The history of ransomware
Published by on February 16, 2016 in Information Security

Ransomware is one of the largest threats you can face today, both on your own PC at home, and at work too.

From humble beginnings, it has become a massive global business that nets millions, if not billions, for its creators.

And, in this article, we’re going to take a closer look at ransomware, as I explain what it is, how it has evolved over the years and, perhaps most importantly, what you can do to prevent it taking a hold of your data.

What is ransomware?

I think the best way of describing ransomware is to paint a picture.

Imagine one morning you switch your laptop or computer on and attempt to go online to log into your favourite site. As you take your eyes off the screen for a moment the page begins loading but then… bam…. a strange image has appeared instead of the website you were hoping to open.

Full of text you begin reading, your heart sinking as you discover someone has supposedly hijacked all the data on your machine.

Of course you think they’re kidding, playing some kind of perverted prank. After all, all your holiday snaps are on your computer, as are all the photos of your kids.

But hang on, what does it say? Pay up or all the data is gone for ever???

And what are these Bitcoin things the swine is asking for?

Surely it’s a joke, I can press Escape and it will go away?

Not so fast… you’re data really has been hijacked and not only that, its also been encrypted so well that you ain’t never getting it back (in all likelihood) unless you pay up.

So, there you have it, ransomware is malicious code that snatches your data away from you by wrapping it up in unbreakable encryption that could cost you hundreds or even thousands of pounds to have removed.

Welcome to the increasingly large world of ransomware.

Ransom

Ransomware timeline

1989 – “Aids” Trojan, aka PC Cyborg becomes the first known case of ransomware on any computerised system

2006 – After a decade-busting hiatus, ransomware returns en masse with the emergence of Gpcode, TROJ.RANSOM.A, Archiveus, Krotten, Cryzip, and MayArchive. All are notable for their use of sophisticated RSA encryption algorithms.

2008 – Gpcode.AK arrives on the scene. Utilising 1024-bit RSA keys, it requires a massive effort, beyond the means of most users, to break.

2010 – WinLock hit users in Russia, peppering displays with porn until the user made a $10 call to a premium rate number.

2011 – An unnamed Trojan locked up Windows machines, directing visitors to a fake set of phone numbers through which they could reactivate their operating systems.

2012 – Reveton informs users their machine has been used to download copyright material or child pornography and demands payment of a ‘fine’.

2013 – The arrival of the most well-known piece of ransomware to date: CryptoLocker. Ramping up the encryption level, it is incredibly hard to circumvent.

2013 – Locker turned up, demanded payment of $150 to a virtual credit card.

2013 – Hard to detect, CryptoLocker 2.0 added the use of Tor for added anonymity for the criminal coder who created it.

2013 – Cryptorbit also added Tor use to its repertoire as it encoded the first 1.024 bits of every file it encoded. Also installed a Bitcoin miner to milk victims for extra profit.

2014 – CTB-Locker mainly targeted Russia-based machines.

2014 – Another significant development, CryptoWall infected machines via infected website advertisements. Infected billions of files worldwide.

2014 – A somewhat more friendly piece of ransomware, Cryptoblocker did not encrypt Windows files.

2014 – SynoLocker targeted Synology NAS devices, encrypting every file it found on them.

2015 – Another hard to detect piece of ransomware, CryptoWall 2.0 used Tor for anonymity and arrived in a manner of different ways.

2015 – TeslaCrypt and VaultCrypt can be described as niche ransomware in that they target specific games.

2015 – CryptoWall 3.0 improved on its predecessor by coming packaged in exploit kits.

2015 – CryptoWall 4.0 added another layer to its encryption by scrambling the names of the encrypted files.

2015 – The next level of ransomware see Chimera not only encrypt files but also publish them online when ransoms are not paid.

2016 – The newest ransomware on the lock is called Locky, primarily because it renames all your important files so they have a .locky extension.

The early history of malware

One common misconception when it comes to the history of ransomware is that it all started as recently as 2013 with the birth of CryptoLocker.

But that’s not true I say.

You need to cast your timeline much further back in my opinion, to 1989, and “PC Cyborg,” aka the AIDS Trojan. Written by Joseph Popp who was later certified mentally unfit to stand trial, it would encrypt a piece of software on the victim’s machine and ask for $189 to unlock it.

Fast forward to the mid-2000s and, a few proofs of concept aside, the next batch of ransomware came to the fore. Code named Archiveus, Cryzip, Gpcode, Krotten and TROJ.RANSOM.A appeared. All had one thing in common – more sophisticated encryption techniques, utilising longer and longer RSA keys.

The Archiveus Trojan, for example, locked up everything in its victims My Documents folder with a 30-digit password. To obtain the credentials required to regain control over their files, the victim would have to buy something from an online pharmacy.

Gpcode moved things along by utilising a 660-bit RSA key to encrypt files after the victim opened an infected email attachment which masqueraded as a job application.

A slight detour in 2010 saw ransomware with a difference. A group of Russian cybercriminals were arrested over a piece of malicious code called WinLock. Instead of encrypting files, WinLock instead restricted access to a system by continually displaying pornographic images. To remove that inconvenience, victims had to send a premium rate SMS to obtain a code that could unlock their machines. At $10 a pop, this ruse is said to have netted the cybercriminals a cool $16 million.

In 2011 another ransomware Trojan with a difference emerged. Mimicking the Windows Product Activation screen seen when a newly installed instance has not been activated, it claimed the user had been the victim of fraud and their Windows license was null and void. It did, however, offer the solution – a quick call to a ‘free’ international phone number which would wield a code to re-activate Windows. Of course, as you may have already realised, the free phone number was anything but.

CryptoLocker

And then, in 2013, the one piece of ransomware most people have heard of finally came onto the scene.

CryptoLocker came to far greater prominence than its predecessors simply because it was particularly nasty, as well as widespread.

Discovered in the Autumn of that year, it exhibited the classic ransomware hallmarks of encrypting files and demanding cash in return for their release.

While the amounts requested varied to some degree, victims were typically asked for $300 within a particular timescale or all their data would be lost to them forever.

Utilising a form of encryption so strong it couldn’t realistically be broken, CryptoLocker proved to be hugely successful, fuelling a rush to market for more and more ransomware over the last couple of years, some of it new, most of it variations on CryptoLocker itself.

Beyond CryptoLocker

Due to the success of the early variants of ransomware, and CryptoLocker in particular, there are now many more examples, all of which have come to prominence between 2013 and 2015, a few of which include:

  1. Locker, which in appeared in December 2013, and required the user to send $150 to a virtual credit card account.
  2. CryptoLocker 2.0 which materialised around the same time and built upon the original through its use of C++ instead of C#, 2048-bit encryption. It also used Tor and demanded payment in Bitcoin to enhance anonymity for whomever is behind it. Additionally, it is not generally detected by firewalls or antivirus software.
  3. Proving the run-up to Christmas 2013 was not happy for everyone, that same month also saw the release of Cryptorbit, a piece of ransomware that encrypts the first 1024 bytes of any file it comes into contact with. Utilising social engineering, this ransomware comes in the guise of a Flash update or antivirus program though it is, of course, something else entirely. Like CryptoLocker 2.0, it too makes use of Tor and asks for payment in Bitcoin. Additionally, it also secretly installs coin-mining software on the users computer which yields the controller even more money over time.
  4. The next significant piece of ransomware was not spotted until mid-2014. Possibly developed in eastern Europe, CTB-Locker (Curve-Tor-Bitcoin Locker), mainly infected machines in Russia.
  5. CryptoWall, which emerged around the same time, exploited a vulnerability in Java to display malicious adverts on sites owned by popular brands. Any one of the estimated 600,000 people who clicked on the ads saw their hard drives encrypted and a demand for $500 served upon them. All in, it is believed that around 5 billion files were encrypted by the crooks.
  6. Next, Cryptoblocker appeared around July 2014. Somewhat less benign than other ransomware, it ignored Windows files as well as anything stored in Program Files. It also encrypted data with AES insets of RSA and only targeted files less than 100 MB in size.
  7. In August of 2014 a manufacturer-specific piece of ransomware was discovered. SynoLocker targeted network attached storage (NAS) devices produced by Synology, encrypting each and every file it discovered. Given the use of such devices in storing movie rips that have been expensively, or otherwise, obtained probably left victims feeling rather keen to retrieve their files by handing over their Bitcoins.
  8. Around the turn of the year we saw OphionLocker which used elliptical curve cryptography to hold files ransom for just 3 days before locking them up forever, and Pclock which encrypted files associated with a user’s profile. Victims were given just 72 hours to hand over a Bitcoin.
  9. As new year 2015 passed, CryptoWall 2.0 arrived. Delivered in numerous ways, include infected email attachments, malicious pdf files and exploit kits, it encrypts all of a user’s data until they pay up for a decryption key. Like many other ransomware variants, it uses Tor for anonymity and utilises several different methods to avoid detection.
  10. The following month saw two new types of ransomware – TeslaCrypt and VaultCrypt. The former targets popular video games such as World of Warcraft and Call of Duty, the latter posed as a customer support notice but was actually a Windows batch file that directed victims to a payment page.
  11. In March of last year CryptoWall 3.0 arrived on the scene. Coming via exploit kits, it escalates privileges on the system and disables many security features.
  12. More recently, in September, it was succeeded by CryptoWall 4.0 which encrypts the filenames of encrypted files, making it even more difficult to figure out which files have been affected and, thus, are in need of being restored.
  13. More recently, we have seen Chimera. Rising to prominence in November 2015, it not only encrypts files but, also, sees them published on the internet for all to see if the ransom is not paid.
  14. Finally, we have Locky, a ransomware that targets videos, images, source code, and Office files and scrambles them such that they end with a new locky extension. It then changes your desktop wallpaper, directing you to pay a ransom with Bitcoin, typically in the region of £280.

Mobile ransomware

Right about now I am sure many of you will be thinking you are lucky to be using something other than a Windows PC because all this ransomware seems problematic at best, downright costly at worst.

But just because you are not using a PC it does not mean you are completely immune to this sort of attack.

While not quite as popular an attack vector, mobile devices have also been targeted.

Apple fans will be pleased to hear that iOS has had few cases of suspected ransomware. Android fans, as ever, may be wishing they’d opted for a more secure platform in the face of several reports of malware on Google’s mobile operating system.

That said, phones and tablets appear to be far more resilient against ransomware as they automatically back up important files such as contact lists, photos, etc. to their affiliated cloud services so, where ransomware has got onto such a device, the damage caused has been largely insignificant.

Bitcoin

How to avoid ransomware

While a device locked up with ransomware may seem like an end of the world scenario to some, it needn’t be that way.

There are actions you can take to both minimise the risk of having your files encrypted in the first place, and to cope with such a situation even if it does arise.

So, first things first, install antivirus software.

As you’ve already read, its not a silver bullet guaranteed to make you immune to ransomware, especially if the variant in question has not updated quickly enough, or the code itself is adept at hiding itself, but it is a good starting point that will do much to lower the risks of many types of malware finding their way onto your system.

Secondly, ensure you keep everything up to date.

That doesn’t just mean your antivirus program, it also applies to operating system patches and updates for all the other software on your system too.

And, lastly, the best advice anyone can give you about keeping your data safe from any type of risk whatsoever: backup.

The reason why ransomware is so successful in extracting money from people is the fact that the majority only have one copy of their precious photos, videos or business data.

By creating backups – which are preferable kept offsite to guard against the risks of fire, etc, in your home – you instantly have access to everything you need to start afresh, albeit it may take you some time to restore your entire system to the state it was in before the ransomware took hold.

Of course it should go without saying that you need to check your backups on a regular basis – I personally know far too many people who have relied upon them, only to find they had made a mistake and not actually saved any of their data in the first place!

Also, with the price of blank DVDs, hard drives, flash storage, etc. being reasonably low, why not backup your most important data more than once? I have and I’m glad i did (my main hard drive failed and, in the space of the few days during which I was waiting for a replacement to arrive, so did the backup drive).

So, to conclude this lesson on ransomware, I would say, yes, it is a problem, but it doesn’t have to be the outright disaster scenario it has been for some unfortunate people in the past – get some basic security software onto your machine, keep everything up to date and backup often and you should be reasonably safe and safe in the knowledge that, if the worst should happen, you’ll be back up and running in no time without having to hand over any Bitcoin.

One thought on “The history of ransomware

  • Thank you for this timely information. I have two computers, no server, and am not on a network of any kind. I backup to several drives connected via USB. I even backup my critical information that is in the Cloud. One of my computers is a Chromebook and manages all of our business affairs which are housed in the Cloud. I’m kind of a Dinosaur (80 years old) attempting to keep up with the times. Does the foregoing appear to be a fairly robust approach to protection in these days?

Leave a Reply

Your email address will not be published. Required fields are marked *