Ransomware’s Early Days
The first documented and purported example of ransomware was the 1989 AIDS Trojan, also known as PS Cyborg. Harvard-trained evolutionary biologist Joseph L. Popp sent 20,000 infected diskettes labeled “AIDS Information – Introductory Diskettes” to attendees of the World Health Organization’s international AIDS conference.
But after 90 reboots, the Trojan hid directories and encrypted the names of the files on the customer’s computer. To regain access, the user would have to send $189 to PC Cyborg Corp. at a post office box in Panama. Dr. Popp was eventually caught but never tried for his scheme as was declared unfit to stand trial. His attorney said he began wearing a cardboard box on his head to protect himself from radiation.
Fast Forward to the Internet Age
With the Internet making it easier to carry out Popp’s ransom idea, cyber criminals began to realize that they could monetise ransomware on a far wider scale.
In 2006, criminal organisations began using more effective asymmetric RSA encryption.
- The Archiveus Trojan encrypted everything in the My Documents directory and required victims to purchase items from an online pharmacy to receive the 30-digit password.
- The GPcode, an encryption Trojan, which initially spread via an email attachment purporting to be a job application, used a 660-bit RSA public key. Two years later, a variant (GPcode.AK) used a 1024-bit RSA key.
The New Wave
Starting 2011, ransomware moved into big time. About 60,000 new ransomware was detected in Q3 2011, and more than doubled in Q3 2012, to over 200,000. What’s most astounding is that ransomware more than quadrupled from Q3 2014 to Q1. 2015.
With no signs of slowing down, there are now many, many ransomware variants. Here’s a brief rundown of the ones you should know:
CryptoLocker – first versions appear to have been posted September 2013
- Usually enters the company by email
- If a user clicks on the executable, it starts immediately scanning network drives, renames all the files & folders and encrypts them.
- $150 to get the key, with money being sent to a Perfect Money or QIWI Visa Virtual Card number.
- CryptoLocker 2.0 was written using C# while the original was in C++.
- Tor and Bitcoin used for anonymity and 2048-bit encryption.
- The latest variant is not detected by anti-virus or firewall.
- CryptorBit corrupts the first 1024 bytes of any data file it finds.
- Can bypass Group Policy settings put in place to defend against this type of ransomware infection.
- Social engineering used to get end users to install the ransomware using such devices as a fake flash update or a rogue antivirus product.
- Tor and Bitcoin again used for a ransom payment.
- Also installs crypto-coin mining software that uses the victim’s computer to mine digital currency.
- First infections were mainly in Russia. The developers were thought to be from an eastern European country.
- This one attacked Synology NAS devices. SynoLocker encrypted files one by one.
- Payment was in Bitcoins and again Tor was used for anonymity.
- Exploited a Java vulnerability.
- Malicious advertisements on domains belonging to Disney, Facebook, The Guardian newspaper and many others led people to sites that were CryptoWall infected and encrypted their drives.
- According to an August 27 report from Dell SecureWorks Counter Threat Unit (CTU): “CTU researchers consider CryptoWall to be the largest and most destructive ransomware threat on the Internet as of this publication, and they expect this threat to continue growing.”
- More than 600,000 systems were infected between mid-March and August 24, with 5.25 billion files being encrypted. 1,683 victims (0.27%) paid a total $1,101,900 in ransom. Nearly 2/3 paid $500, but the amounts ranged from $200 to $10,000.
- only encrypt files <100MB and will skip anything in Windows or Program Files.
- It uses AES rather than RSA encryption.
- ECC (elliptic curve cryptography) public-key encryption.
- 3 days to pay the ransom or the private key will be deleted.
- Files in a user’s profile are encrypted.
- Volume shadow copies are deleted and disabled.
- 72-hour countdown timer to pay 1 bitcoin in ransom.
- Delivered via email attachments, malicious pdf files and various exploit kits.
- Encrypts the user’s data, until a ransom is paid for the decryption key.
- Uses TOR to obfuscate the C&C (Command & Control) channel.
- Incorporates anti-vm and anti-emulation checks to hamper identification via sandboxes.
- Has the ability to run 64-bit code directly from its 32-bit dropper. It can switch the processor execution context from 32 bit to 64 bit.
- Targets popular video game files such as Call of Duty, MineCraft, World of Warcraft, and Steam.
- First circulated in Russia.
- Uses Windows batch files and open source GnuPG privacy software for file encryption.
- I2P network communication.
- Uses exploit kits to gain privilege escalation on the system.
- Disables many security features on a target system.
- The most important change from CryptoWall 3.0 to 4.0 is that it re-encrypts filenames of the encrypted files, making it more difficult to decipher which files need to be recovered.
- Also known as the Onion Trojan-Ransom
- Spreads via brute force attacks on machines with Remote Desktop or Terminal Services
- Encrypts files using AES encryption but the encryption key itself is RSA encrypted
- The hackers will publish the encrypted files on the Internet if the victim doesn’t pay!