Ransomware’s sixth epoch points to disturbing trend

Hartford Mayor Luke Bronin appears with David Wessel at a Brookings Institution event two years ago. Today’s columnist, Chester Wisniewski of Sophos, lauds Mayor Bronin for not paying the ransom when schools in Hartford were hit by an attack this past fall. (Credit: CC BY-NC-ND 2.0)

Ransomware attacks are dominating the security news headlines this year, and unfortunately, there’s no sign of these targeted attacks – or the stealthy cybercriminals behind them – slowing down.

As a cybersecurity researcher who has studied these threats for more than two decades, I’ve identified a disturbing new trend in how attackers carefully select their targets and calculate the most opportune times to launch their attacks.

Unscrupulous attackers are evolving their tactics like never before, and this year’s victims are proof that an attack can hit anywhere: hospitals on the front lines treating critically ill COVID-19 patients, school districts working around the clock for a safe return to school, or IT organizations tasked with enabling thousands of employees to safely work remotely.

We’re at a pivotal point in time – one that may very well mark the start of the sixth epoch of ransomware.

What history taught us

Looking back at the more than 30 years of ransomware, we can identify a few similar critical junctures where the techniques and motivations behind ransomware evolved into something a bit more sinister.

The first, of course, was the invention of the terrible idea itself in 1989, when Dr. Joseph Popp wrote the world’s first Trojan Horse and ransomware, named “The AIDS Information Trojan.” Dr. Popp was arrested and the malware was easy to defang, but a sinister idea was born.

Let’s refer to the second pinnacle as the “Russian bootlocker” epoch, which occurred in the mid-2000s as attackers tried to find new ways to steal money without being caught and sent to jail. Attacks usually involved replacing the boot sector on hard disks with ransom notes demanding that victims send an SMS to a premium rate number to obtain an unlock code. While clever, these attacks were fortunately limited primarily to Russian-speaking countries.

The third epoch hit like an atomic bomb. In early September 2013, the first copies of Cryptolocker began infecting victims, demanding a new kind of pseudonymous payment – Bitcoin. This brought ransomware to the masses. In only a few short weeks, millions of victims faced demands to pay $300 to unlock their files. The payment problem seemed to have been solved by decentralized libertarians.

By 2016, ransomware became a bit stale, as attackers milked $400-$700 from thousands of victims. The more skilled criminals were growing bored, and wanted more. Some (allegedly) Iranian chaps decided to go big game hunting and kick off the fourth epoch. They began targeting businesses and behaving much more like a nation-state attacker. By only locking up sensitive assets, the attackers behind SamSam ransomware could demand much higher ransoms, initially in the tens of thousands, and eventually netting $500,000 per victim on average.

Many criminal groups twigged onto the methods of SamSam, including Ryuk, GandCrab, WastedLocker, and others. Ransoms were approaching an average of $1 million and one group decided it was time to turn it up to 11. In late 2019, the fifth epoch began when Maze began not just holding data for ransom, but stealing the data before it was encrypted to use in an extortion scheme for additional leverage. This has led to some ransoms topping $30 million, spurred by both the need to get the business running again and the desire to avoid regulatory penalties and lawsuits from the loss of private information.

The sixth epoch

Are we headed toward a sixth epoch? It isn’t yet clear, but an unsettling pattern has emerged. On December 31, 2019, Travelex, a global foreign exchange firm, was held ransom by REvil (Sodinokibi) during the peak of the holiday travel season. It ultimately paid $2.3 million, and was later declared insolvent.

REvil struck again in March 2020, this time at 10x Genomics, a biotech firm researching COVID-19 immunity response to aid in vaccine development. While sensitive data was stolen, the company was able to isolate the source of the attack and restore operations.

In April 2020, Cognizant, an IT services firm, had many of its remote working systems crippled by ransomware, slowing its ability to properly accommodate thousands of remote workers during the pandemic. It’s estimated to have cost the company upwards of $70 million.

And at the start of the school year this fall in the United States, no fewer than three public school districts were hit during week one. It’s entirely possible, if not likely, that these school districts were compromised weeks or even months ago and the criminals were patiently waiting for the right time to pounce and cause the greatest amount of pain – a common tactic in nation-state attacks.

Security researchers allege that Russia waited until the Christmas holidays on two separate occasions to conduct attacks on Ukraine’s power grid, known as Black Energy. North Korea also famously attacked Sony Pictures Entertainment to prevent the release of a film poking fun at their dear leader.

Will this lead us to further compromises of other verticals that are purposefully timed to make it “impossible to say no” to giving in to the demands of the crooks? Aside from securing our systems, the best weapon to fight the epidemic of ransom demands is to simply stop paying.

If you’re a victim, to quote former first lady Nancy Reagan, “Just say no!” And if you’re not, stop shaming those who have made an error and been put into this impossible situation.

Now’s the time for us to band together and demand change. Let’s make those who turn the other cheek without paying into heroes instead of shaming them. When a ransomware attack stopped the reopening of schools in Hartford, Conn., in early September, Mayor Luke Bronin made it clear that no ransom was paid, nor does the city plan to pay.

We applaud Mayor Bronin. We can all take a page or two from his playbook.

If your company falls victim, pick yourselves up, ask for help and rebuild as quickly as possible. If we all stop paying, the criminals will have to move on. It’s simple economics. Raise their cost of doing business until it isn’t economically feasible.

Chester Wisniewski, principal research scientist, Sophos
