
CyberWire Daily at 10: The evolution of ransomware.
Dave Bittner: From nuisance attacks to billion-dollar criminal enterprises, ransomware has transformed the cybersecurity landscape over the past decade. The tactics have changed, the targets have changed, and the stakes have never been higher. I'm Dave Bittner. In this special edition of the CyberWire podcast, I'm joined by Maria Varmazis for a look back at ransomware's evolution over the last 10 years. We'll explore how attackers adapted their methods, how defenders responded, and what the history of ransomware can teach us about the threats organizations face today. That's ahead on this CyberWire Special Edition. [ Music ]
Maria Varmazis: All right. Well, welcome back, everybody. It is my pleasure, yet again, to welcome Dave Bittner, host of the "CyberWire Daily," to speak with me today. Hi, Dave.
Dave Bittner: Hello, good to be back.
Maria Varmazis: Yes, good to see you, Dave, and we are, as we have been this past year, celebrating 10 years of the "CyberWire Daily," which again, what a feat, congratulations, Dave.
Dave Bittner: It's hard to believe. Time flies when you're having fun.
Maria Varmazis: Oh, that's so sweet. Ten years is a decent amount of time. You know, blink of an eye for some and quite an age for others. When I think of the last 10 years, I'm pretty sure I've said this every conversation we've had, but to me, the true story of the last 10 years in the cybersecurity realm has been ransomware. That is the number one thing that I think of, so we're going to dedicate our time today to talking about ransomware, how it has changed extraordinarily over the last 10 years, and you've watched it all happen. If we do our Wayne's World, going back 10 years, ransomware was, like, back in 2016, 2017. How would you have described it back then for those that maybe have forgotten or weren't there for this?
Dave Bittner: Well, when I started doing this every day, so 10 years ago, ransomware had been around for a while. The idea of it had been around for a while, but it becoming a business, people making their living off of it widely, was pretty new still. My recollection is that in the early days, it was what we would look back at now and consider to be adorable, small-time street crime versions of ransomware, right? Someone would -- they were targeting individuals. It was like, you know, walking down the street and being mugged, except on your computer. People would get you for a hundred dollars or a couple-hundred dollars, but it really wasn't going to change your life very much. Chances are you'd pay the ransom. Your files would be unlocked, you'd go about your business, and that's what it was.
Maria Varmazis: Yeah, and it was often real money they asked for, actual denominations of coin, as opposed to crypto, right? It was actual money. Yeah, I mean, not that crypto's not, but you know what I mean.
Dave Bittner: Yeah, yeah, and so that's the big -- the thing that happened simultaneously, which I would label as the accelerant for ransomware, was cryptocurrency. To have this unregulated global source of money, or way to exchange money, and to mix it and to trade it and to steal it and all that stuff that you can do with crypto that you can't do with -- you know, you can't use -- you can't do with Visa or MasterCard, made it possible.
Maria Varmazis: Yeah, yeah, and there was also the accelerant of much more potent threats that were doing much more damage and casting a much wider net, and I would be remiss if I didn't just say the word, WannaCry. I mean, it makes you want to cry. It made us all want to cry. Do you remember hearing about WannaCry for the first time, or do you remember that story unfolding, because that really was seismic?
Dave Bittner: It was, yeah. It was 2017, I believe, that WannaCry happened, and I think that was really the moment that ransomware became generally present for the general public. People knew what ransomware was. It wasn't just a niche thing anymore. What did WannaCry, what did it get, about a quarter-million computers all over the world? But also, what it got, you know, they disrupted hospitals and transportation systems and manufacturers. It was hitting people where they live, shutting down people's work and that sort of thing, so really showed how ransomware could spread globally using unpatched vulnerabilities, and it was an eye-opener for people all over the world. You know, I think it's also worth just taking maybe a half-step back at that point of time. I remember right around that era, right around 2017, interviewing people, experts in cybersecurity, who really thought ransomware was going to be winding down.
Maria Varmazis: Yes, yeah.
Dave Bittner: Right?
Maria Varmazis: Yep, I remember it was just a bit of a footnote in the threat reports that were coming out. It was like, yeah, it's this thing, but don't worry about it. You're fine. Don't even think about it.
Dave Bittner: Right, and what they thought the real threat was going to be was crypto mining, because that was, I use air quotes, "a victimless crime" where you sneak into someone's computer, and you have it run all night mining bitcoin for you, and they don't know it. It doesn't really affect what they're doing, so you're not going to attract law enforcement because you're not really hurting anyone other than, you know, using up their electricity, but of course, that didn't happen. It went completely the other way.
Maria Varmazis: Yeah, because crypto mining takes some time, and there are faster ways to acquire large amounts of cash, usually through crime. So yeah, WannaCry was -- that was actually when I was in the hospital with my kid, giving birth to my kid, and the hospital systems were down. I remember --
Dave Bittner: Oh, the hospital systems were down while you were giving birth?
Maria Varmazis: Yep.
Dave Bittner: Holy smokes.
Maria Varmazis: I remember talking to the doctor, and he was like, so what do you do for a living? I remember saying, you won't believe this, but -- [laughter]
Dave Bittner: Wow.
Maria Varmazis: This kind of thing is the stuff I kind of am concerned about in my day job, so it was very funny. For me, WannaCry was tied to a baby crying in my head.
Dave Bittner: Literally.
Maria Varmazis: Literally, literally.
Dave Bittner: Wow.
Maria Varmazis: Yeah, but I mean, WannaCry was -- moving on from the personal side, it really was the, not an opening salvo, but I mean, it was that huge stone in the lake that just had that ripple effect that just kept going.
Dave Bittner: Right.
Maria Varmazis: Then we have mentioned NotPetya a bunch in the conversations we've had about the 10-year anniversary. It feels inevitable that we should bring that one up again, as well, because that was another huge one around the same time.
Dave Bittner: Right, right, and that one sort of blurred that line between ransomware and destructive cyber operations. There are plenty of people who believe that that was more about disruption than actually profiting, and of course, you know, caused billions of dollars in damages. Global shipping was probably the place that hit hardest, and I think, you know, combining WannaCry with NotPetya, this is -- to extend my metaphor to the breaking point -- this is where we transition from street crime to organized crime.
Maria Varmazis: Right, and also nation-state malfeasance, potentially --
Dave Bittner: Yes, yeah.
Maria Varmazis: -- which is quite a paradigm shift, and to me, that really raised the stakes and kind of the scariness factor of it all, to be totally honest.
Dave Bittner: Yeah, I mean, countries like North Korea realize that, you know, they can fund big parts of their national operations by using ransomware on people, and it's become an effective -- I'm sure it's a line item in their budget every year now.
Maria Varmazis: It's crazy to think about, and a point that you've made in the past -- I'm just going to bring up your own good point, is also --
Dave Bittner: Wait --
Maria Varmazis: -- what was considered a valid target for ransomware. Whether or not they're actually specifically going after infrastructure like healthcare or just saying we're going to get whoever we get, it felt like there were no holds barred at that point, and then it just became an all-out war, not to get too hyperbolic.
Dave Bittner: I mean, I think it -- yes, you're right, but I think there's -- it's important to look back at some of the nuance there, because, again, my recollection, which is certainly a bit fuzzy at this point, but in the very beginning, it seemed like as ransomware hunting got bigger and bigger and they were going after larger targets, there were times when they hit hospitals in those initial first waves. If, for example, they hit a hospital, it seemed like that wasn't their intended target. Some of the groups were apologetic, immediately turned over the keys and said, this is not who we meant to hit. We're sorry. We won't do that again. That didn't last very long before they completely flipped the script, and they realized hospitals need to be up and running. Who better to pay the ransom quickly than a place where there are actually lives on the line? That continues to this day.
Maria Varmazis: It sure does, and when we look back at the evolution of ransomware over the last 10 years, I think something that's also noticeable is how the nature of the threat has evolved in -- I hate calling it "interesting" because it's dangerous, but it is as we analyze it. It's interesting, from straight-up extortion to extortion on several different levels. Not just, "I want your money," but also, "I have now your intellectual property," that is, to me, darkly fascinating that that's what we ended up with.
Dave Bittner: Yeah, and you're absolutely right. I mean, we went from just locking up the files and saying, if you want the key, please send us some money, to both locking up and exfiltrating files. Now, plenty of groups don't even bother to lock up the files. All they want to do is exfiltrate the files, and then they'll say, hey, if you don't want these files leaked and you don't want to suffer the reputational damage, please pay us money. Just recently, we saw the thing with Canvas where it seems like Canvas paid the ransom in order to get their files back. People are -- how do I describe this? They have, I guess, appropriate skepticism when the folks at Canvas are saying that the bad actors assured them and provided, somehow, proof that the files had been deleted. They had a screen capture of someone emptying a trash can.
Maria Varmazis: Yeah, you can't doctor that. That's just science.
Dave Bittner: [Laughter] Right, so I think that also, not to get too philosophical and out of our range of conversation here, but it really does become a who can you trust conversation, right? Now, you could say it's not in the ransomware operators' best interest to cheat you out of things because their business model is, in part, based on trust. People won't pay them if they don't believe they're going to get files back and things won't be shared, so that's certainly a component of it, but what a strange world where this has become a normal thing. We've seen some crackdowns with law enforcement, but have we really made a dent? There are no international treaties that say you can't attack hospitals, right? There's no agreements over those sorts of things.
Maria Varmazis: Cybersecurity wise, yes.
Dave Bittner: Yeah. Yeah.
Maria Varmazis: Yeah.
Dave Bittner: Right. Yes. Yeah, I mean, and how interesting that kinetic warfare has those limitations and cyberwarfare, so far, does not.
Maria Varmazis: Yeah, one of the many gaps in policy that -- the list is very long, but yeah, it's -- ransomware is just so fascinating to me when I think about how it has proliferated with, you know, kits that are making it just brain-dead easy for it to be deployed and for these campaigns to work so well. You were mentioning Canvas and that it seems like they paid the ransom. In your recollection, has the advice at all changed in sort of common parlance about what to do when you're hit with this? Because -- the reason I ask is I want to say at the beginning, it was a "We don't negotiate with terrorists" kind of thing, and then it shifted to it's just the cost of doing business. Now, I'm not really entirely sure what the consensus is on this.
Dave Bittner: Yeah, you're -- I mean, your guess is as good as mine because I think there's a lot of stuff going on behind the scenes that we'll never see or never know about because there's a lack of mandatory reporting. You know, a plane crashes, and there's a whole investigative regime that comes into place to find out what happened. Someone gets hit with ransomware, and if they're not a public company, they don't necessarily have to disclose that it ever happened. They quietly contact their insurance company, with whom they have a conversation, decide what is the cheapest way for us to get out of this, and away we go. There have been plenty of cases I'm sure you've heard of, too, where something happens with a company, and they go down for a few days and nobody says what's going on and everybody assumes it's ransomware, but the systems come back up and everybody just kind of moves on with their life and we'll never really find out what happened, so, you know, there's a lot of that.
Maria Varmazis: Truly, I suppose my question was unfair because it also matters -- it depends on who's been targeted and in what nature, right? I mean, there's all these -- there's all this nuance that we can't possibly capture in a question, so sorry for the terrible question, Dave.
Dave Bittner: [Laughter] Oh, Maria, your questions are never terrible.
Maria Varmazis: Well, I was just thinking, you know, if it's a business where nobody wants their IP compromised, nobody wants this, obviously, but if -- you know, if it's some -- if it's data that potentially gets locked up that you get unlocked -- I'm putting this broadly -- that's one thing. If it hits a critical infrastructure, that's going to really materially impact someone's lives, so hospitals, energy. We've seen that before with the Colonial Pipeline ransomware, right? I've just -- something where, you know, people are not going to be able to live as opposed to, oh, it's just a business problem.
Dave Bittner: Right.
Maria Varmazis: Then the calculus is, of course, going to be completely different. I don't know where I'm going with this, so --
Dave Bittner: Well, I mean, so if you -- I've certainly played through this in my mind many times, as I know you have as well. I think if you're a ransomware operator, you don't want to be the person who accidentally turns out the lights of the entire U.S. Eastern Seaboard, right, because that's how you get a missile through your front door. [ Laughter ]
Maria Varmazis: But the street cred, Dave, the street cred.
Dave Bittner: Yeah, you will live in infamy, that's for sure.
Maria Varmazis: You sure will, yeah, yeah.
Dave Bittner: Right? You know, the flip side of this is I have half-jokingly wondered, and I know I've shared this with you before, how many people in InfoSec secretly have a backup plan if retirement doesn't work out for them, that they're just going to adopt low-level nuisance ransomware to fill the gap in between to make ends meet?
Maria Varmazis: Listen, if AI is coming for all our jobs, you know.
Dave Bittner: Right. I call it "nuisanceware." Just not enough to get law enforcement involved, but enough to make a difference in an individual person's life, and I joke about it, but who knows? Yeah.
Maria Varmazis: The flip, the living in the gray zone, living between the white and the black, it's a whole philosophical discussion that can get very interesting.
Dave Bittner: Right, right.
Maria Varmazis: Yeah, yeah, anyway, that's a different rabbit hole. We can go down that one for a different conversation. I know that we're getting close to time, so your thoughts on where it's going with ransomware? Not that you necessarily know better than anybody else, but, you know, I'm curious, your thoughts on this?
Dave Bittner: Well, it seems like it's trending in a good way, or maybe at least it's not -- it doesn't seem to be getting worse anymore. The numbers are going down in terms of the number of attacks and the amount of money that the bad guys are getting. It's still a lucrative business. I wonder how much of the decrease is due to the fact that so many people have updated their basic hygiene, that the low-hanging ransomware fruit just isn't there anymore. It takes a much larger investment through social engineering to make this happen, so you've weeded out a lot of the ransomware operators who are just doing it for giggles, and now we've got these groups that are organized crime, who are financed either independently or by nation-states, and they're still doing their thing, still going after the big whales, but can we say that an upside to ransomware is that it forced everyone into better basic hygiene? Like, how many people have multi-factor authentication because of the fear of ransomware, or because they actually got hit by ransomware?
Maria Varmazis: Yeah, what a terrible success story that is if that's --
Dave Bittner: Yeah, unintended consequence.
Maria Varmazis: Yeah, well, I'll take that one. That's a good unintended consequence, or on their part, unintended. Truly, the criminals are looking for the quickest buck or quickest coin, so if there are other methods that are now just so much easier for them to do, maybe they're also just walking away from ransomware because social engineering with AI is now so much easier.
Dave Bittner: True.
Maria Varmazis: Yeah, I wonder if something is taking its place. I'm sure there is something.
Dave Bittner: Right, and you know, Maria, I don't have to run faster than the bear. I only have to run faster than you.
Maria Varmazis: That's right, and I don't run very fast. [ Laughter ] As all our "Hacking Humans" listeners know, I click all the links, so, you know? [ Laughter ]
Dave Bittner: I am no speed demon myself. [ Laughter ]
Maria Varmazis: Well, Dave, as we reflect on ransomware, anything that you wanted to close out with, any thoughts there?
Dave Bittner: No, I think that's a great place to ran- -- to ransom it up -- to wrap it up. That's a great place to wrap it up. Yeah, I mean, look, it's here to stay, certainly for the short term, and it'll be interesting to see how much AI actually affects it, but hold on to the bar, because here we go. We're going -- we're heading up the lift hill. [ Music ] That's a look back at a decade of ransomware. My thanks to Maria Varmazis for joining me for the conversation. Thanks for listening. For more cybersecurity news, analysis, and podcasts, check out our website, thecyberwire.com. I'm Dave Bittner. We'll see you back here next time. [ Music ]

