CyberWire Daily - CyberWire Daily at 10: The evolution of ransomware. [Special Edition]
Episode Date: May 31, 2026
In this special edition of CyberWire Daily’s 10th anniversary series, N2K CyberWire's Maria Varmazis and Dave Bittner consider the tactics, trends, and turning points that shaped the threat landscape over the last decade of ransomware. Ransomware has evolved from small-scale extortion and opportunistic attacks to sprawling, sophisticated, organized crime and state-sponsored attacks. Cryptocurrency plays a pivotal role in enabling ransomware's growth by providing untraceable payment methods. Join us as we explore key incidents like WannaCry and NotPetya, the shift from street crime to organized and nation-state cyber threats, and AI's impact on the future of ransomware.
Transcript
You're listening to the Cyberwire Network, powered by N2K.
From nuisance attacks to billion-dollar criminal enterprises,
ransomware has transformed the cybersecurity landscape over the past decade.
The tactics have changed, the targets have changed,
and the stakes have never been higher.
I'm Dave Bittner.
In this special edition of the CyberWire podcast,
I'm joined by Maria Varmazis for a look back at ransomware's evolution over the last 10 years.
We'll explore how
attackers adapted their methods, how defenders responded, and what the history of ransomware
can teach us about the threats organizations face today. That's ahead on this CyberWire special edition.
All right, well, welcome back, everybody. It is my pleasure yet again to welcome Dave Bittner,
host of the CyberWire Daily, to speak with me today. Hi, Dave. Hello, good to be back. Yes,
good to see you, Dave. And we are, as we have been this past year, celebrating
10 years of the Cyberwire Daily, which again, what a feat. Congratulations, Dave.
It's hard to believe. Time flies when you're having fun. Oh, that's so sweet. So 10 years is a decent
amount of time. You know, blink of an eye for some and quite an age for others. And when I think of
the last 10 years, I'm pretty sure I've said this every conversation we've had. But to me, the true
story of the last 10 years in the cybersecurity realm has been ransomware. That is the number one thing
that I think of. So we're going to dedicate our time today to talking about ransomware how it has
changed extraordinarily over the last 10 years. And you've watched it all happen. So if we do our
Wayne's World, doing back 10 years. Yes. Yes. Ransomware was like back in 2016, 2017.
Yeah. How would you have described it back then for those that maybe have forgotten or weren't there
for this? Well, I mean, you know, when I started doing this every day, so 10 years ago,
You know, ransomware had been around for a while.
The idea of it had been around for a while.
But it becoming a business, people making their living off of it widely, was pretty new still.
And my recollection is that in the early days, it was what we would look back at now
and consider to be, you know, adorable small-time street crime versions of
ransomware, right? Someone would, they were targeting individuals. It was like, you know,
walking down the street and being mugged, except on your computer. People would get you for
$100 or a couple hundred dollars, but it really wasn't going to change your life very much.
Chances are you'd pay the ransom. Your files would be unlocked. You'd go about your business,
and that's what it was. Yeah. And there was often real money they asked for,
actual denominations of coin as opposed to crypto, right?
It was actual money.
Yeah, I mean, not that crypto's not, but you know what I mean.
Yeah, yeah.
And so that's the big thing that happened simultaneously,
which I would label as the accelerant for ransomware,
was cryptocurrency to have this unregulated global source of money,
a way to exchange money,
and to mix it and to trade it and to steal it
and all that stuff that you can do with crypto
that you can't do with, you know,
you can't do with Visa or MasterCard,
made it possible.
Yeah, yeah.
And there was also the accelerant of much more potent threats
that were doing much more damage
and casting a much wider net,
and I would be remiss if I didn't just say the word,
WannaCry.
I mean, it makes me want to cry,
it made us all want to cry.
Do you remember hearing about WannaCry for the first time?
Or do you remember that story unfolding?
Because that really was seismic.
It was, yeah.
It was 2017, I believe, that WannaCry happened.
And I think that was really the moment that ransomware became generally present for the general public.
People knew what ransomware was.
It wasn't just a niche thing anymore.
WannaCry, what did it get, about a quarter million computers all over the world,
but also what it got, you know, they disrupted hospitals and transportation systems and manufacturers.
So it was hitting people where they live, shutting down people's work and that sort of thing.
So really showed how ransomware could spread globally using unpatched vulnerabilities.
And it was an eye-opener for people all over the world.
You know, I think it's also worth just taking maybe a
half step back at that point of time. I remember right around that era, right around 2017,
interviewing people, experts in cybersecurity, who really thought ransomware was going to be winding down.
Yes, yeah.
Right?
Yep.
I remember it was just, it was a bit of a footnote in the threat reports that were coming out.
It was like, yeah, it's this thing, but don't worry about it.
You're fine.
Don't even think about it.
And what they thought the real threat was going to be crypto mining, because that was, I use air quotes, a victimless crime where you sneak into someone's computer and you have it run all night mining Bitcoin for you.
And they don't know it.
It doesn't really affect what they're doing.
So you're not going to attract law enforcement because you're not really hurting anyone other than using up their electricity.
But of course, that didn't happen.
It went completely the other way.
Yeah, because crypto mining takes some time.
And there are faster ways to acquire large amounts of cash, usually through crime.
So, yeah, WannaCry was, that was actually when I was in the hospital with my kid,
giving birth and the hospital systems were down.
I remember the hospital systems were down while you were giving birth?
Yep, I remember talking to the doctor, and he was like,
so what do you do for a living?
And I remember saying, you won't believe this, but this kind of thing is the stuff I'm kind
of concerned about in my day job. So it was very funny. So for me, WannaCry was tied to a baby
crying. Literally. Literally. Yeah. But I mean, WannaCry was moving on from the personal side.
It really was the, not an opening salvo, but I mean, it was that huge stone in the lake that
just had that ripple effect that just kept going. And then we have mentioned NotPetya a bunch
in the conversations we've had about the 10 year anniversary.
Feels inevitable that we should bring that one up again as well because that was another huge one
around the same time. Right. Right. And that one, you know, sort of blurred that line between ransomware
and destructive cyber operations. There are plenty of people who believe that that was more about
disruption than actually profiting. And of course, you know, caused billions of dollars in damages.
Global shipping was probably the place it hit hardest. And I think
you know, combining
WannaCry with NotPetya,
this is to extend
my metaphor to the breaking point,
this is where we
transition from street crime to
organized crime. Right, and also
nation-state malfeasance
potentially, which
is quite a paradigm shift.
And to me, that really
raised the stakes in kind of the
scariness factor of it all, to be totally honest.
Mm-hmm. Yeah, I mean,
countries like North Korea realize that
you know, they can fund big parts of their national operations by using ransomware on people
and it's become an effective, I'm sure it's a line item in their budget every year now.
That's crazy to think about.
And a point that you've made in the past, I'm just going to bring up your own good point, is also
what was considered a valid target for ransomware, whether or not they're actually specifically
going after infrastructure like health care
or just saying, we're going to get whoever we get,
it felt like there were no holds barred at that point.
And then it just became an all-out war, not to get too hyperbolic.
Yeah, I mean, I think, yes, you're right.
But I think it's important to look back at some of the nuance there
because, again, my recollection, which is certainly a bit fuzzy at this point.
But in the very beginning, it seemed like as ransomware hunting got bigger and bigger
and they were going after larger targets,
there were times when they hit hospitals,
in those initial first waves,
if, for example, they hit a hospital,
it seemed like that wasn't their intended target.
Some of the groups were apologetic,
immediately turned over the keys,
and said, this is not who we meant to hit.
We're sorry, we won't do that again.
And that didn't last very long before they completely flipped the script,
and they realized,
hospitals, I need to be up and running, so who better to pay the ransom quickly than a place
where there are actually lives on the line. And that continues to this day. It sure does.
And when we look back at the evolution of ransomware over the last 10 years, I think something that's
also noticeable is how the nature of the threat has evolved in, I hate calling it interesting,
because it's dangerous, but it is, as we analyze it, it's interesting,
from straight up extortion to extortion on several different levels,
not just I want your money, but also I have now your intellectual property.
That is to me darkly fascinating that that's what we ended up with.
Yeah, you're absolutely right.
I mean, we went from just locking up the files and saying,
if you want the key, please send us some money,
to both locking up and exfiltrating files.
And now plenty of groups don't even bother
to lock up the files. All they want to do is
exfiltrate the files and then they'll
say, hey, if you don't want these files
leaked and you don't want to suffer the
reputational damage, please pay us money.
And, you know, just
recently we saw the thing with
Canvas where it seems like Canvas
paid the ransom
in order to get their files
back. And people are,
how do I describe this?
They have, I guess, appropriate
skepticism when
the folks at Canvas are saying that the bad actors assured them and provided somehow proof that the files had been deleted.
Like, had a screen capture of someone emptying a trash can.
Yeah, you can't talk to that.
That's just, that's just science.
Yeah.
Right.
So I think that also, not to get too philosophical and out of our range of conversation here, but it really does become a who can you trust
conversation, right? Now, you can say it's not in the ransomware operator's best interest
to cheat you out of things because their business model is in part based on trust.
People won't pay them if they don't believe they're going to get their files back and
things won't be shared. So that's certainly a component of it. But what a strange world
where this has become a normal thing. We've seen some crackdowns with law enforcement,
but have we really made a dent?
There are no international treaties that say you can't attack hospitals, right?
There's no agreements over those sorts of things.
Cyber security-wise, yes.
Yeah, yeah.
Yeah.
Yeah.
And how interesting that kinetic warfare has those limitations,
and cyber warfare so far does not.
Yeah.
One of the many gaps in policy.
The list is very long.
But yeah, it's,
ransomware is just so fascinating to me
when I think about how it has proliferated
with kits that are making it just brain dead easy
for it to be deployed
and for these campaigns to work so well.
You were mentioning Canvas
and that it seems like they paid the ransom.
In your recollection, has the advice at all changed
in sort of common parlance about what to do
when you're hit with this?
Because the reason I ask
is I want to say at the beginning it was a we don't negotiate with terrorists kind of thing.
And then it shifted to it's just the cost of doing business.
And now I'm not really entirely sure what the consensus is on this.
Yeah.
I mean, your guess is as good as mine because I think there's a lot of stuff going on behind the scenes
that we'll never see or never know about because there's a lack of mandatory reporting.
A plane crashes and there's a whole investigative regime that comes into place to find out what happened.
Someone gets hit with ransomware and if they're not a public company, they don't necessarily have to disclose that it ever happened.
Though they quietly contact their insurance company who they have a conversation, decide what's the cheapest way for us to get out of this and away we go.
There have been plenty of cases, I'm sure you've heard of too, where something happens with a
company and they go down for a few days and nobody says what's going on, and everybody assumes
it's ransomware, but the systems come back up and everybody just kind of moves on with their life,
and we'll never really find out what happened. So, you know, there's a lot of that. And truly, it,
I, I suppose my question was unfair because it also matter, it depends on who's been targeted and
in what nature, right? I mean, there's all these, there's all this nuance that we can't possibly capture
question, so sorry for the terrible question, Dave.
Oh, Maria. Your questions are never terrible.
Well, I was just thinking, you know, if it's a business where nobody wants their IP
compromised. Nobody wants this, obviously. But if, you know, if it's some, if it's data that
potentially gets locked up that you get unlocked, putting this broadly, that's one thing.
If it hits a critical infrastructure that's going to really material impact, materially impact
someone's lives. So hospitals, energy, we've seen that before with the Colonial Pipeline ransomware,
right? And I've just something where, you know, people are not going to be able to live as opposed to,
oh, it's just a business problem. Right. Then the calculus is, of course, going to be completely
different. I don't know where I'm going with this. So, well, I mean, so if you, I've certainly played
through this in my mind many times, as I know you have as well. I think if you're a ransomware
operator, you don't want to be the person who accidentally turns out the lights of the entire
U.S. Eastern seaboard, right? Because that's how you get a missile through your front door.
But the street cred, Dave. The street. Yeah, you will live in infamy. That's for sure.
You sure will. Yeah. Yeah. Right. You know, the flip side of this is I have half jokingly wondered,
and I know I've shared this with you before, of how many people
in InfoSec secretly have a backup plan if retirement doesn't work out for them, that they're just
going to adopt low-level nuisance ransomware to fill the gap in between to make ends meet.
Listen, if AI's coming for all our jobs, you know.
Right.
So I call it nuisanceware, just not enough to get law enforcement involved, but enough to make a
difference in an individual person's life.
And I joke about it, but who knows?
Yeah, the flip, living in the gray zone, living between the white and the black,
it's a whole philosophical discussion that can get very interesting.
Yeah, yeah.
Anyway, that's a different rabbit hole.
We can go down that one for a different conversation.
I know that we're getting close to time, so your thoughts on where it's going with ransomware,
not that you necessarily know better than anybody else, but, you know, I'm curious your
thoughts on this.
Well, it seems like it's trending in a good way, or maybe at least it's not good, you know,
doesn't seem to be getting worse anymore.
The numbers are going down in terms of the number of attacks
and the amount of money that the bad guys are getting.
It's still a lucrative business.
I wonder how much of the decrease is due to the fact
that so many people have updated their basic hygiene,
that the low-hanging ransomware fruit just isn't there anymore.
It takes a much larger investment through social engineering to make this happen.
So you've weeded out a lot of the ransomware operators who are just doing it for giggles.
And now we've got these groups that are organized crime who are financed, either independently or by nation states.
And they're still doing their things, still going after the big whales.
But is it – can we say that –
that an upside to ransomware is that it forced everyone into better basic hygiene? Like how many people
have multi-factor authentication because of the fear of ransomware or because they actually got hit
by ransomware? You know, what a terrible success story that is if that's... Yeah. Yeah. Unintended consequence.
Yeah, well, I'll take that one. That's a good unintended consequence or intent. Yeah, on their part,
unintended. Right. But wouldn't, I mean, truly the criminals are looking for the quickest buck or quickest coin.
So if there are other methods that are now just so much easier for them to do,
maybe they're also just walking away from ransomware because social engineering with AI is now so much easier.
True.
Yeah.
I wonder something's taking its place.
I'm sure there is something.
Right.
And, you know, Maria, I don't have to run faster than the bear.
I only have to run faster than you.
That's right.
And I don't run very fast.
As all our Hacking Humans listeners know, I click all the links.
So, you know.
I am no speed demon myself.
Well, Dave, as we reflect on ransomware, anything that you wanted to close out with?
Any thoughts there?
No, I think that's a great place to ransom it up.
To wrap it up.
That's a great place to wrap it up.
Yeah.
I mean, look, it's here to stay, certainly for the short term.
And it'll be interesting to see how much AI actually affects it.
but hold on to the bar because here we go.
We're going, we're heading up the lift hill.
And that's a look back at a decade of ransomware.
My thanks to Maria Varmazis for joining me for the conversation.
Thanks for listening.
For more cybersecurity news analysis and podcasts,
check out our website, thecyberwire.com.
I'm Dave Bittner.
We'll see you back here next time.
