![CyberWire Daily at 10: The evolution of ransomware. [Special Edition] — CyberWire Daily cover](https://megaphone.imgix.net/podcasts/b430a36c-5b8f-11f1-8a95-dfe2986544ea/image/0216c9cea15c53e5d2c739964a38623c.png?ixlib=rails-4.3.1&max-w=3000&max-h=3000&fit=crop&auto=format,compress)
A
You're listening to the CyberWire Network, powered by N2K.
B
From nuisance attacks to billion-dollar criminal enterprises, ransomware has transformed the cybersecurity landscape over the past decade. The tactics have changed, the targets have changed, and the stakes have never been higher. I'm Dave Bittner. In this special edition of the CyberWire podcast, I'm joined by Maria Varmazes for a look back at ransomware's evolution over the last 10 years. We'll explore how attackers adapted their methods, how defenders responded, and what the history of ransomware can teach us about the threats organizations face today. That's ahead on this CyberWire special edition.
A
All right, well, welcome back, everybody. It is my pleasure yet again to welcome Dave Bittner, host of the CyberWire Daily, to speak with me today. Hi, Dave.
B
Hello. Good to be back.
A
Yes, good to see you, Dave. And we are, as we have been this past year, celebrating 10 years of the CyberWire Daily, which again, what a feat. Congratulations, Dave.
B
It's hard to believe time flies when you're having fun.
A
Oh, that's so sweet. So 10 years is a decent amount of time. Blink of an eye for some and quite an age for others. And when I think of the last 10 years, I'm pretty sure I've said this every conversation we've had. But to me, the true story of the last 10 years in the cybersecurity realm has been ransomware. That is the number one thing that I think of. So we're gonna dedicate our time today to talking about ransomware, how it has changed extraordinarily over the last 10 years. And you've watched it all happen. So if we do our Wayne's world going back 10 years, ransomware was like back in 2016, 2017. How would you have described it back then for those that maybe have forgotten or weren't there for this?
B
Well, I mean, when I started doing this every day. So 10 years ago, ransomware had been around for a while. The idea of it had been around for a while, but it becoming a business, people making their living off of it widely, was pretty new still. And my recollection is that in the early days, it was what we would look back at now and consider to be, you know, adorable small time street crime versions of ransomware. Right. Someone would, they were targeting individuals. It was like, you know, walking down the street and being mugged, except on your computer. People would get you for a hundred dollars or a couple hundred dollars. But it really wasn't gonna change your life very much. Chances are you'd pay the ransom, your files would be unlocked, you'd go about your business, and that's what it was.
A
Yeah. And there was often real money. They asked for actual denominations of coin, as opposed to crypto, right? It was actual money. Yeah. I mean, not crypto's. Not. But you know what I mean?
B
Yeah, yeah. And so that's the big. The thing that happened simultaneously, which I would label as the accelerant for ransomware, was cryptocurrency. To have this unregulated global source of money, a way to exchange money and to mix it and to trade it and to steal it. And all that stuff that you can do with crypto that you can't do with, you know, you can't do with Visa or MasterCard, made it possible.
A
Yeah, yeah. And there was also the accelerant of much more potent threats that were doing much more damage and casting a much wider net. And I would be remiss if I didn't just say the word WannaCry. I mean, it makes me wanna cry. It made us all wanna cry. Do you remember hearing about WannaCry for the first time, or do you remember that story unfolding? Because that really was seismic.
B
It was, yeah, it was 2017, I believe that WannaCry happened, and I think that was really the moment that ransomware became generally present for the general public. People knew what ransomware was. It wasn't just a niche thing anymore. What did WannaCry, what did it get? About a quarter million computers all over the world. But also what it got, you know, they disrupted hospitals and transportation systems and manufacturers. So it was hitting people where they live, shutting down people's work and that sort of thing. So really showed how ransomware could spread globally using unpatched vulnerabilities. And it was an eye opener for people all over the world. You know, I think it's also worth just taking maybe a half step back at that point of time. I remember right around that era, right around 2017, interviewing people, experts in cybersecurity who really thought ransomware was gonna be winding down.
A
Yes, yeah, right. Yep, I remember. It was just. It was a bit of a footnote in this, in the threat reports that were coming out. It was like, yeah, it's this thing, but don't worry about it, you're fine. Don't even think about.
B
And what they thought the real threat was going to be, crypto mining, because that was, I use air quotes, a victimless crime where you sneak into someone's computer and you have it run all night mining Bitcoin for you and they don't know, doesn't really affect what they're doing. So you're not going to attract law enforcement because you're not really hurting anyone other than, you know, using up their electricity. But of course that didn't happen. It went completely the other way.
A
Yeah. Cause crypto mining takes some time and there are faster ways to acquire large amounts of cash, usually through crime. So yeah, WannaCry was. That was actually when I was in the hospital with my kid giving birth to my kid and the hospital systems were down, I remember.
B
Oh, the hospital systems were down while you were giving birth?
A
Yep. Holy smokes. Talking to the doctor and he was like, so what do you do for a living? And I remember saying, you won't believe this, but this kind of thing is the stuff I kind of am concerned about in my day job. So it was very funny. So for me, WannaCry was tied to a baby crying.
B
Literally.
A
Literally. Literally. Yeah. But I mean, WannaCry was moving on from the personal side. It really was not an opening salvo, but I mean it was that huge stone in the lake that just had that ripple effect that just kept going. And then we have mentioned NotPetya a bunch in the conversations we've had about the 10 year anniversary. Feels inevitable that we should bring that one up again as well because that was another huge one around the same time.
B
Right, right. And that one, you know, sort of blurred that line between ransomware and destructive cyber operations. You know, there are plenty of people who believe that that was more about disruption than actually profiting. And of course, you know, caused billions of dollars in damages. Global shipping was probably the place it hit hardest. And I think combining WannaCry with NotPetya, to extend my metaphor to the breaking point, this is where we transition from street crime to organized crime.
A
Right. And also nation state malfeasance potentially, which is quite a paradigm shift. And to me that really raises the stakes and kind of the scariness factor of it all, to be totally honest.
B
Yeah. I mean, countries like North Korea realize that they can fund big parts of their national operations by using ransomware on people. And it's become an effective. I'm sure it's a line item in their budget every year.
A
Now that's crazy to think about. And a point that you've made in the past. I'm just gonna bring up your own good point is also, please, what was considered a valid target for ransomware, whether or not they're actually specifically going after infrastructure like healthcare or just Saying, we're gonna get whoever we get. It felt like there were no holds barred at that point. And then it just became an all out war. Not to get too hyperbolic.
B
Yeah, I mean, I think, yes, you're right, but I think there's. It's important to look back at some of the nuance there because again, my recollection, which is certainly a bit fuzzy at this point, but in the very beginning, it seemed like as ransomware hunting got bigger and bigger and they were going after larger targets, there were times when they hit hospitals. In those initial first waves, if, for example, they hit a hospital, it seemed like that wasn't their intended target. Some of the groups were apologetic, immediately turned over the keys and said, this is not who we meant to hit. We're sorry, we won't do that again. And that didn't last very long before completely flipped the script and they realized hospitals need to be up and running. So who better to pay the ransom quickly than a place where there are actually lives on the line? And that continues to this day.
A
It sure does. And when we look back at the evolution of ransomware over the last 10 years, I think something that's also noted, noticeable is how the nature of the threat has evolved in. I hate calling it interesting because it's dangerous, but it is, as we analyze it, it's interesting from straight up extortion to extortion on several different levels. Not just I want your money, but also I have now your intellectual property. That is, to me, darkly fascinating that that's what we ended up with.
B
Yeah, you're absolutely right. I mean, we went from just locking up the files and saying, if you want the key, please send us some money, to both locking up and exfiltrating files. And now plenty of groups don't even bother to lock up the files. All they want to do is exfiltrate the files and then they'll say, hey, if you don't want these files leaked and you don't want to suffer the reputational damage, please pay us money. And, you know, just recently we saw the thing with Canvas where it seems like Canvas paid the ransom in order to get their files back. And people are. How do I describe this? They have, I guess, appropriate skepticism when the folks at Canvas are saying that the bad actors assured them and provided somehow proof that the files had been deleted. Like had a screen capture of someone emptying a trash can.
A
Yeah, you can't doctor that. That's just science. Yeah, right.
B
So I think that also, not to get too philosophical, and out of our range of conversation here. But it really does become a who can you trust conversation. Right now. You could say it's not in the ransomware operator's best interest to cheat you out of things because their business model is in part based on trust. People won't pay them if they don't believe they're going to get their file back or files back and things won't be shared. So that's certainly a component of it. But what a strange world where this has become a normal thing. We've seen some crackdowns with law enforcement, but have we really made a dent? There are no international treaties that say you can't attack hospitals. Right. There's no agreements over those sorts of things.
A
Cybersecurity wise. Yes.
B
Yeah. Right. Yes. Yeah. I mean, and how interesting that kinetic warfare has those limitations and cyber warfare so far does not.
A
Yeah, one of the many gaps in policy. The list is very long. But yeah, it's. Ransomware is just so fascinating to me when I think about how it has proliferated with, you know, kits that are making it just brain dead easy for it to be deployed and for these, these campaigns to, to work so well. You were mentioning Canvas and that it, it seems like they paid the, the ransom. In your recollection, has the advice at all changed in, in sort of common parlance about what to do when you're hit with this? Because the reason I ask is, is I want to say at the beginning it was a we don't negotiate with terrorists kind of thing. And then it shifted to it's just the cost of doing business. And now I'm not really entirely sure what the consensus is on this.
B
Yeah, I mean, your guess is as good as mine because I think there's a lot of stuff going on behind the scenes that we'll never see or never know about because there's a lack of mandatory reporting. You know, a plane crashes and there's a whole investigative regime that comes into place to find out what happened. Someone gets hit with ransomware and if they're not a public company, they don't necessarily have to disclose that it ever happened, though they quietly contact their insurance company, who they have a conversation, decide what's the cheapest way for us to get out of this, and away we go. There have been plenty of cases I'm sure you've heard of too, where something happens with a company and they go down for a few days and nobody says what's going on. And everybody assumes it's ransomware. But the Systems come back up and everybody just kind of moves on with their life and we'll never really find out what happened. So, you know, there's a lot of that.
A
And truly, I suppose my question was unfair because it also matter. It depends on who's been targeted and in what nature. Right. I mean, there's all these, there's all this nuance that we can't possibly capture in a question. So. Sorry for a terrible question.
B
Oh, Maria, your questions are never terrible.
A
Well, I was just thinking, you know, if it's, if it's a business where nobody wants their IP compromised. No, nobody wants this, obviously. But if, you know, if, if it's some. If it's data that potentially gets locked up, that you get unlocked, I'm putting this broadly, that's one thing. If it hits critical infrastructure, that's going to really material impact, materially impact someone's lives. So hospitals, energy, we've seen that before with the Colonial pipeline ransomware. Right. And I just something where, you know, people are not going to be able to live as opposed to, oh, it's just a business problem.
B
Right.
A
Then the calculus is of course going to be completely different. I don't know where I'm going with this, so.
B
Well, I mean, so if you. I've certainly played through this in my mind many times, as I know you have as well. I think if you're a ransomware operator, you don't want to be the person who accidentally turns out the lights of the entire US Eastern seaboard. Right. Because that's how you get a missile through your front door. Right.
A
But the street cred, Dave, the street cred.
B
Yeah. You will live in infamy. That's.
A
You sure will. Yeah. Yeah.
B
Right. You know, the flip side of this is I have half jokingly wondered, and I know I've shared this with you before, how many people in infosec secretly have a backup plan if retirement doesn't work out for them, that they're just gonna adopt low level nuisance ransomware to fill the gap in between, to make ends meet.
A
Listen, if AI is coming for all our jobs, you know.
B
Right. So I call it nuisanceware. Just not enough to get law enforcement involved, but enough to make a difference in an individual person's life. And I joke about it, but who knows?
A
Yeah. The flip. Living in the gray zone. Living between the white and the black. It's a whole philosophical discussion that can get very interesting. Yeah, yeah. Anyway, that's a different rabbit hole. We can go down that one for a different conversation. I know that we're getting close to time. So your thoughts on where it's going with ransomware? Not that you necessarily know better than anybody else, but I'm curious your thoughts on this?
B
Well, it seems like it's trending in a good way, or maybe at least it's not. Doesn't seem to be getting worse anymore. The numbers are going down in terms of the number of attacks and the amount of money that the bad guys are getting. It's still a lucrative business. I wonder how much of the decrease is due to the fact that so many people have updated their basic hygiene that the low hanging ransomware fruit just isn't there anymore. It takes a much larger investment through social engineering to make this happen. So you kind of, you've weeded out a lot of the ransomware operators who are just doing it for giggles, and now we've got these groups that are organized crime who are financed either independently or by nation states, and they're still doing their thing, still going after the big whales. But is it, can we say that an upside to ransomware is that it forced everyone into better basic hygiene? Like how many people have multi factor authentication because of the fear of ransomware or because they actually got hit by ransomware?
A
What a terrible success story that is. If that's.
B
Yeah. Unintended consequence.
A
Yeah, well, I'll take that one. That's a good unintended consequence or intend. Yeah. On their part. Unintended.
B
Right.
A
But wouldn't, I mean, truly, the criminals are looking for the quickest buck or quickest coin. So if there are other methods that are now just so much easier for them to do, maybe they're also just walking away from ransomware because social engineering with AI is now so much easier.
B
True.
A
Yeah. I wonder if something's taking its place. I'm sure there is something.
B
Right. And you know, Maria, I don't have to run faster than the bear. I only have to run faster than you.
A
That's right. And I don't run very fast. As all our hacking humans listeners know. I click all the links. So, you know,
B
I am no speed demon myself.
A
Well, Dave, as we reflect on, on ransomware, anything that you wanted to close out with? Any thoughts there?
B
No, I think that's a great place to, to, to ransom it up, to wrap it up. That's a great place to wrap it up. Yeah. I mean, look, it's here to stay, certainly for the short term, and we'll. It'll be interesting to see how much AI actually affects it. But hold on to the bar because here we go. We're going. We're heading up the lift hill. And that's a look back at a decade of ransomware. My thanks to Maria Varmazes for joining me for the conversation. Thanks for listening. For more cybersecurity news, analysis and podcasts, check out our website, TheCyberWire.com. I'm Dave Bittner. We'll see you back here next time.
Date: May 31, 2026 | Hosts: Dave Bittner and Maria Varmazes (N2K Networks)
In this special edition marking ten years of the CyberWire Daily podcast, hosts Dave Bittner and Maria Varmazes examine the evolution of ransomware over the past decade. They reflect on how ransomware shifted from small-scale attacks to a global, high-stakes criminal enterprise, the impact on organizations and critical infrastructure, and the ongoing cat-and-mouse game between attackers and defenders. The episode blends expert recollections, notable breaches, industry trends, and speculation about the future of ransomware.
This special episode provides a thorough retrospective on ransomware's explosive evolution—from opportunistic petty crime, through industrial-scale, profit-driven attacks and into the realm of state-sponsored sabotage. The hosts’ reflections underscore both how far threat actors have come and how defenders—and society at large—have had to adapt. While some metrics might be improving, ransomware remains deeply embedded in the cybercrime landscape, with the future shaped by the emerging power of AI, policy gaps, and the relentless search for profit.