Where ransomware attacks come from: 3 origins worldwide

  • The top 5 ransomware targets by industry in 2024 include education, construction and property, central and federal government, media, entertainment and leisure, and local and state government.
  • Three origins of new ransomware strains are state-sponsored actors, criminal organisations, and security researchers who don’t always think things through.
  • Supply chain attacks, triple extortion, and ransomware as a service (RaaS) are the primary trends for ransomware in recent years.

Even though ransomware is not a brand-new cybersecurity risk, top governments worldwide are still paying close attention to this danger. The ability of people to purchase groceries, fill up their cars with gas, and receive healthcare has been impacted by ransomware.

In recent years, ransomware’s financial effects have also become more noticeable. Attacks against supply chains result in more extensive harm than attacks on a single person. To slow the spread of ransomware attacks, the government and tech companies have also stepped up their response.

History of ransomware attacks

Ransomware can be traced back to 1989 when the “AIDS virus” was used to extort funds from ransomware recipients. Payments for that attack were mailed to Panama, at which point a decryption key was sent back to the user.

In 1996, Columbia University’s Moti Yung and Adam Young introduced ransomware known as “cryptoviral extortion.” This idea, born in academia, illustrated the progression, strength, and creation of modern cryptographic tools. Young and Yung presented the first cryptovirology attack at the 1996 IEEE Security and Privacy Conference. Their virus contained the attacker’s public key and encrypted the victim’s files. The malware then prompted the victim to send asymmetric ciphertext to the attacker to decipher and return the decryption key—for a fee.

Also read: How do autonomous vehicles work?

Targeted industries

Ransomware attacks usually target institutions and organisations that are mission-critical, such as healthcare, finance, manufacturing, and government organisations. In some cases, along with other impacts, ransomware attacks cause higher mortality rates in healthcare institutions. As manufacturing includes various kinds of production, such as metal products, automotive, and industrial equipment, it is also a highly targeted sector by ransomware. Financial institutions are also targeted quite often. In this case, the attackers still intend to steal money and a huge amount of sensitive user data. Until May 2024, according to the statistics from Camparitech, there are a total of 4013 tracks with an average ransom of 408,044$. The following are the top 5 ransomware targets by industry in 2024: Education, construction and property, central and federal government, media, entertainment and leisure, and local and state government.

Where do most ransomware attacks come from

Most ransomware isn’t spread by an individual; rather, certain malicious groups develop, refine and distribute the ransomware software. According to the Microsoft Digital Defense Report, a full half of these groups come from Russia. Iran and North Korea are other common hotbeds for ransomware groups, with the United States being the most common target.

Knowing the common origins of new ransomware strains can help organisations defend against an attack. Those are state-sponsored actors, criminal organisations, and security researchers who don’t always think things through. 

1. State-sponsored actors 

In this scenario, malicious actors receive monetary, technical, and other means of support from a governmental body to create a new ransomware threat. Those actors then use the ransomware to conduct an attack that advances the governmental body’s interests. As the governmental body didn’t launch the attack itself, it can try to leverage that fact for plausible deniability, thus raising the political costs should another state wish to retaliate.

In May 2021, The Hacker News wrote that security researchers had detected a state-sponsored ransomware campaign operated by Iran’s Islamic Revolutionary Guard Corps (IRGC). Those who spotted the campaign suspected IRGC was using it as a subterfuge technique to mimic the tactics, techniques, and procedures (TTPs) of financially motivated ransomware groups to make attribution more difficult.   

2. Digital criminal organisations 

Not every ransomware operation receives direct support from a governmental agency. But support can come in many ways. These “privateers,” as noted by Threatpost, act according to their financial agendas while enjoying some protections from governmental bodies. 

According to The Washington Post, REvil’s developers appear to be based in Russia, a country which has historically looked the other way at digital crime groups operating within its borders. The ransomware’s creators used that protection to form a RaaS scheme in which they took 20-30% of a ransom payment, with affiliates taking the rest for running the attacks, stealing the data, and detonating the crypto-malware. Through that arrangement, the REvil gang ended up making $100 million in two years. 

3. Security researchers who don’t think things through 

Over the years, security researchers have sometimes developed ransomware-like programs for “educational purposes.” Such was the case with Hidden Tear. At the time of its emergence in August 2015, its creator warned users to “not use it as ransomware,” clarifying that they “go to jail on obstruction of justice charges just for running hidden tears, even though you are innocent.” 

Also read: Who is Jeff Weiner? LinkedIn former CEO epitomises ‘compassionate management’

Ransomware trends that will continue in 2024

A few key ransomware trends have emerged in recent years that will likely continue into 2024 and beyond. Here are some of the primary trends for ransomware in recent years:

Supply chain attacks: Instead of attacking a single victim, supply chain attacks extend the blast radius. One such example was an exploit in the Moveit Transfer software product from Progress software that led to large-scale ransomware attacks by the Clop ransomware gang. Over the last several years there have been multiple such incidents, including the Kaseya attack, which affected at least 1,500 of its managed service provider customers, and the SolarWinds hack.

Triple extortion: In the past, ransomware was about attackers encrypting information found on a system and then demanding a ransom in exchange for a decryption key. With double extortion, attackers also exfiltrate the data to a separate location. With triple extortion ransomware, attackers also threaten to leak data unless paid. Triple extortion has been used by multiple threat actors, including Vice Society in an attack against the San Francisco Bay Area Rapid Transit system.

Ransomware as a Service (RaaS): Gone are the days when every attacker had to write their ransomware code and run a unique set of activities. RaaS is pay-for-use malware. It lets attackers use a platform that provides the necessary ransomware code and operational infrastructure to launch and maintain a ransomware campaign.

Ransomware is a type of malware that can either encrypt all of your data or lock you out of your computer. Ransomware won’t end anytime soon either. Ransomware will likely continue to evolve in a few different ways. The best way to defend against ransomware is to recognise and avoid phishing attempts, install antivirus software on your computer, and back up all of your files.


Fiona Huang

Fiona Huang, an intern reporter at BTW media dedicated in Fintech. She graduated from University of Southampton. Send tips to f.huang@btw.media.

Related Posts

Leave a Reply

Your email address will not be published. Required fields are marked *