Ransomware has become one of the greatest threats to businesses globally. Successful attacks can be costly, both monetarily and reputationally, and defending against them is taking up an increasing amount of security professionals’ time, energy, and budget.
The stakes are high. A survey by cyber security firm Sophos found that the median ransom payment made by businesses it surveyed in the first half of the year was $400,000 (£323,200). While this is a significant chunk of money in its own right, 40% of respondents admitted to paying ransoms in excess of $1 million (£800,000), leading to a mean of $1.54 million (£1.24 million). Even at the lower end, paying up is getting more expensive – only 34% of respondents paid less than $100,000 (£80,800) in 2023, compared to 54% the previous year.
Importantly, these figures don’t take into account the cost of cleaning up after the breach, from dealing with lost data to bringing in specialist teams to ensure attackers aren’t still lurking in the victim’s systems, to explaining what happened to customers and suppliers.
While the origins and motivations of ransomware actors may seem shadowy or just downright malign, as is so often the case, there’s more to it than that.
The end of an era
When looking for the parents of cyber crime as we now know it, experts point to two key turning points in the 1990s: The fall of the Soviet Union and the widespread global adoption of electronic finance.
“The evolution of the cybercrime community began in basically 1995,” says Tom Kellerman, head of cybersecurity strategy at VMware and member of the Cybercrime Investigations Advisory Board for the United States Secret Service, in Origins of Cybercrime, episode one of Sophos’ three-part video series Think you know ransomware?.
“The central banking community of the world and the major financial institutions of the world moved to electronic finance. There was no longer a delay in when a payment would arrive at another institution, which allowed for greater liquidity in the markets. This is when money became digital.
“This was compounded,” he continues, “by a functional reality that you had a lot of computer scientists that used to be employed [in] the Soviet Bloc who were unemployed because the Soviet Union collapsed. And these folks harnessed their own skill sets to then bypass the encryption and the solutions employed by the banks to begin the largest theft in the history of the world: Cybercrime.”
Initially, these activities were often limited to what we would now call credential harvesting: Collecting people’s names, contact details, or email addresses and selling them on to marketing lists or purveyors of spam mail.
Over time, this has evolved into the cybercrime landscape we know today, with ransomware being the most costly, destructive, and damaging kind.
As Jeremy Sheridan, assistant director of the Office of Investigations of the United States Secret Service, puts it: “All cybercrime is about unauthorized access. But in terms of using that access to prevent the organization from being able to function and to hold it hostage, that has been a relatively recent phenomenon.”
From petty thieves to organized crime
Another inflection point in the evolution of cybercrime and the growth of ransomware came in 2008, in the wake of the global financial crisis.
Prior to this, ransomware attacks were often carried out by groups of just a handful of people who had to take care of everything themselves, from writing the malware to running the infrastructure and handling negotiations. Following the recession, however, ransomware gangs became more professionalized.
According to Kellerman, since the 2008/09 recession “the cyber crime community and these [cyber crime] cartels began to modernize their operations; their organizational structure became more sophisticated in how they delivered services”.
This in turn allowed them to not only carry out attacks more successfully and at a greater scale than before, but also to offer their services to inexperienced would-be extortionists.
“Ransomware is such a complex operation now that one person can’t do it all,” says Allan Liska, intelligence analyst at Recorded Future. “If I’m a novice bad guy, I don’t want to build out a whole ransomware infrastructure, so what I do is I choose one of these ransomware groups and say ‘Hey, I want to sign up for your ransomware as a service’.”
According to Liska, for this person it’s as simple as putting down a deposit, getting their own executable from the ransomware gang and then looking for potential victims. If any of these attacks are successful, everything from the negotiations to accepting the Bitcoin ransom payment is also handled by the gang rather than the individual. The spoils are then divided up between the ‘novice’ and the professional cyber criminals, with each getting their cut.
The rise of state-sponsored attacks
There’s another leg to the story of ransomware that even those most removed from cyber security will likely have heard of: nation-state, state-sponsored, or patriotic hacking.
The link between these groups and the governments that harbor them is murky. While Western governments sometimes accuse others of having ‘cyber armies’, often these groups operate autonomously as criminal gangs. They’re tolerated on the understanding that they won’t attack businesses or infrastructure in the country in which they operate and that, if called upon, they will direct resources to an attack on a named target.
Some of the most infamous state-linked ransomware campaigns include the 2014 Sony Pictures hack, the 2016 Bangladesh Bank heist, and the 2017 WannaCry outbreak.
Charles Debarber, a cyber intelligence professional who formerly worked for US Army intelligence, points to the Sony Pictures hack as being particularly notable for its severe and long-lasting impact.
“For a worldwide organization like Sony to be locked down, have films leaked that weren’t even released, have emails released that were very sensitive – that brought down careers – the impact of [the ransomware attack] lasted years after. And the problem just keeps getting worse,” he says.
This is the first in a series of three articles. The whole of Origins of Cybercrime, along with more on how businesses can protect themselves from ransomware, is available to watch in Sophos’ video series.