Before I get to the blog post, I want to remind you all that I currently have a crowdfunding campaign set up for my 1950s radio serial detective cum ransomware investigator comic book, Your’s Truly, Johnny Dollar. I’d appreciate it if you could back and share the campaign between now and July 5th.
And now…on to the blog post!
At its most basic level, the etymology of ransomware is simple: it is a portmanteau of ransom and malware. In fact, early in the use of the term, many would capitalize the W, making it RansomWare, rather than the commonly used spelling today, ransomware.
But, etymology is more than just how a word was originally formed. Etymology looks at how a word has evolved and continued to evolve over time. As ransomware threats continue to evolve the meaning of the term has changed. I think we are now at an “etymological crossroad” (which doesn’t appear to be a real term in etymology, so look at me contributing to a whole new field) in the use of the term ransomware.
I want to note that I am writing this entirely from the point of view of someone who has been a defender against ransomware for as long as it has been around (minus some very early, focused campaigns). The “people” who carry out ransomware attacks have their own language for describing what we call ransomware. The evolution of that language is also worth studying, but it is outside the scope of this blog post.
This post stems from a very good Emsisoft blog post discussing 2022 ransomware trends. The blog post ends with this section:
On a final note, we believe the time has come to retire the term “ransomware.” Historically, the word was used to describe the malicious software which is used to lock data so that a ransom can be demanded to unlock it. Early ransomware attacks were simple and mostly automated. However, today’s attacks are often complex, human-directed events in which data is exfiltrated and encryption, if it happens at all, is the very last step in the attack chain. To put it another way, attacks can be exfiltration-only, even when carried out by groups that usually encrypt data – and that means we have ransomwareless attacks by ransomware groups. This creates confusion as to what should and should not be counted as a “ransomware” attack for the purpose of statistics.
A better way of thinking about incidents is simply “data extortion events.” “Encryption-based data extortion” and “exfiltration-based data extortion,” which are not mutually exclusive, are subcategories to that. These descriptors may not be ideal replacements for “ransomware,” but we are sure that somebody can come up with better alternatives.
Emsisoft is not wrong, in fact Mandiant has started using the term Multifaceted Extortion Attacks (though, curiously, they took down the original post explaining their reasoning). Ransomware attacks, as they always have, continue to evolve. The question really is: do we need a new term or do we just accept that the meaning of words changes and we have an evolving definition of ransomware?
There is an excellent paper from 2005 written by John Canavan, then of Symantec, called The Evolution of Malicious IRC Bots.[1] Unfortunately, the paper doesn’t seem to be online anywhere, but you might be able to request a copy here (you can also email me and I will send you a copy). In the paper Canavan describes “RansomWare” as:
With the recent emergence of Trojan.GPCoder, the door is open for the emergence of more complex “RansomWare” threats. Trojan.GPCoder encodes all files on the infected system which match a specific list of file extensions. The Trojan creates the file ATTENTION!!!.txt in each directory in which it encoded a file. The text file contains the following ‘ransom’ demand.
Example 26: ‘Ransom’ demand created by Trojan.GPCoder
Some files are coded.
To buy decoder mail: [user]@yahoo.com with subject: PGPcoder 000000000032
GpCoder was not using a very robust encryption method, and files can be decrypted using fixtools released by the major Anti-Virus firms. However if this technique were to be implemented correctly, and combined with the power of the IRC botnet results could be devastating.
In 2005 “RansomWare” was understood to be a type of malware that encrypted files on an infected system, delivered via a bot. Interestingly, Canavan very accurately predicted the WannaCry and NotPetya ransomware strains, though even he probably wouldn’t have guessed it would take 12 years for his prediction to come true.
Seven years later, in 2012, the definition of ransomware had changed again. Another Symantec paper (also not online, but I am happy to email it to you if you are interested) entitled Ransomware: A Growing Menace, by Gavin O’Gorman and Geoff McDonald,[2] discusses ransomware as primarily a type of “locker” malware. That is, the ransomware locks a computer, preventing access unless the extortion demand is paid, but it doesn’t encrypt files.
Ransomware that locks a computer and uses law enforcement imagery to intimidate victims has spread from Eastern Europe to Western Europe, the United States, and Canada over the past year. The scam has been copied and professionalized from initial early attacks, with established online criminal gangs now branching out into the scheme. Each gang has separately developed, or bought, their own different version of the ransomware. This malware is highly profitable, with as many as 2.9 percent of compromised users paying out.
The paper also acknowledges that the definition of ransomware had changed:
Ransomware which locked a screen and demanded payment was first seen in Russia/Russian speaking countries in 2009. Prior to that, ransomware was encrypting files and demanding payment for the decryption key.
The paper also hinted at what was to come:
…the Trojan displayed a pornographic image and demanded payment to have this image removed. Payment could be made through either an SMS text message or regular call to a premium rate number. The idea of shaming victims into payment seems to have been an effective one, as all subsequent ransomware variants used this idea.
Today, we tend to think of ransomware as a hands-on-keyboard attack that involves encryption and data theft and uses shaming tactics to coerce victims into paying. This definition persists despite the fact that the largest number of ransomware victims come from ransomware families like STOP/DJVU, Phobos or Dharma, which are automated encryption attacks that don’t involve victim shaming or “double extortion.”
But, with an increasing number of groups relying on extortion-only attacks, primarily because they are easier to carry out, the definition of ransomware could be changing again.
Do we need a new naming convention? I don’t think so. All of these attack types still rely on a common thread: extortion. Extortion has defined ransomware and separated it from other types of malicious attacks since the first ransomware attack in 1989.
[1] Canavan, J. (2005). The Evolution of Malicious IRC Bots. Symantec Corporation.
[2] O’Gorman, G. & McDonald, G. (2012). Ransomware: A Growing Menace. Symantec Corporation.