31 January 2025

As the ransomware industry evolves, experts expect hackers to continue to find more and more ways to use technology to exploit companies and individuals.


Ransomware is now a billion-dollar industry. But it wasn't always this big, nor was it as prevalent a cybersecurity risk as it is today.

Dating back to the 1980s, ransomware is a form of malware used by cybercriminals to lock files on a person's computer and demand payment to unlock them.

The technology – which officially turned 35 on December 12 – has come a long way, with criminals now able to manufacture ransomware much faster and spread it across multiple targets.

Cybercriminals made $1 billion in extorted cryptocurrency payments from ransomware victims in 2023 – a record number, according to data from blockchain analysis firm Chainalysis.

Experts expect ransomware to continue to evolve, with modern cloud computing technology, artificial intelligence and geopolitics shaping the future.

How did ransomware appear?

The first event considered a ransomware attack occurred in 1989.

A hacker mailed floppy disks claiming to contain software that could help determine if someone was at risk of contracting AIDS.

However, once installed, the program hid directories and encrypted file names on people's computers after they had been restarted 90 times.

A ransom note was then displayed requesting that a cashier's check be sent to an address in Panama for authorization to recover the files and directories.

The software became known to the cybersecurity community as the “AIDS Trojan.”

“It was the first ransomware and it came from someone's imagination. It wasn't something they read about or researched,” Martin Lee, head of EMEA at Talos, the cyber threat intelligence division of IT equipment giant Cisco, told CNBC in an interview.

“Before then, this was never discussed. There wasn't even a theoretical concept of ransomware.”

The perpetrator, a Harvard biologist named Joseph Popp, was caught and arrested. However, after he displayed erratic conduct, he was found unfit to stand trial and returned to the United States.

How ransomware has evolved

Since the emergence of the AIDS Trojan, ransomware has evolved significantly. In 2004, a threat actor targeted Russian citizens with a criminal ransomware program known today as “GPCode.”

The software was delivered to people via email – an attack method known today as “phishing.” Users, tempted by the promise of an attractive job offer, downloaded an attachment containing malware masquerading as a job application form.

Once the attachment was opened, it downloaded and installed the malware on the victim's computer, scanning the file system, encrypting files and demanding payment via bank transfer.

Then, in early 2010, ransomware hackers turned to cryptocurrencies as a means of payment.


In 2013, just a few years after Bitcoin was created, CryptoLocker ransomware appeared.

Hackers targeting people with this software demanded payment in either bitcoin or prepaid cash vouchers, but it was an early example of how cryptocurrencies became the currency of choice for ransomware attackers.

Later, more notable ransomware attacks that adopted cryptocurrencies as the ransom payment method of choice included the likes of WannaCry and Petya.

“Cryptocurrencies offer many advantages to the bad guys, precisely because they are a way to transfer value and money outside of the regulated banking system in an anonymous and immutable way,” Lee told CNBC. “If someone pays you, it can't be undone.”

CryptoLocker has also become notorious in the cybersecurity community as one of the earliest examples of a “ransomware-as-a-service” operation — that is, a ransomware service that developers sell to more novice hackers for a fee to allow them to carry out attacks.

“In early 2010, we saw this increase in professionalism,” Lee said, adding that the gang behind CryptoLocker had been “very successful at running crime.”

What's next for ransomware?

Some experts worry that artificial intelligence has lowered the barrier to entry for criminals looking to create and use ransomware. Generative AI tools, like OpenAI's ChatGPT, allow ordinary Internet users to enter text queries and requests and get sophisticated, human-like answers — and many programmers use them to help them write code.

Mike Beck, chief information security officer at Darktrace, told CNBC's “Squawk Box Europe” that there is a “huge opportunity” for artificial intelligence – both in arming cybercriminals and in improving productivity and operations within cybersecurity companies.

“We have to arm ourselves with the same tools that the bad guys use,” Beck said. “The bad guys will use the same tools that are being used alongside all this kind of change today.”

But Lee doesn't think AI poses as big a ransomware risk as many think.

“There are a lot of hypotheses about AI being very useful for social engineering,” Lee told CNBC. “However, when you look at existing attacks that clearly work, it tends to be the simplest attacks that are most successful.”

Targeting cloud systems

A serious threat to watch out for in the future may be hackers targeting cloud systems, which enable companies to store data and host websites and applications in remote data centers.

“We haven't seen a huge amount of ransomware hitting cloud systems, and I think that's probably going to be the future as it moves forward,” Lee said.

We could eventually see ransomware attacks that encrypt cloud assets, block access to them by changing credentials, or use identity-based attacks to deny users access, Lee said.

Geopolitics is also expected to play a major role in the way ransomware evolves in the coming years.

“Over the past 10 years, the distinction between criminal ransomware and nation-state attacks has become increasingly blurred, and ransomware has become a geopolitical weapon that can be used as a geopolitical tool to disrupt organizations in countries perceived as hostile,” Lee said.

“I think we'll probably see more of that,” he added. “It is amazing to see how a nation-state can co-opt the criminal world to do its bidding.”

Another threat that Lee sees gaining more attention is independently distributed ransomware.

“There is still room for more ransomware that spreads independently — perhaps not hitting everything in its path but limited to a specific domain or organization,” he told CNBC.

Lee also expects ransomware-as-a-service to expand rapidly.

“I think we will increasingly see the ransomware ecosystem become more professionalized, moving almost exclusively toward a ransomware-as-a-service model,” he said.

But even as the ways criminals use ransomware evolve, the actual makeup of the technology is not expected to change radically in the coming years.

“Outside of RaaS providers and those who benefit from stolen or purchased toolchains, credentials and system access have proven effective,” Jake King, security lead at internet search company Elastic, told CNBC.

“Until more barriers emerge for adversaries, we will likely continue to observe the same patterns.”
