Ransomware is a global scourge that last year bilked businesses to the tune of $1.1 billion globally. And the bad actors behind it continue to gain in sophistication, scope, and ruthlessness.
But given ransomware’s 35th anniversary this month, it’s a perfect opportunity to examine its dubious history, dangerous present, and how organizations can counter its future impact.
“Ransomware, in my opinion, has evolved the most out of any cyberthreat in the past 10 to 15 years,” said Mick Baccio, global security strategist for Splunk, a Cisco company. “It may have started in 1989 with a floppy disc demanding a mail-in payment, but today it’s a global business with organized cybergangs and state-sponsored activity from places like Russia and North Korea.”
That global business accounted for 44 percent of all cases reported by the Cisco Talos Incident Response group from June 2023 to June 2024. And as it ravages and disrupts favored targets in health care, education, manufacturing, and critical infrastructure, its human toll — on progress, customer confidence, employee well-being, and so much more — is harder to quantify.
No one could have imagined all that back in 1989. The aforementioned floppy disc delivered primitive ransomware that was dubbed the AIDS Trojan. And its author, Dr. Joseph Popp, had a beef with the medical establishment but was easily apprehended.
“The chap who developed it was identified and caught while trying to collect the ransom from a PO Box in Panama,” said Martin Lee, EMEA lead for Cisco Talos. “From a modern point of view, it was an incredibly unsophisticated and ham-fisted attempt.”
Unsophisticated, but not without future potential. As computers became connected to wider networks, other nefarious elements picked up the torch. Which brings us to another ominous anniversary: the first criminalization of ransomware, 20 years ago, in December 2004.
GPCode was an email attachment pretending to be a job offer — anticipating today’s sophisticated social-engineering manipulations. And thanks to email, it reached many more victims, mostly in Russia.
“That was when we first started to see ransomware distributed on a wider scale,” explained Nick Biasini, head of outreach for Cisco Talos. “But still, the financial gain was limited. It was basically, ‘Your system’s encrypted, go buy several hundred dollars in gift cards, share the codes with us, and we’ll decrypt your system.’”
GPCode’s impact may have been small, but as Lee added, “it’s really the genesis of ransomware as we know it today.”
Hidden payments, bigger targets
GPCode’s dependence on anonymous gift cards reveals one of the main challenges of ransomware: hiding the money trail. Enter cryptocurrencies. In the early 2010s, bitcoin’s arrival was an answer to a ransomware actor’s dreams.
“That was really what gave way to the rise of a ransomware epidemic,” Baccio believes. “Bitcoin, when it first came on the scene, was a virtually untraceable, cross-border payment method. Up to that point, you were mailing your money, using gift cards, or depending on wire transfers. But with the introduction of Bitcoin, it became more and more anonymous.”
Soon, the targets would grow bigger. In 2016, the SamSam ransomware attacked larger enterprises. And not long after, cyber-cartels began to form.
“This is when we started seeing the ransoms get into the six and eventually seven figures,” said Biasini, “to where the damage and the impact really started to come through.”
Today, sophisticated groups specialize in particular industries, such as healthcare or financial services. And some, beginning with the Maze ransomware of 2019, apply extortion — threatening to publicly release exfiltrated data if they are not paid. Targets also include wide sweeps of smaller businesses, and critical infrastructure like water, power, and transportation systems. These often lack the proper technology and resources to combat a rising tide of threats.
“Often the organizations that are the least resourced are the ones that need the most help,” argued Baccio. “You have water treatment plants all across the Southern United States that just don’t have the people, skills, or resources to be able to shore up those defenses.”
Meantime, ransomware continues to evolve. In the last quarter, Cisco Talos Incident Response observed new RansomHub, RCRU64, and DragonForce variants, while continuing to respond to existing threats, such as BlackByte, Cerber, and BlackSuit.
How to fight back
Today’s ransomware picture may seem bleak, especially as nation-state actors and emerging technologies like AI up the ante. But it isn’t hopeless.
To start, cybercriminals love to exploit low-hanging fruit. And there are fundamental steps that organizations can take to make their jobs harder — and hopefully send them off looking for easier marks.
As Lee stressed, one key defense has been known for years but not always practiced properly.
“Ransomware has this enormous Achilles’ heel: data backups!” he explained. “If your data is backed up, and the data on the hard disk gets encrypted by bad guys, you can just restore it.”
However, it’s not always as easy as it sounds.
“Even organizations that are backing up their data,” Lee continued, “sometimes find that the data from the backup has been corrupted, that it was not properly made, or that they don’t know how to restore it. So, yeah, it’s the No. 1 weakness of the bad actors, but it can be difficult to do.”
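The backup weakness Lee describes (backups that were silently corrupted, never made properly, or never tested with a restore) is something a defender can check on a schedule rather than discover during an incident. The script below is an added example, not code from Cisco, Talos, or Splunk: it records a SHA-256 manifest when the backup is taken, re-verifies the backup against that manifest, and runs a restore drill into a scratch directory. The sample files, directory layout, and manifest format are constructed assumptions for the demonstration.

```python
"""Backup integrity check and restore drill (added example, constructed data)."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256 at the time of the call."""
    return {str(p.relative_to(root)).replace("\\", "/"): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def make_backup(source: Path, backup: Path) -> dict:
    """Copy the source tree into backup/data and store the manifest beside it."""
    shutil.copytree(source, backup / "data")
    manifest = build_manifest(source)
    (backup / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_backup(backup: Path) -> list:
    """Return a list of problems (missing or corrupted files); an empty list means clean."""
    manifest = json.loads((backup / "manifest.json").read_text())
    data_dir = backup / "data"
    problems = []
    for rel, expected in manifest.items():
        path = data_dir / rel
        if not path.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(path) != expected:
            problems.append(f"corrupted: {rel}")
    return problems


def restore_drill(backup: Path, restore_to: Path) -> bool:
    """Refuse to restore a bad backup; otherwise restore and re-verify the restored tree."""
    if verify_backup(backup):
        return False
    shutil.copytree(backup / "data", restore_to, dirs_exist_ok=True)
    manifest = json.loads((backup / "manifest.json").read_text())
    return build_manifest(restore_to) == manifest


def demo() -> dict:
    """Constructed scenario: back up sample files, verify, drill, then simulate corruption."""
    work = Path(tempfile.mkdtemp(prefix="bkdrill-"))
    source, backup, restore = work / "source", work / "backup", work / "restore"
    (source / "records").mkdir(parents=True)
    (source / "records" / "patients.csv").write_text("id,name\n1,constructed\n")
    (source / "config.yml").write_text("retention_days: 30\n")
    make_backup(source, backup)
    clean = verify_backup(backup)
    drill_ok = restore_drill(backup, restore)
    # Simulate the failure mode from the article: a backup that quietly went bad.
    (backup / "data" / "records" / "patients.csv").write_bytes(b"\x00" * 16)
    damaged = verify_backup(backup)
    drill_after = restore_drill(backup, work / "restore2")
    shutil.rmtree(work)
    return {"clean_problems": clean, "drill_ok": drill_ok,
            "damaged_problems": damaged, "drill_after_corruption": drill_after}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of the drill is the second half: a backup job that reports success is not the same as a backup that can be restored, so the manifest is checked again at restore time and the restore itself is re-hashed. In practice the manifest would be stored separately from the backup media (and ideally signed), so an intruder who reaches the backup cannot rewrite both.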
At the same time, improved software defenses, networking advances, and up-to-date patching can play a big role, as can segmenting networks to limit damage if an intrusion does occur.
Cisco is one of the largest security vendors in the world, and the scope of its end-to-end, AI-empowered cyber-defense offerings is all but unique, encompassing network, endpoint, email security, and more. All of which is topped off by the company’s powerful Talos threat intelligence organization.
“Just about everything happening on the internet any given moment is touching Cisco kit in some way, and we have access to all that telemetry,” Lee said of Talos. “It’s very difficult to do bad stuff on the Internet without leaving a trace somewhere with Cisco.”
With advanced detection, Cisco can alert the global security community to emerging threats — or sneak in patches without malicious actors even knowing it. And these capabilities are further supercharged with Cisco’s acquisition of Splunk, the AI and data-analytics powerhouse.
“I am so jazzed about the opportunity to work with the folks from Cisco and from Talos,” Baccio exclaimed. “From the firewall to XDR to endpoints, there are tons of Cisco products that will benefit. We’ll take all that data in the background and fuse it all together to give defenders a complete picture of what’s happening in their environment — so they can respond much faster.”
Lee is equally pleased, especially given the potential for early detection.
“I’m really quite excited about the Splunk acquisition,” he said. “Because we can take all that data that we collect and make it searchable and analyzable — automatically and with AI. So, we can identify the very earliest traces of an attack.”
The human element
Beyond technology, the human element is critical. Having a response plan in place before a breach occurs is one part of it. Rapid coordination and response between teams can mean the difference between massive or minor impact on productivity and customer confidence.
But as defenses, detection, and responses grow stronger, ransomware actors are depending on distracted, unaware workers. That is, people who unwittingly respond to scam emails, phone calls, and other forms of social engineering. With large language models like ChatGPT at their disposal, cybercriminals can more easily trick their way into networks without the hard work of hacking.
“Especially as AI ramps up and we’re seeing things like deep fakes,” said Biasini, “it’s going to be increasingly difficult to trust your eyes and your ears. So, ensuring that people are aware and planning for these kinds of attacks is essential.”
All three experts reiterated that while ransomware is a formidable threat, we are not powerless. But slowing its advance will take coordinated effort — and a more democratic distribution of defenses to protect vulnerable smaller businesses and public-sector organizations.
“The international cooperation between public and private sectors is growing all across the globe,” said Baccio. “And that gives me hope.”
From inauspicious beginnings, ransomware has exploded across the planet. But it may yet meet its match.
“I don’t think ransomware is going away anytime soon,” concluded Lee. “But I think it will become incrementally more difficult for the bad guys as the IT community and our systems mature. We’ve all come through a period of enormous technological change, and we’ve needed to catch up on security. But I really believe it can be done.”
For more information on Cisco Talos and ransomware, check out:
It's the 35th anniversary of ransomware - let's talk about the major shifts and changes