It’s the year 1989 and, unbeknownst to everyone, an evolutionary biologist, Joseph Popp, utilized the AIDS epidemic as a ruse to create the world’s first piece of ransomware. Popp crafted a computer-based survey, the AIDS trojan, ostensibly to help researchers assess a patient’s risk of contracting the AIDS virus. He then distributed 20,000 floppy disk copies of this ransomware around the world. The AIDS trojan acted as a PC Cyborg virus, released via floppy disks. It would hold encrypted files hostage in exchange for cash sent through the postal service to Popp (Waddell). This rudimentary form of ransomware was only the beginning, and ransomware has been evolving ever since.
Fast forward to 2005, and we see the limited yet wild first glimpses of modernized ransomware threats. In 2010, the sample size of said modern ransomware techniques increased to 10,000, and by 2014 to 250,000, with the first appearance of CryptoLocker, which utilized 2048-bit encryption keys. The year 2017 saw the proliferation of nation-state-sponsored NotPetya and WannaCry ransomware, combined with worm-like self-expanding/lateral movement techniques to spread worldwide (Baker).
Today the ransomware trend has evolved into Big Game Hunting (BGH), with criminals using multi-faceted methods (i.e., targeting specific organizations, nation-state-sponsored attacks on infrastructure, Ransomware-as-a-Service, and even coaxing employees to install ransomware for a share of the extortion money). Big Game Hunting incentivizes cyber criminals to focus their time and effort on one specific major payout instead of smaller dispersed attacks. The most recent example of this is the Carbon Spider/DarkSide attack on a crucial U.S. fuel pipeline (Baker).
Furthermore, recent studies show that cybercrime competitors are now collaborating in heists. In June 2020, a MAZE CARTEL was formed by three organizations: TWISTED SPIDER, VIKING SPIDER, and LockBit Ransomware. Shortly thereafter, the newly formed MAZE CARTEL began deploying ransomware utilizing common virtualization software, a tactic originally created by VIKING SPIDER (Baker).
What does this tell us?
Cyber criminals could continue to team up and refine their ransomware tactics, thereby producing increasingly complex exfiltration tooling that can be scaled and distributed. Additionally, this trend could lead to more automated data exfiltration tactics, such as searching exfiltrated data for sensitive content by keyword (Baker).
Let’s continue to better understand the anatomy of a ransomware attack and how it affects our organizations…
To be continued…
- Waddell, Kaveh. “The Computer Virus That Haunted Early AIDS Researchers.” The Atlantic, Atlantic Media Company, 10 May 2016.
- Baker, Kurt. “A Brief History of Ransomware.” Crowdstrike.com, 21 June 2021.