From AIDS to Hostage Governments: The Rise of Ransomware


Ransomware has become a major threat to every organization. It is now remarkably easy for criminals to get into your environment and profit from your loss, and the extortion is so effective that many groups no longer bother to encrypt your data at all: the threat of a massive data leak is enough to hold you at knifepoint. Defending against this modern threat requires an equally adaptive and reliable layer of data security throughout your organization.

The Rise of Ransomware

Ransomware predates most of today's computer users. The first documented piece of ransomware was the 1989 AIDS Trojan. Part extortion and part protest, it was written by biologist Joseph Popp and distributed on floppy disk around the time of the World Health Organization's AIDS conference: Popp mailed roughly 20,000 copies, labelled "AIDS Information - Introductory Diskettes", to conference attendees and other mailing lists, each accompanied by a licence leaflet warning that the software would "adversely affect" the victim's computer if the licence fee was not paid.

Once installed, the trojan counted the number of times the computer was booted. On the 90th boot it hid the directories on the C: drive and scrambled the names of the files stored there, leaving the system unusable. To regain access, victims were told to send $189 to a PO box in Panama registered to the "PC Cyborg Corporation". Because the scrambling used a simple symmetric cipher, the damage was easy to reverse, and the trojan caused relatively little stir: recovery tools that restored the affected files were widely available soon afterwards.

A lot has changed since 1989, however. In the three decades since, ransomware has become a globally feared method of extortion, and much of that is down to a single enabling component: the ability of criminal groups to be paid anonymously and irreversibly. Enter cryptocurrency, first Bitcoin and more recently privacy coins such as Monero, which make tracing payments far harder.

Modern Ransomware is Holding Governments Hostage

Compare the AIDS Trojan with the 2021 attack on Colonial Pipeline. The pipeline itself was never touched: it is roughly 5,500 miles of pipe supplying around 45 percent of the fuel consumed on the US East Coast, one of the most substantial and vital fuel transport systems in the country. Built in the early 1960s, it moves refined products from Gulf Coast refineries to the East Coast states. The IT infrastructure supporting this logistical powerhouse is substantial, however, and in 2021 it attracted the attention of DarkSide, a Russian-speaking ransomware-as-a-service group.

DarkSide hit Colonial's business network in May 2021. Within roughly two hours the attackers had stolen about 100 GB of data; only then did they deploy ransomware across the IT network. It spread quickly, and the systems around billing and accounting were hit hardest. Those systems tracked how much fuel was delivered to whom so that customers could be billed accurately; without them, Colonial Pipeline was left with one choice.

The pipeline was shut down on 7 May, the company citing the need to stop the ransomware spreading into operational systems. The FBI, the Cybersecurity and Infrastructure Security Agency (CISA), the Department of Energy and the Department of Homeland Security were all notified, and the pressure to resolve the outage quickly reached boiling point.

On the ground, news that the pipeline had been closed ignited a frenzy of panic-buying. Filling stations began to run low on petrol and diesel, and people resorted to ever more extreme methods of hoarding: buckets and plastic bags became such common containers that federal safety regulators issued a warning not to fill them with gasoline. As 7 May drew to a close, with the crisis and losses deepening every hour, Colonial began to waver. After an initial statement that no payment would be made, the company paid the ransom: roughly $4.4 million in Bitcoin (much of which the US Department of Justice later recovered by seizing the wallet it was sent to).

The post-mortem found that the attackers got in through a single exposed password for a company VPN account. The account was no longer in active use but had never been disabled, it was not protected by multi-factor authentication, and its password had turned up in an earlier, unrelated data breach, from which the email address and password were sold on a dark web marketplace.

From crude, indiscriminate attacks to well-organized, carefully targeted operations, ransomware has come a long way from its roots.

A Nightmarish Masterclass in Persuasion

If you were paying attention, you will have noticed that DarkSide began not by deploying ransomware but by stealing 100 gigabytes of company data.

There are a few reasons for this. One is the underground markets in which cybercriminal groups operate, where stolen data has resale value of its own; another is the extra weight that the threat of a public data breach places on a victim that is reluctant to pay.

Many ransomware gangs, such as the now-defunct REvil, exfiltrate data from their victims before encrypting anything. The result is a wicked one-two punch, commonly called double extortion. With older ransomware, companies faced a difficult choice between losing access to their data and forking over large sums of money to regain it. Now they face losing access to critical files and, at the same time, having that data publicly leaked and resold on dark web marketplaces. That not only opens customers and business partners to attacks of their own, but also exposes the business to lawsuits and regulatory penalties for failing to adequately protect customer data.

In fact, holding stolen data hostage is such a powerful extortion tactic that many attackers now rely on it alone, without bothering to encrypt the victim's files at all.

Managing the Ransomware Threat

The first rule of data security is simple: if attackers can't reach the data, they can't encrypt or steal it. Credential hygiene is therefore vital. Remember that the Colonial Pipeline breach began with an account whose password had been sold on the dark web, so whenever a breach occurs, whether at your organization or at a business partner, mandate credential changes for the accounts involved and check existing passwords against known breach corpora rather than waiting for a scheduled rotation. Enforce multi-factor authentication on every remote-access path, and disable accounts that are no longer in use. Employees' work credentials should also be kept separate from their personal ones, passwords included, so that a breach of a consumer website does not hand an attacker a key to the corporate VPN.
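The two checks above, checking a candidate password against a breach corpus and deciding which accounts to reset, require MFA on or disable after a breach at the organization or a partner, can be automated. The following is an added example written for this article, not code from Colonial Pipeline or any vendor. The leaked passwords, leaked email addresses and account records are constructed, hypothetical values, and the range lookup is a local simulation of the k-anonymity scheme that public breach-lookup services use, where only the first five hex characters of the SHA-1 hash leave the client:

```python
from __future__ import annotations

import hashlib
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import date

# Constructed stand-ins for a leaked-credential dump (hypothetical values,
# not real breach data): passwords that have appeared in breaches, and the
# e-mail addresses seen in a dump that affected a business partner.
LEAKED_PASSWORDS = ["Password123", "Summer2021!", "pipeline2019", "letmein"]
LEAKED_EMAILS = {"jdoe@example.com", "vpn-contractor@example.com"}


def sha1_hex(password: str) -> str:
    """Breach corpora are usually distributed as SHA-1 hashes, so hash the same way."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(leaked: list[str]) -> dict[str, Counter]:
    """Index leaked hashes by their first five hex digits, the way a
    k-anonymity 'range' service does: prefix -> {hash suffix: times seen}."""
    index: dict[str, Counter] = defaultdict(Counter)
    for pw in leaked:
        h = sha1_hex(pw)
        index[h[:5]][h[5:]] += 1
    return index


def lookup_range(index: dict[str, Counter], prefix: str) -> dict[str, int]:
    """Server side of a range query. The client sends only the five-character
    prefix and receives every suffix under it, so the full hash (let alone the
    password) never leaves the client."""
    return dict(index.get(prefix, {}))


def is_breached(password: str, index: dict[str, Counter]) -> bool:
    h = sha1_hex(password)
    return h[5:] in lookup_range(index, h[:5])


def validate_new_password(password: str, index: dict[str, Counter]) -> tuple[bool, str]:
    """Policy check at the moment a credential is set, the only time the
    plaintext is available to compare against a breach corpus."""
    if is_breached(password, index):
        return False, "appears in a known breach corpus"
    if len(password) < 12:
        return False, "shorter than 12 characters"
    return True, "ok"


@dataclass
class Account:
    email: str
    mfa_enabled: bool
    last_login: date


# Constructed sample directory (hypothetical accounts).
SAMPLE_ACCOUNTS = [
    Account("ops-admin@example.com", mfa_enabled=True, last_login=date(2021, 5, 6)),
    Account("jdoe@example.com", mfa_enabled=True, last_login=date(2021, 5, 3)),
    Account("vpn-contractor@example.com", mfa_enabled=False, last_login=date(2020, 11, 2)),
]


def accounts_needing_action(accounts: list[Account], breached_emails: set[str],
                            today: date, dormant_days: int = 90) -> dict[str, list[str]]:
    """After a breach at the organization or a partner, decide per account
    whether to force a reset, require MFA enrollment, or disable it outright."""
    actions: dict[str, list[str]] = {}
    for acct in accounts:
        reasons = []
        if acct.email.lower() in breached_emails:
            reasons.append("credential present in breach dump: force reset")
        if not acct.mfa_enabled:
            reasons.append("no MFA: block remote access until enrolled")
        if (today - acct.last_login).days > dormant_days:
            reasons.append(f"dormant for more than {dormant_days} days: disable")
        if reasons:
            actions[acct.email] = reasons
    return actions


if __name__ == "__main__":
    index = build_range_index(LEAKED_PASSWORDS)
    for candidate in ["Password123", "a long unique passphrase 42"]:
        print(candidate, "->", validate_new_password(candidate, index))
    for email, reasons in accounts_needing_action(SAMPLE_ACCOUNTS, LEAKED_EMAILS, date(2021, 5, 7)).items():
        print(email)
        for reason in reasons:
            print("  -", reason)
```

The breach check runs only when a password is being set, because that is the only moment the plaintext exists; an account that is both dormant and unenrolled in MFA, like the contractor account in the sample, is the profile a leaked password turns into a VPN foothold.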

To truly protect your data, however, you need a thorough understanding of which assets you are protecting and where each piece of the data puzzle lives. If you do not know where all your customers' data is, you cannot be compliant with the regulations that govern it, and your exposure in a double-extortion attack is severe, because you cannot even judge what the attackers have taken. This is where an automated, continuous discovery process helps: scanning file shares, databases and cloud storage, identifying sensitive data such as personal and payment information, and flagging risky storage practices so they can be fixed before an attacker finds them.
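A minimal version of that discovery process, as an added example written for this article rather than any product's code: it walks a directory tree, looks for a few categories of regulated data (US Social Security numbers, e-mail addresses and payment card numbers, the last confirmed with a Luhn checksum so that order numbers are not miscounted), and assigns each file a handling label. The sample files, including the well-known 4111 test card number, are constructed so the scan runs offline:

```python
import os
import re
import tempfile
from collections import Counter
from dataclasses import dataclass, field
from pathlib import Path

# Detection patterns for a few common categories of regulated data.
# The card pattern only finds candidates; a Luhn check confirms them.
PATTERNS = {
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "card": re.compile(r"\b\d(?:[ -]?\d){12,18}\b"),
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; weeds out order numbers
    and other long digit strings that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify_text(text: str) -> Counter:
    """Count confirmed hits per category in one document."""
    counts: Counter = Counter()
    counts["ssn"] = len(PATTERNS["ssn"].findall(text))
    counts["email"] = len(PATTERNS["email"].findall(text))
    for candidate in PATTERNS["card"].findall(text):
        if luhn_ok(re.sub(r"[ -]", "", candidate)):
            counts["card"] += 1
    return counts


def sensitivity(counts: Counter) -> str:
    """Map findings to a handling label; payment and government identifiers
    outrank mere contact details."""
    if counts["card"] or counts["ssn"]:
        return "restricted"
    if counts["email"]:
        return "internal"
    return "public"


@dataclass
class Finding:
    path: str
    counts: Counter = field(default_factory=Counter)
    sensitivity: str = "public"


def scan_tree(root: Path, max_bytes: int = 1_000_000) -> list[Finding]:
    """Walk a directory tree and classify every readable text file under it."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.stat().st_size > max_bytes:
                continue  # skip large blobs; a real scanner would sample them
            text = p.read_text(encoding="utf-8", errors="ignore")
            counts = classify_text(text)
            findings.append(Finding(p.relative_to(root).as_posix(), counts, sensitivity(counts)))
    return sorted(findings, key=lambda f: f.path)


# Constructed sample files (hypothetical content, including the well-known
# 4111... test card number) so the scan runs offline.
SAMPLE_FILES = {
    "customers.csv": "name,email,card\nAda Lovelace,ada@example.com,4111 1111 1111 1111\n",
    "hr/onboarding.txt": "Employee: Jane Roe\nSSN: 123-45-6789\nManager: hr@example.com\n",
    "notes.txt": "Order 1234567890123 shipped; call the warehouse on 555-0199.\n",
    "README.md": "Nothing sensitive here. Build with make.\n",
}


def demo_scan() -> list[Finding]:
    """Materialize the sample files in a temp directory and scan them."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, content in SAMPLE_FILES.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(content, encoding="utf-8")
        return scan_tree(root)


if __name__ == "__main__":
    for f in demo_scan():
        print(f"{f.sensitivity:10} {f.path:20} {dict(f.counts)}")
```

Point `scan_tree` at a real share and the "restricted" rows are the files that would do the most damage in a leak and so deserve encryption at rest, tighter access control, or deletion; the Luhn step matters because a discovery tool that cries wolf on every 13-digit number is quickly ignored.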
