Ransomware is now a billion-dollar industry. But it wasn’t always this big – nor was it the predominant cybersecurity risk that it is today.
Dating back to the 1980s, ransomware is a form of malware used by cybercriminals to lock files on a person’s computer and demand payment to unlock them.
The technology – which officially celebrated its 35th anniversary on December 12 – has come a long way, with criminals now able to spread ransomware much more quickly and deploy it on multiple targets.
Cybercriminals extorted $1 billion in cryptocurrency payments from ransomware victims in 2023, a record high, according to data from blockchain analytics firm Chainalysis.
Experts expect ransomware to continue to evolve, with modern cloud computing technology, artificial intelligence and geopolitics shaping the future.
How did ransomware come about?
The first event considered a ransomware attack occurred in 1989.
A hacker physically mailed floppy disks claiming they contained software that could help determine whether someone was at risk of developing AIDS.
However, once installed, the software hid directories and encrypted filenames on users’ computers after the machines had been rebooted 90 times.
A ransom note was then displayed demanding that a bank check be sent to an address in Panama in order to obtain a license to restore the files and directories.
The program became known in the cybersecurity community as the “AIDS Trojan.”
“It was the first ransomware and it was created from someone’s imagination. It wasn’t something anyone had read or researched about,” said Martin Lee, EMEA head at Talos, the cyber threat intelligence arm of IT equipment giant Cisco, in an interview with CNBC.
“It was just never discussed before. There wasn’t even the theoretical concept of ransomware.”
The perpetrator, a Harvard-educated biologist named Joseph Popp, was caught and arrested. However, after exhibiting erratic behavior, he was found unfit to stand trial and returned to the United States.
How ransomware evolved
Since the emergence of the AIDS Trojan, ransomware has evolved significantly. In 2004, a threat actor attacked Russian citizens with a criminal ransomware program now known as “GPCode.”
The program was delivered to people via email – an attack method now commonly known as “phishing.”
Users, tempted by the promise of an attractive career offer, downloaded an attachment containing malware disguised as an application form.
Once opened, the attachment downloaded and installed malware on the victim’s computer, scanned the file system, encrypted files, and requested payment via wire transfer.
Then, in the early 2010s, ransomware hackers turned to cryptocurrency as a payment method.
In 2013, just a few years after Bitcoin was introduced, the CryptoLocker ransomware emerged.
Hackers who targeted people with this program demanded payment in either Bitcoin or prepaid cash vouchers – it was an early example of crypto becoming the currency of choice for ransomware attackers.
Later, more prominent examples of ransomware attacks that used crypto as the ransom payment method of choice included the likes of WannaCry and Petya.
“Cryptocurrencies offer many advantages to the bad guys precisely because it is a way to transfer value and money outside of the regulated banking system in an anonymous and immutable way,” Lee told CNBC. “Once someone has paid you, that payment cannot be reversed.”
CryptoLocker also became known in the cybersecurity community as one of the earliest examples of a “ransomware-as-a-service” operation – that is, a ransomware service that developers sell to more novice hackers for a fee, enabling them to carry out attacks.
“In the early 2010s, we saw this surge in professionalization,” Lee said, adding that the gang behind CryptoLocker was “very successful in carrying out the crime.”
What’s next for ransomware?
As the ransomware industry continues to evolve, experts believe hackers will find more and more ways to use the technology to exploit companies and individuals.
Ransomware is expected to cost victims $265 billion annually by 2031, according to a report from Cybersecurity Ventures.
Some experts fear that AI has lowered the barrier to entry for criminals looking to create and use ransomware. Generative AI tools like OpenAI’s ChatGPT allow everyday internet users to enter text-based queries and receive sophisticated, human-like answers in response – and many programmers even use them to help write code.
Mike Beck, Darktrace’s chief information security officer, told CNBC’s “Squawk Box Europe” that there is a “huge opportunity” for AI – both in arming cybercriminals and in improving the productivity and operations of cybersecurity companies.
“We have to equip ourselves with the same tools that the bad guys use,” Beck said. “The bad guys will use the same tools that are used today in all of these changes.”
But Lee doesn’t think AI poses as big a ransomware risk as many think.
“There are a lot of hypotheses that AI is very good for social engineering,” Lee told CNBC. “However, when you look at the attacks that are out there and that seem to work, it tends to be the simplest ones that are the most successful.”
Cloud systems in sight
A serious threat to watch out for in the future could be hackers targeting cloud systems that allow companies to store data and host websites and apps remotely from far-flung data centers.
“We haven’t seen a lot of ransomware attacks on cloud systems yet, and I think that’s likely to be the future as we move forward,” Lee said.
Lee said ransomware attackers could encrypt or deny access to cloud assets in the future by changing credentials or using identity-based attacks to deny users access.
Geopolitics is also expected to play a key role in the development of ransomware in the coming years.
“Over the past decade, the distinction between criminal ransomware and nation-state attacks has become increasingly blurred and ransomware has become a geopolitical weapon,” Lee said. “I think we’ll probably see more of that,” he added.
Another risk that Lee says is becoming increasingly important is autonomously distributed ransomware.
“There is still scope for there to be more ransomware that spreads autonomously – perhaps not everything that comes their way, but limited to a specific domain or organization,” he told CNBC.
Lee also expects ransomware-as-a-service to grow rapidly.
“I think we will see increasing professionalization of the ransomware ecosystem, moving almost exclusively towards the ransomware-as-a-service model,” he said.
But while the way criminals use ransomware will continue to evolve, the actual architecture of the technology is unlikely to change too drastically in the coming years.
“Aside from RaaS providers and those using stolen or obtained toolchains, credentials and system access have proven effective,” Jake King, head of security at internet search company Elastic, told CNBC.
“Until more obstacles emerge for adversaries, we will likely continue to see the same patterns.”