The history behind the hacking method and what’s next
As the ransomware industry evolves, experts predict that hackers will only continue to find more ways to use technology to exploit businesses and individuals.
Ransomware is now a billion-dollar industry. But it wasn’t always this big, nor was it the prevalent cybersecurity risk it is today.
Dating back to the 1980s, ransomware is a form of malware used by cybercriminals to lock files on someone’s computer and demand payment to unlock them.
The technology — which officially turned 35 on December 12 — has come a long way, with criminals now able to launch ransomware much faster and deploy it to more targets.
Cybercriminals took in $1 billion in cryptocurrency extortion payments from ransomware victims in 2023, a record high, according to blockchain analysis firm Chainalysis.
Experts expect ransomware to continue to evolve, with modern cloud computing technology, artificial intelligence and geopolitics shaping the future.
How was ransomware created?
The first event considered a ransomware attack occurred in 1989.
A hacker physically sent floppy disks, claiming they contained software that could help determine if someone was at risk of developing AIDS.
However, once installed, the software would hide directories and encrypt file names on a person’s computer after it had been rebooted 90 times.
It would then display a ransom message requiring a cashier’s check to be sent to an address in Panama for a license to restore the files and directories.
The program has become known in the cybersecurity community as the “AIDS Trojan”.
“It was the first ransomware and it came from someone’s imagination. It wasn’t something they read about or researched,” Martin Lee, EMEA head of Talos, the cyber threat intelligence division of IT equipment giant Cisco, said in an interview with CNBC.
“Before that, it was never discussed. There wasn’t even a theoretical concept of ransomware.”
The perpetrator, a Harvard biologist named Joseph Popp, was caught and arrested. However, after exhibiting unusual behavior, he was declared unfit to stand trial and returned to the United States.
How ransomware evolved
Since the appearance of the AIDS Trojan, ransomware has evolved greatly. In 2004, a threat actor targeted Russian citizens with a criminal ransomware program known today as “GPCode”.
The program was delivered to people via e-mail — an attack method now known as “phishing”. Users, lured by the promise of an attractive career offer, would download an attachment containing malware masquerading as a job application form.
Once opened, the attachment downloaded and installed malware on the victim’s computer, which scanned the file system, encrypted files and demanded payment via bank transfer.
Then, in the early 2010s, ransomware hackers turned to crypto as a payment method.
In 2013, just a few years after the creation of bitcoin, the CryptoLocker ransomware appeared.
Hackers targeting people with this program demanded payment in either bitcoin or prepaid cash vouchers – but it was an early example of how cryptocurrency became the currency of choice for ransomware attackers.
Later, more prominent examples of ransomware attacks that chose crypto as a ransom payment method included the likes of WannaCry and Petya.
“Cryptocurrencies provide many advantages to the bad guys, precisely because it’s a way to transfer value and money outside of the regulated banking system in a way that’s anonymous and immutable,” Lee told CNBC. “If someone has paid you, that payment cannot be reversed.”
CryptoLocker also gained notoriety in the cybersecurity community as one of the earliest examples of a “ransomware-as-a-service” operation — that is, a ransomware service sold by developers to novice hackers for a fee to enable them to carry out attacks.
“In the early 2010s, we have this increase in professionalization,” Lee said, adding that the gang behind CryptoLocker was “very successful in running the crime.”
What’s next for ransomware?
As the ransomware industry continues to evolve, experts predict that hackers will only continue to find more ways to use technology to exploit businesses and individuals.
By 2031, ransomware is projected to cost victims a total of $265 billion annually, according to a report by Cybersecurity Ventures.
Some experts worry that artificial intelligence has lowered the barrier to entry for criminals looking to create and use ransomware. Generative AI tools like OpenAI’s ChatGPT allow everyday internet users to enter text queries and requests and get sophisticated, humanlike responses, and many developers even use them to help write code.
Mike Beck, Darktrace’s chief information security officer, told CNBC’s “Squawk Box Europe” there is a “tremendous opportunity” for AI, both in arming cybercriminals and in improving productivity and operations within cybersecurity companies.
“We have to arm ourselves with the same tools that the bad guys use,” Beck said. “The bad guys will use the same tools that are used with all these changes today.”
But Lee doesn’t think AI poses as serious a ransomware risk as many might think.
“There are a lot of hypotheses about AI being very good for social engineering,” Lee told CNBC. “However, when you look at the attacks that are out there that clearly work, it’s mostly the simplest ones that are so successful.”
Targeting cloud systems
A serious threat to watch out for in the future could be hackers targeting cloud systems, which allow companies to store data and host websites and applications in remote data centers.
“We haven’t seen a lot of ransomware attacking cloud systems, and I think that’s going to be the future moving forward,” Lee said.
According to Lee, we could eventually see ransomware attacks that encrypt or deny access to cloud assets by changing credentials or using identity-based attacks to deny users access.
Geopolitics is also expected to play a key role in the development of ransomware in the years to come.
“Over the past 10 years, the distinction between criminal ransomware and nation-state attacks has become increasingly blurred, and ransomware has become a geopolitical weapon that can be used as a tool of geopolitics to disrupt organizations in countries deemed hostile,” Lee said.
“I think we’ll probably see more of that,” he added. “It’s fascinating to see how a nation-state could co-opt the criminal world to do its bidding.”
Another risk that Lee sees growing in popularity is autonomously distributed ransomware.
“There’s still room for more ransomware to emerge that spreads autonomously — maybe not attacking everything in its path, but limiting itself to a specific domain or a specific organization,” he told CNBC.
Lee also expects ransomware-as-a-service to expand rapidly.
“I think we’ll increasingly see the ransomware ecosystem become more professionalized, moving almost exclusively towards a ransomware-as-a-service model,” he said.
But while the ways in which criminals use ransomware will evolve, the actual makeup of the technology is not expected to change too drastically in the coming years.
“Outside of RaaS providers and those using stolen or procured toolchains, credentials and system access have proven effective,” Jake King, head of security at Internet search firm Elastic, told CNBC.
“Until new obstacles to adversaries emerge, we will likely continue to see the same patterns.”