Ransomware evolution: From lockers to data leaks

This is a guest article written by David Balaban. The author’s views are entirely his own and may not reflect the views of IT Governance USA.

Ransomware is one of the most unnerving phenomena in the cyber threat landscape. It has been front-page news for almost a decade, with jaw-dropping ups and dramatic downs accompanying its progress.

Although most people think of ransomware as a malicious application that encrypts data and holds it for ransom, the concept is much more heterogeneous. It also spans mild-impact screen lockers, disguised data wipers, infections that overwrite the master boot record, and most recently, attacks that threaten to expose victims’ personal data.

Ransomware came into existence in 1989 as a primitive program dubbed the AIDS Trojan, which was spread via 5.25-inch diskettes. However, its real-world impact was close to zero. Several marginal blackmail threats in the mid-2000s similarly failed to gain significant traction. The Archiveus Trojan from 2006 was the first to use an RSA cipher, but it was reminiscent of a proof of concept and used a static 30-digit decryption password that was quickly cracked. It wasn’t until the release of CryptoLocker in 2013 that ransomware went truly mainstream, and it has since transformed into a major dark web economy, spawning the likes of the Sodinokibi, Ryuk, and Maze lineages that are operating on a huge scale today.

Let’s look at the strains that were the driving forces of the ransomware evolution.

2012 – 2013: “Police” lockers booming

During this period, the ransomware ecosystem was dominated by Trojans that locked the screen or web browser with fake alerts impersonating law enforcement agencies. These warnings would state that the victim had committed a felony such as copyright violation or distribution of child pornography. The message pressured the user into paying a fine via a prepaid service like MoneyPak, Ukash, or Paysafe, saying that otherwise the case would go to court.

These “police” ransomware campaigns were backed by a sophisticated Trojan called Reveton. It allowed malefactors to align the infection with the victim’s geographic location so that the local law enforcement agency was mimicked in the lock screen. This quirk made the attack more believable and added a degree of flexibility.

FBI-themed ransomware was one of the most prolific infections. It surfaced in November 2012 and thousands fell victim each day. Its lock screen included the victim’s IP address, precise location, ISP name, and Windows version. The average ransom was $300–$500 in prepaid cards. Fortunately, the ransomware was generally easy to remove. All it took was restoring the system to its earlier state or resetting the affected web browser. This explains why “police” lockers were soon superseded by more complex infections.

2013 – 2015: Data-encrypting ransomware kicks in and perseveres

Emerging in September 2013, CryptoLocker was a game-changer, paving the way for hundreds of file-encrypting menaces. The threat leveraged 2048-bit RSA encryption and stored the public-private key pair on its command-and-control (C2) server. Victims were given three days to pay the ransom using Bitcoin or prepaid cards (Ukash, CASHU, MoneyPak, or paysafecard). Early versions of CryptoLocker demanded $100 for decryption, but this rose to $600 per computer by December 2013.

The ransomware was distributed via spam generated by the Gameover ZeuS botnet, which was launched in 2011 as a toolkit for stealing victims’ banking credentials before being repurposed for malware propagation. The success of CryptoLocker gave rise to several copycats, including PClock, CryptoLocker 2.0, Crypt0L0cker, and TorrentLocker.

The CryptoLocker wave went into decline in June 2014 as a result of Operation Tovar, an initiative orchestrated by law enforcement agencies from multiple countries. It took down the Gameover ZeuS botnet, stopping the ransomware distribution in its tracks.

However, this did not put an end to the extortion epidemic. Instead, ransomware became more complex and thwarted attempts to attribute attacks to specific malicious actors. In July 2014, extortionists started setting up their C2 infrastructures and ransom payment sites on The Onion Router (Tor) anonymity network, which allowed them to hide their online footprint. Furthermore, the payment channels became isolated to untraceable Bitcoin transactions. The emergence of CTB-Locker in 2014 and CryptoWall in 2015 fully demonstrated this multi-pronged shift.

2015 – 2018: RaaS, the biggest outbreaks ever, and a nosedive

Another fundamental development was the onset of RaaS (ransomware-as-a-service) in May 2015. This is an affiliate model where different cyber crime groups execute the attack and share their earnings with ransomware authors. Specially crafted RaaS dashboards provide the criminals with advanced infection tracking tools and allow them to build a custom variant of the malicious code in a snap.

This came alongside some of the biggest and longest-running ransomware campaigns of all time. In July 2015, the TeslaCrypt strain appeared, hitting up to 2,000 computers a day. The infamous Locky ransomware was first spotted in February 2016. Spreading through malicious Microsoft Word macros, at its peak it infected more than 400,000 PCs around the world in only a few hours.

The notorious Cerber ransomware appeared around the same time and caused mayhem for more than a year. CryptXXX, another major family discovered in April 2016 and later rebranded UltraCrypter, relied on exploit kits that used software vulnerabilities to infiltrate systems. CrySiS, or Dharma, has also been around since 2016 and continues to be active, and the first viable Mac ransomware, KeRanger, was spotted in the spring of that year.

The WannaCry and NotPetya outbreaks in May and June 2017 respectively were the most devastating in history. Although both lasted mere days, hundreds of thousands of computers were affected. The campaigns used leaked NSA exploits called EternalBlue and DoublePulsar, which made the attacks inconspicuous and therefore almost impossible to prevent. The attacks have since been attributed to state-funded threat actors.

The GandCrab RaaS that appeared in early 2018 was one of the last high-profile threats targeting individuals on a large scale. It vanished from the radar in June 2018, when events took another sharp turn.

Late 2018 – the present day: A focus on the enterprise and data breaches

The plummeting price of Bitcoin in 2018, combined with the growth of users’ overall security awareness and better protection practices, forced ransomware operators to rethink their strategies. Instead of using the “spray and pray” technique, they zeroed in on enterprise networks.

The big names that pioneered these targeted attacks are Sodinokibi (aka REvil) and Ryuk. The logic of the raid mainly comes down to using unsecured RDP ports or spear phishing to infiltrate networks and gain a foothold in them. In many cases, the crooks hack managed service providers and use this access to compromise partnering organizations.

Local governments, small and medium-sized businesses, international corporations, health care facilities, and educational institutions are common targets. Some perpetrators even continued targeting hospitals during the COVID-19 pandemic. Depending on the number of infected computers, ransoms can reach millions of dollars.

In November 2019, the criminals behind the Maze ransomware started a popular new trend, adding data theft to the classic encryption scenario. This enhances the blackmail as the attackers threaten to leak the stolen files via publicly accessible sources such as hacker forums if the victim refuses to cough up the ransom.

In early 2020, several cyber crime groups followed suit. Some have even created special websites for data dumps. This type of extortion has become the norm for such lineages as DoppelPaymer, Sodinokibi, Nemty, Nefilim, and Clop. Clop hit the headlines in late April 2020, when its operators leaked sensitive files stolen from the U.S. pharmaceutical giant ExecuPharm.
Ransomware is a dynamic and increasingly hybrid segment of cyber crime. It has evolved from rudimentary screen lockers to uncrackable file-encrypting threats equipped with data theft capabilities. Some researchers thought that the 2018 downturn in these campaigns signaled their demise. However, this was just the calm before the storm as attackers overhauled their modus operandi.

What does the future hold? Only time will tell. In the meantime, both businesses and individuals should be proactive in terms of their defenses and maintain data backups to minimize the potential impact of a ransomware attack.

How IT Governance USA can help

The cyber threat landscape is constantly changing, with new threats and vulnerabilities emerging all the time. In order to ensure that the information your organization relies on is adequately protected, you need a cyber security strategy. Part of that strategy should include the development of a robust cyber security framework.

Designed and developed by experienced information security specialists, this toolkit contains expert guidance, advice and fully customizable documentation templates to help you implement such a framework.

Cybersecurity Toolkit by IT Governance USA