The Evolution of Ransomware
Ransomware has only become a key concern of the C-suite in the last few years, but its roots go back much further. We look at the history of ransomware, with insight from SophosLabs’ 2020 Threat Report.
> AIDS Trojan
One of the earliest known forms of ransomware, AIDS was a trojan horse distributed on floppy disks. While it was extremely basic by modern standards, it featured familiar hallmarks. Replacing a batch file in the root directory of DOS systems, it counted the number of times the computer had booted before hiding all directories and encrypting all file names on the C drive. Victims were then prompted to “renew the license” by sending $189 to a PO Box in Panama.
The emergence of digital currencies heralded the dawn of modern-day ransomware, with GPCode considered one of the earliest of this type. A trojan distributed through email attachments posing as a job application, the earliest version deleted the original files and wrote encrypted versions to a new location. Users were prompted to pay a ransom of between $100 and $200 to an e-gold or Liberty Reserve account, although the weak encryption method made data recovery possible without paying.
2012 saw ransomware evolve with the spread of Reveton, the first ransomware to lock a user’s screen entirely, forcing them to pay to regain access to their computer. Often known as the Police Trojan, Reveton displayed a message claiming to be from law enforcement, accusing the user of engaging in illegal activity and showing their IP address to help sell the claim. Users were typically asked to pay around $200 to unlock their machine, using a voucher for a service such as Ukash.
While previous ransomware laid the foundations, CryptoLocker arguably represented the true dawn of the modern ransomware era. Targeting Windows users and distributed via compromised websites and emails sent through a botnet, it encrypted files both on the local machine and on mounted network drives, with the encryption key stored only on the malware’s control servers. Users were shown a message telling them to make a payment in bitcoin or a cash voucher by a set deadline, alongside a claim that the key would be deleted once the deadline passed. Victims were typically charged around $400, and in some cases payment did not lead to decryption of their files. The ransomware’s operators are believed to have made around $3m from the campaign.
2014 was the year that ransomware spread to smartphones for the first time, with Svpeng, which targeted the Android operating system. Infecting over 900,000 devices in its first month of operation, the ransomware locked users out of their device and displayed a message claiming to be from the FBI or a cybersecurity firm. Users were prompted to regain access by paying around $300 via a MoneyPak voucher.
Also known as Curve-Tor-Bitcoin Locker, CTB-Locker also emerged in 2014, and was notable not for a novel approach to extorting its victims but for how it hid its tracks from law enforcement and rival cybercriminals. It was the first ransomware to host its command-and-control (C2) server as a Tor hidden service on a .onion domain, reachable only through Tor. This made the infrastructure extremely difficult to identify and take down.
While previous forms of ransomware relied on automated propagation, LowLevel04 changed the game again by becoming the first of its kind to be deployed by hand. Delivered over Remote Desktop and Terminal Services, the attackers took advantage of weak passwords to gain access. The attack itself was typical, encrypting a victim’s files in return for payment, although the demand was around $2,400, indicating steep inflation.
The same year saw the launch of Ransomware as a Service (RaaS), with Tox believed to be the first such example. RaaS differed from other ransomware not in its mode of operation – it still encrypted a victim’s computer and demanded a payment – but in that anyone with a bitcoin wallet could use it for free simply by registering. The host site handled all the behind-the-scenes technology in exchange for 20% of each ransom payment, allowing people with next to no computer skills to become cybercriminals.
2017 was the year that ransomware truly went global, with the launch of cryptoworm WannaCry. Propagated across earlier versions of Windows using a leaked exploit first developed by the US National Security Agency, it spread extremely quickly upon release, infecting more than 200,000 machines across 150 countries within a matter of days before a kill switch was discovered. The attack also introduced the world to the idea of nation-state threat actors, with North Korea blamed for its development and release.
While WannaCry introduced the idea of nation-state attacks, NotPetya showed how ransomware could be used as a tool to devastate a particular country. Targeting Ukraine in particular, and using the same exploit WannaCry had taken advantage of, NotPetya used multiple layers of encryption and could perform administrator-level actions to cause further damage. Although believed to have been released by the Russian government to cripple Ukrainian infrastructure, NotPetya also spread worldwide, causing damage to companies, critical infrastructure and government agencies.
> Targeted large-scale attacks
2018 saw the proliferation of ransomware that moved away from the ‘shock and awe’ approach of NotPetya and WannaCry and instead focused on targeted attacks aimed at locking entire organisations out of their systems. Numerous ransomware tools took this approach that year, with SamSam and Dharma being two of the most notable. SamSam, for example, was used to cripple private companies, government agencies and healthcare organisations.