Interestingly, ransomware is not a new thing. It first appeared in 1989 with a Trojan program called, “AIDS Trojan,” which was spread by floppy disk. The AIDS Trojan used several tricks to hide files and encrypt their names using symmetric cryptography. The author extorted a $189 fee from users to provide a restoration tool. The author was identified and forced to stop the distribution, though not prosecuted due to mental deficiency. It is not clear why there wasn’t much activity between this attack and the mid-1990s, when antivirus began to be a common defense.
The next major step came in 1996 when two researchers wrote a paper discussing how identifying symmetric cryptography was ineffective for such an attack because the program source code contained a copy of the symmetric key. They also wrote a proof of concept program demonstrating the use of public key cryptography in such an attack. The paper also coined the terms “cryptoviral extortion” and “cryptovirology” as new areas of attack and study.
Between 1996 and 2005, I don’t recall any instances of ransomware being reported by any of the nearly 800 managed security services customers I had, and there doesn’t seem to be any media attention documents. Antivirus appeared to detect and block them before activation or signatures were quick to be distributed, making them more of a minor nuisance than anything. It was in May of 2005 that the media next took note of a ransomware attack. The attack was identified by Websense (now part of Forcepoint). One of their customers called in with files that had suddenly changed names to an unreadable gibberish and he could not access them. He also received a short note indicating that if he were to pay $200, he could get them back. At that point, commentary on the incident focused on the target’s lack of vulnerability management and defense in depth. A comment on the incident said, “Ransomware uses all the same vulnerabilities we already know about. We just haven’t fixed them yet.”
In 2005, there was a renewed interest in ransomware with variants that included Krotten, Archiveus, and GPCoder. GPCoder was the most formidable due to its use of 1024-bit RSA encryption when obfuscating files. At the time, that was industry-leading strong encryption. These attacks would produce a forcefully toned threat to keep silent and pay up or you would not get your files back. Antivirus companies soon picked up on these, wrote signatures, and blocked them. Over the next four years it was a cat-and-mouse game with new variants emerging and quickly identifying and blocking the ransomware.
The next wave came in 2009 when scareware vendor Vundo converted to ransomware due to a higher return rate. This wave was limited in impact by the file types it would encrypt and antivirus companies quickly identified and blocked the new wave, thus ending the fourth age of ransomware.
2012 brought a new set of tactics. One tactic, rather than focusing on the end users, focused on website service providers; more specifically, those providing services of questionable ethics and legality (such as pornography and pirated software). Reveton and Kovter ransomware informed the victim that they were engaged in some form of illegal activity and kindly provided a list of possibilities and ordered them to pay a fine to “the state” to release their files. Antivirus companies also identified these files and they were eventually blocked. However, the estimate of losses from ransomware for 2012 hit at least $5 million and possibly even double that.
By late 2013, ransomware writers were like sharks drawn to blood in the ocean; ransomware variant creation and distribution kicked into high gear. CryptoLocker gathered over $3 million itself and variants like CryptoWall, Cryptodefence, Locky, and Samas followed. These programs used industry standard RSA-4096 bit encryption and extorted $200 or more from their victims.
In the next posts on Ransomware, learn why today’s ransomware is a significant threat and what types of defenses you can employ.