In today’s digital age, the threat of ransomware attacks looms large, causing significant damage to individuals and organizations alike. Ransomware has turned into a multi-billion-dollar industry. It is the most popular form of malware used in attack campaigns today, and it has become commonplace because it is easy to deploy and effective against organizations. In this blog post, we’ll do a deep dive into the process and history of ransomware as an attack strategy.
What is ransomware?
Ransomware is a type of malicious software that encrypts a victim’s files and threatens to publish the data or perpetually block access to it unless a ransom is paid. While some simple ransomware may lock the system in a way that is not difficult for a knowledgeable person to reverse, more advanced malware uses a technique called crypto-viral extortion. This process encrypts the victim’s files, making them inaccessible, and demands a ransom payment to decrypt them. It should be noted, however, that paying the ransom does not guarantee that users will get the decryption key or unlock tool required to regain access to the infected system or hostage files.
The Typical Ransomware Process
- Infection: Ransomware is usually delivered through harmful email attachments, infected software downloads, or compromised websites. Once the victim’s system is infected, the ransomware begins its malicious actions.
- Encryption: The ransomware encrypts the victim’s files using a strong encryption algorithm, making them inaccessible without the decryption key. This prevents the victim from accessing their own data.
- Ransom Note: After the encryption process is complete, the victim receives a ransom note, often in the form of a pop-up message or a text file, explaining that their files are locked and detailing the ransom amount and the payment method.
- Ransom Payment: The attackers demand payment, often in cryptocurrency like Bitcoin, as it provides a level of anonymity for both the victim and the attacker. The victim is instructed on how to make the payment to receive the decryption key.
- Decryption (Possibly): If the victim decides to pay the ransom, the attackers might provide a decryption key or tool that can unlock the encrypted files, allowing the victim to regain access to their data.
How does ransomware spread?
Ransomware can be downloaded onto systems when unwitting users visit malicious or compromised websites. It can also arrive as a payload either dropped or downloaded by other malware. Some ransomware is known to be delivered as an attachment to spam email, downloaded from malicious pages through malvertisements, or dropped by exploit kits onto vulnerable systems. From malicious email attachments and fake links to social media scams, ransomware spreads quickly and hits hard.
Why is ransomware so successful?
You could say there’s one key reason why ransomware has boomed: because it works. Organizations can have the best antivirus software in the world, but all it takes for ransomware to infect the network is for one user to slip up, launch a malicious email attachment, and discover that all their files have been encrypted. If organizations weren’t giving in to ransom demands, criminals would stop using ransomware. But businesses do need access to data to function, so many are willing to pay a ransom and get it over and done with.
Meanwhile, for criminals it’s a very easy way to make money. Why spend time and effort developing complex code or generating fake credit cards from stolen bank details if ransomware can result in instant payments of hundreds or even thousands of dollars from large swathes of infected victims at once?
The History of Ransomware
The concept of file-encrypting ransomware was invented and implemented by Young and Yung at Columbia University and was presented at the 1996 IEEE Security & Privacy conference. It is called crypto-viral extortion, and it was inspired by the fictional “face hugger” in the movie Alien.
The first ransomware, known as PC Cyborg or AIDS, was created in the late 1980s. PC Cyborg would encrypt all files in the C: directory after 90 reboots and then demand that the user renew their license by sending $189 by mail to PC Cyborg Corp. The encryption used was simple enough to reverse, so it posed little threat to those who were computer savvy.
With few variants popping up over the next 10 years, a true ransomware threat would not arrive on the scene until 2004-2005, when GpCoder used weaker RSA-1024 encryption to hold personal files for ransom.
Cases of ransomware infection were first seen in Russia between 2005 and 2006. Trend Micro published a report on a case in 2006 that involved a ransomware variant (detected as TROJ_CRYZIP.A) that zipped certain file types before overwriting the original files, leaving only the password-protected zip files on the user’s system. It also created a text file that acted as the ransom note, informing users that the files could be retrieved in exchange for $300.
In 2007, WinLock heralded the rise of a new type of ransomware that, instead of encrypting files, locked people out of their desktops. WinLock took over the victim’s screen and displayed pornographic images, then demanded payment via a paid SMS to remove them. This class is known as locker ransomware.
With the development of the ransomware family Reveton (Police Trojan) in 2012 came a new form of ransomware: law enforcement ransomware. Victims would be locked out of their desktop and shown an official-looking page that included credentials of law enforcement agencies such as the FBI and Interpol. The ransomware would claim that the user had committed a crime, such as computer hacking, downloading illegal files, or even being involved with child pornography. Most of the law enforcement ransomware families required that a fine ranging from $100 to $3,000 be paid with a pre-paid card such as Ukash, MoneyPak, or PaySafeCard.
Average users did not know what to make of this and believed they were truly under investigation by law enforcement. This social engineering tactic, now referred to as implied guilt, makes users question their own innocence and, rather than be called out on an activity they aren’t proud of, pay the ransom to make it all go away.
Finally, in 2013 CryptoLocker re-introduced the world to encrypting ransomware—only this time it was far more dangerous. CryptoLocker used AES encryption, with the AES key protected by an RSA public key embedded in the malware, and stored the RSA private key required to unlock the files on a remote server. This meant that it was virtually impossible for users to get their data back without paying the ransom. This type of encrypting ransomware is still in use today, as it has proven to be an incredibly effective tool for cybercriminals to make money.
In 2015, the Angler exploit kit was one of the more popular exploit kits used to spread ransomware and was notably used in a series of malvertisement attacks through popular media such as news websites and localized sites. Angler was constantly updated to include several Flash exploits and was known for being used in notable campaigns such as the Hacking Team leak and Pawn Storm. Because of its easy integration, Angler remains a prevalent choice to spread ransomware.
2017: The Year Ransomware Broke
Large scale outbreaks of ransomware, such as WannaCry in May 2017 and Petya in June 2017, used encrypting ransomware to ensnare users and businesses across the globe.
Both incidents emphasized the urgency of maintaining up-to-date software and patching systems to prevent the spread of such malware. They also highlighted the need for effective cybersecurity measures and the potential for ransomware attacks to have significant economic and operational consequences.
In response to these events, there was increased awareness about the importance of cybersecurity practices, more attention given to vulnerability management, and a recognition of the global nature of the ransomware threat.
Training and awareness are the two main ways to learn about these types of attacks and prevent them from compromising unknowing victims. The best way to stay cyber-secure is to learn about these types of threats and be more proactive in keeping them from happening. In our next blog post, we’ll break down the steps and strategies you need to execute to protect yourself and your organization from ransomware attacks.
If you are planning to train for a cybersecurity certification to enhance your skills, Training Concepts would love to help prepare you to be successful on exam day.
Training Concepts offers many certifications for cybersecurity and would love to have the opportunity to guide you through them all with ease. Reach out to schedule a consultation if you’re interested in starting a career in technology or improving your security skills.