Evolution and Impact of Ransomware: Patterns, Prevention, and Recommendations for Organizational Resilience

Ransomware, in its Crypto or Locker forms, poses a significant threat to fundamental computer systems and infrastructures, with the primary goal of extracting financial gain from victims through ransom demands for decryption keys. This paper delves into the evolving landscape of ransomware, a persistent and advancing form of malicious software. It explores the development, patterns, and methods of ransomware attacks, scrutinizing their impact on organizations over time. In addition, this study examines the root causes of ransomware's organizational impact and evaluates its evolving scales. The investigation also addresses proactive measures organizations can adopt, aligned with cybersecurity standards, to enhance preparedness and awareness. Additionally, the study provides recommendations and preventive measures to mitigate the challenges posed by ransomware attacks.


Vol 14, Issue 1, (2024) E-ISSN: 2222-6990

Introduction
The relentless evolution of malware poses a significant challenge to cybersecurity, with ransomware emerging as a pervasive and destructive threat. Malicious software, designed to disrupt electronic devices, continuously evolves, hindering mitigation efforts. The lack of public disclosure regarding malware attacks, driven by concerns about sensitive information and potential damage to reputation, obstructs collaborative prevention efforts and hampers comprehensive research (Holt & Bossler, 2017; Kapoor et al., 2021). Within this landscape, ransomware stands out as a specific form of malware, strategically employed by hackers to encrypt files and demand ransom. The history of ransomware dates back to the late 1990s, evolving in sophistication and impact over the years (Alqahtani & Sheldon, 2022). This study explores the multifaceted impact of ransomware on organizations, delving into patterns, prevention strategies, and recommendations for enhancing organizational resilience. Ransomware, often initiated through phishing attacks exploiting human vulnerabilities, can inflict profound harm on organizations. Beyond financial extortion, it holds organizations criminally accountable for data breaches, compromises technical weaknesses, and can cripple essential resources during an attack. The escalating frequency and sophistication of ransomware attacks underscore the urgent need for organizations to fortify their cybersecurity defences and cultivate resilience in the face of this escalating cyber threat (McAfee, n.d.; Alqahtani & Sheldon, 2022). As ransomware operators refine their disruptive tactics and intensify attacks on critical assets, organizations must proactively adapt, prioritize defence strategies, and mitigate potential disruptions to safeguard their digital infrastructure (Alqahtani & Sheldon, 2022). The escalating prevalence of ransomware, fuelled by low entry barriers and the allure of high rewards, demands a comprehensive understanding of the evolving cyber threat landscape and a strategic shift towards proactive defence mechanisms (Accenture's CIFR team; Alqahtani & Sheldon, 2022).
In this context, this study aims to address the overarching problem statements, which are ransomware's emergence as a significant cyber threat across sectors, the role of human error in facilitating ransomware attacks, and the critical need for organizational resilience in the face of escalating cyber threats. In cybersecurity, the persistent evolution of malware poses an ongoing challenge, constantly testing mitigation efforts. The secrecy enveloping malware attacks, fueled by concerns over sensitive information and potential reputational damage, not only impedes research but also complicates the development of effective countermeasures (Holt & Bossler, 2017; Kapoor et al., 2021). This veil of secrecy extends to ransomware, a potent form of malware encrypting files and demanding a ransom for access. Originating in the late 1990s, ransomware has transformed into a sophisticated tool, initiating a digital arms race between cybercriminals and defenders (Alqahtani & Sheldon, 2022). This paper delves into the historical context, patterns, and preventive strategies against ransomware, intending to enhance understanding and fortify organizational resilience against this continually evolving threat.
The objectives of this research are as follows:
• To investigate how ransomware has evolved in terms of its development, attack patterns, and methods employed by attackers.
• To assess the potential impact of ransomware on important infrastructure, including industrial control systems and key sectors like healthcare and transportation.
• To explore proactive cybersecurity measures that organizations can adopt to enhance preparedness and awareness regarding ransomware threats.

Evolvement of Ransomware
Ransomware, a significant threat to users' file access, demands payment for restored control, recognized as a global crisis impacting diverse businesses (Muslim et al., 2019). The first ransomware, AIDS Trojan, or PC Cyborg, emerged in 1989, initiating the malicious software trend, but its attempt to extort users was hindered by limited computer usage. Subsequent developments, including asymmetric ransomware, faced payment challenges, leading to the creation of a deceptive antivirus to protect developers' identities (Muslim et al., 2019). Ransomware attacks, driven by financial motives, globally employ vectors such as email, spam, and phishing (Pascariu & Barbu, 2019), complicating tracking due to their use of virtual currencies like Bitcoin for ransom payments. Various notable ransomware variants, including BadRabbit, BitPaymer, Cerber, Cryptolocker, Dharma, DoppelPaymer, GandCrab, Locky, Maze, MeduzaLocker, NetWalker, NotPetya, Petya, REvil, Ryuk, SamSam, and WannaCry, contribute to this evolving threat landscape (CrowdStrike, 2022). Ransomware, differing from conventional malware, stands out with explicit actions of system locking, file encryption, and ransom note display, conveying infection details and the required ransom for recovery (Swami et al., 2021). Its attack cycle encompasses stages like exploitation, infection, delivery, execution, backup tampering, file encryption, user notification, and cleanup (Pascariu & Barbu, 2019).
The surge in ransomware is linked to its adoption by cybercriminals pursuing notoriety and financial gains, aligning it with crimeware, a category of malicious software for criminal internet activities and cyber extortion (Zakaria et al., 2017). The intricate recovery process from ransomware, compounded by its categorization as scareware, underscores the multifaceted challenges posed by this cyber threat (O'Kane et al., 2018). Despite the frequent release of numerous ransomware variants, each derived from its forerunner, the classification of ransomware families remains pivotal for effective response strategies (Kiru & Jantan, 2020).
Transitioning to the modern era, Trojan.Gpcoder, a ransomware variant featuring a flawed symmetric encryption mechanism, emerged. Disseminated through deceptive spam emails masquerading as job applications, it represented one of the initial instances of ransomware crafted by Russian criminal organizations, impacting individuals in Russia and neighboring nations (Cawley, 2016). Later, an upswing in ransomware popularity brought forth Trojan.Cryzip and Trojan.Archiveus. While the former generated password-protected archives of data files, the latter demanded a drug purchase from designated online pharmacies for password retrieval, reflecting early efforts to monetize ransomware (Kiru & Jantan, 2020; O'Kane et al., 2018). Afterward, Locker Ransomware went global, presenting explicit images and demanding payment through SMS or premium phone calls, extending ransomware attacks from Russia to the United States and Europe (Richardson & North, 2017). Later, the Trojan variant GPcode employed a 1024-bit RSA key and requested payment in e-gold or Liberty Reserve, showcasing early sophistication in ransomware operations and payment methods (Richardson et al., 2017).
In 2011, a significant surge in ransomware incidents occurred, driven by the establishment of anonymous payment methods, with a quarterly rise in new samples showcasing the escalating threat and adaptability of ransomware developers (Richardson et al., 2017).
In 2013, a resurgence in crypto ransomware emerged, overshadowing locker ransomware and showcasing increased potency in notable variants demanding $300 in payment, signaling a shift in ransomware preferences (Richardson et al., 2017). The infamous CryptoLocker, credited to hacker Slavik in August 2013, marked a milestone, utilizing victims' cryptographic keys for encryption and propagating through the Gameover ZeuS botnet via deceptive emails. Its three-day payment window, demanding one Bitcoin, and alternative payment options like MoneyPak and Paysafecard reflected a strategic shift in ransomware tactics. Operation Tovar, a collaborative effort, successfully shut down CryptoLocker's servers, providing victims with free decryption services. CryptoDefense, earning $34,000 in its debut month, and the evolved CryptoWall, exploiting a Java vulnerability and leading to a nearly one-million-dollar ransom payment, further underscored the evolving landscape of ransomware threats (Hassan, 2019; Richardson et al., 2017).
The rise of ransomware-as-a-service allowed attackers to build ransomware through Tor-accessible websites, exemplified by LockerPin targeting Android devices, highlighting the expanding reach of ransomware. The Cyber Threat Alliance estimated total ransomware damage at $325 million, and identified Linux.Encoder.1, which targets Linux-based systems (Hassan, 2019; Richardson et al., 2017). Locky ransomware's update, coupled with FBI estimates of $209 million in ransomware revenue for Q1 2016, emphasized the financial success of such attacks, with notable variants including TorrentLocker, CryptoWall, and CTB-Locker (Richardson et al., 2017). The trend of enhancing existing strains rather than creating new ones was showcased by the emergence of Goldeneye and Petya (NotPetya) (Richardson et al., 2017). In 2020, Ragnar Locker attacked CWT, leading to a ransom payment after compromising confidential files and impacting 30,000 enterprise computers (Ahmed, 2019).
The seventh-largest U.S. commercial insurer, CNA Financial, experienced a sophisticated cybersecurity attack orchestrated by the Phoenix group, using the Phoenix Locker ransomware (Ali, 2017; Ahmed, 2019). Law enforcement and cybersecurity firms, such as Symantec, are increasing efforts against ransomware, leading criminals to adapt. The use of Tor, the Invisible Internet Project (I2P), and cryptocurrencies like Bitcoin is growing, complicating tracking efforts. Ransomware, expanding to Apple and Android systems, poses threats to the Internet of Things (IoT), evident in attacks on smart thermostats and mobile devices. Researchers showcasing control over moving vehicles highlight the potentially life-threatening consequences of ransomware, emphasizing the need for vigilance (Ahmed, 2019; Ali, 2017; Richardson et al., 2017).
Targeting businesses for lucrative gains, cybercriminals leverage the low-risk, high-reward model of crypto-ransomware. Osterman Research, Inc. reveals that 79% of U.S. corporate organizations faced ransomware incidents where the prime targets include the healthcare, financial services, manufacturing, and government sectors (Ali, 2017; State of Ransomware, 2016). The aftermath extends beyond financial demands, with reported disruptions, employee reliance on personal devices during downtime, and revenue losses. The emerging tactic of threatening to make stolen files public adds complexity and potential embarrassment for victims (Richardson et al., 2017). Continually refining their techniques, ransomware perpetrators incorporate delayed notifications, threaten public exposure, and utilize alternative attack methods. SVG files and Word macros had also been used as additional offensive tools (Gallagher, 2016c; Rosenquist, 2016). Recent developments indicate a regionalized focus, with businesses capable of substantial ransom payments being prime targets. Criminals employ detection-evasion tactics, including CAPTCHA tests, showcasing the increasing sophistication of their operations (Constantin, 2015; Mohammad, 2020). North Korea's attack on Sony Pictures demonstrated the potential use of ransomware as a weapon, emphasizing the need for robust cybersecurity measures to counter its weaponization (Ali, 2017).
Understanding the history of ransomware reveals conflicting accounts regarding its origins and spread, with some attributing it to Russia and Eastern Europe and others presenting different timelines and origins, creating a nuanced narrative that underscores the evolution from unsophisticated attacks to sophisticated, targeted operations and the need for a comprehensive understanding of its historical context (Maurya et al., 2018). The inception of ransomware witnessed a shift in cybercriminal tactics, including luring users to malicious websites and encrypting files for extortion. Concurrently, ransomware strategies evolved towards regionalized attacks on financially robust businesses, with criminal groups strategically targeting sectors, employing malware encryption and data exfiltration, compelling companies to balance hefty ransom payments against the risk of exposing sensitive information (Maurya et al., 2018; Ozer et al., 2019). Understanding this evolution, monitoring ransomware patterns, and assessing their impact on the Bitcoin ecosystem are crucial for analyzing and mitigating cyber threats, emphasizing the interplay between ransomware attacks and cryptocurrency transactions (Turner et al., 2020).
Ransomware imposed a staggering $20 billion global economic cost, projected to reach $265 billion by 2031, reflecting its exponential growth and financial impact (Kochovski, 2021). This underscores the urgent need for robust cybersecurity measures and proactive strategies to combat the increasing sophistication and financial repercussions of ransomware attacks.

Impact on the Organization
Despite increasing awareness of ransomware threats, businesses, irrespective of size or industry, remain inadequately prepared, making them lucrative targets for cybercriminals; with a focus shift to smaller enterprises, these attacks have become more widespread and destructive annually (Zakaria et al., 2017). Malwarebytes' study reveals alarming facts, indicating that nearly one-fifth of businesses experienced ransomware attacks and over a third reported financial losses, emphasizing the urgent need for enhanced cybersecurity measures and proactive strategies to counteract the escalating threat landscape (Maurya et al., 2018; Yuryna Connolly et al., 2020). Ransomware employs diverse methods of attack, including exploit kits, malicious email attachments, and links, with victims often receiving spam emails notifying them of computer lockdowns (Maurya et al., 2018; Kiru & Jantan, 2020). Opening email attachments or clicking on malicious links can lead to automatic ransomware downloads, compromising systems and files, followed by ransom demands (Richardson & North, 2017; Kiru & Jantan, 2020). Phishing, especially spear phishing, remains a prevalent technique, enabling criminals to gather sensitive information for potential public exposure, while drive-by downloads exploit software vulnerabilities to secretly infect systems (Connolly et al., 2020; Hassan, 2019). The consequences of ransomware attacks are profound, encompassing short-term disruptions in operations, productivity losses, mitigation expenses, and ransom payments, as well as potential long-term impacts like revenue decline, brand reputation damage, employee layoffs, client and partner loss, and, in extreme cases, business shutdowns (Hassan, 2019). Ransomware incidents have inflicted significant financial losses on major organizations, such as FedEx's reported $300 million due to NotPetya in 2017 and Atlanta spending over $2.6 million on a SamSam ransomware attack in 2018, while Cognizant Technology Solutions reported reduced profitability in 2020 following a Maze ransomware assault, and the City of Baltimore spent over $18 million rebuilding its IT network after a SamSam attack (Hassan, 2019). Despite the proliferation of scholarly research on ransomware focusing on technical aspects, including detection and prevention systems, a paucity of research examines the socio-technical dimensions or the experiences of victimized organizations, emphasizing the need for comprehensive preventative measures (Yuryna Connolly et al., 2020; Holt & Bossler, 2017; Hassan, 2019). While the frequency of ransomware attacks against enterprises is increasing, it remains challenging to measure accurately, with varying statistics globally, indicating the complex nature of cybercrime victimization and the evolving threat landscape (Alshaikh et al., 2020; Shalaginov et al., 2020; Ahmed, 2019). Small and medium-sized enterprises (SMEs) often underestimate their vulnerability, with the entrepreneurial nature of SMEs contributing to risk-taking behavior, underscoring the importance of acknowledging equivalent risk levels and implementing robust cybersecurity measures (Bamrara, 2018; Smith, 2017; Kurpjuhn, 2015). Ransomware attacks have shifted from opportunistic targeting of individuals to more lucrative and targeted assaults on larger organizations, with perpetrators focusing on sectors like government, military, education, research, healthcare, retail, and wholesale (Bamrara, 2018). Despite no clear correlation between organization size and cybercrime victimization rates, larger organizations may face higher infection risks due to human errors (Bergmann MC, 2017; Richardson & North, 2017). The decision to pay a ransom remains a complex dilemma, with the threat's psychological impact often as potent as the actual malware damage (Muslim et al., 2019; Kumar et al., 2016).
Businesses, especially those in the financial sector, emergency services such as law enforcement, fire departments, hospitals, and private sector organizations are prominent targets for ransomware attacks due to the valuable data they hold, the potential for significant consequences, and the vulnerabilities in their security systems, leading to potential financial losses, reputational damage, and customer loss (Maurya et al., 2018; Shalaginov et al., 2020; Kumar et al., 2016; Connolly et al., 2020).
In 2021, more organizations experienced ransomware attacks compared to 2020, possibly driven by the ransomware-as-a-service model's popularity, which lowers technical barriers. The encryption success rate rose, and the extortion-only attack incidence dropped, indicative of an evolving and more challenging threat landscape (Sophos, 2021; Kumar et al., 2016; Shalaginov et al., 2020). The impact of ransomware extends beyond financial costs, for instance, significant disruptions to operations, loss of business/revenue, and expenditure for mitigation (Kumar et al., 2016; Shinde et al., 2016; Sen & Chourey, 2020). Recovery times varied, with higher education and central/federal government sectors taking over a month, while manufacturing and financial services recovered the fastest, emphasizing the importance of comprehensive recovery planning (Sen & Chourey, 2020). Notably, most organizations relying on backups and cyber insurance for protection lack preventative measures, highlighting the need for updated defense strategies (Kumar et al., 2016). The escalating threat of ransomware is evident in the doubling of affected organizations with improvements in response capabilities; however, the average proportion of encrypted data restored post-payment has fallen and the incidence of victims paying ransomware has nearly tripled. Addressing this challenge requires strategic investments in technology, skills, and knowledge, as simply allocating resources is insufficient (Shinde et al., 2016; Sen & Chourey, 2020; Kumar et al., 2016). Notably, cyber insurance plays a crucial role in mitigating financial risks, but the increasing difficulty in obtaining coverage prompts organizations to enhance their cyber defences to bolster their insurance position (Sen & Chourey, 2020). The global impact of ransomware is exemplified by significant incidents such as the 2019 RobinHood attack on Baltimore, the 2021 Colonial Pipeline ransomware outbreak, and the 2021 Health Service Executive attack in Ireland, underscoring the pervasive and damaging nature of these attacks across diverse sectors (Yilmaz et al., 2022; Shalaginov et al., 2020). In 2022, the Ministry of Finance of Costa Rica experienced a ransomware attack, causing economic disruptions, even though the government refused to negotiate, highlighting the ongoing challenges posed by these threats (Shalaginov et al., 2020).
The US financial institutions paid more ransomware-related payments than in previous years, signalling the escalating impact of ransomware, particularly from Russian criminal groups (Gillum, 2022). Regarding the impact of ransomware on organizations (Shinde et al., 2016), potential ramifications include business shutdowns for days or weeks, loss of sales and client confidence, the challenging decision of whether to pay the ransom, reputational damage, and regulatory fines, as illustrated by the recent ransomware attack on Continental, a German international automobile business, by the LockBit group. This case involves the theft of information, threats of online exposure, and potential negotiations or resistance to complying with the ransom demands, reflecting the complex and damaging nature of contemporary ransomware attacks (Shalaginov et al., 2020; Smith, 2022).

Implementation and Analysis
The survey was published online at allcounted.com with the intention of receiving at least 50 responses from working adults; 77 attempts were received. Only 58 of the 77 respondents completed the survey, and the discussion data are drawn solely from those 58 completed surveys, filtered to working adults in the 'Public Sector, Private Sector & Own Business' categories only. The filter returned 53 respondents. The data used in the rest of this discussion are based on these 53 respondents only.

Demographic Data
The survey was completed by employed adults from various sectors. It is observed that 83.02% of the contributions come from working individuals in the 'Private Sector'. The remainder is from 'Own Business', and the lowest share is from the 'Public Sector'. From this it can be concluded that the 'Private Sector' will have the major influence over the topic discussions. Demographic data is presented in Table 1.

Table 1 Summary of Survey Result from Section A (Demographic Data)
Evolvement of Ransomware
There are a total of six questions presented to assess the awareness level of working adults; the results are positive, with most respondents providing positive responses, which shows they are aware of what 'Ransomware' is. The exception is one question pertaining to the inception of 'Ransomware', Question 10, where a high percentage (75.47%) of respondents did not know that ransomware has existed since 1989. The breakdown of the six questions and a summary of the responses are given in Table 2.
The awareness level of working individuals is measured using a total of six questions; most respondents gave favourable answers, and the results are encouraging, which demonstrates their knowledge of what "ransomware" is. With the exception of one question about the origins of "Ransomware" in Question 10, it was found that a substantial portion of respondents (75.47%) were unaware that ransomware had been around since 1989. Table 2 provides an overview of the six questions that were asked and a summary of the answers.

Preventive Measures
A total of six survey questions about "Ransomware" were developed by "Deloitte" and given to fifty-three working adults. Remarkably, positive answers to most of the queries show that the company is in fact well-prepared for "Ransomware" attacks. "Deloitte" cyber security experts strongly advise the mitigating techniques that are identified in the survey. Presumably, most of the companies that participated in the study, especially those from the "Private Sector," showed that they had adequate safeguards in place to guard against cyberattacks. The results are summarised in Table 3.

Impact to the Organisations
Eight questions from "ransomware.org" were posted in order to get opinions on "Ransomware impact to the organisation," and Table 4 shows the varied opinions of working adults that were obtained. Most of the responses relevant to the recommended answer have received a higher percentage, indicating that the impact is well understood by the organisations and that mitigation is in place for most organisations. Those working adults understand what 'Ransomware' is and the impact associated with it.

Conclusion and Recommendations
Conclusion
It is hardly surprising that ransomware will evolve over the next few years. If ransomware is not taken seriously, it will be more than simply software capable of disrupting an entire organisation's infrastructure; it will have the power to disable an entire city or perhaps a country until the desired ransom is paid (Muslim et al., 2019). Cyber criminals are likely to employ tactics such as hacking industrial control systems (ICS) and other key infrastructure in order to disable ecosystems rather than just networks. Payment systems such as eBay are among the few possible targets for cyber attackers. In 2016, there was a transit attack in which ransomware targeted a service provider's kiosk. Ransomware has already targeted hospitals and transportation providers. In the future, attackers will be able to target larger targets such as industrial robots that are frequently utilised in manufacturing or infrastructure sectors that connect smart cities (Muslim et al., 2019).
Ransomware can be costly and devastating to a company that does not actively protect itself or is unprepared for the consequences of an attack. As this form of attack becomes more common and evolves, it is vital that organisations are aware of the most recent effective attack patterns and what they can do to avoid vulnerability. Organizations can reduce the likelihood of a successful ransomware attack and limit related risks in terms of response effort, downtime, costs, organisational impact, and reputation damage by implementing best-practice recommendations.

Recommendations
Ransomware has evolved over time because of the lucrative method of forcing victims to pay a ransom. It is worth noting that we can implement preventive procedures in our organisations to deal with such situations if they emerge. The following are highly suggested preventive measures that an organisation should prioritise (Deloitte, An anti-ransomware strategy, 2020):
1. Implement and configure an email gateway to scan and block malicious email, including embedded links and attachments.
2. Implement URL filtering and blocking on organisation networks that have access to public networks.
3. Implement Sender Policy Framework ("SPF") and Domain-based Message Authentication, Reporting & Conformance ("DMARC"), which can reduce incoming spoofed emails.
4. Configure the organisation firewall to block malicious IP addresses.
5. Provide cyber security awareness training once a year, with emphasis on cyber incidents.
6. Employees should be randomly tested to see if they are vulnerable to phishing campaigns, and if so, further resources and training should be provided to those who struggle.
7. Tag external emails with a notice that they come from outside the organisation to raise employee awareness.
8. Implement Business Continuity & Incident Response Plans.
9. Incorporate Endpoint Detection & Response (EDR) with Antivirus.
10. Take regular, frequent backups of important data.
11. Review the access controls.
12. Patch unpatched systems regularly.
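The SPF and DMARC recommendation can be verified from published DNS records. The following is an added example, not code from this paper or from Deloitte: it audits SPF and DMARC TXT records for settings that leave spoofed mail unblocked. The function names, finding codes, and the `.example` records are constructed for illustration.

```python
import re

# SPF terms that cost a DNS lookup during evaluation; RFC 7208 caps these at 10.
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
SPF_LOOKUP_LIMIT = 10


def audit_spf(record):
    """Return (code, detail) findings for one SPF TXT record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return [("SPF_INVALID", "record does not start with v=spf1")]
    lookups, all_qualifier, has_redirect = 0, None, False
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"  # '+' (pass) is the default
        name = re.split(r"[:/=]", term.lstrip("+-~?").lower(), maxsplit=1)[0]
        if name in SPF_LOOKUP_TERMS:
            lookups += 1
        if name == "redirect":
            has_redirect = True
        if name == "all":
            all_qualifier = qualifier
            break  # 'all' always matches, so later terms are never evaluated
    findings = []
    if all_qualifier is None and not has_redirect:
        findings.append(("SPF_NO_ALL", "no 'all' term: unlisted senders get a neutral result"))
    elif all_qualifier == "+":
        findings.append(("SPF_PASS_ALL", "'+all' authorises every sender"))
    elif all_qualifier == "?":
        findings.append(("SPF_NEUTRAL_ALL", "'?all' makes no statement about unlisted senders"))
    elif all_qualifier == "~":
        findings.append(("SPF_SOFTFAIL", "'~all' flags unlisted senders but does not fail them"))
    if lookups > SPF_LOOKUP_LIMIT:
        findings.append(("SPF_LOOKUP_LIMIT", f"{lookups} DNS lookups; evaluation ends in permerror"))
    return findings


def audit_dmarc(record):
    """Return (code, detail) findings for one DMARC TXT record."""
    parts = [p.strip() for p in record.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return [("DMARC_INVALID", "record does not start with v=DMARC1")]
    tags = {}
    for part in parts:
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    policy = tags.get("p", "").lower()
    if policy not in {"none", "quarantine", "reject"}:
        return [("DMARC_INVALID", "missing or unknown p= policy")]
    findings = []
    if policy == "none":
        findings.append(("DMARC_MONITOR_ONLY", "p=none: receivers are asked to take no action"))
    else:
        pct = tags.get("pct", "100")
        if pct.isdigit() and int(pct) < 100:
            findings.append(("DMARC_PARTIAL", f"pct={pct}: policy covers only part of failing mail"))
        if tags.get("sp", policy).lower() == "none":
            findings.append(("DMARC_SUBDOMAIN_NONE", "sp=none: no enforcement for subdomains"))
    if "rua" not in tags:
        findings.append(("DMARC_NO_REPORTS", "no rua= address: no aggregate reports are sent"))
    return findings


# Constructed sample records (reserved .example names, documentation IP range).
SAMPLES = {
    "weak.example": ("v=spf1 include:_spf.mailhost.example ~all",
                     "v=DMARC1; p=none"),
    "strict.example": ("v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all",
                       "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@strict.example"),
}


def audit_domain(spf, dmarc):
    """Combine both audits; an empty list means no weak setting was found."""
    return [code for code, _ in audit_spf(spf) + audit_dmarc(dmarc)]


if __name__ == "__main__":
    for domain, (spf, dmarc) in SAMPLES.items():
        print(domain, audit_domain(spf, dmarc) or "ok")
```

In practice the two record strings would come from TXT lookups on the domain itself (SPF) and on its `_dmarc` subdomain (DMARC).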

Table 2 Summary of Survey Result from Section B (Evolvement of Ransomware)

Table 3 Summary of Survey Result from Section C (Preventive Measures)

Table 4 Summary of Survey Result from Section D (Impact to the Organisation)