Ransomware Has Not Just Been Around Since Yesterday

The first known ransomware in computer history, the “AIDS Trojan”, goes all the way back to 1989. Biologist Joseph L. Popp sent it on a floppy disk; once started, the software encrypted the names of the files and displayed a $189 charge on the screen. Fortunately, the key was in the code, so with its help the file names could be restored.

After that, things remained very quiet for a long time, but with the increasing penetration of the Internet, the heyday of blockers finally arose between 2007 and 2010. This rather simple type of malware blocked computers with a non-closable window, which could be removed upon payment.

From 2010 to 2011, crypto Trojans finally come back into fashion. By the end of 2011, more than 60,000 ransomware variants had already been discovered. In the third quarter of 2012, the figure was more than three times as high, reaching over 200,000. In 2013, Crypto Locker appeared, the first ransomware that demanded payment in Bitcoin. Locky and WannaCry followed in 2016 and 2017, respectively, just to name the well-known representatives of their kind.

In the meantime, the attack has evolved: ransomware no longer simply encrypts the systems of its victims; in many cases, it also leaks customer data or internal company information, with the victims then blackmailed with the threat of publication of this data. The CONTI ransomware, for example, was used to attack numerous companies, many of which faced ransom demands in the millions.

The professionalization of cyber attacks

These types of attacks are becoming increasingly sophisticated, and a highly professional criminal industry has become established in recent years. For the first time, in the case of the CONTI Ransomware, it is not the developers themselves who are acting as blackmailers. Instead, the ransomware and security vulnerabilities are provided here for purchase – Ransomware as a Service.

So the developers provide know-how and infrastructure, while the actual attack is carried out by less technically affine criminals. This shows how professionally this scene now operates, significantly increasing the potential danger. It is now possible for laypeople to launch attacks on companies using rented infrastructure, suitable tools, and easy-to-follow instructions.

Anyone can be affected by ransomware: from a small company to a large corporation, a municipality, or public authority. There are no exceptions here and the potential for damage is enormous. There is a risk of massive impairment of business operations and the loss of trust, not to mention the loss of sensitive data, confidential documents, and valuable know-how. In the event of damage, there is a threat of nothing less than the downfall of the company, or the months-long incapacity of authorities to function as required.

Damage caused by ransomware

For example, the problems experienced in the Anhalt-Bitterfeld district of Germany following a ransomware attack in early July 2021 have been ongoing for more than a year. Anhalt Bitterfeld had to declare a digital disaster for more than 200 days after the attack; so severe were the system impairments and the associated outages. At the end of August it became known that the Hanoverian automotive supplier “Continental” was the victim of an attack. Around 40 terabytes of data are said to have been stolen and the company was facing a ransom demand of an unknown amount.

The above examples make it clear that it is essential to take precautions against a ransomware attack and to have a coherent concept up your sleeve as a contingency plan. Although the German Federal Office for Information Security (BSI) and almost all experts recommend not paying ransoms, many companies do so regardless. In total, 42% of German companies, and 46% globally, whose data was encrypted paid a ransom to get their data back, a study by Sophos shows. An insurance company in the U.S. reportedly paid up to $40 million to regain control of its own systems. But for one thing, there is no guarantee that, after payment, the criminals will decrypt the data, or that they won’t sell it on to others. On the other hand, payment of ransoms further supports the criminals’ business model, allowing them to further develop their ransomware. 

Prevention and response to attacks

In the fight against ransomware, strong comrades-in-arms and intensive cooperation between public authorities and companies are required. It is important to act proactively in terms of suitable prevention, in order to prevent hackers from entering your own network, and at the same time to identify such security breaches as early as possible by means of suitable IT security. Incident response plans and recommendations for action in the event of an emergency must also be prepared in advance within the company to ensure an orderly response in the event of an emergency.

Together with our strong partners Microsoft, Rohde&Schwarz, and Sophos AG, we provide our know-how to support you and your company in the fight against ransomware. eco – Association of the Internet Industry, in cooperation with its members, has set itself the goal of informing you about how ransomware endangers your company and what measures can be taken against it. The Ransomware Initiative serves as a contact and information point for SMEs and connects them with security authorities and partners from the IT security industry.

Michael Weirich, Project Manager in the Cybersecurity division at eco, joined the association in 2012 as a Security Analyst.

From 2013, Michael took over the role of project manager for the technical deliverables within the ACDC project and subsequently the project management for the nrw.uniTS network at eco, focusing on the liaison between the industry and the other involved stakeholders, such as those from the academic and political areas. In addition, he mentored SIWECOS, a service that helps small and medium-sized enterprises to identify and fix security vulnerabilities on their websites, and is driving the eco Association's Anti-Ransomware initiative.