The Evolution  of Ransomware

>

>

One of the earliest known forms of ransomware, AIDS was a trojan horse that was distributed on floppy disks. And while it was extremely basic by modern standards, it  featured familiar hallmarks. Replacing a batch file in the root directory of DOS operating  systems, it counted the number of times the computer had booted, before hiding all directories and  encrypting all files on the C drive. Victims were then prompted to “renew the license” by sending $189 to a PO Box in Panama.

The emergence of digital currencies  heralded the dawn of modern-day ransomware, with GPCode considered one of the earliest of this type. A trojan  distributed through email attachments on what appeared to be a job application, the earliest  version deleted the original files and wrote encrypted versions to a new location. Users were prompted  to pay a ransom of between $100-200 to an e-gold or Liberty Reserve account, although the method of  encryption did make data recovery possible without needing to pay.

2012 saw ransomware evolve with the spread of Reveton, the first ransomware to  entirely lock a users’ screen, forcing them to pay to regain access to their  computer. Often known as the Police Trojan, Reveton displayed a  message claiming to be from law enforcement, accusing the user of engaging in illegal activity alongside their IP  address to help sell the claim. Users were  typically asked to pay around $200 to unlock their machine, using a voucher  for a service such as Ukash.

While previous ransomware lay the foundations, CryptoLocker arguably represented the  true dawn of the modern ransomware era. Targeting Windows users and distributed by compromised websites and  emails via a botnet, it encrypted files both on the local machine and  mounted network drives, with the encryption key stored only on the malware’s control servers. Users were shown a message telling them to make a payment in bitcoin or a cash  voucher by a set deadline, alongside a claim that the encryption key would be  deleted after it passed. Victims were  typically charged around $400, and in some cases payment did not lead to a decryption of files. The ransomware’s operators are believed to have made around $3m from  the campaign.

2014 was the year that  ransomware spread to smartphones for the first time, with Sypeng, which  targeted the Android operating system. Infecting over 900,000 devices in its first month of operation, the ransomware locked users out of their device and displayed a message  on encrypted phones claiming to be the FBI or a cybersecurity firm. Users were prompted to regain access by paying around $300 via a Moneypak voucher.

Also known as Curve-Tor-Bitcoin Locker, CTB-Locker also emerged in 2014, and was  notable not because of a novel approach to extorting its users, but its approach to hiding its tracks from law  enforcement and cybercriminals. The ransomware was  the first to hide its infrastructure in a C2 server in the Onion domain, which is only accessible via Tor browsers. This made it extremely difficult to  detect and take down.

While previous forms of ransomware  relied on automatic proliferation, LowLevel04 changed  the game again by becoming the first of its kind to be carried out manually. Distributed through remote desktop  and terminal services, the malware took advantage of poor password protection. The attack itself was typical, encrypting  a user’s file in return for payment, although the cost was around $2,400, indicating  steep inflation.

The same year saw the launch of Ransomware as a Service (RaaS), with Tox believed to be the first such example. RaaS differed from other ransomware not in terms of its mode of operation – it still encrypted a victim’s computer and demanded a payment – but because anyone with a bitcoin wallet could use it for free simply by registering. The host site handled all the behind-the-scenes tech in exchange for 20% of each ransom payment, allowing people with next-to-no computer skills to become cybercriminals.

While differing software architectures had until  now limited particular ransomware to a  single operating system, Ransomware32 broke down these borders by becoming the first ransomware to be  written in Javascript, enabling it to run across Windows, Mac and Linux operating systems. A RaaS like Tox, its operators took 25% of the  profits, with individual users again needing minimal  technical skills.

2017 was the year that ransomware truly went global, with the launch of cryptoworm  WannaCry. Propagated across earlier versions of Windows using a leaked  exploit first developed by the US National Security Agency, it spread extremely quickly upon release, infecting more than 200,000 machines across 150 countries  within a matter of days before a kill switch was discovered. The attack also introduced  the world to the idea of nation-state threat actors, with North Korea  blamed for its development  and release.

While WannaCry introduced  the idea of nation-state attacks, NotPetya showed how ransomware could be  used as a tool to devastate a particular country. Targeting Ukraine in particular using the same exploit WannaCry took advantage of, NotPetya used multiple layers of encryption  and had the ability to perform administrator-level actions to cause further damage. Although believed to  have been released by the Russian government to cripple Ukranian infrastructure, NotPetya also spread worldwide, causing damage  to companies, critical infrastructure  and government agencies.

2018 saw the proliferation of ransomware that moved away from the ‘shock and awe’ approach  of NotPetya and WannaCry and instead focused on targeted attacks that focused  on locking entire organisations out of their systems. 2018 saw numerous ransomware tools  that took this approach, with  SamSam and Dharma being  two of the most notable. SamSam, for example was used to cripple private companies, government agencies and  healthcare organisations.