The Evolution of the Ransomware Threat

• November 15th, 2016
PC security

If you’re a news junkie you’ve probably heard about one of the most effective threats – ransomware. Every time you turn on the news there’s another report of a medical system, university or even electrical grid being brought to its knees by data-encrypting criminals who hold precious information until ransom has been paid.

Ransomware is powerful and scary and is one of the oldest methods of attack out there. Unlike many other technological developments, it’s easy to see how ransomware has progressed from a mere bother into the mighty behemoth it is today. Hackers have been experimenting with different ways to lock data on other people’s computers since the late 1980’s, making their attack methods much more precise today. Let’s look at its evolution to see where this trend could be headed.

The First form of Ransomware

In 1989, Dr. Joseph Popp created the first official ransomware when he distributed disks that supposedly contained AIDS education material at a medical conference. Users would input the disks into their hard drive and after a certain amount of time, the disk began to lock files on the user’s computer. In order to decode the files, the program instructed users to send $189 to an anonymous bank account, and only after receiving the money, Popp would unlock and restore the files.

AIDS Trojan caused a mild panic but remained nothing more than a footnote in malware history for almost 15 years. In 2005, the internet made it far easier for hackers to conduct widespread attacks. Now, over 10 years later, the concept of using a Trojan virus is significantly easier and much more common.

The History of Ransomware

In 2006, hackers began to experiment with new versions of ransomware that used RSA encryption keys to lock files. From that moment onward, ransomware took a giant leap forward. Until hackers decided to encrypt files with RSA algorithms, ransomware was an annoyance but not a terribly difficult one to beat. Using RSA algorithms makes unlocking files without a correlating key nearly impossible.

For its next act, ransomware appeared as a notice from the FBI or local police units. Known as Reveton, after the user clicked a link, they received a pop up informing them that the FBI found illicit material on their computers. This caused their files to be held until the proper authorities received the unlock fee. Meanwhile, the user’s files were being held behind this pop up, blocking access to their files. Using geolocation tools, hackers created very authentic notices using names of local police departments, including user’s IP addresses and images taken with the users own webcams to make it look legitimate. Not knowing what to do, most people just paid up.

Ransomware took another step forward with Cryptolocker which was significantly more advanced in its locking methods, seriously taking advantage of all benefits of those super-strong RSA keys. Spreading via infected attachments in emails, Cryptolocker alerted users that they had four days to pay up or their information would be destroyed. The vast majority of victims did not pay the fee but the hackers earned in $27 million in six months from the users that did pay. Another remarkable development was that now the crooks began to demand payment in Bitcoin, which was still a relatively new concept in 2014.

Another variant that surfaced in 2013 was Cryptowall, which was delivered via malvertising campaigns. A significant facet of this version was that it tricked antivirus and anti-malware measures into thinking it’s one of the good guys so it wouldn’t be removed.

So far, all the examples above have exclusively targeted computers running Windows OS. But never fear, just recently Mac got its own ransomware called KeeRanger. This new variant only accessed OS X systems running a popular BitTorrent client called Transmission. After infection, the Trojan would lay low for a few days and then start to encrypt files.

Stay One Step Ahead

By following the evolution of the threat, you’ll see that the methods of each iteration change slightly, gradually making it harder to get your files back. This is why ransomware is so significant and powerful, because it keeps changing and adapting with the times. Be sure to equip your computer with a reliable antivirus program and keep a backup of all your files. Your best defense is to stay one step ahead.