THE EVOLUTION OF RANSOMWARE
Often, the people who write the ransomware are not the people perpetrating the attacks. They prefer to keep their hands (and noses) clean. Indeed, complex attacks often begin with a broker, sometimes someone inside the organization selling some kind of initial access credentials.
Once that’s achieved, the attackers will, as stealthily as possible, probe internal networks to find important data (or further vulnerabilities). The ransomware itself, far from being some cobbled-together script written by a kid, might be provided as a service (RaaS). It might have a customized payload or even a dedicated page where buyers can monitor the damage, switch payloads or even receive technical support.
A new RaaS called ALPHV (aka BlackCat) was found in December 2021 on underground forums. This seems to have been the first in-the-wild example of ransomware written in Rust. Advertising on the forums (which we’re sure any of our more determined readers will manage to find without us naming them) promises 80-90 percent of the ransomware payout to ‘pentesters’ wishing to try out their latest badware.
>> Programmed in Rust, with a nostalgic UI. This is getting silly now.
The first ransomware on Linux we could find was named Erebus. Like RansomEXX, it appears to have been ported from Windows. But in 2017, it struck the servers (153 of them) of a South Korean web hosting company, taking down over 3,000 websites. Such was the damage that the company paid just under 400 BTC, which was then worth $1 million in Bitcoin, making it the largest payout at the time. Bitcoin is worth around 20 times its 2017 value today so, hopefully, these fraudsters didn’t get to keep their earnings.