The Evolution of Ransomware: From Consumer to Enterprise Attacks


These days, ransomware is in the news. A lot.

Every week, we hear about at least one successful attack on a giant corporation, like the one on Atlanta-based paper giant WestRock Co. Or we lose sleep over reports on new and improved ransomware threats, like the ability to hit companies with DDoS attacks to force them to pay a ransom.

Although news about ransomware has become commonplace, we can’t become desensitized to the very real dangers it poses to enterprise data security. It is important to recognize how ransomware evolved from a minor annoyance into a cybersecurity threat capable of bringing huge multinational corporations and entire governments to a screeching halt.

The Early Days of Ransomware

In the beginning (c. 1989), ransomware was not much more than an inconvenience. It used symmetric cryptography that was easy to break. But even if you couldn’t decrypt the files yourself, the ransom payment was laughable by today’s standards. Victims were required to send a check for $189 to a PO box in Panama in exchange for the key.

However, things got a bit more serious in 2006, when the Archiveus Trojan was released. Archiveus was the first ransomware to use RSA (asymmetric) encryption, and it encrypted everything in the infected machine’s My Documents directory. This ransomware strain required victims to purchase items from an online pharmacy in exchange for the decryption code.

During the mid-2000s, new ransomware variants didn’t encrypt files. Instead, they locked out users or displayed pornographic images until a small ransom was paid via premium SMS.

Ransomware Joins the Big League

Bitcoin changed the game in 2008. Now, instead of sending a check or wire transfer to cover a ransom, attackers could demand anonymous money transfers, which paved the way for larger, more expensive ransomware attacks.

By 2011, ransomware had established itself as a rapidly growing cybersecurity threat. One of the major factors fueling this growth was the release of a ransomware strain that mimicked the Windows Product Activation notice. Suddenly, it was much harder to tell the difference between legitimate software and malware.

These new attack strategies, combined with the availability of new ransomware toolkits that let almost anyone launch a ransomware campaign, led to an enormous surge in the ransomware infection rate. Reports show that in Q3 2011, about 60,000 new ransomware events were reported; by July 2012, there were more than 2,000 ransomware detections every day.

In 2013, ransomware operators found an easy “in” to enterprise networks. CryptoLocker was the first cryptographic ransomware spread by downloads from a compromised website or sent to businesses in the form of email attachments. Because it was a new strategy, many employees fell for the bait, which likely made ransomware protection solutions and employee security awareness training the hot boardroom topic of 2013.

Ransomware as a service arrived on the scene in 2015, making it easier than ever to break into the ransomware game. Tox, turnkey malware available to the masses, was ready to deploy for any aspiring cybercriminal willing to share 20 percent of the proceeds from their successful extortion attempts.

Ransomware Goes for the Jugular

By 2019, every company knew the importance of backing up and protecting company data. Then ransomware operators moved the goal posts again by releasing new ransomware strains specifically targeting backup files.

These attacks hit shared network drives and files with backup file extensions, synced with the cloud backup service, and encrypted the backup files. If the native files are encrypted and the backup files are encrypted ... there’s a really strong chance someone’s going to be paying a ransom.

In 2020, ransomware operators found even more ways to add insult to injury. A new strategy known as leakware or double extortion began gaining traction. Now, in addition to worrying about whether you will be able to decrypt your encrypted data, you have to worry about your stolen data being exposed to the public on “leak sites.”

Ransomware technology is evolving and improving constantly, so ransomware gangs are getting better at sneaking into systems undetected. The speed at which encryption takes place is increasing as well, which means there is very little time to neutralize an attack before the damage is done.

The Growing Impact of Ransomware on Businesses

Ransomware has come a long way since the first $189 ransom was paid back in 1989. Today, the cost of recovering from a ransomware attack is enough to drive some organizations out of business.

Sophos’s State of Ransomware 2020 report shows the average total cost of a successful ransomware attack—including downtime, technical recovery, lost business, and overtime—was $732,000 for organizations that refused to pay the ransom and $1,448,000 for those that did pay. And that’s just monetary costs. Those figures don’t include the potential long-term impact to your bottom line, such as reputational damage and lost customers.

A comprehensive ransomware protection strategy is no longer optional in today’s business environment. Ransomware attacks are now a matter of when, not if, and it is critical to take a proactive and holistic approach to minimizing the impact on business operations and revenue.
