The story of ransomware is the story of the discovery, professionalization, and growth of the targeted attack extortion model. The period before 2016 saw a significant increase in the number of end users that ransomware campaigns targeted. In this “spray-and-pray” business model, quantity was valued over quality, so ransomware actors were less concerned with applying pressure to a specific victim and more concerned with reaching as many victims as possible. Ransomware did not make a ton of money until the very end of this period. Because it was a second-tier avenue of cybercrime, it did not draw as much talent or activity as it would in the years to come.
Between 2013 and 2016, ransomware saw its first sustained growth as improved ransomware payloads, the emergence of virtual currencies, and improved anti-fraud controls from banks and cybersecurity vendors made digital extortion more lucrative than other common forms of cybercrime. The exact sequence is unknown, but as more activity focused on ransomware, criminals appear to have learned how simple it was to extort businesses before realizing how profitable these attacks could be. Established cybercriminal gangs flooded the targeted ransomware market between 2016 and 2019.
Until the summer of 2021, cybercriminals spent increasing time and money refining the targeted extortion model. Digital extortion became more profitable during this time because cybercriminal gangs and the markets for cybercrime refocused on the virtually unstoppable demand for targeted ransomware. Additionally, as criminals honed their methods for extracting money from victims, they launched more disruptive ransomware attacks.
Before 2016, lengthy negotiations and complex pressure tactics were rarely used in ransomware attacks. Ransom demands were a take-it-or-leave-it proposition, and criminals used only crude methods of price discrimination among victims, such as geolocating them by Internet protocol (IP) address. Depending on the malware and the victim, most ransoms were in the $75–$750 range.
As long as ransom demands remained low, scale was the main way ransomware groups could maximize revenue. Take CryptoLocker, one of the earliest and most effective ransomware campaigns ever. In the winter of 2013, CryptoLocker produced an astounding $27 million in just two months. A strong encryption algorithm and the use of Bitcoin as a payment method were two innovations in the malware that would later come to define modern ransomware. Yet only 30% of CryptoLocker victims paid the ransom, which was in the $300–$750 range.
Because the creators of CryptoLocker also had control over one of the biggest botnets in the world at the time, they had unmatched access to a sizable victim pool. They could distribute the malware through that botnet with a speed and scope that few criminals could match. In other words, access to a sizable victim pool was more important in the early stages of ransomware than a flashy payload or slick payment system.
Thus motivated, ransomware groups before 2016 paid little attention to creating cutting-edge extortion schemes or more destructive payloads. According to one study of over 1,000 ransomware samples gathered between 2006 and 2014, the majority of ransomware families at the time lacked “sophisticated destructive capabilities,” and many “encrypt[ed] or delete[d] the victim’s files using only superficial techniques.” A second team of researchers discovered that several ransomware variants still had fundamental cryptographic flaws as recently as 2018, allowing data to be recovered. Since many users lacked the time, resources, or know-how to deal with a ransomware attack, early ransomware groups could get away with such shortcuts.
Early ransomware was less profitable as well as less disruptive. According to a 2018 study by Google researchers, the two most common families of spray-and-pray ransomware at the time, Locky and Cerber, made over $7.8 million and $6.9 million, respectively. By contrast, eight of the top ten ransomware organizations in 2020 made more than $10 million. One of them, REvil, is rumored to have made $100 million.
Compared to their successors, early ransomware gangs did not amass as much wealth or cause as much damage. Most of them lacked the status and funds necessary to hire top-tier cybercrime talent. This era’s most sophisticated cybercrime gangs focused primarily on bank fraud because it offered them more lucrative rewards.
Between 2016 and 2019
After rapid growth in spray-and-pray ransomware attacks, which by some estimates had become a $1 billion industry by 2016, ransomware attacks became more specifically targeted. The growth of one type of digital extortion likely sparked the next development: as more criminals entered the ransomware market, they grew bolder, more cunning, and perhaps even luckier.
The margins for traditional, fraud-based forms of crime were squeezed throughout the 2010s by strengthened anti-fraud defenses at significant financial institutions and an exponential rise in the volume of stolen data on the underground cybercrime market. For instance, the cost of a stolen credit card decreased from $25 to $6 between 2011 and 2016.
In contrast, following the release of CryptoLocker, criminal organizations began to more frequently imitate the lucrative business model that the combination of file encryption, payments through virtual currency, and at-scale malware delivery offered. The number of new ransomware strains increased every year between 2011 and 2015, when it first passed 100. During this time, criminals created more efficient ways to pressure victims, encrypt data, deliver payloads, and receive payments.
Changes made by major antivirus providers in the middle of the 2010s lessened the impact of end-user ransomware campaigns. According to Robert McArdle, a cybercrime expert at Trend Micro, ransomware gangs reacted by gaining more privileges inside a network, which allowed them to disable organizations’ enhanced edge defenses. McArdle theorizes that once hackers discovered how simple it was to gain administrator-level access to a company, it was only a matter of time before they spread ransomware from the center of a network, encrypting thousands of machines at once.
SamSam, the first ransomware group to pursue only targeted attacks, debuted in the winter of 2015. It may have taken some time for SamSam’s strategy to spread to the Eastern European cybercrime scene because the people behind it are not from there. But in the unregulated world of cybercrime, copycats quickly join in when news of a lucrative form of cybercrime spreads.
Targeted ransomware replaced end-user ransomware as the preferred attack in the digital extortion market in 2017. Enterprise ransomware attacks surpassed consumer attacks for the first time in 2017. By 2018, 81 percent of ransomware attacks targeted businesses.
Elite cybercrime gangs also entered the targeted ransomware game between the summer of 2017 and April 2019. The Dridex botnet’s operators developed BitPaymer in July 2017; the developers of the TrickBot banking malware developed Ryuk in August 2018; and the former GandCrab ransomware developers, after splitting off, developed REvil in April 2019. All three organizations specialized in targeted extortion.
As top-tier cybercrime groups entered the ransomware market and revenues increased, cybercrime markets adjusted to meet the rising demand for resources to be used in targeted ransomware attacks. As a result, modern ransomware actors have access to a far wider range of goods, services, and partners to help them carry out their attacks than their predecessors did.
The expansion of illicit access brokers and the markets where they trade is possibly the best indication of how much ransomware has altered the cybercrime landscape and how those markets have, in turn, helped ransomware grow. Criminals who gain access to an organization can sell that access to ransomware organizations or other cyber criminals through illicit access markets.
Even though these markets have existed in some capacity for a while, they have seen “meteoric growth” due to the rise in ransomware. Access brokers used to support a wider range of criminal activity, but now they primarily support targeted ransomware attacks. Listings on initial access markets now advertise, for instance, the level of access that is available, the revenue of the organization a criminal has access to, and indicators of how much that company might pay in a ransomware incident and how much work criminals would need to do to launch one.
Because the first phase of a ransomware attack can be outsourced, the ransomware group can concentrate on moving inside the company. The escalating frequency of targeted ransomware attacks can be attributed partly to this specialization. Recorded Future, a cybersecurity company, estimated that ransomware groups carried out 65,000 targeted ransomware attacks in 2020. Without underground forums, according to ransomware expert Allan Liska, that number would not be possible.
The development of the ransomware-as-a-service (RaaS) model is also consistent with the rise in ransomware specialization across the various stages of the ransomware life cycle. In a RaaS structure, a core group of criminals manages the ransomware payload while contracting out the ransomware deployment to so-called “affiliates.” With affiliates now attracting more and more attention from law enforcement, the model has the dual benefit of allowing ransomware groups to scale their operations and off-load risk. A member of the REvil ransomware gang claimed in an interview that the organization once had sixty affiliates carrying out attacks on its behalf. As of October 2021, eight of the most well-known ransomware groups were using an affiliate model to launch attacks.
Ransomware groups have drawn on growing war chests and external partnerships to fortify their organizations from within. Some of the wealthiest ransomware organizations rent access to botnets, which gives them a steady stream of victims and spares them the need to buy on open access markets. Ransomware organizations have also spent more money on hiring top talent after experiencing past financial success. At one point the REvil group advertised a $1 million investment in a new hiring drive.
Internal communications from the Conti ransomware group were recently exposed, illustrating how years of consistent income have transformed ransomware groups into something that resembles a legitimate company. According to the leaks, the organization reportedly employed between 65 and 100 salaried workers over the last two years, paying them twice monthly in virtual currency. The organization had a human resources department, a 24/7 support staff, and vacation policies for its employees. The company invested profits into its core business, studying flaws in well-known cybersecurity products, looking into fresh vulnerabilities and exploits, and finding useful partners with an eye toward the future.
The market for targeted ransomware attacks has gradually become more professionalized, which has profoundly impacted the digital extortion sector, whether measured in terms of attack volume or attack effectiveness. The total value of cryptocurrency received by ransomware addresses increased from less than $25 million in 2016, when mass ransomware predominated, to roughly $692 million in 2020, when targeted ransomware had become standard. The number of ransomware complaints made to the Federal Bureau of Investigation’s Internet Crime Complaint Center increased by 65.7 percent between 2018 and 2020, while victim losses increased by 705 percent during the same period.