North Korea.
Just over two months after the WannaCry attack, a second massive ransomware attack occurred. On June 27 companies all over the world were infected with a strain of malware, now known as NotPetya, that looked a lot like ransomware. While NotPetya encrypted files in the same manner as most ransomware, it also encrypted the master boot record (MBR), which meant that even if victims were given a decryptor, files could not be recovered. Rather than true ransomware, NotPetya was destructive malware wearing a ransomware disguise. NotPetya was distributed through a trojanized update to the M.E.Doc accounting software. This software is required for any organization that does business in Ukraine. Attackers managed to gain access to M.E.Doc’s update server and replace the legitimate update with the malicious code. In February 2018 the U.S., Canadian, and Australian governments attributed the NotPetya attack to Russia.

SamSam Ushers in a New Era of Ransomware

Samsam Kandi is a rural village in the Northeastern part of Iran, and if security researchers were better at geography, the threat actors behind the SamSam ransomware may have been indicted a whole lot sooner.
SamSam first appeared in 2016, and it was different from the start. It wasn’t delivered via exploit kit or phishing. Instead, SamSam exploited vulnerabilities in JBoss and looked for exposed Remote Desktop Protocol (RDP) servers to launch brute force password attacks to gain access (a technique still used by many ransomware actors today). Unlike contemporary ransomware groups, SamSam didn't install the ransomware on a single machine. Instead, once it had access to one host, it used a variety of tools and exploits to spread throughout the victim network and install the ransomware on as many machines as possible.
Over several years SamSam managed to hit several high-profile targets, most notably Hollywood Presbyterian Medical Center in Los Angeles and the city of Atlanta. The ransomware attack against Atlanta took city services offline for weeks and cost as much as $17 million for recovery. During its multiyear run, it’s estimated that SamSam collected almost $6 million in ransom. In November 2018, the Department of Justice issued an indictment for two men in Iran who were believed to be behind SamSam: Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri. Even though they were never turned over to the United States, the indictment was enough to stop SamSam ransomware attacks.
Unfortunately, other ransomware actors started copying the tactics used by SamSam, and “Big Game Hunting” ransomware attacks are now the norm. SamSam made $6 million over two years, but there are now regular news reports of ransomware attackers getting much more than $6 million from a single ransomware attack.
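The exposed-RDP password guessing that SamSam relied on, and that is still in use today, leaves a recognisable trail in Windows Security logs. The following Python is an added example, not the page's own code: it runs simple burst detection over a few constructed logon events (4625 = failed logon, 4624 = successful logon, LogonType 10 = RemoteInteractive, i.e. RDP) and escalates when a success follows a burst of failures from the same source.

```python
"""Flag RDP password-guessing bursts in Windows logon events.

Added example, not from the original page. Events are assumed to have been
exported as one key=value line each; the lines below are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: one source hammers RDP with different usernames and
# then gets in; a second source is just a user mistyping a password twice.
SAMPLE_EVENTS = """\
2016-03-01T02:10:01 EventID=4625 LogonType=10 User=administrator Source=203.0.113.7
2016-03-01T02:10:03 EventID=4625 LogonType=10 User=admin Source=203.0.113.7
2016-03-01T02:10:05 EventID=4625 LogonType=10 User=backup Source=203.0.113.7
2016-03-01T02:10:07 EventID=4625 LogonType=10 User=scanner Source=203.0.113.7
2016-03-01T02:10:09 EventID=4625 LogonType=10 User=administrator Source=203.0.113.7
2016-03-01T02:10:11 EventID=4625 LogonType=10 User=administrator Source=203.0.113.7
2016-03-01T02:10:40 EventID=4624 LogonType=10 User=administrator Source=203.0.113.7
2016-03-01T02:15:00 EventID=4625 LogonType=10 User=jsmith Source=192.0.2.44
2016-03-01T08:15:00 EventID=4625 LogonType=10 User=jsmith Source=192.0.2.44
2016-03-01T08:16:00 EventID=4624 LogonType=10 User=jsmith Source=192.0.2.44
"""


def parse_event(line):
    """Turn 'timestamp k=v k=v ...' into a dict with a datetime under 'ts'."""
    ts_str, *fields = line.split()
    ev = dict(f.split("=", 1) for f in fields)
    ev["ts"] = datetime.fromisoformat(ts_str)
    return ev


def detect_rdp_bruteforce(text, threshold=5, window=timedelta(minutes=5)):
    """Return one alert per source IP that produced at least `threshold`
    failed RDP logons inside a sliding `window`. A successful RDP logon from
    a source that already tripped the threshold raises severity to 'high',
    because that is the moment a guessed password actually worked."""
    recent_failures = defaultdict(deque)  # source -> timestamps of 4625s in window
    alerts = {}
    for line in text.splitlines():
        ev = parse_event(line)
        if ev["LogonType"] != "10":
            continue  # only RemoteInteractive (RDP) logons matter here
        src = ev["Source"]
        if ev["EventID"] == "4625":
            q = recent_failures[src]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:
                q.popleft()  # drop failures that have aged out of the window
            if src in alerts:
                alerts[src]["failures"] = max(alerts[src]["failures"], len(q))
            elif len(q) >= threshold:
                alerts[src] = {"severity": "medium", "failures": len(q),
                               "first_seen": q[0], "success_user": None}
        elif ev["EventID"] == "4624" and src in alerts:
            alerts[src]["severity"] = "high"
            alerts[src]["success_user"] = ev["User"]
    return alerts


if __name__ == "__main__":
    for src, a in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(f"{a['severity']:6} {src:15} failures={a['failures']} "
              f"success_user={a['success_user']}")
```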

GandCrab Does RaaS Right

GandCrab was not the first ransomware family that had a Ransomware-as-a-Service (RaaS) offering. Several automated ransomware variants offered something akin to RaaS as far back as 2016, including Stampado, Goliath, and even Locky. The proposition behind the RaaS model is fairly attractive: Inexperienced cybercriminals, or cybercriminals with experience in other areas, can quickly jump into ransomware using established code created by someone who knows what they’re doing. RaaS significantly lowers the barrier of entry for ransomware. RaaS is discussed in greater detail on "The Importance of Cryptocurrency, RaaS, and the Extortion Ecosystem" page.

GandCrab changed all of that by creating a turnkey RaaS offering. GandCrab included a back-end portal that affiliates (how they referred to their RaaS customers) could use to follow the status of an attack. GandCrab would even handle payments and then issue a payout to the affiliates (minus a cut, of course).

The problem with most of the early RaaS programs is that, for their fee, the RaaS customer got only an executable. They still had to manage much of the attack, such as initial access and collecting and processing payments. This could be dangerous and difficult, especially for newer cybercriminals.
GandCrab launched in January 2018. It shut down its services in June 2019, claiming retirement and stating that it had made over $150 million during its 18-month run. GandCrab’s retirement didn’t last long. At least some of the group resurfaced shortly afterward and launched the REvil gang, which created the Sodinokibi ransomware, which shared a lot of its codebase with GandCrab.

MAZE Thinks It Would Be a Shame If Your Data Were Exposed

In May 2019, much of the city of Baltimore was shut down by a ransomware attack. The ransomware used in the attack, RobbinHood [sic], was relatively unsophisticated ransomware, as was the threat actor behind the attack. Baltimore refused to pay, and the ransomware actor grew increasingly frustrated, taunting the mayor of Baltimore on underground forums and threatening to release sensitive data stolen during the reconnaissance phase of the ransomware attack. Unsurprisingly, because most people don’t have access to these underground forums, very little attention was paid to these threats.

FIRST DISCOVERED

MAZE ransomware was first discovered in May 2019, about the same time as the Baltimore ransomware attack. MAZE started as a typical hands-on-keyboard ransomware group with a RaaS offering. It had some early success, but didn’t stand out in a crowded field of RaaS offerings.

GAME CHANGER

Then, in November 2019, MAZE did something that would take ransomware to the next evolutionary step: It launched a leak site. The site went through several iterations and domains, but the most well-known was mazenews.top. Until this point, most security professionals considered ransomware attacks to be primarily data encryption attacks, not data theft attacks. MAZE changed that perception and codified the idea of double extortion: If victims wouldn’t pay to decrypt their files, maybe they would pay to not have their sensitive files published (or pay to take them down after publication).

HOW IT WORKED

The way the MAZE attacks worked, and that double extortion attacks continue to work, is as follows: While ransomware actors are in victim networks conducting reconnaissance prior to deploying the ransomware, they look for interesting files to steal. After the ransomware is deployed, victims are told that files have been stolen as well as encrypted, and the victim has a period of time (usually a week or two) to pay the ransom or the files will be published for all to see.

WHAT WAS ONCE NEW

As with other lucrative ideas, this one was quickly copied by other ransomware actors and expanded upon so that double, triple, and even quadruple extortion is now the norm in ransomware attacks.

THINKING LIKE A CYBERCRIMINAL

Motivation of Ransomware Actors

This seems like it should be a relatively short section. The motivation for ransomware actors is money. Right? Yes and no. Money is absolutely the primary motivation of most ransomware groups, particularly cybercriminals who engage in ransomware attacks. However, state-sponsored actors who launch ransomware attacks have more complex motivations.

RISK VS. REWARD

That motivation to make as much money as possible needs to be considered when measuring the risk of a ransomware attack. In August 2019 there was a lot of discussion around the potential for Canon DSLR cameras to be vulnerable to a ransomware attack.

WHY?

The analysis wasn’t incorrect: There was indeed a vulnerability in the Canon DSLR operating systems that could be exploited “over the air” to install ransomware. The question missing in all of the breathless coverage was: Why? Why would a ransomware actor rewrite their ransomware to infect cameras?

HOW?

Are the pictures on a camera so valuable that a victim would be willing to pay hundreds or thousands of dollars to get them decrypted? And, how would a decryptor on a MicroSD card even work? This type of “lab attack” is valuable for understanding vulnerabilities, but the cost/benefit analysis doesn’t make sense from the ransomware actor’s perspective.

THE GOOD GUYS?

Despite the still-too-common misconception that all hackers are “400-pound losers” who “live in their mom’s basement,” most ransomware groups see themselves as business people performing a valuable service. As with most people, ransomware groups think of themselves as the good guys in their own stories. If an organization falls victim to a ransomware attack, it’s really the organization’s own fault for not securing its network better.

IT'S NOT PERSONAL

This righteous self-perception repeats itself over and over again. In chats with victims, ransomware actors admonish the victims not to curse at them or call them names. In one chat a ransomware actor even said, “I have been nothing but professional with you, I would appreciate the same level of respect.” A common refrain during these chat-based negotiations is the need for a ransomware actor to “speak to my manager” to see whether a proposed deal from a negotiator is acceptable.

IT'S JUST A VENEER

Understand: Just because the ransomware actors adopt the veneer of respectability doesn’t mean they aren’t ruthless scumbags—that’s exactly what they are. But they don’t see themselves that way and victims need to have that mindset when approaching them. (Law enforcement, fortunately, doesn’t need to have the same mindset.)

FOR EXAMPLE

A great example of ransomware actors thinking of themselves as professionals comes from an interview by Dmitry Smilyanets in The Record with Unknown, the handle that the operator of the REvil ransomware used. Dmitry asks the question, “What makes REvil so special? The code? Affiliates? Media attention?” Unknown’s response, in part:

IT'S ALL ABOUT THE BRAND

“I think it’s all of that working together. For example, this interview. It seems like, why would we even need it? On the other hand, better we give it than our competitors. Unusual ideas, new methods, and brand reputation all give good results. As I said, we are creating a new branch of development for extortion. If you look at the competitors, unfortunately, many people simply copy our ideas and what is most surprising—the style of the text of our messages.” - (TheRecord.media)

THE BOTTOM LINE

A ransomware actor worried about brand reputation and referring to other ransomware actors as competitors is absolutely a sign that they think of themselves as professionals, even if the rest of the world knows the truth.

Who Are the Big Ransomware Groups Today?

This is, undoubtedly, the most fluid section of this site. As demonstrated earlier, ransomware actors have changed their tactics many times, but those changes often take place gradually over several years. Ransomware groups, on the other hand, can pop up and shut down seemingly overnight.
There are a lot of reasons for this, but the biggest factor stems from the illegal status of ransomware. This means ransomware actors are often under the watchful eye of law enforcement, and while law enforcement certainly can move slowly (at least compared to what those of us in the information security community would like to see) it does move. 
In the first half of 2021 alone, law enforcement action was taken that brought down Netwalker Ransomware, Egregor Ransomware, and Cl0p Ransomware. 

Replacement banner on Egregor site after law enforcement seizure
In addition, law enforcement action against a Bitcoin exchange to pull back some of the paid Colonial Pipeline ransom was enough to send the ransomware group that conducted the attack, DarkSide, into rebranding (the actor behind DarkSide came out with a new ransomware in August called BlackMatter).
All this means that the ransomware threat actor landscape has drastically changed just in the first half of 2021. Make no mistake: The threat has not gone anywhere (this is discussed in more detail), but the main threat actors have changed.
Still, it’s worth having a conversation about the current biggest ransomware threats and what to expect from each of these ransomware variants.

STOP/DJVU

STOP

The STOP ransomware family has been continuously active since December 2017. There are more than 300 variants of this particular ransomware family, making it by far the most prolific ransomware family operating today. According to a report from Emsisoft, STOP ransomware accounted for more than 71% of all submissions to the ID Ransomware project or approximately 360,400 attacks—and those are only the submissions to ID Ransomware, so the actual number is much higher.

WHO IS STOP?

Given its longevity and proliferation, why doesn’t STOP ransomware make the headlines more often? Quite simply, it’s throwback ransomware. STOP ransomware installs itself only on the victim’s machine and doesn’t spread throughout the network. The ransom demand is also lower, usually between $500 and $1,200, compared to the millions demanded by other ransomware actors. It’s also relatively easy to defeat using traditional security tools, such as up-to-date anti-virus services.

THE VICTIMS

This means that most of STOP’s victims are small businesses, home users, or victims in less developed countries, and the attacks don’t get the attention lavished on the hands-on-keyboard attackers that go after larger targets in so-called "Big Game Hunting" attacks. That doesn’t mean these attacks are any less devastating to the victims than the larger attacks; they’re just not going to make the news.
NOTE TO READER

Definition of "Hands-on-Keyboard"

The term “hands-on-keyboard” ransomware means a ransomware variant that requires manual intervention by a human operator to be deployed. These tend to be ransomware attacks that impact dozens, hundreds, even thousands of computers within a single network. Automated ransomware, like STOP/DJVU, usually infects only a single machine and doesn’t require any human intervention to run.

Conti

CONTI

Conti ransomware first appeared in February 2020, but wasn’t seen extensively in the wild until June 2020. Conti is one of the most prolific hands-on-keyboard ransomware strains, with more than 450 known victims and undoubtedly many more that weren’t publicized. Conti uses the RaaS model and is considered to be a cousin of the Ryuk ransomware, as both are operated by subgroups of the Wizard Spider cybercriminal group.

THE VICTIMS

Some of Conti’s victims include the Health Service Executive (HSE) in Ireland, which is responsible for all healthcare services in that country, the Volkswagen Group, Cambria County in Pennsylvania, Pearson Foods Corp., and Adams County Memorial Hospital. The threat actors behind Conti are known for their ruthlessness. While many ransomware groups swore off going after healthcare facilities during the COVID-19 pandemic (it should be said with very “inconsistent” follow through on that pledge), Conti specifically targeted healthcare organizations in the hopes that the COVID-19 emergency would force victims to pay.

THE END OF CONTI

Despite Conti’s reported ruthlessness, there are limits to how much attention even it can withstand. After the attack against HSE crippled healthcare providers throughout Ireland for a week, Conti was forced to hand over the decryption key out of fear of government reprisal. Like many RaaS groups, the persona that Conti projects is one of brashness and boldness; it's “untouchable.” But, as history has repeatedly shown, ransomware organizations are very much touchable when they cross certain lines.

LockBit Ransomware

LOCKBIT

LockBit ransomware first appeared in September 2019 and has been incredibly prolific. In 2020, Emsisoft reported more than 9,600 submissions to ID Ransomware from infected LockBit victims, making it the second-most-prevalent hands-on-keyboard ransomware submitted to the site that year.

HOW IT WORKS

Like Conti, LockBit is a RaaS offering with dozens of affiliates, making it hard to catalog how it operates. Some LockBit affiliates use phishing campaigns to gain initial access, while others use exposed RDP servers and still others use exploitation of known vulnerabilities in common VPN or other edge infrastructures, such as SonicWall, Microsoft SharePoint, Microsoft Exchange, and more.

THE VICTIMS

After the disappearance of the REvil ransomware group, LockBit relaunched itself as LockBit 2.0 along with an updated affiliate program, in the hope of attracting ex-affiliates from REvil and other ransomware groups that have been forced to shut down. Some of LockBit’s victims include Yaskawa Electric Corp., Carrier Logistics Inc., Dragon Capital Group, and United Mortgage Corp.
One of the selling points of the newest version of LockBit is that it automates the deployment process for the RaaS affiliate (see screenshot). All the affiliate has to do is gain access to the victim’s Active Directory infrastructure and run a script. The ransomware deployment package will take care of everything else. Essentially, it’s an “easy button” for ransomware, a very dangerous proposition for victims.

LockBit 2.0 affiliate program advertisement

Ransomware Is Constantly Evolving

An important point to take from this page is that ransomware is constantly evolving and will continue to do so into the foreseeable future. Ransomware has gone from malware delivered via floppy disk to large-scale campaigns that exploit previously unknown vulnerabilities. Ransomware has gone from demanding payment in check or money to gift cards and millions of dollars in cryptocurrency. Finally, ransomware groups have gone from one person sitting behind a computer to large, complex organizations with specialized roles. With the possible exception of Business Email Compromise (BEC) attacks, ransomware is, by far, the most profitable type of cybercriminal activity, and with that kind of money to be made it's not going to disappear easily.
