Ransomware is big business around the world, with millions of attacks launched against corporations every day. Not every attack is financially successful, but by paying careful attention to detail, attackers have fine-tuned (and continue to fine-tune) their tactics, making ransomware a dominant and extremely profitable global economy.

According to recent research, ransomware payments will total $1 billion USD by 2023. Alarmingly, the global economic impact of ransomware, estimated at $30 billion USD, far outweighs the ransom payments themselves – this amount includes direct losses due to operational delays and expenses, indirect costs such as reputational damage, and the effect on company valuations.

Every firm, regardless of size or industry, is vulnerable to an assault. According to the 2023 Verizon Data Breach Investigation Report, ransomware is one of the most common action types seen in breaches. And it’s not surprising. Ransomware assaults are increasingly employing evasive strategies that can easily circumvent typical defense measures.

While ransomware assaults are common now, they have been a persistent danger for several decades, evolving as attackers improved their techniques. Defense strategies and technologies have also changed. While there is presently no silver bullet, new technology can stop attacks before they begin.

This is the first of a series of blog posts that will look at the history and future of ransomware. Understanding the lifecycle of ransomware allows defenders to acquire an advantage and respond proactively from a position of strength, rather than reacting to damage control.

History of Ransomware

1989 – The AIDS Trojan (also known as PC Cyborg)

Generally considered the first instance of ransomware, it was distributed via floppy disks and encrypted file names on the infected system, demanding payment for decryption.  

2004-2006 – Gpcode, TROJ.RANSOM.A, Archiveus

This period saw the emergence of more sophisticated ransomware using stronger encryption methods, making it harder to recover files without paying the ransom.  

2013 – CryptoLocker

A significant leap in ransomware sophistication, CryptoLocker used military-grade encryption and was spread through email attachments and existing botnets. Its success spawned many variants and inspired a new wave of ransomware development.  

2016 – Locky, Petya

These ransomware variants spread through phishing emails and exploited network vulnerabilities. Petya was one of the first widely recognized ransomware strains to deviate from the then-standard practice of encrypting individual files. Instead, it targeted the entire disk volume by overwriting the Master Boot Record (MBR) to prevent the operating system from booting until a ransom was paid, effectively holding the entire system hostage.  

2017 – NotPetya (Ukraine and Wiper Malware) & WannaCry

NotPetya initially masqueraded as a ransomware attack but was later identified more as a wiper with the intent to cause disruption. Although it demanded a ransom, the payload was primarily designed to irrecoverably damage data. NotPetya initially targeted Ukraine, affecting its government, financial, and energy institutions before spreading globally. The use of wiper malware in this geopolitical context marked a significant evolution in how cyber tools were used in state-sponsored activities and cyber warfare.

NotPetya and WannaCry both used the EternalBlue exploit, developed by the United States National Security Agency (NSA). WannaCry affected more than 300,000 computers across 150 countries before being disabled using a kill switch.  

2019 – Maze Ransomware

This attack introduced the concept of “double extortion,” where attackers not only encrypted files but also threatened to publish stolen data unless an additional ransom was paid.  

2020 – EKANS (Snake) Ransomware

The first ransomware dedicated primarily to targeting OT (operational technology) and ICS (Industrial Control System) infrastructure.

2020-2021 – LockBit – Emergence of Ransomware-as-a-Service (RaaS)

RaaS platforms allowed cybercriminals to rent ransomware infrastructure and tools, lowering the entry barrier for conducting ransomware attacks and leading to a proliferation of attacks. RaaS also boosts the resilience of ransomware operators: law enforcement agencies have had only limited success taking down their infrastructure, only to see the groups re-emerge with newer generations and evolutions.

In February 2023, the LockBit management portal was temporarily taken down by law enforcement agencies. With its vast RaaS infrastructure and affiliate base, reports of new LockBit victims returned within days (Source: UK National Crime Agency).

2020-2021 – Conti Ransomware Group Adopts Exfiltration-First Tactics

The Conti ransomware group, known for its aggressive extortion tactics and rapid operational tempo, began to increasingly focus on data exfiltration as a primary method of extortion. In some instances, they would infiltrate networks, exfiltrate a significant amount of sensitive data, and then demand a ransom not for decrypting data (as the data might not even have been encrypted) but for not releasing the stolen data. 

2023 – BlackCat/ALPHV, AvosLocker – Triple Extortion Ransomware-as-a-Service

This evolution of RaaS involved not just encrypting data and threatening its release but also incorporating additional extortion methods like DDoS attacks as part of a comprehensive service offering or reporting to the SEC on a compromised victim. This approach has made ransomware attacks even more complex and harder to defend against, with attackers continuously innovating to find new ways to leverage their malicious software. 

This timeline shows how adversaries’ sophistication and inventiveness have increased almost exponentially over time. This innovation extends to the ransomware payment model, including changes to how transactions are handled and the rebranding of sanctioned ransomware groups, as well as a support operation that employs self-service help desks.

Defensive tactics and technology have evolved over time to keep up with ransomware’s increasing sophistication. They have progressed from the early days of antivirus software with heuristics and behavioral detection, frequent data backups, application whitelisting, and network segmentation, to more advanced solutions such as next-generation antivirus, the Antimalware Scan Interface (AMSI), and endpoint detection and response (EDR).

Modern evasion techniques and double extortion attempts are best addressed by combining a zero trust architecture with Automated Moving Target Defense (AMTD), a contemporary technology that dynamically alters the attack surface. By constantly changing the attack surface, it confuses and slows attackers and makes systems more difficult to compromise.

Steps to Help Prevent & Limit the Impact of Ransomware

Ransomware attacks can occur anywhere, from small local governments to major businesses. It is up to all of us to help keep these attacks from succeeding.

Ransomware is a type of malware that encrypts files on a system or device in order to compel the user into paying a ransom. Threat Actors (TAs) may also inform users that files have been leaked, destroyed, or rendered unavailable. TAs drop ransom notes claiming responsibility and urging the victim to respond through the channel they provide, such as encrypted chat or email. Ransomware can be particularly destructive when it targets hospitals, emergency call centers, and other essential infrastructure, since a successful infection can interrupt access to systems and data necessary for providing life-saving medical treatment and maintaining public safety.

To protect against ransomware, you need a comprehensive, all-hands-on-deck, defense-in-depth strategy that involves your entire business. The following are four approaches to get started in your efforts to prevent attacks and mitigate the consequences of ransomware. We’ve linked each step to the relevant security best practices from the CIS Critical Security Controls® (CIS Controls®), so you can learn more about each topic.

1. Develop Policies and Procedures

Create a scalable and practical incident response strategy so that you and your team understand your roles and communication protocols during and after a cyber incident. IT, legal, and administrative departments should be included in your incident response strategy, but are not the only ones. You should also include a list of contacts, such as partners, insurance providers, or vendors who must be contacted.

These plans should go through a test procedure or “tabletop exercise” to evaluate their implementation, discover any gaps, and then revise them accordingly. We recommend reviewing the strategy regularly to account for organizational growth and changes such as end-users/staff, IT assets, and infrastructure.

2. Maintain Backups

Backing up important data is the single most effective method for recovering from a ransomware outbreak. There are a few things to consider. Backup files should be appropriately safeguarded and stored offline or out-of-band so that attackers cannot target them. Cloud services can also help mitigate a ransomware outbreak, because many of these providers keep prior versions of files, allowing you to restore an unencrypted copy.

Be sure to test backups on a regular basis to ensure their effectiveness. In the event of an attack, verify that your backups are not infected and secure them promptly afterward. It is also critical to ensure that the integrity of the backups is preserved and to confirm it before rolling back.

3. Know Your Attack Surface and Harden Your Network

You can’t defend what you don’t know about, so your first step here is developing asset inventories for your enterprise assets and software. You can do so using Control 1 and Control 2. Once you understand your attack surface, you can move on to ensuring your systems are configured with security in mind. Secure configuration settings can help limit your organization’s threat surface and close security gaps left over from default configurations.

Toward that end, you can use the secure recommendations of the CIS Benchmarks™, industry-leading, consensus-developed configurations that are freely available to all. Keep reading to explore several examples of effective hardening methods you can consider when reviewing the current security posture of your organization.

  • Review Port Settings

Many ransomware variants take advantage of Remote Desktop Protocol (RDP) port 3389 and Server Message Block (SMB) port 445. Consider whether your organization needs to leave these ports open and consider limiting connections to only trusted hosts. Be sure to review these settings for both on-premises and cloud environments, working with your cloud service provider to disable unused RDP ports.

Control 4 describes different ways your organization can control network ports, protocols, and services.
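As an added example (not code from the original post or from CIS), the following PowerShell audits a Windows host for the RDP and SMB exposure described above: it reports whether TCP 3389 and 445 are listening, flags inbound allow rules that accept connections from any remote address, and, when $Remediate is set, narrows those rules to trusted hosts. The $TrustedHosts addresses are assumed placeholders; replace them with your own management subnets.

```powershell
# Added example, not from the original post: audit inbound exposure of RDP
# (TCP 3389) and SMB (TCP 445) on a Windows host and scope any wide-open
# allow rules down to trusted hosts. Run from an elevated PowerShell session.
# $TrustedHosts is an assumed placeholder; replace it with your admin subnets.

$TrustedHosts = @('10.0.10.0/24', '10.0.20.5')   # placeholder values
$Services     = @{ RDP = 3389; SMB = 445 }
$Remediate    = $false                            # set to $true to apply changes

# Windows Firewall only blocks what is not explicitly allowed when the
# profile's default inbound action is Block, so confirm that for each profile.
Get-NetFirewallProfile -All | ForEach-Object {
    if ($_.DefaultInboundAction -ne 'Block') {
        Write-Warning "Profile '$($_.Name)' default inbound action is $($_.DefaultInboundAction), not Block"
    }
}

foreach ($name in $Services.Keys) {
    $port = $Services[$name]

    # Is the service actually listening? If not, it may not need an allow rule at all.
    $listen = Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue
    if (-not $listen) { "$name (TCP/$port): nothing listening"; continue }
    "$name (TCP/$port): listening on $($listen.LocalAddress -join ', ')"

    # Enabled inbound allow rules whose port filter names this exact TCP port.
    # (Rules expressed as port ranges or 'Any' are not matched here; review those by hand.)
    $rules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | Where-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        $pf.Protocol -eq 'TCP' -and @($pf.LocalPort) -contains "$port"
    }

    foreach ($rule in $rules) {
        $remote = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress)
        if ($remote -contains 'Any') {
            Write-Warning "Rule '$($rule.DisplayName)' allows $name from ANY remote address"
            if ($Remediate) {
                # Restrict the existing rule instead of adding a Block rule: Block
                # rules override Allow rules, so a 'Block from Any' rule would also
                # cut off the trusted hosts.
                $rule | Set-NetFirewallRule -RemoteAddress $TrustedHosts
                "  -> '$($rule.DisplayName)' now limited to: $($TrustedHosts -join ', ')"
            }
        } else {
            "  Rule '$($rule.DisplayName)' already scoped to: $($remote -join ', ')"
        }
    }
}
```

Run it first with $Remediate left at $false to see what would change; the same review applies to cloud security groups, which this script does not touch.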

  • Keep Systems up to Date

Make sure all of your organization’s operating systems, applications, and software are updated regularly. By applying the latest updates, you’ll make progress in closing the security gaps that attackers are looking to exploit. Where possible, turn on auto-updates so you’ll automatically receive the latest security patches. In some environments, out-of-date software must remain in use for operational reasons. Strongly consider addressing the systems that contain particularly vulnerable software and deprecate or update them as soon as possible.

  • Network Visibility

Prior to an incident, it is important to consider the overall visibility of your network and user accounts. You can improve your visibility by maintaining up-to-date network diagrams and storing them so they can be retrieved from secure locations. This also includes visibility of your end-user accounts. Review Active Directory for accounts that are no longer needed and can be removed, implement a strict naming convention, and heavily discourage the use of shared accounts; this creates accountability when assigning vendor accounts.

  • Access Control

Examine your organization’s overall security posture by reviewing its access control policy and implementation. Examine how your end users connect to your network and resources, both internally and externally, and put safeguards in place, such as multi-factor authentication (MFA) on solutions like your virtual private network (VPN) client and any portals or resources that end users can access remotely. Other factors to consider are the lockout policy, password age and complexity restrictions, and security challenge questions.

  • Implement an IDS

An Intrusion Detection System (IDS) searches for harmful behavior by comparing network traffic logs to signatures that recognize known malicious activity. A strong IDS will frequently update signatures and promptly notify your organization if it identifies suspected malicious behavior.

Albert Network Monitoring and Management, an IDS specialized for US State, Local, Tribal, and Territorial (SLTT) government agencies, was developed by the Center for Internet Security® (CIS®). It employs a bespoke set of signatures that are updated on a regular basis to help SLTTs detect malicious behavior before a ransomware outbreak occurs.

  • Defend Your Endpoints

You can add another layer to your ransomware defenses by investing in endpoint protection. Ransomware is constantly evolving, which means you can’t rely on signatures alone for your defense. You also need to monitor your endpoints to quickly identify and block malicious activity, even when no one has seen that exact activity before.

That’s the logic behind CIS Endpoint Security Services (ESS). CIS ESS uses Next Generation Antivirus (NGAV), Endpoint Detection and Response (EDR), and more to protect your endpoints against both known (signature-based) and unknown (behavior-based) malicious activity. ESS can also kill or quarantine files, effectively stopping a ransomware attempt before it develops into an infection.

4. Train the Team

Security awareness training is essential for stopping ransomware in its tracks. When your staff can identify and prevent malicious emails, everyone contributes to the organization’s security. Security awareness training can help team members understand what to check for in an email before clicking on a link or downloading an attachment. However, keep in mind that not all security awareness training options are the same. Cost does not drive effectiveness. You can base campaigns on real-world samples and ask end users to indicate areas for improvement.

About Author

megaincome