At its rudimentary stage, online extortion was all about bluff and did not use cryptography at all. It hinged upon screen lockers stating that the FBI caught users violating copyright or distributing NSFW content. Victims were instructed to pay a fine via a prepaid service such as MoneyPak or Ukash.
Things have changed dramatically over time. Ransomware operators rethought the range of their intended victims, switching to the enterprise as juicier prey than individuals. In recent years, they also added a data leak strategy and DDoS threats to their genre. As a result, online extortion has matured into one of today’s most detrimental cybersecurity perils.
Ransomware went pro in 2013
The first mainstream file-encrypting ransom Trojan called CryptoLocker made its debut in September 2013. It used an asymmetric 2048-bit RSA cipher to lock down data and stored the decryption keys on its command-and-control (C2) server. The size of the ransom initially amounted to $100 worth of prepaid cards or bitcoins but grew to $600 in only three months.
This campaign came to a halt in June 2014 due to a law enforcement crackdown called Operation Tovar. Although the infection was short-lived, it played its evil role by demonstrating the viability of the extortion model with cryptography at its heart.
A series of predatory programs, including CTB-Locker and CryptoWall, followed in the footsteps of CryptoLocker shortly afterward. Their makers targeted different types of operating systems and took the dodgy tactics further by hosting payment sites and C2 infrastructures on the Tor anonymity network.
In 2016, threat actors gave their schemes another boost by launching a ransomware deployment mechanism that resembled a garden-variety affiliate marketing framework. Known as Ransomware-as-a-Service (RaaS), this approach drew a line between the authors and distributors of the offensive programs.
This milestone in ransomware evolution allowed black hats to extend their reach. By outsourcing the distribution to “affiliates” in exchange for a cut from every ransom payment, the developers could focus on fine-tuning their harmful code.
The emergence of RaaS co-occurred with a boom in this segment of cybercrime. Massive outbreaks of the Locky and Cerber strains in 2015-2016, followed by the 2017 WannaCry and NotPetya snafus, wrought havoc around the world and caused jaw-dropping financial losses.
Data leaks and DDoS for extra pressure
The game-changing shift toward hunting down business networks gave rise to a new strategy that involves data breaches. In late 2019, a ransomware lineage called Maze pioneered in stealing data from infected organizations. Its operators threaten to divulge these files if a victim refuses to pay for decryption.
More than a dozen ransomware families, including the notorious Sodinokibi and CL0P, were quick to follow suit. Criminals are also setting up “public shaming” sites where they spill stolen data in case of non-payment.
In 2020, extortionists started to demand money for not swamping enterprise networks with DDoS attacks. The problem escalated in August when several high-profile cybercriminal groups, including Lazarus Group and Armada Collective, torpedoed thousands of companies worldwide with such blackmail threats. Their ultimatum is as follows: pay ten bitcoins (about $106,000) or get knocked offline.
What does the future hold?
Judging from how lucrative the mix of encryption and data theft is, ransomware gangs will undoubtedly continue to zero in on the enterprise with double extortion attacks like that. The average size of the ransom (estimated at $111,605 in Q1 2020) will be increasing, with more companies succumbing to crooks’ demands to avoid reputational risks and service recovery costs.
A more science fiction-ish prediction is that ransomware targeting IoT devices may become the new black sometime soon. If it goes beyond existing proofs of concept, coughing up a ransom for disabling an automatic door lock or turning off a remotely subdued smart thermostat at home won’t look like a far-fetched scenario.