Ransomware evolution chronicles

Ransomware has instilled fear in individual users, businesses, nonprofits, and governments since the early 2010s. Nowadays, this ‘classic’ extortion tactic through malicious encryption is intertwined with things like DDoS (distributed denial-of-service) attacks and data leaks, which can have serious reputational implications for the victims.

This is a guest article written by David Balaban. The author’s views are entirely his own and may not reflect the views of IT Governance USA.

This article highlights the evolution of this cyber crime phenomenon. We also share best-practice tips to safeguard your organization and avoid falling victim to a ransomware attack.

Police Trojans splash onto the scene

Emerging in 2012, the first mainstream forms of ransomware did not use encryption. Instead, they were web redirects that used screen lockers mimicking the FBI or local law enforcement agencies. They stated that the victim had infringed copyright or distributed child pornography and demanded a payment of $100 in MoneyPak or Ukash prepaid cards. To make the attack convincing, they displayed the target’s IP address, operating system version, and location information on the lock screen.

Encryption becomes a game changer

In 2013, the threat landscape got an overhaul with the emergence of CryptoLocker, the first widespread ransomware that encrypted victims’ files. It was distributed through spam containing contagious attachments. The private key was kept only on the ransomware operator’s C2 (command and control) server, making data decryption nearly impossible without paying the ransom. The perpetrators accepted payment in either bitcoin or prepaid cards.

Extortion skyrockets with the onset of RaaS

RaaS (ransomware as a service) exploded onto the scene in 2015 and took the extortion world by storm. It was reminiscent of affiliate marketing, with ransomware authors outsourcing distribution to interested parties and getting a cut (usually 40%) of the ransom. RaaS platforms offered infection stats visualization, provided affiliates with exploit kits to boost the success rate of their attacks, and included flexible options to create custom ransomware payloads.

This scheme caused a surge in ransomware, with creators of the infamous Cerber and Locky strains quick to jump on board. It culminated in the 2017 WannaCry and NotPetya attacks, which harnessed leaked NSA (National Security Agency) hacking tools to contaminate hundreds of thousands of Windows computers around the world.

Data breaches kick in

In 2018, a dramatic decrease in the bitcoin price pushed ransomware operators to repurpose their campaigns by focusing primarily on enterprise networks. This transition to targeted attacks allowed crooks to rake in larger ransoms without relying on ‘spray and pray’ activity.

Malicious actors tweaked their tactics again in 2019 to encompass data encryption and data breaches in their attacks. In other words, perpetrators steal organizations’ files as part of their raids, threatening to leak the data via specially crafted sites or hacking forums to name and shame non-paying victims.

This strategy has been the driving force of extortion campaigns ever since. About two dozen ransomware groups, including the notorious Sodinokibi and LockBit, use this double-extortion method to pressure businesses into coughing up huge amounts of money.


Sometimes scammers impersonating ransomware actors try to fool users into thinking they are under attack when they are not. This is what happened in April 2020, when numerous webmasters received ransom notes stating that their WordPress sites had been compromised and the underlying databases had been copied to the attackers’ servers.

To keep the content from being released into the wild, the site owners were instructed to send $2,000 worth of cryptocurrency to the scammers within five days. Although these claims were all bark and no bite, several victims paid up.

Ransomware gangs collaborate

In June 2020, the malefactors behind the Maze, Ragnar Locker, and LockBit ransomware teamed up. In an unprecedented move, they began dumping stolen data on the same leak site, motivated by the prospect of sharing knowledge and network attack tools to take their assaults to the next level.

Extortionists contact victims over the phone

In early September 2020, a dental practice in Georgia got a phone call from a group purporting to have infiltrated the practice’s network and demanding a ransom. This was preceded by the discovery of strange changes in the company’s computer system. Although the server was subsequently wiped and reinstalled from a backup, it turned out the clinic had suffered a breach in late August. Shortly after the phone call, stolen files ended up on the dark web. Although the leaked files reportedly contained no sensitive patient information, and this incident did not have serious implications for the dental practice, it shows that ransomware actors were thinking outside the box.

DDoS as a scare tactic

DDoS is one more component of the contemporary extortion ecosystem. Threat actors warn an organization that they are about to flood the network with a huge amount of rogue traffic that will bring the digital infrastructure offline, coercing the organization to pay a ransom to avert disruption.

While many of these extortion attempts are a bluff, in some cases blackhats mount DDoS attacks so that their targets cooperate. In October 2020, for example, the criminals behind the SunCrypt ransomware punished a company that refused to pay up by causing a DoS condition.

Ads on social media for extra intimidation

In early November 2020, the Ragnar Locker ransomware group used an unorthodox method to pressure a victim into paying a ransom. The crooks ran a fraudulent Facebook ad campaign from a hacked account to spread word about an attack they had orchestrated against Campari Group, a popular Italian beverage maker. The ads had at least 7,000 views before Facebook terminated the campaign. This was the first known instance of ransomware operators using social media to publicize their attacks with extra publicity.

Ransom notes from printers

In mid-November 2020, the authors of the Egregor ransomware took a bizarre extortion route. After breaching the networks of Chilean retail company Cencosud, they made the receipt printers in its stores across the country incessantly print text reflecting their demands. Criminals know that such incidents can cause serious reputational damage and consequently make targets more willing to pay up. Therefore, these tactics could become more common.

IoT devices in the spotlight

In a one-of-a-kind extortion campaign that hit the headlines in early January 2021, male users of an Internet-enabled chastity device, Qiui Cellmate, ran into problems trying to unlock the adult toy after an attacker compromised the companion mobile app and remotely locked multiple associated gadgets.

The malicious code used has been dubbed the ChastityLock ransomware. Every hacked Qiui app user received a ransom note asking for 0.02 bitcoins (worth about $270 at the time) to unlock the device. Fortunately, the vendor posted a video on how to unlock the device manually, and it is believed that no one paid the ransom.

How to stay safe

The following tips will help protect you against increasingly sophisticated ransomware attacks:

  • Maintain backups. If you have an up-to-date backup of your files, you can easily get your systems back on track after a ransomware attack. However, keep in mind that this will not help if malefactors steal data in addition to encrypting it.
  • Take email security seriously. Malicious email attachments are common ransomware entry points, so configure your email service to filter out spam, phishing emails, and messages containing executable files.
  • Treat Microsoft Office macros with caution. If you receive an Office file over email that instructs you to enable macros to view its contents, ignore the message. Macros can fire up scripts that quietly download ransomware.
  • Secure your remote desktop services. This is important because many ransomware operators targeting an enterprise exploit crudely protected RDP (Remote Desktop Protocol) connections to get in networks. Enabling two-factor authentication, limiting the number of unsuccessful connection attempts, and setting up an IP whitelist should stop bad actors in their tracks.
  • Treat the most important data accordingly. Figure out which files matter the most and safeguard them. Backing up and encrypting these records should prevent attackers from accessing them or pressuring you into paying the ransom.
  • Use a firewall. A firewall will block rogue traffic between ransomware and its C2 server. As a result, the malicious software cannot receive cryptographic keys or send your files to its operators.
  • Protect your network against DDoS attacks. DDoS is increasingly used as a scare tactic in ransomware attacks. Consider leveraging a WAF (web application firewall) and a reputable DDoS mitigation service like Cloudflare.
  • Use security tools. Although antivirus or VPN solutions will not keep you entirely safe, they are very important security elements as they can protect against mainstream ransomware.
  • Keep your systems up to date. Not only do software updates bring new features but they also address known vulnerabilities that might be exploited by attackers to gain a foothold in digital environments.
  • Step up staff security awareness training. Make sure every employee knows how to tell a phishing email from a regular one and uses proper authentication practices to sign in to sensitive corporate accounts.