Ransomware is here, and it is here to stay: let’s deal with it


Ransomware is not a new phenomenon, but the evolution of criminals’ capabilities and execution has accelerated its impact on contemporary society. Governmental agencies and cybercrime groups have been involved in a cat-and-mouse game for a long time, and the reality is that this game is not likely to end anytime soon.

Recently, the FBI announced a major blow to one of the biggest cybercrime groups in the field: LockBit. Read on for a brief overview of the history of ransomware, how LockBit became a prominent player, and what you can do to reduce the probability of your company falling victim or deal with it effectively if it does.

The history of ransomware

Ransomware has changed significantly since its first recognised occurrence in 1989. Back then, the ‘AIDS’ malware (a Trojan horse) was delivered on a floppy disk and encrypted the filenames on drive C:. Around 26,000 floppy disks were reportedly distributed to 90 countries. Its creator, evolutionary biologist Joseph L. Popp, was associated with supporting research on AIDS. Fortunately, no one on the mailing list (attendees of the World Health Organization’s international AIDS conference) is known to have paid the extortion demand.


Figure 1 – The text prompt shown after infection, by Joseph L. Popp, AIDS Information Trojan author (Public Domain).


This early type of ransomware made use of simple symmetric encryption, and the decryption key could be extracted from the code of the trojan. Some versions of the malware resembled a logic time bomb, in that they encrypted the hard drive only after 90 reboots. Affected users were then confronted with a text message asking for a payment of at least $189 to a fictional company.
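The weakness described above (a symmetric key that ships inside the trojan) is easy to show from the analyst’s side. The following is an added example, not code from the original post or from any real sample: it builds a constructed toy “binary” that carries its key after an assumed `KEY=` marker, locates that key the way an analyst would while examining the file, and uses it to restore filenames scrambled with repeating-key XOR. The marker, the key value and the filenames are all assumptions made up for the example. With the asymmetric designs discussed in the next section, only the attacker’s public key is embedded, so this kind of recovery is no longer possible.

```python
"""Added example: a symmetric key embedded in malware code is recoverable."""
import re

# Assumed layout of the constructed toy sample: the key follows a "KEY="
# marker and is NUL-terminated. Real samples store keys differently; this
# marker exists only so the example is self-contained.
KEY_MARKER = b"KEY="
EMBEDDED_KEY = b"floppy89"   # constructed key value


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR: the same operation both scrambles and restores."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_sample() -> bytes:
    """Constructed stand-in for a trojan image (filler bytes plus the key)."""
    return (b"\x00" * 16 + b"MZ" + b"\x90" * 32
            + KEY_MARKER + EMBEDDED_KEY + b"\x00" + b"\xcc" * 16)


def extract_key(sample: bytes) -> bytes:
    """Analyst side: pull the hard-coded key out of the sample bytes."""
    match = re.search(re.escape(KEY_MARKER) + rb"([^\x00]+)\x00", sample)
    if match is None:
        raise ValueError("no embedded key found in sample")
    return match.group(1)


def recover_filenames(encrypted: list, sample: bytes) -> list:
    """Restore scrambled filenames using only the key found in the sample."""
    key = extract_key(sample)
    return [xor_bytes(blob, key).decode("ascii") for blob in encrypted]


# Constructed victim data: what the toy scheme would have left on disk.
ORIGINAL_NAMES = ["REPORT.TXT", "BUDGET.WK1"]
ENCRYPTED_NAMES = [xor_bytes(n.encode("ascii"), EMBEDDED_KEY) for n in ORIGINAL_NAMES]

if __name__ == "__main__":
    print("key found in sample:", extract_key(build_sample()))
    print("recovered:", recover_filenames(ENCRYPTED_NAMES, build_sample()))
```

The point of the example is the asymmetry of effort: the victim never needs to contact the extortionist, because everything required to reverse the damage is present in the file that caused it.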

Changing the game

As the internet became more widely available, so did ransomware. Instead of symmetric encryption, newer kinds of trojans employed more sophisticated asymmetric RSA encryption, with ever-increasing key sizes. Besides the internet, other technologies, such as the emergence of the blockchain and onion routing (a technique for anonymous communication over a computer network, where messages are encapsulated in layers of encryption), helped make ransomware attacks more effective. Cryptocurrency demands undermine traceability, and the existence of crypto mixers enables money laundering. In addition, anonymous communication through the Tor network makes it easier to stay under the radar.

The game changed in 2013 when Cryptolocker came to the fore. This ransomware was the first to be spread through a botnet, and used 2048-bit RSA encryption to increase its reach and complexity.


Figure 2 - An example of how crypto mixing facilitates money laundering (Creative Commons).


Over the last decade, the scale and frequency of ransomware attacks have increased significantly, especially since 2020. There are several reasons for this trend. Firstly, ransomware-as-a-service (RaaS) became a phenomenon, implying a branching-off in operations: different groups (‘brokers’) specialised and became responsible for different stages of the cyber kill chain. This created a market in which specialised groups cooperate and compete with each other. In effect, this marketisation by RaaS programmes accelerates the development of sophisticated ransomware, including user dashboards, subscriptions, and even technical support. This, in turn, allows affiliates (including those without technical knowledge) to purchase and execute ransomware more quickly and efficiently than before, contributing to the growing frequency and impact of the corresponding attacks.

Incidentally, in 2017 a hacker group named The Shadow Brokers leaked high-grade hacking tools developed by the NSA. One of these tools, EternalBlue, made it possible for malware authors to infect many systems worldwide.

Ransomware initially threatened its victims with the loss of their data unless they paid to unlock it. However, the existence of (offline) backups allows companies to regain business continuity without having to pay the ransomware operators. This fact undoubtedly encouraged these operators to shift to another strategy: leaking sensitive data to the public. Given that companies are bound by privacy laws, which incur penalties for failure to comply (and have a reputation to take seriously), this strategy provides ransomware operators in the RaaS market with renewed leverage (double extortion) for their blackmailing campaigns.

The emergence of LockBit

Since 2019, LockBit has evolved into the most prolific RaaS group in the market. According to Flashpoint, 21 percent of worldwide ransomware attacks in 2023 were attributable to LockBit’s ransomware. Initially appearing as LockBit 1.0 or “ABCD” (where encrypted files received an ‘.abcd’ extension), the malware developed into its current (2024) version, namely LockBit-NG-Dev (LockBit 4.0).

Several reasons are recognised for its infamous rise to the top of the game. One is its business-oriented approach, including a ‘bug bounty’ programme for internal and external innovation, a clear and generous affiliate programme, and accounting for the data privacy laws applicable to its targets, so as to maximise its potential revenue. Another is the fall of other notable cybercrime groups (e.g. Conti in 2022), which created more traction for LockBit. Just as important is the continuous development of its ransomware, including technical features like faster encryption and, with the latest iteration, functionality that randomises file names to frustrate restoration.

A major takedown

In February 2024, a collective operation led by the UK’s National Crime Agency (UK NCA) and the US’s FBI culminated in a disruption of LockBit operations. This included a takedown of 34 servers, a freeze of 200 cryptocurrency accounts, several arrests and a takeover of a large data set that will be used in further investigations. The UK NCA used this opportunity to ‘deface’ LockBit’s leak site (see the figure below).

However, the alleged leader of LockBit, LockBitSupp, responded to the operation and attempted to downplay its impact. Even though a new version of LockBit has entered the scene, it is hard to predict the extent to which LockBit will retain its position, especially given its recognised problems even before the takedown. In any case, cybercrime groups and businesses are intertwined in a continued cycle of co-evolution, which means that it is never a bad idea to take cyber maturity and resilience seriously.


Figure 3 - The seizure of the LockBit leak site as part of Operation Cronos.

Reduce risk or deal with it?

There are many steps businesses can take to reduce their risk of becoming a ransomware victim. Given the evolution of ransomware gangs and their methods, this should be at the top of any company’s priority list. Risk reduction is multi-faceted and consists of measures and controls relating to people, technology and processes.

In the case of ransomware, it is clear that initial entry most often occurs through phishing emails containing malicious links or attachments. At first glance, this justifies a focus on the people side of risk reduction, and awareness campaigns are generally considered an important first step. However, this is not a cure-all: attackers only need to find one vulnerability or one phishing victim, whereas defenders need to keep the whole infrastructure protected. So, what to do when ransomware has entered the building?

Deal with it

This is where Sopra Steria comes in. Besides our cybersecurity and compliance solutions to keep malicious actors out, we also want to make sure that your business has effective ways of dealing with malicious actors once they are in. We live in a world that is becoming increasingly digital (consider the current developments in AI and the Internet of Things (IoT)). This makes it more difficult to defend and manage your attack surface. Therefore, we believe that the Assume Breach mindset is the right stance.

Sopra Steria advises companies on effective methods of incident response. This can mean helping them set up a proper information security management system (ISMS) or facilitating a tabletop cyber crisis simulation. A ransomware simulation can turn out to be rather effective because it is a hands-on approach in which your business is confronted with a ‘pressure cooker’ that reflects the pressure of a real attack. Aiming to test and improve both your strategic and operational resilience, several questions can be factored in.

Are the incident urgency and business impact clearly defined? Who is to communicate with the press, and when? Is there a plan for business continuity in place? What about your supply chain? Questions like these should be asked, and we are ready to help you answer them.

Author: Brandon Pakker
Technical Security Consultant
