History of cybercrime: the era of modern ransomware – eGospodarka.pl

The second decade of the new millennium began with the growing popularity of ransomware and the use of cryptocurrencies to pay the ransom. In 2017, the world was shaken by WannaCry and Petya / NonPetya attacks, which paralyzed many companies and organizations. Fortinet experts present the fourth and final part of the history of cybercrime.

Also read:

History of Cybercrime: The Time of Organized Hacking Groups

2011/12: Reveton

Although Reveton became the benchmark for modern ransomware, it was not the first of its kind in the Internet age. Its appearance, the design of the lock screen, which contains detailed information about what happened, how to connect, pay the ransom and decrypt the files, inspired more cybercriminals.

2013: CryptoLocker – the emergence of cryptocurrency as a payment option
CryptoLocker was the first ransomware to require authors to pay with bitcoin. The price to decrypt the files in 2013 was two BTC between $ 13 and $ 1,100. Remember, this was a time when cryptocurrencies were still in their infancy. Getting non-technical victims not only to pay the ransom, but also to understand how to use cryptocurrencies in general has often been an insurmountable obstacle.

2013: DarkSeul and Lazarus
2013 was also a year of state-sponsored attacks. One of them was called DarkSeoul, which was used on March 20, 2013 to attack the Korean TV channel SBS and banking institutions in South Korea. At the same time, many users of Internet services, telecommunications companies and ATMs also suffered. The attack was linked to North Korea’s Lazarus organization, which attacked Sony in 2014, and stole classified information in response to a film “Interview” that mocked North Korean leader Kim Jong Un. The Lazarus team was also involved in the 2016 attacks on the Bank of Bangladesh. Although they tried to steal $ 951 million, they managed to get “only” $ 81 million.

2015: Browser Lock and Spoofing Fraud Support

The first technical support scams and browser lock options appeared in 2015. Such attacks mimic ransomware, causing victims to panic and call a technical support number provided to an organization in another country for technical support (as well as fraud) or simply pay in cryptocurrency to “fix” their system.

2016: The first IoT botnet is released
The popular Mirai was the first botnet to attack IoT devices, which were network routers as the main target. It was basically a DDoS botnet that was responsible for paralyzing much of the Internet after cutting off access to parts of services around the world.

Mirai was intrigued not only because she was innovative, but also because she was able to quickly build a global army of botnet members, which allowed her to redirect Internet traffic from infected systems to targeted sites around the world. This made it especially difficult to defend against him. Various variants of Mirai still work and, unfortunately, work well – also because the manufacturers of Mirai have made its code available to other criminals.

2017: ShadowBrokers (NSA), WannaCry, Petya / NotPetya
The leak of information from the US National Security Agency (NSA) caused by the ShadowBrokers group has had unprecedented and serious consequences – not only because it uncovered covert malware designed by people associated with the highest levels of the US government, but also because criminals used them effectively. These tools, code-named “Fuzzbunch”, formed the basis of operations developed by the NSA. Some used a malware known as DoublePulsar – a backdoor that includes the infamous EternalBlue operation.

It was then used to spread WannaCry and Petya / NotPetya ransomware with disastrous results. These options were so devastating that they shut down manufacturing facilities around the world. To date, no one has been able to attribute the breach / leak of ShadowBrokers membership to anyone.

2017: Cryptojacking
The connection between threats and cryptocurrencies was first used by them to pay ransomware for ransomware attacks or to steal wallets with virtual money. However, in 2018, there was a previously unknown threat.

XMRig is a program written to extract Monero cryptocurrency. It uses processor circuits to perform mathematical calculations used in cryptocurrency mining. However, cyber-gangs began secretly installing XMRig on the machines and devices under attack, and then collecting and consolidating mined cryptocurrencies for their own benefit.

2019: The emergence of GandCrab and ransomware as a service
GandCrab has launched a new phenomenon in cybercrime, which has led to an increase in the number and level of malware attacks by providing tools to create and implement paid ransomware attacks. The creators of GandCrab tried to achieve two goals: to be independent of real attacks on businesses and to make more money. Thus, they developed a business model known as Ransomware-as-a-Service (RaaS). All “dirty work” is done by people who have access to the tool, and its authors are left in the background and receive a part of the ransom paid – from 25 to 40%.

This proved to be beneficial for both parties, as the GandCrab authors did not have to risk finding and infecting victims, and the “partners” themselves did not have to spend time developing ransom programs.

The creators of GandCrab announced their retirement in June 2019 after earning $ 2 billion for themselves. They were then freely linked to the criminals behind Sodonikibi and REville, especially as part of the Colonial Pipeline attack in the summer of 2021. Other notable RaaS variants after GandCrab include BlackCat, Conti, DarkSide and Lockbit.


Fortinet experts point out that from 1971 to the early 2000s, most malware was used as a joke or as an attempt to test the work of virus creators. However, at the beginning of the century, this phenomenon developed into high-income cybercrime, as well as attacks by states. The meaning of the term “virus” has changed over the past 20 years to a modern “malware” that reflects the evolution of threats. It is no coincidence that these changes coincide with the development of the hyper-connected world we live in today. As we enter the next round, we can unfortunately assume that threats will still be directed at all fashionable or current trends and technical solutions.

Leave a Comment