Cyber Insight

One of the first ransomware attacks ever documented was the AIDS Trojan – also known as the PC Cyborg Virus. Conceived in 1989, it was released on 20,000 infected floppy diskettes labelled “AIDS Information – Introductory Diskettes” and disseminated to attendees at the World Health Organization’s AIDS conference in Stockholm.


The trojan hid directories and encrypted the names of the files on target computers. To regain access, victims were required to send $189 to the PC Cyborg Corporation.


The AIDS Trojan, designed and developed by Harvard-trained biologist Joseph Popp (who never faced legal consequences for his actions), is seen today as the prototype for all subsequent ransomware attacks.


With the popularisation of the Internet in the mid-2000s, cyber criminals realised that ransomware could be monetised on a much wider scale, and they began using asymmetric RSA (Rivest–Shamir–Adleman) encryption to lock victims' files.


GPcode, which initially spread via an email attachment purporting to be a job application, used a 660-bit RSA public key cryptosystem, while its successor GPcode.AK, following hot on its heels, appeared using a 1024-bit RSA key.


From 2011 ransomware attacks skyrocketed. Around 60,000 new ransomware variants were detected that year, a figure that doubled in 2012 and quadrupled by 2015.


Today there are countless strains of ransomware, although from 2016 onwards variants seem to have coalesced into two main categories, “crypto” and “locker”. More recently “double extortion” and ransomware as a service (RaaS) have grown in popularity within the cybercriminal fraternity.


Crypto ransomware variants are mainly spread via email. Generally, this is the attackers’ modus operandi: they first identify a target, probably an employee in a specific company.

They will undertake research. For example, if the criminals discover the target’s Facebook account, they might realise that he – or she – is an animal-lover and is interested in animal welfare.


It then becomes a straightforward task for the criminals to send a well-crafted email focusing on issues related to animal welfare to the target who, in many cases, will naively open its attachment (containing the ransomware) without realising the huge risks associated with this simple action.


Locker ransomware, on the other hand, does not encrypt files. It takes the distinctive route of locking its victims out of their devices. Cybercriminals will demand a ransom to simply reopen the virtual door.


The first hint of a further ransomware evolution came when cybercriminals began to encrypt network-accessible resources. In 2017, WannaCry ransomware infected more than 200,000 computer systems in 150 countries, causing billions of dollars in damages.


It was the speed at which WannaCry spread that represented a watershed in the cybersecurity environment and marked the first of what became known as fifth-generation cyberattacks. Another fifth-generation variant was NotPetya, the first nation-state-sponsored ransomware attack.


Since these perceived achievements, cybercriminals have again raised their game. Double extortion malware is now able to launch devastating, multistage attacks on target organisations.


It works by first exfiltrating confidential data (copying it out of the organisation and storing it) rather than encrypting or deleting it. If the target fails to meet demands, the data and the proprietary information it contains are leaked online or sold to the highest bidder.

Fifth-generation ransomware and double extortion techniques are changing the threat landscape and priming it for RaaS.


RaaS, as described by cyberthreat researcher and author Jeff White, is “a business for criminals, by criminals”. RaaS businesses provide ransomware to affiliates, usually on the basis of monthly fees and agreements, “like a perverted version of a media streaming service delivering new content directly to their subscribers,” he explains.


White adds that through RaaS, cybercriminals are able to tailor their ransomware attacks to address certain target groups. “This flexibility increases their capabilities and allows them to adapt through trial and error until they find the right mix.”


Is the globe, thanks to RaaS, gearing up for a cybercrime apocalypse? And is your organisation in its path?


Reports highlight a number of industry sectors that have been preferred ransomware targets in 2021. Construction companies were hardest hit – according to one survey – largely as a result of lax cybersecurity in this sector. Also on the list are the manufacturing, consumer goods and services, finance, insurance, travel and hospitality, healthcare and education sectors.


According to Tiago Henriques, a director at cybersecurity insurance company Coalition, ransomware attacks are often successful because “bad actors know that causing business disruptions [particularly in these sectors] can be a strong motivator for companies to pay ransom demands to get back up and running.”