Cyber Threats

A Brief History of Ransomware

Ransomware is as commonplace in our lives today as email. All signs indicate that ransomware is not going away any time soon. So where did this nefarious family of malware come from?

By: Mark Anthony Fuentes, Sep 27, 2019

The Scariest Sentence In Cyberspace?

“Oops, your files have been encrypted!”

These days, few words strike more fear into the average user. They are almost always followed by financial loss, embarrassment, or reprimands from the IT Team.

Ransomware is as commonplace in our lives today as email. According to Webroot, 1.5 million new phishing sites are created every month. Cyber Security Ventures estimates that a new organization will fall victim to ransomware every 14 seconds in 2019. Even scarier, they estimate this will rise to a new organization every 11 seconds in 2021. All signs indicate that ransomware is not going away any time soon.

Ransomware targets one of two things that you value: Your data or your reputation. The most commonly-known kinds of ransomware target data and they do this through encryption.

So where did this nefarious family of malware come from?

Simple Beginnings

One of the earliest examples of ransomware was the AIDS Trojan written by Joseph Popp in 1989. This ransomware hid the files on the hard drive and encrypted their names using symmetric cryptography. It then showed the victim a message claiming that a certain piece of the user’s software had an expired license. The victim was then asked to pay US$189 to the entity known as PC Cyborg Corporation.

[Image: AIDS Trojan. Credits: Photo by Datto]

Later, in 1996, Adam L. Young and Moti Yung from Columbia University presented a concept called cryptoviral extortion at the 1996 IEEE Security & Privacy Conference. In their presentation, they criticized the AIDS Trojan for possessing a fatal flaw: symmetric cryptography, that is, encryption that uses the same key to encrypt and decrypt. Using a single encryption/decryption key allowed the decryption key to be extracted from the trojan itself. Young and Yung improved upon the first version by introducing hybrid encryption, so that the malware only ever carried the encryption key and never the key needed to decrypt.

In 2003, the reverse of Young and Yung’s cryptovirology was reported on at West Point. This version gains access to a victim’s data, but does not encrypt it. Instead, the malware threatens to release the data to the public unless a price is paid. This attack yields monetary gain for the attacker if the malware is able to access data that may damage the victim’s reputation when leaked. This subset of cryptoviral extortion is called leakware or doxware.

By 2006, ransomware experienced an explosive rate of propagation with trojans such as Archiveus, Cryzip, TROJ.RANSOM.A, and Gpcode. As ransomware’s prominence grew, the strength of the encryption behind it slowly increased as well. In June 2008, a variant known as Gpcode.AK was discovered that used a 1024-bit RSA key, believed to be so large that it could not feasibly be broken without a concerted, distributed effort.

Making Headlines

In September 2013, a trojan known as CryptoLocker started spreading in enough numbers to start making headlines.

The ransomware used a 2048-bit RSA key, uploaded in turn to a command-and-control server, and a whitelist of specific file extensions to decide what to encrypt. The malware would then threaten to delete the encrypted data if a ransom was not paid in Bitcoin or a pre-paid cash voucher within 3 days.
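The extension whitelist described above is also what makes this family visible to defenders: a single process rewriting many user documents in a few seconds is a strong signal. The following is an added example, not code from the original article, that runs a simple rate heuristic over constructed file-activity log lines. The log format, the watched-extension list, the threshold and the window are all assumptions for the example; the process names and paths are made up.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Extensions that data-targeting ransomware commonly goes after.
# Assumed watch list for this example; tune it to your environment.
WATCHED_EXTENSIONS = {".docx", ".xlsx", ".pptx", ".pdf", ".jpg", ".txt"}

# Alert when one process touches this many distinct watched files
# within WINDOW_SECONDS (assumed values, not from the article).
THRESHOLD = 5
WINDOW_SECONDS = 10

# Assumed log format: "<ISO timestamp> pid=<n> proc=<name> op=<WRITE|RENAME> path=<file>"
# For RENAME the path is the file being renamed (its original name).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) pid=(?P<pid>\d+) proc=(?P<proc>\S+) op=(?P<op>\w+) path=(?P<path>.+)$"
)

# Constructed sample log: one editor saving a file, one suspicious process
# rewriting six documents in three seconds, and a slow backup job.
SAMPLE_LOG = r"""
2019-09-27T10:00:00Z pid=1200 proc=winword.exe op=WRITE path=C:\Users\ann\Documents\budget.docx
2019-09-27T10:00:01Z pid=9911 proc=svc_updater.exe op=WRITE path=C:\Users\ann\Documents\report.docx
2019-09-27T10:00:01Z pid=9911 proc=svc_updater.exe op=WRITE path=C:\Users\ann\Documents\notes.txt
2019-09-27T10:00:02Z pid=9911 proc=svc_updater.exe op=WRITE path=C:\Users\ann\Pictures\holiday.jpg
2019-09-27T10:00:02Z pid=9911 proc=svc_updater.exe op=RENAME path=C:\Users\ann\Documents\invoice.pdf
2019-09-27T10:00:03Z pid=9911 proc=svc_updater.exe op=WRITE path=C:\Users\ann\Documents\deck.pptx
2019-09-27T10:00:03Z pid=9911 proc=svc_updater.exe op=WRITE path=C:\Users\ann\Documents\budget.xlsx
2019-09-27T10:00:04Z pid=3300 proc=backup.exe op=WRITE path=D:\backup\a.docx
2019-09-27T10:00:20Z pid=3300 proc=backup.exe op=WRITE path=D:\backup\b.docx
2019-09-27T10:00:36Z pid=3300 proc=backup.exe op=WRITE path=D:\backup\c.docx
2019-09-27T10:00:52Z pid=3300 proc=backup.exe op=WRITE path=D:\backup\d.docx
2019-09-27T10:01:08Z pid=3300 proc=backup.exe op=WRITE path=D:\backup\e.docx
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "pid": int(m["pid"]), "proc": m["proc"], "op": m["op"], "path": m["path"]}


def extension(path):
    """Lower-cased final suffix of a Windows or POSIX path ('' if none)."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect_mass_modification(lines, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Return one alert per process the first time it modifies `threshold`
    distinct watched files within `window` seconds."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    events.sort(key=lambda e: e["ts"])  # stable sort keeps same-second order
    recent = defaultdict(deque)  # (pid, proc) -> deque of (ts, path) inside the window
    alerted, alerts = set(), []
    for e in events:
        if e["op"] not in ("WRITE", "RENAME") or extension(e["path"]) not in WATCHED_EXTENSIONS:
            continue
        key = (e["pid"], e["proc"])
        q = recent[key]
        q.append((e["ts"], e["path"]))
        while (e["ts"] - q[0][0]).total_seconds() > window:  # drop events outside window
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"pid": e["pid"], "proc": e["proc"],
                           "files": len(distinct), "at": e["ts"].isoformat()})
    return alerts


def run_sample():
    return detect_mass_modification(SAMPLE_LOG.strip().splitlines())


if __name__ == "__main__":
    for a in run_sample():
        print(f"ALERT pid={a['pid']} proc={a['proc']} files={a['files']} at={a['at']}")
```

Only `svc_updater.exe` trips the heuristic (five distinct documents inside the ten-second window); the backup job touching one file every sixteen seconds does not. That gap is deliberate: a rate heuristic on its own can be evaded by an encryptor that throttles itself, so in practice it is combined with other signals such as rename-to-unknown-extension patterns or high-entropy writes, and the watched-extension list is kept in step with what current families target.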

CryptoLocker was eventually taken down as part of the seizure of the Gameover Zeus Botnet by the United States Department of Justice in June 2014. All in all, it is estimated that CryptoLocker extorted at least US$3 million before its demise.

In May 2017, systems all over the world began to be crippled by the WannaCry ransomware attack. When all was said and done, more than 230,000 machines were affected in over 150 countries. WannaCry used an exploit created by the United States National Security Agency called EternalBlue to spread.

Later in 2017, EternalBlue was used again by a variant of the Petya ransomware aptly called NotPetya to attack users in Ukraine.

Ransomware Is Here To Stay

As the world becomes more and more digital and dependent on data, that data becomes more and more valuable. Couple that with relatively easy ways to distribute malware and it is no surprise to see the dramatic proliferation of ransomware in our everyday lives. Malwarebytes has observed a 365 percent rise in ransomware in its clients’ systems from 2018 to 2019. The threat is real and we are all targets.

So what can we do? Against such a crafty threat, organizations and users alike need to be more aware of what links we are clicking on and what files we are opening.


Mark Fuentes has over a decade of experience in the cyber security field highlighted by roles in organizations such as Verizon, The International Monetary Fund, and The United States Department of Homeland Security. Mark is an avid consumer of technology trends and threat intelligence and seeks out new applications of tech and research to combat cyber crime.
