The history of the hacking method and what's next


Experts predict that as the ransomware industry evolves, hackers will find more and more ways to use the technology to exploit companies and individuals.

Ransomware is now a billion-dollar industry. However, it was not always as large or as widespread a cybersecurity threat as it is today.

Ransomware, which dates back to the 1980s, is a form of malware used by cybercriminals to lock files on a user's computer and demand payment to unlock them.

The technology — which officially turned 35 years old on December 12 — has come a long way, and criminals can now launch ransomware much faster and deploy it for multiple purposes.

Cybercriminals collected $1 billion in fraudulent cryptocurrency payments from ransomware victims in 2023, a record, according to data from Chainalysis, a blockchain analysis company.

Experts expect ransomware to continue to evolve, with the future shaped by contemporary cloud computing technology, artificial intelligence and geopolitics.

How was ransomware created?

The first event considered a ransomware attack occurred in 1989.

A hacker physically mailed disks, claiming they contained software that could help determine whether a person was at risk of developing AIDS.

However, once installed, the software hid directories and encrypted filenames on users' computers after they were restarted 90 times.

It would then display a ransom note asking the user to send a cashier's check to an address in Panama to obtain a license to restore their files and directories.

The program became known to the cybersecurity community as the “AIDS Trojan.”

“It was the first ransomware that came from someone's imagination. It wasn't something you read about or was researched on,” Martin Lee, director of EMEA at Talos, the cyberthreat intelligence arm of IT equipment giant Cisco, told CNBC in an interview.

“Before, it just wasn't discussed at all. There wasn't even a theoretical concept of ransomware.”

The perpetrator, Harvard biologist Joseph Popp, was caught and arrested. However, after he demonstrated erratic behavior, he was found unfit to stand trial and returned to the United States.

How ransomware developed

Since the appearance of the AIDS Trojan, ransomware has evolved significantly. In 2004, a threat actor targeted Russian citizens with a criminal ransomware program now known as “GPCode.”

The program was delivered to people via email, an attack method now commonly known as “phishing.” Users, tempted by the promise of an attractive career offer, downloaded an attachment containing malware disguised as a job application form.

Once opened, the attachment downloaded and installed malware on the victim's computer, which scanned the file system, encrypted files and demanded payment via wire transfer.

Then, in early 2010, ransomware hackers used cryptocurrencies as a payment method.

In 2013, just a few years after Bitcoin was created, CryptoLocker ransomware emerged.

Hackers who targeted people with the program demanded payment in bitcoin or prepaid cash vouchers, but it was an early example of cryptocurrency becoming the currency of choice for ransomware attackers.

Later, more famous examples of ransomware attacks that chose cryptocurrency as the preferred ransom payment method included WannaCry and Petya.

“Cryptocurrencies provide many advantages to criminals precisely because they are a way to transfer value and money outside the regulated banking system in an anonymous and immutable manner,” Lee told CNBC. “If someone has paid you, that payment cannot be reversed.”

CryptoLocker also gained notoriety in the cybersecurity community as one of the earliest examples of ransomware-as-a-service operations — that is, a ransomware service sold by developers to more novice hackers for a fee to enable them to carry out attacks.

“In the early 2010s, we saw an increase in professionalization,” Lee said, adding that the gang behind CryptoLocker “has been very successful in carrying out crime.”

What's next for ransomware?

Some experts fear that artificial intelligence has lowered the barrier to entry for criminals looking to create and use ransomware. Artificial intelligence tools like OpenAI's ChatGPT enable everyday internet users to enter text queries and requests and get sophisticated, humanlike answers in response, and many developers even use them to write code.

Mike Beck, chief information security officer at Darktrace, told CNBC's “Squawk Box Europe” that there is a “huge opportunity” for artificial intelligence, both in arming cybercriminals and in improving productivity and operations at cybersecurity companies.

“We need to arm ourselves with the same tools that criminals use,” Beck said. “Bad people will use the same tools that are used today for all these types of changes.”

However, Lee doesn't think AI poses as serious a ransomware risk as many might think.

“There are a lot of hypotheses that artificial intelligence is very good at social engineering,” Lee told CNBC. “But if you look at the attacks that exist and that clearly work, the simplest ones are the most effective.”

Targeting cloud systems

A serious threat to watch out for in the future may be attacks on cloud systems, which enable companies to store data and host websites and applications remotely from data centers.

“We haven't seen a lot of ransomware attacking cloud systems, and I think that's probably going to be the future as the situation evolves,” Lee said.

According to Lee, we could eventually see ransomware attacks that encrypt cloud resources or block access to them by changing credentials or using identity-based attacks to deny users access.

Geopolitics is expected to play a key role in the evolution of ransomware in the coming years.

“Over the past 10 years, the distinction between criminal ransomware and nation-state attacks has become increasingly blurred, and ransomware is becoming a geopolitical weapon that can be used as a tool of geopolitics to disrupt organizations in countries perceived as hostile,” Lee said.

“I think we'll probably see more of that,” he added. “It's fascinating to see how the criminal world can be taken over by a nation-state to do its bidding.”

Another threat Lee sees is autonomously distributed ransomware.

“There is still the possibility of more ransomware emerging that spreads autonomously — perhaps not attacking everything in its path, but limited to a specific domain or a specific organization,” he told CNBC.

Lee also expects ransomware-as-a-service to grow rapidly.

“I think we will increasingly see the ransomware ecosystem become more and more professionalized, moving almost exclusively towards a ransomware-as-a-service model,” he said.

However, while the ways in which criminals use ransomware will continue to evolve, the actual makeup of the technology is not expected to change too dramatically in the coming years.

“Outside of RaaS providers and those using stolen or purchased toolchains, credentials and system access have proven to be effective,” Jake King, security manager at internet search engine company Elastic, told CNBC.

“Until further obstacles arise from adversaries, we will likely continue to see the same patterns.”


