The criminals are reinvesting the profits in making bigger and bolder attacks, and there’s no end in sight

In the past five years, ransomware attacks have evolved from rare misfortunes into common and disruptive threats. Hijacking the IT systems of organisations and forcing them to pay a ransom in order to reclaim them, cybercriminals are freely extorting millions of pounds from companies – and they’re enjoying a remarkably low risk of arrest as they do it.

A current battleground is computer vulnerabilities. We keep trying to lock down our networks and they keep breaching the defenses. Ransomware only works when a security flaw is exploited, whether that flaw is in a human or a system. Ransomware is not the first and won't be the last type of attack; it is simply the one that is currently very common.

So long as paying the ransom costs significantly less than refusing to pay, organizations will continue to pay, even though such payments can be illegal (for example, where the recipient is a sanctioned entity).

Governments invest billions of dollars in making highways safe. Compare the cloverleaf intersections of the 1950s, without merge lanes, to today's interstate highway intersections; compare the double yellow lines of four-lane roads then to today's concrete dividers.

Ransomware is a lucrative form of cybercrime. It works by encrypting the data of the organisations that cybercriminals hack. The cybercriminals then offer organisations a choice: pay a ransom to receive a decryption key that will return your IT systems to you, or lose those systems forever. The latter choice means that firms would have to rebuild their IT systems (and sometimes databases) from scratch.

The frequency of those crimes is increasing rapidly. An EU report published in 2020 found that ransomware attacks increased by 365% in 2019 compared to the previous year, resulting in €10.1 billion (£8.7 billion) of losses in payouts alone. Since then, the situation is likely to have become much worse.

Even hospitals have suffered attacks. Given the potential impact of a sustained IT shutdown on human lives, healthcare organisations are in fact actively targeted by ransomware gangs, who know they'll pay their ransoms quickly and reliably. In 2017, the NHS fell victim to such an attack (WannaCry), forcing staff to cancel thousands of hospital appointments, relocate vulnerable patients, and conduct their administrative duties with pen and paper for several days.

The US government and Microsoft coordinated an operation of this kind in 2020, targeting the TrickBot botnet malware infrastructure – often used by Russian ransomware gangs – to prevent potential disruption of the US election. Australia is the only country to have publicly admitted to using offensive cyber capabilities to destroy foreign cybercriminals' infrastructure as part of a criminal investigation.

Sustained operations of this kind could have an effect on cybercriminals' ability to operate, especially if directed against the gangs' servers and the infrastructure they need to turn their bitcoin into cash. But unleashing offensive cyberwarfare tools against criminals also creates a worrying precedent.

Normalising the use of the armed forces or intelligence units against individuals residing in other countries is a slippery slope, especially if the idea is adopted by some of the less scrupulous regimes on this planet. Such offensive cyber operations could disrupt another state’s carefully planned domestic intelligence operations. They could also negatively affect the innocent citizens of foreign states who unwittingly share web services with criminals.

Some ransomware gangs invest their ill-gotten gains into the research and development of better cyber-tools. Many cybersecurity researchers are concerned about the increasing sophistication of the malware used by leading cybercrime groups such as REvil or Ryuk, which are both thought to be based in Russia. Giving these ransomware groups more money will only enhance their ability to disrupt more and larger companies in the future.

Ransomware examples

While ransomware has technically been around since the '90s, it has only taken off in the past five years or so, largely because of the availability of pseudonymous, hard-to-trace payment methods like Bitcoin. Some of the worst offenders have been:

CryptoLocker, a 2013 attack, launched the modern ransomware age and infected up to 500,000 machines at its height.

WannaCry spread autonomously from computer to computer using EternalBlue, an exploit developed by the NSA and then stolen by hackers.

NotPetya also used EternalBlue and may have been part of a Russian-directed cyberattack against Ukraine.

TeslaCrypt targeted gaming files and saw constant improvement during its reign of terror.

SimpleLocker was the first widespread ransomware attack that focused on mobile devices.

Locky started spreading in 2016 and was “similar in its mode of attack to the notorious banking software Dridex.” A variant, Osiris, was spread through phishing campaigns.

LeakerLocker was first discovered in 2017 in two Android applications: Booster & Cleaner and Wallpaper Blur HD. Rather than encrypt files, it locks the home screen to prevent access to data.

SamSam has been around since 2015 and targeted primarily healthcare organizations.

Maze is a relatively new ransomware group known for releasing stolen data to the public if the victim does not pay to decrypt it.

Wysiwye, also discovered in 2017, scans the web for open Remote Desktop Protocol (RDP) servers. It then tries to steal RDP credentials to spread across the network.

Cerber proved very effective when it first appeared in 2016, netting attackers $200,000 in July of that year. It took advantage of a Microsoft vulnerability to infect networks.

Bad Rabbit spread across media companies in Eastern Europe and Asia in 2017.

Ryuk first appeared in 2018 and is used in targeted attacks against vulnerable organizations such as hospitals. It is often used in combination with other malware like TrickBot.

GandCrab might be the most lucrative ransomware ever. Its developers, who sold the program to cybercriminals, claimed more than $2 billion in victim payouts as of July 2019.

Sodinokibi targets Microsoft Windows systems and encrypts all files except configuration files. It is related to GandCrab.

RobbinHood brought the city of Baltimore, Maryland, to its knees in 2019. Early reports described it as another EternalBlue variant, though that link was later disputed.

Thanos is the newest ransomware on this list, discovered in January 2020. It is sold as ransomware as a service and is the first to use the RIPlace technique, which can bypass most anti-ransomware methods.