IEEE reflects on the 35th anniversary of the first ever ransomware attack
The first ransomware virus predates e-mail and was distributed on floppy disk by the postal service. It was issued by Dr. Joseph Popp, author of the AIDS Trojan, who is now known as "the father of ransomware."
The disc was one of 20,000 sent by post to attendees from 90 countries of the World Health Organization’s (WHO) AIDS conference in Stockholm in December 1989. Once inserted into a system, the floppy disk would hijack AUTOEXEC.BAT and alter it to count the number of times the system was rebooted. Once the counter reached 90, the programme would prompt the user to renew a licence to continue using the system.
Kevin Curran, IEEE senior member and professor of cyber security at Ulster University, reflects on this and outlines how ransomware has evolved since then: “Newer strains have emerged since then. Whilst threat actors have changed their tactics, their motives remain the same – money and disruption. Ransomware, to this day, is one of the biggest cyber security threats to enterprises. Threat actors have gone to a great effort to remain under the radar and bypass even the strongest security protocols. Some have adopted a 'radio silence' technique, through a sophisticated monitoring of system processes, where malware knows when to stay silent or lie dormant; 'stealth mode' techniques have been adopted by malware to evade detection.
“With the earlier forms of ransomware, the impact was downtime or unavailable data. Now there are far more aggressive strains; double or even triple-extortion tactics. Seven years ago, WannaCry became one of the first examples of a worldwide cyber-attack, ultimately establishing ransomware as a major cyber threat vector. Then there was, of course, the 2021 attack on the Colonial Pipeline in the USA, which revealed the damage ransomware can pose to critical national infrastructure (CNI) as it disrupted an asset which controls 50% of the fuel supply in North America.
“Sadly, cybercrime has steadily become an industry where some groups have cybercrime units typical of any large legitimate business, such as partner networks, associates, resellers, and vendors. In fact, they even have dedicated call centres which are typically used to help with requests from ransomware victims. Ransomware-as-a-service (RaaS) has also become more prominent now, where threat actors offer franchises – predeveloped ransomware or malware in the form of ‘pay-for-use’ – or even training.
“There are new ‘masterminds’ now too. Black Cat, LockBit, Cl0p, REvil, and Conti are the main ransomware groups at the moment; each has its own tactics and is responsible for conducting some of the most devastating attacks, and they are constantly refining their methods to enhance their effectiveness and reach. Sadly, the question is no longer ‘if’ an organisation will be targeted, but when. Organisations must adopt a ‘secure-by-design’ methodology and follow the advice from authorities like the UK's National Cyber Security Centre (NCSC), ensuring that they adopt the most robust cyber security measures to mitigate these risks.”