The Roots and Future of Ransomware

Imagine a thief walks into your home and rummages through your personal belongings. But instead of stealing them, he locks all your valuables into a safe and forces you to pay a ransom for the key to unlock the safe. What choice do you have?

Substitute your digital space for your home and encryption for the safe, and you have what’s known as ransomware. Ransomware is a type of virus or malware. After the initial infection, your files are encrypted and a note appears demanding payment–usually in the form of cryptocurrency such as bitcoin because transactions can’t be stopped or reversed. Once your files are encrypted, you can’t access them until you pay the ransom.

The roots of ransomware can be traced back to 1989. The virus, known as PS Cyborg, was spread through diskettes given to attendees of a World Health Organization International AIDS conference. Victims of PS Cyborg were to mail $189 to a P.O. box in Panama to restore access to their data.

Historically, ransomware targeted individual personal computer users. Today, the big money is in attacking businesses. Most of these infections go unreported because companies don’t want to expose themselves to further attacks or reputational damage.

Criminals know the value of business data and the cost of downtime. Managed services providers (MSPs) are now an especially attractive target because they service multiple SMB customers simultaneously. Therefore, a successful attack on an MSP magnifies the impact of attacks and the value of the ransom.

Primary ransomware attack vectors–with more detailed descriptions below–include:

• Phishing
• Cryptoworms
• Polymorphic malware
• Ransomware as a Service (RaaS)
• Targeted attacks

Phishing: Still the No. 1 Ransomware Threat

Ninety percent of all Ransomware infections are delivered through email. The most common way to receive ransomware from phishing is from a Microsoft Office attachment. Once such an attachment is opened, the victim is asked to enable macros. This is the trick. If the user clicks to enable the macro, then ransomware will be deployed to the user’s machine. Phishing remains a significant and persistent threat to businesses and individuals. The Webroot 2020 Threat Report showed a 640% increase in the number of active phishing sites since 2019.

Cryptoworms

Cryptoworms are a form of ransomware that gain a foothold in an environment by moving laterally throughout the network to infect all other computers for maximum reach and impact. The most spectacular incarnation of a cryptoworm was WannaCry in 2017, where more than 200,000 computers were affected in 150 countries causing hundreds of millions in damages.

Polymorphic code

One of the more notorious forms of ransomware circulating today is polymorphic malware, which makes small changes to its signature for each payload dropped on machine–effectively making it a brand-new, never-before-seen file. Its ability to morph into a new signature enables it to evade many virus detection methodologies. Studies show that 95% of malware is now unique to a single PC. This is largely due to the shape-shifting abilities of polymorphic malware code. Today, nearly all ransomware is polymorphic, making it more difficult to detect with signature-based, antivirus technologies.

Ransomware as a Service (RaaS)

Ransomware has become so lucrative and popular that it’s now available as a “starter kit” on the dark web. This allows novice cybercriminals to