Ransomware attacks have evolved as threat actors continually seek ways to expand the scope of their operations and increase profitability.
The ransomware-as-a-service (RaaS) model became popular because the use of affiliates enables ransomware operators to attack more victims with little effort. It also created opportunities for threat actors with limited technical skills to benefit from the ransomware economy. Name-and-shame attacks increased potential for financial gain by combining threats of data disclosure and file encryption to extort victims. Although law enforcement response to a high-profile attack on U.S. critical infrastructure prompted ransomware operators, affiliates, and owners of various underground forums to rethink their strategies, Secureworks® Counter Threat Unit™ (CTU) researchers have observed the threat actors adapting tactics and continuing operations.
A brief history of ransomware

Ransomware emerged in the late 1980s when a medical researcher attempted to extort other researchers via malware delivered on floppy disks. Subsequent ransomware evolution was slow. Deployment did not become common until the mid-2000s, when threat actors extorted payment by denying victims access to their own services and systems.
Campaigns in the mid-2010s relied on indiscriminate distribution to a large number of victims. An automated “fire-and-forget” approach leveraged phishing campaigns and vulnerability scanning to deploy ransomware to a single host or a small number of hosts. While this approach targeted many victims, the attacks were often unsuccessful. The ransomware’s propagation lacked control and did not cause sufficient disruption to compromised networks. As a result, victims rarely complied with the extortion demands. Ransom demands were relatively low by today’s standards.