Ransomware is a type of malicious software designed to deny access to computer files, systems, or data until a ransom is paid, typically by encrypting the data, stealing it, or both, and then extorting payment from the victim. Ransomware is one distinct threat within the broader category of malware, which covers any software built to disrupt, damage, or gain unauthorised access to computer systems, files, and data. Ransomware attacks are, however, increasingly observed to combine other attack types, such as disruptive Denial-of-Service (DoS) attacks, as criminals seek to maximise the coercive pressure on victims to give in to ransom demands.
As recent reporting has shown, paying a ransom never guarantees that a victim's systems and data can or will be restored. Nor does payment guarantee that the victim will not be extorted again in the very same incident by another threat actor: in today's ransomware ecosystem, several actors may be behind a single successful breach, each with its own copy of the stolen data and its own demand. These elements in the evolution of the ransomware threat are outlined below.
While ransomware has risen to prominence as a threat only over the past decade or so, its inception dates back more than 30 years. The first ransomware attack is generally considered to be the AIDS Trojan, which appeared in 1989; its name refers to its targets, attendees of a conference on AIDS held by the World Health Organisation. Also known as PC Cyborg, the program was distributed on floppy disks mailed from London to intended victims in dozens of countries. The malware encrypted file names rather than file contents and hid certain directories, then displayed a ransom note in the form of a purported licence renewal: victims were told to send $189 to a PO box in Panama to have access restored. Notable outcomes of the attack were the first freely distributed decryption tools for ransomware victims, and the attack is often cited as one of the events that prompted the UK's Computer Misuse Act.
Ransomware would not gain widespread public notoriety until nearly 30 years after the AIDS Trojan, with globally significant attacks such as WannaCry in 2017. WannaCry targeted computers running Microsoft Windows, encrypting data and demanding payment in the cryptocurrency Bitcoin. It affected hundreds of thousands of computers worldwide and caused billions of dollars in damage. The attack was initially suspected of having spread via an email phishing campaign, but proved to have propagated by exploiting a vulnerability in Windows' handling of version 1 of the Server Message Block (SMB) protocol. Microsoft had released a patch for the key vulnerability in question (security bulletin MS17-010) several months before the incident, so the attack highlighted both the critical importance of regularly updating systems and the habitual failure of many organisations to apply available security patches. For the same reason, SMB vulnerabilities continue to be exploited by attackers today.
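The practical lesson of WannaCry is to confirm that the legacy SMBv1 protocol it abused is no longer enabled on your Windows hosts. The following PowerShell script is an added example, not code from the original page or from Teichmann International; it assumes an elevated PowerShell session on Windows 8.1 / Server 2012 R2 or later, where the SMB and optional-feature cmdlets it calls are available, and the function name Test-Smb1Exposure is our own.

```powershell
# Added example (not part of the original page): audit whether a Windows host
# still exposes the SMBv1 protocol that WannaCry's exploit targeted, and
# optionally remediate. Assumes an elevated session on Windows 8.1 /
# Server 2012 R2 or later. Function name Test-Smb1Exposure is hypothetical.

function Test-Smb1Exposure {
    [CmdletBinding()]
    param(
        # Pass -Remediate to disable SMBv1 on the server side and remove the
        # optional feature (a reboot is needed for the feature removal).
        [switch]$Remediate
    )

    # 1. Server-side protocol setting: this is what a WannaCry-style worm
    #    talks to over TCP/445.
    $server = Get-SmbServerConfiguration
    $serverSmb1 = [bool]$server.EnableSMB1Protocol

    # 2. Optional feature state: covers both client and server SMB1 binaries.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
    $featureEnabled = ($feature.State -eq 'Enabled')

    # 3. Is anything actually listening on the SMB port? An isolated host with
    #    SMB1 on but port 445 filtered is lower risk than an exposed file server.
    $listening = $null -ne (Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)

    if ($Remediate -and ($serverSmb1 -or $featureEnabled)) {
        # Turn off the protocol immediately (takes effect without reboot) ...
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        # ... and remove the feature so it cannot be re-enabled by accident.
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
        $serverSmb1 = $false
        $featureEnabled = $false
    }

    # Return a structured result so it can be collected across a fleet
    # (e.g. via Invoke-Command) rather than read off the console.
    [PSCustomObject]@{
        ComputerName      = $env:COMPUTERNAME
        Smb1ServerEnabled = $serverSmb1
        Smb1FeatureState  = $feature.State
        Port445Listening  = $listening
        Exposed           = ($serverSmb1 -or $featureEnabled) -and $listening
    }
}

# Audit only:
Test-Smb1Exposure | Format-List

# Audit and fix:
# Test-Smb1Exposure -Remediate | Format-List
```

A host reporting Exposed = True is one on which an SMBv1 exploit could still be attempted from the network; disabling the protocol removes that attack surface regardless of whether the MS17-010 patch (or the cumulative updates that later superseded it) is present, which is why this check is worth running alongside, not instead of, normal patch compliance reporting.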
NotPetya, which also came to light in 2017 in what is still regarded as the most destructive cyberattack on record, is notable for having been disguised as a ransomware attack while being purely destructive in intent; it primarily targeted Ukraine. Estimated to have caused upwards of $10 billion in damage worldwide, it bore some similarity to WannaCry (and to the Petya ransomware from which it takes its name), but had a significantly greater capability to spread, in particular to machines that were not themselves vulnerable: alongside the SMB exploit it harvested credentials from memory and used legitimate Windows remote-administration tools to move laterally. Beyond demonstrating the sheer extent of the damage such attacks can cause, NotPetya highlights the fact that paying a ransom can prove entirely futile for victims. Today this frequently holds true even where genuine ransomware, rather than wiper malware as in NotPetya's case, is deployed and the attackers' demands are met.
Ransomware attacks have become more sophisticated, often more targeted, and in recent years markedly more coercive. In addition to employing stronger encryption, ransomware attackers now execute 'multiple extortion' attacks. This can take the form of a 'double extortion' attack, in which the encryption of the victim's data is accompanied by the theft of that data and a threat to leak it if the ransom is not paid, increasing the pressure on the targeted organisation. A 'triple extortion' attack, sometimes referred to as the 'Triple Threat' of ransomware, typically adds a further element of disruption, for example a Denial of Service (DoS) attack against the victim's website, to maximise the pressure to pay. As the complexity of cyberattacks in general has increased, the ransomware ecosystem has evolved so that different actors specialise in different stages of an attack, from initial access through to negotiation. At the same time, the rise of ransomware-as-a-service (RaaS) has further expanded the threat: so-called affiliates of ransomware gangs can execute attacks without the expertise needed to build the malware themselves, using pre-developed tooling supplied to them on a subscription or revenue-sharing basis.
Effective response to ransomware attacks involves several critical steps:
At Teichmann International (IT Solutions) AG, we offer a uniquely comprehensive range of ransomware response and risk mitigation services. With experts equipped to handle both the technical and the legal complexities of ransomware attacks, our services help to ensure a rapid, strategically aligned response, which is vital to minimising the impact and mitigating the risks, costs, and wider harms that can arise in the immediate aftermath of a ransomware attack and over the long term.
We offer emergency Incident Response services either as a fully managed service or working closely with your security teams to identify and isolate affected systems, implement containment measures, and ultimately remediate the threat. TI IT's Incident Response uniquely comprises a combined cyber-legal crisis management service, enabling organisations to respond coherently, comprehensively, and above all quickly, while maintaining clear communications with all relevant stakeholders throughout. This is crucial to minimising the potential costs and wider harms arising from ransomware attacks, both in the short term and in the long run.
As a core element of our crisis management support, we can conduct negotiations on your behalf in the event of extortion and can also represent you before authorities and courts if necessary. To this end, the digital traces of the attack are identified, localised, and analysed, and then captured and prepared as evidence that can be used in court where required.
Our Cyber Extortion Risk Management services offer proactive improvement of your security posture by helping organisations to prepare for and mitigate the risk of ransomware attacks before they occur. This service combines a range of specialised advisory and technical solutions, including strategic risk assessments, development of response plans, delivery of best-of-breed ransomware protection and wider cyber threat detection solutions, and training to enhance and optimise your organisation's overall resilience against ransomware threats over time.