What is Ransomware?
Ransomware is a type of malicious software that encrypts user files, databases, or entire systems so that they become inaccessible, or that locks the victim out of the system, and then demands a ransom in exchange for decryption or restored access. It is considered one of the most dangerous and economically damaging cyber threats of the modern era.
History and Development
The history of ransomware dates back to the 1980s. The first known ransomware attack was carried out in 1989 with the "AIDS Trojan", also known as "PC Cyborg." It was distributed on floppy disks, and after a set number of reboots it hid directories and encrypted file names on the hard drive, then demanded a "license fee" of $189 to be mailed to a post office box. However, ransomware only became a real threat after the mid-2000s.
In 2005-2006, the first modern ransomware samples emerged (for example the Gpcode family) and began to use asymmetric cryptography, although early implementations were often flawed enough that researchers could recover files. In 2013, CryptoLocker marked the beginning of a new wave of ransomware attacks: it had the attackers' server generate an RSA key pair per victim, encrypted files with AES and protected the AES keys with the RSA public key, so that files could not be recovered without the private key, which only the attackers held.
In 2015-2016 the ransomware industry grew rapidly, with families such as TeslaCrypt, Locky, and Cerber. 2017 was the peak year for indiscriminate ransomware: in May, WannaCry spread worldwide as a worm using the EternalBlue exploit for a Windows SMBv1 vulnerability (patched by Microsoft as MS17-010 two months earlier) and infected over 200,000 computers in more than 150 countries. The next month, NotPetya (also called ExPetr) was seeded through a compromised update of the Ukrainian M.E.Doc accounting software and caused major damage to Ukrainian and European companies. NotPetya displayed a ransom demand but offered no working way to decrypt, so it is now generally regarded as a destructive wiper disguised as ransomware.
Since 2018, ransomware attacks have become more targeted. Instead of individual users, cybercriminals began attacking large corporations, government agencies, hospitals, and critical infrastructure operators, typically gaining a foothold in the network and moving laterally for days or weeks before deploying the encryptor. In 2019-2020 this "big game hunting" strategy, in which attackers select large organizations in order to extract ransoms of millions of dollars, became widespread.
In late 2019 the "double extortion" tactic appeared, and by 2020 it had become widespread: attackers exfiltrate data before encrypting it and threaten to publish it on a leak site if the victim does not pay, so that even a victim with good backups is under pressure. In "triple extortion", attackers add a further lever, such as DDoS attacks against the victim or direct pressure on the victim's customers and partners.
Types of Ransomware
- Crypto Ransomware (Encrypting Ransomware) - Encrypts user files using strong cryptographic algorithms, typically a hybrid scheme in which each file is encrypted with a fast symmetric cipher (AES or ChaCha20) and the symmetric key is in turn encrypted with the attackers' public key (RSA or an elliptic-curve scheme), so that only the attackers' private key can unlock it. This type targets documents, images, videos, databases, and other important files. Once encryption is complete, files can normally be recovered only from backups or with the attackers' key, unless the family has an implementation flaw that lets researchers build a free decryptor.
- Locker Ransomware (Screen Locker Ransomware) - Completely prevents user access to the device by blocking the computer's operating system or screen. Files are not encrypted, but the system becomes unusable.
- Scareware - Fake antivirus or "cleaner" programs that frighten users with claims of infections on the system and demand payment for "cleaning." Strictly speaking scareware does not encrypt or lock anything, but it is usually grouped with ransomware because of its extortion model.
- Doxware or Leakware - A type of ransomware that threatens to release personal or confidential information to the internet. This type is especially dangerous for companies.
- RaaS (Ransomware-as-a-Service) - Ransomware offered as a service. Operators develop and maintain the malware, payment portal, and leak site; affiliates rent access, carry out the intrusions, and hand over a percentage of each ransom. This model has decoupled malware development from intrusion skills and led to mass distribution of ransomware.
- Mobile Ransomware - A type of ransomware that targets mobile devices (smartphones, tablets). It is more commonly found on Android devices.
- IoT Ransomware - Ransomware targeting Internet of Things (IoT) devices such as smart home hubs, cameras, and other connected equipment. So far this has mostly been demonstrated in research rather than seen at scale.
Operating Principle
A ransomware attack occurs in several stages:
- Infection - Ransomware enters the system (via an email attachment, a malicious link, an exploited vulnerability, or stolen remote-access credentials).
- Execution and spread - The malicious program runs and often disables security tools. In targeted attacks the operators move laterally across the network to reach domain controllers, file servers, and backup systems before encryption starts.
- Establishing connection - Many families contact command-and-control (C&C) servers to register the victim and upload the generated keys. Modern ransomware, however, usually ships with the attackers' public key embedded and can encrypt even when it has no network access.
- Encryption - The program enumerates important files and encrypts them with strong cryptography. Before doing so it usually deletes Volume Shadow Copies and other local backups and disables Windows recovery options (for example with vssadmin, wbadmin, and bcdedit commands) so that the victim cannot roll back.
- Ransom note - After encryption is complete, a ransom note appears on the screen or in files dropped into each directory. This note contains the ransom amount, payment instructions, and contact information.
- Payment demand - Payment is usually demanded in Bitcoin or other cryptocurrencies. A deadline (typically 24-72 hours) is set, after which the price rises or the stolen data is published.
- Decryption (or not) - In some cases a decryptor is provided after the ransom is paid, but there is no guarantee, and decryptors supplied by criminals are frequently slow or buggy.
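The backup-destruction step is one of the most reliable places to catch an attack before encryption finishes, because the commands involved are rare in normal administration. The following detection script is an added example and not part of the original article: it parses constructed process-creation log lines (flattened to key=value pairs; the field names Host, User, ParentImage and CommandLine are an assumption of this example, not a fixed vendor schema) and flags the shadow-copy deletion and recovery-disabling commands named above.

```python
"""Flag process-creation events that match commands ransomware runs to
destroy local backups and disable Windows recovery.

Added example, not part of the original article. The log lines below are
constructed to resemble Windows process-creation events (Security event
4688 or Sysmon event 1) flattened to key=value pairs; the field names
Host, User, ParentImage and CommandLine are an assumption of this example.
"""
import re
from typing import Dict, List, Tuple

# Detection rules: (rule name, pattern). Patterns are matched against a
# normalised command line (lower-cased, whitespace collapsed), which
# defeats the mixed-case and extra-space tricks seen in real samples.
RULES: List[Tuple[str, re.Pattern]] = [
    ("vssadmin delete shadows",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b")),
    # Shrinking shadow storage forces Windows to discard existing copies.
    ("vssadmin resize shadowstorage",
     re.compile(r"\bvssadmin(\.exe)?\s+resize\s+shadowstorage\b")),
    ("wmic shadowcopy delete",
     re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b")),
    ("wbadmin delete catalog",
     re.compile(r"\bwbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)\b")),
    # Turns off the Windows Recovery Environment / automatic repair on boot.
    ("bcdedit disable recovery",
     re.compile(r"\bbcdedit(\.exe)?\s+.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b")),
    # PowerShell/WMI equivalent of "vssadmin delete shadows".
    ("powershell remove shadow copies",
     re.compile(r"win32_shadowcopy.*(remove-wmiobject|\.delete\(\))")),
]


def parse_event(line: str) -> Dict[str, str]:
    """Parse 'key=value key="quoted value"' pairs into a dict."""
    fields: Dict[str, str] = {}
    for m in re.finditer(r'(\w+)=("([^"]*)"|(\S+))', line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def normalise(command_line: str) -> str:
    """Lower-case and collapse whitespace so rules match case-mangled commands."""
    return re.sub(r"\s+", " ", command_line).strip().lower()


def detect(lines: List[str]) -> List[Dict[str, str]]:
    """Return one hit per event whose command line matches a rule."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        ev = parse_event(line)
        cmd = normalise(ev.get("CommandLine", ""))
        for rule, pattern in RULES:
            if pattern.search(cmd):
                hits.append({"host": ev.get("Host", "?"), "user": ev.get("User", "?"),
                             "parent": ev.get("ParentImage", "?"), "rule": rule,
                             "command": cmd})
                break  # one hit per event is enough for an alert
    return hits


# Constructed sample events (not real telemetry): a benign vssadmin query,
# a benign service start, and five recovery-inhibition commands, most of
# them launched from an unusual parent in a user-writable directory.
SAMPLE_EVENTS = [
    'Host=WS042 User=CORP\\jdoe ParentImage=C:\\Windows\\explorer.exe CommandLine="vssadmin list shadows"',
    'Host=FS01 User="NT AUTHORITY\\SYSTEM" ParentImage=C:\\Users\\Public\\svc.exe CommandLine="vssadmin.exe Delete   Shadows /All /Quiet"',
    'Host=FS01 User="NT AUTHORITY\\SYSTEM" ParentImage=C:\\Users\\Public\\svc.exe CommandLine="cmd.exe /c wbadmin DELETE CATALOG -quiet"',
    'Host=FS01 User="NT AUTHORITY\\SYSTEM" ParentImage=C:\\Users\\Public\\svc.exe CommandLine="bcdedit /set {default} recoveryenabled No"',
    'Host=FS01 User="NT AUTHORITY\\SYSTEM" ParentImage=C:\\Users\\Public\\svc.exe CommandLine="wmic.exe shadowcopy delete /nointeractive"',
    'Host=WS017 User=CORP\\svc_deploy ParentImage=C:\\Windows\\System32\\cmd.exe CommandLine="powershell.exe -nop -w hidden -c Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }"',
    'Host=WS042 User="NT AUTHORITY\\SYSTEM" ParentImage=C:\\Windows\\System32\\services.exe CommandLine="C:\\Windows\\System32\\svchost.exe -k netsvcs"',
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"[{hit['rule']}] {hit['host']} {hit['user']} parent={hit['parent']}")
```

In production the same rules would be expressed in the SIEM's query language; the value of the parent process field is that legitimate backup software rarely calls these tools from a binary sitting in a user-writable directory, which makes a good second condition for raising severity.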
Distribution Methods
Ransomware spreads through various methods:
- Phishing emails - The most common initial-access method. Emails carry malicious attachments (often Office documents with macros or archives containing a loader) or links to credential-harvesting or malware-download pages.
- Malicious advertising (Malvertising) - Malicious code placed in advertisements on legitimate websites.
- Drive-by downloads - Malware delivered automatically when a user visits a compromised or malicious site, typically through an exploit kit that targets the browser or its plugins.
- RDP (Remote Desktop Protocol) attacks - Brute-force or credential-stuffing attacks against RDP services exposed to the internet, or logins with credentials bought from initial-access brokers.
- Exploiting vulnerabilities - Using unpatched flaws in internet-facing software, especially VPN appliances, firewalls, and file-transfer servers.
- Infected software updates - Malicious code delivered through a compromised vendor's legitimate update channel (a supply chain attack), as in the NotPetya outbreak.
- USB and other storage devices - Distribution via physical storage devices.
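Exposed RDP is the distribution method that is easiest to detect from the victim's own logs, because every guessed password leaves a failed-logon event. The script below is an added example, not part of the original article: it runs over constructed JSON records that mimic Windows Security events 4625 (failed logon) and 4624 (successful logon), counts failures per source address in a sliding window, distinguishes a brute force against one account from a password spray across many, and raises a separate alert when a flagged address finally logs in. The field names follow the Windows event schema, but the records themselves are invented.

```python
"""Detect RDP password guessing from Windows logon events.

Added example, not part of the original article. The input is constructed
JSON records mimicking Security log events 4625 (failed logon) and 4624
(successful logon). Field names follow the Windows event schema (EventID,
LogonType, IpAddress, TargetUserName); the records are invented.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Set

FAILED_LOGON = 4625
SUCCESSFUL_LOGON = 4624
# Interactive RDP logons are LogonType 10 (RemoteInteractive). With Network
# Level Authentication enabled, failed RDP attempts are recorded as
# LogonType 3 (Network) because credentials are checked before a desktop
# session exists, so both types are counted here.
RDP_LOGON_TYPES = {3, 10}
WINDOW = timedelta(minutes=5)
THRESHOLD = 5  # failures per source IP inside WINDOW


def load_records(text: str) -> List[dict]:
    """Parse newline-delimited JSON into a list of event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _when(rec: dict) -> datetime:
    return datetime.fromisoformat(rec["TimeCreated"])


def detect_rdp_bruteforce(records: List[dict], window: timedelta = WINDOW,
                          threshold: int = THRESHOLD) -> List[dict]:
    """Alert on source IPs exceeding `threshold` failed RDP logons inside a
    sliding `window`, and on a later successful RDP logon from a flagged IP."""
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)
    users: Dict[str, Set[str]] = defaultdict(set)  # usernames tried per IP
    flagged: Set[str] = set()
    alerts: List[dict] = []
    for rec in sorted(records, key=_when):
        if rec.get("LogonType") not in RDP_LOGON_TYPES:
            continue  # console, service and other non-RDP logons are ignored
        ip, now = rec.get("IpAddress", "-"), _when(rec)
        if rec["EventID"] == FAILED_LOGON:
            q = failures[ip]
            q.append(now)
            users[ip].add(rec.get("TargetUserName", "?").lower())
            while q and now - q[0] > window:  # drop failures outside the window
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                # Many passwords against one account is brute force; a few
                # passwords against many accounts is a password spray.
                kind = "password spray" if len(users[ip]) > 1 else "brute force"
                alerts.append({"kind": kind, "ip": ip, "failures": len(q),
                               "users": sorted(users[ip]), "at": now.isoformat()})
        elif rec["EventID"] == SUCCESSFUL_LOGON and ip in flagged:
            # The guessing worked: this is the alert that needs immediate action.
            alerts.append({"kind": "success after failures", "ip": ip,
                           "user": rec.get("TargetUserName"), "at": now.isoformat()})
    return alerts


# Constructed sample log (not real data): a brute force against Administrator
# that eventually succeeds, a password spray from a second address, scattered
# failures below the threshold, a user typo, and a local (non-RDP) failure.
SAMPLE_LOG = """\
{"TimeCreated": "2024-03-01T02:00:00", "EventID": 4625, "LogonType": 3, "IpAddress": "10.0.0.5", "TargetUserName": "Administrator"}
{"TimeCreated": "2024-03-01T02:00:07", "EventID": 4625, "LogonType": 3, "IpAddress": "10.0.0.5", "TargetUserName": "Administrator"}
{"TimeCreated": "2024-03-01T02:00:15", "EventID": 4625, "LogonType": 3, "IpAddress": "10.0.0.5", "TargetUserName": "Administrator"}
{"TimeCreated": "2024-03-01T02:00:22", "EventID": 4625, "LogonType": 3, "IpAddress": "10.0.0.5", "TargetUserName": "Administrator"}
{"TimeCreated": "2024-03-01T02:00:31", "EventID": 4625, "LogonType": 3, "IpAddress": "10.0.0.5", "TargetUserName": "Administrator"}
{"TimeCreated": "2024-03-01T02:00:40", "EventID": 4625, "LogonType": 3, "IpAddress": "10.0.0.5", "TargetUserName": "Administrator"}
{"TimeCreated": "2024-03-01T02:01:05", "EventID": 4624, "LogonType": 10, "IpAddress": "10.0.0.5", "TargetUserName": "Administrator"}
{"TimeCreated": "2024-03-01T02:10:00", "EventID": 4625, "LogonType": 3, "IpAddress": "198.51.100.23", "TargetUserName": "jsmith"}
{"TimeCreated": "2024-03-01T02:10:20", "EventID": 4625, "LogonType": 3, "IpAddress": "198.51.100.23", "TargetUserName": "mbrown"}
{"TimeCreated": "2024-03-01T02:10:41", "EventID": 4625, "LogonType": 3, "IpAddress": "198.51.100.23", "TargetUserName": "svc_backup"}
{"TimeCreated": "2024-03-01T02:11:02", "EventID": 4625, "LogonType": 3, "IpAddress": "198.51.100.23", "TargetUserName": "helpdesk"}
{"TimeCreated": "2024-03-01T02:11:25", "EventID": 4625, "LogonType": 3, "IpAddress": "198.51.100.23", "TargetUserName": "Administrator"}
{"TimeCreated": "2024-03-01T03:00:00", "EventID": 4625, "LogonType": 3, "IpAddress": "203.0.113.7", "TargetUserName": "jdoe"}
{"TimeCreated": "2024-03-01T03:12:00", "EventID": 4625, "LogonType": 3, "IpAddress": "203.0.113.7", "TargetUserName": "jdoe"}
{"TimeCreated": "2024-03-01T03:25:00", "EventID": 4625, "LogonType": 3, "IpAddress": "203.0.113.7", "TargetUserName": "jdoe"}
{"TimeCreated": "2024-03-01T08:30:00", "EventID": 4625, "LogonType": 10, "IpAddress": "192.168.1.20", "TargetUserName": "jdoe"}
{"TimeCreated": "2024-03-01T08:30:10", "EventID": 4624, "LogonType": 10, "IpAddress": "192.168.1.20", "TargetUserName": "jdoe"}
{"TimeCreated": "2024-03-01T09:00:00", "EventID": 4625, "LogonType": 2, "IpAddress": "-", "TargetUserName": "jdoe"}
"""

if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(load_records(SAMPLE_LOG)):
        print(alert)
```

The threshold and window are tuning knobs: a slow attacker spacing attempts minutes apart (the 203.0.113.7 pattern above) slips under a five-minute window, which is why account lockout and an allow-list of source addresses are better controls than detection alone for an RDP service that must stay reachable.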
Targets
Ransomware attacks target various victims:
- Healthcare sector - Hospitals and clinics are frequently targeted because downtime directly endangers patient care, which increases the pressure to pay quickly.
- Public sector - Municipalities, government agencies, schools, and universities.
- Financial sector - Banks and financial institutions.
- Manufacturing enterprises - Shutting down factories and plants causes major losses for every day of downtime.
- Small and medium businesses - Often targeted because their security controls are weaker.
- Individual users - Personal files and photos are encrypted, although mass attacks on home users have declined as criminals have shifted to organizations.
Economic Impact
The economic damage from ransomware attacks increases year by year. According to industry estimates, global damage from ransomware was approximately $20 billion in 2021 and exceeded $30 billion in 2023. The average ransom payment rose from about $170,000 in 2020 to roughly $1.5 million in 2023. The ransom itself, however, is only a small part of the total loss: the main costs are system recovery, lost data, business interruption, legal and regulatory exposure, and reputational damage.
Examples of notable ransomware attacks:
- Colonial Pipeline (2021) - One of the largest fuel pipelines in the US was attacked by the DarkSide RaaS group after the attackers logged in through a legacy VPN account that had no multi-factor authentication. The operator halted the pipeline for several days and paid a ransom of about $4.4 million (75 BTC); the US Department of Justice later seized roughly 63.7 BTC of that payment.
- JBS Foods (2021) - The world's largest meat producer paid an $11 million ransom after a REvil attack halted production plants in the US and Australia.
- Kaseya (2021) - REvil affiliates exploited a zero-day vulnerability in the Kaseya VSA remote-management product and used its own update mechanism to push ransomware through managed service providers to an estimated 1,500 downstream businesses, a supply chain attack.
Protection and Security Measures
A multi-layered security strategy must be implemented to protect against ransomware:
- Backups - Regular, automatic backups are the most important protection measure. Follow the 3-2-1 rule (three copies, on two different media, one of them off-site), keep at least one copy offline or immutable so that an attacker holding domain administrator rights cannot delete it, and test restores regularly.
- Software updates - Patch operating systems and applications promptly, prioritizing internet-facing systems such as VPN gateways and remote-access servers.
- Antivirus and antimalware - Endpoint protection and EDR tooling should be installed, kept active, and monitored, with tamper protection enabled so that attackers cannot simply switch it off.
- Email filtering - Spam and phishing filtering, attachment sandboxing, and blocking of risky attachment types.
- Network segmentation - Dividing the network into separate segments, with backup infrastructure isolated most strictly, limits how far ransomware can spread.
- User training - Increasing cybersecurity awareness among employees, including how to report suspicious emails.
- MFA (Multi-Factor Authentication) - Required for all remote access (VPN, RDP, webmail) and for privileged accounts.
- RDP security - Do not expose RDP directly to the internet; place it behind a VPN with MFA, enable Network Level Authentication and account lockout, and monitor for failed logons.
- Principle of least privilege - Granting users only the minimum access rights necessary, and keeping domain administrator accounts out of daily use so that a single compromised workstation does not hand over the whole domain.
- Incident response plan - A written and rehearsed plan defining who does what in case of an attack, including offline copies of contact details and recovery procedures.
Response to Ransomware Attack
When a ransomware attack occurs:
- Immediately isolate infected devices from the network (unplug the cable or disable Wi-Fi) to stop the spread, and disable the accounts the attackers were seen using.
- Do not power off the device: encryption keys, running processes, and other volatile evidence in memory may be lost. Isolation, not shutdown, is the goal.
- Identify the ransomware family from the ransom note and the extension appended to encrypted files; the No More Ransom project (nomoreransom.org) lists free decryptors for families whose encryption has been broken.
- Notify law enforcement and engage incident response specialists; preserve logs and disk images before rebuilding anything.
- Find and close the entry point before restoring, then restore from backups that have been verified to be clean, so that the attackers cannot simply re-encrypt.
- Do not pay the ransom: it funds further attacks, provides no guarantee that a working decryptor will be delivered, may be prohibited where the group is under sanctions, and does not undo data theft in a double-extortion case.
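Identifying what happened on a disk is usually the first hands-on task in a ransomware response. The script below is an added example and not part of the original article: it builds a small constructed sample tree in a temporary directory (plaintext files, random bytes renamed with an unknown extension as a stand-in for ciphertext, and two ransom-note-like text files) and then reports candidate ransom notes, the extension histogram, and files whose Shannon entropy is close to the 8 bits per byte that encrypted data exhibits. In a real case it would be run read-only against a forensic image of the victim disk, never on the live infected host.

```python
"""Triage a directory tree for evidence of ransomware encryption.

Added example, not part of the original article. It builds a constructed
sample tree (plaintext files, random bytes renamed with an unknown
extension as a stand-in for ciphertext, and two ransom-note-like files)
and reports ransom-note candidates, the extension histogram, and files
with encryption-like entropy. Run it against a forensic image, not a live
infected host.
"""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path
from typing import Dict, List, Tuple

# Encrypted or compressed data approaches 8 bits of entropy per byte;
# natural-language text usually sits around 4 to 5.
ENTROPY_THRESHOLD = 7.5
# Formats that are high-entropy by design. For these the signal is an extra
# unknown extension (photo.jpg.locked), not the entropy of the bytes.
COMPRESSED_EXTENSIONS = {".zip", ".7z", ".gz", ".jpg", ".jpeg", ".png", ".mp4",
                         ".pdf", ".docx", ".xlsx", ".pptx"}
NOTE_KEYWORDS = ("decrypt", "bitcoin", "your files", "restore", ".onion")
NOTE_NAME_HINTS = ("readme", "recover", "decrypt", "how_to", "help")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input, 8.0 maximum)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_like_ransom_note(path: Path) -> bool:
    """Heuristic: a text-like file containing extortion vocabulary."""
    if path.suffix.lower() not in (".txt", ".html", ".hta", ""):
        return False
    try:
        text = path.read_text(errors="ignore").lower()
    except OSError:
        return False
    hits = sum(k in text for k in NOTE_KEYWORDS)
    named_like_note = any(h in path.stem.lower() for h in NOTE_NAME_HINTS)
    return hits >= 2 or (named_like_note and hits >= 1)


def triage(root: Path, sample_bytes: int = 65536) -> Dict[str, object]:
    """Walk `root` and collect encryption indicators."""
    high_entropy: List[Tuple[str, float]] = []
    notes: List[str] = []
    extensions: Counter = Counter()
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        ext = p.suffix.lower() or "<none>"
        extensions[ext] += 1
        if looks_like_ransom_note(p):
            notes.append(p.name)
            continue
        if ext in COMPRESSED_EXTENSIONS:
            continue  # entropy alone proves nothing for these formats
        with p.open("rb") as f:
            ent = shannon_entropy(f.read(sample_bytes))  # the file head is enough
        if ent >= ENTROPY_THRESHOLD:
            high_entropy.append((p.name, round(ent, 2)))
    return {"high_entropy_files": sorted(high_entropy),
            "ransom_notes": sorted(notes),
            "extensions": dict(extensions)}


def build_sample_tree(root: Path) -> None:
    """Constructed sample data, not taken from any real incident."""
    docs = root / "docs"
    docs.mkdir()
    (docs / "budget.xlsx").write_bytes(b"Quarterly budget, plaintext stand-in for a spreadsheet.\n" * 40)
    (docs / "minutes.txt").write_text("Meeting minutes: agreed to test backups monthly.\n" * 50)
    for name in ("report.docx.locked", "photo.jpg.locked", "db.sqlite.locked"):
        (docs / name).write_bytes(os.urandom(4096))  # stand-in for ciphertext
    (docs / "README_TO_RESTORE.txt").write_text(
        "All your files have been encrypted. To decrypt them, contact us at the "
        ".onion address below and pay in Bitcoin.\n")
    (root / "HOW_TO_DECRYPT.txt").write_text("Your files are encrypted. Pay bitcoin to restore them.\n")


def run_demo() -> Dict[str, object]:
    """Build the sample tree in a temporary directory, triage it, return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return triage(root)


if __name__ == "__main__":
    report = run_demo()
    print("Extension histogram:", report["extensions"])
    print("Candidate ransom notes:", report["ransom_notes"])
    for name, ent in report["high_entropy_files"]:
        print(f"high entropy {ent:.2f} bits/byte: {name}")
```

The three indicators reinforce each other: a sudden new extension dominating the histogram, ransom notes repeated in every directory, and near-8.0 entropy in files that used to be documents together point to a family long before any malware sample is found, and the note text and extension are exactly what public decryptor catalogues are indexed by.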
Future Trends
The ransomware threat continues to evolve. Expected trends include the use of artificial intelligence and machine learning by attackers, for example to craft more convincing phishing lures, more targeted attacks, more attacks on critical infrastructure, and further targeting of mobile and IoT devices. International cooperation between law enforcement agencies and stronger cybersecurity measures are essential in combating this threat.