The evolution of ransomware attacks


What is ransomware?

So what exactly is ‘ransomware’? It is quite possibly the most dangerous and lucrative form of malware of our time. In essence, ransomware infiltrates a device or network with the aim of encrypting personal data. It then holds the victim to ‘ransom’ by demanding a sum of money (in the digital currency Bitcoin) in return for access to their files. Typically, when a device becomes infected, instructions appear which detail how to make the payment and obtain the data decryption key. The ransom amount is known to vary from a few hundred to six-figure sums, which explains why it is such a fruitful attack vector for cyber-criminals.


There are a number of ways that ransomware can be deployed, but the most common and easiest method is through phishing scams. Although many scams are sent on a mass scale, it is usually the more targeted and carefully socially engineered attacks which prove more successful. Bad actors often conduct extensive research on a company, such as identifying high-ranking employees, understanding internal teams and spoofing its email domain. These highly sophisticated attacks can catch businesses off-guard. They usually encourage the recipient to download a malicious ZIP file, Word document, Excel spreadsheet or PDF which, when opened, immediately locks down their device, rendering it inaccessible.

What is the history of ransomware, and how has it evolved?

The first ever ransomware attack was launched 32 years ago by a biological researcher called Dr. Joseph L. Popp. During an AIDS conference hosted by the WHO, Popp distributed a floppy disk to attendees titled ‘AIDS Information Introductory Diskette’, alongside instructions on how to install the program. Once activated, it installed malware onto the device which became known as the ‘AIDS Trojan’. It encrypted file names and extensions and demanded $378 for lifetime access to the so-called subscription service. It was soon discovered that the key needed to retrieve the data was contained in the malware’s own encryption code, so victims could solve the problem by extracting the key and deleting the malware. Although Popp was tracked down via his bank details in Panama, he was never charged.

Since this first ransomware attack, the malware has had a long and varied history

After Popp’s rather unsuccessful first attempt at a ransomware attack, it wasn’t until the mid-1990s that fellow scammers began to take interest in this criminal practice. In 1995, two cryptographers called Adam Young and Moti Yung developed a strain of ransomware which used ‘asymmetric encryption’. Rather than using one key like Joseph Popp, Young and Yung used two keys: one which was accessible to the victim and another which could only be obtained by paying the ransom. They were also the first to introduce the idea of using electronic payment methods to help anonymise the transactions and conceal the attacker’s true identity.


The rise of blockers

The late noughties saw the rise of a new type of ransomware called blockers. During this period, blocker ransomware was widely distributed because the code was publicly accessible and could be automatically generated. This pesky ransomware infection took hold of the operating system by adding itself to the Windows start-up process. To make it even more difficult for the user to regain access, it often blocked the Task Manager and Registry Editor. Other methods made the device almost unusable, including preventing certain windows from being closed and preventing deletion of files. Although removing the ransomware was possible, it required a fair amount of technical know-how from the user. Subsequently, many victims resorted to paying the ransom.


Ransomware blockers combined with cryptomalware

Next, we started to see a hybrid ransomware which combined blockers and cryptomalware (such as the world-renowned ‘CryptoLocker’). Cryptomalware is particularly malevolent because it can remain undetected on your systems: as a trojan horse it can silently sit on your device whilst searching for and encrypting anything on your hard drive and connected media. In 2013, the infamous CryptoLocker ransomware began to infect computers across the globe. It was mainly distributed via spam emails and only targeted victims with Windows PCs running XP, Vista, Windows 7 or Windows 8, but it could also be spread by downloading plugins from websites. The emails would aim to coerce recipients into opening a *.doc or *.pdf file which, behind a hidden extension, actually contained the cryptomalware.

Once the file was downloaded, most users wouldn’t notice anything untoward until their files were fully encrypted. They would then receive a notification that they had been infected by CryptoLocker, with a rather ominous countdown timer until all data was permanently deleted. Although there is anti-virus software which can remove this malware, unfortunately it cannot decrypt your data.

By 2015, cryptors had completely replaced blockers and Bitcoin was the sole currency used for extorting ransom payments. As cyber-criminals were no longer concerned about being identified through their financial details, Bitcoin paved the way for mass ransomware attacks targeting large corporations.

WannaCry and NotPetya

In the years following this, two of the most notorious ransomware attacks took the world by storm: WannaCry and NotPetya. First of all, in May 2017 the devastating WannaCry ransomware strain reared its ugly head. For anyone who works in the Cyber Security industry, this astounding event will be something which sticks with you for many years to come. Here at Equilibrium, we were busy assisting customers with the fallout of the attack, offering guidance, joining interviews and doing all we could to offer our Cyber Security expertise in a time of much uncertainty and panic.

WannaCry infected over 500,000 devices and caused $4 billion of damage across the globe. This particularly damaging strain of ransomware was executed by exploiting a Microsoft vulnerability called EternalBlue. Once the ransomware infected a device it continued to spread to other devices within the network; it affected NHS Trusts, Telefónica, Renault, FedEx, Nissan, Hitachi and many more. In the wake of the attack, Microsoft released an urgent patch for unsupported operating systems. However, even though patches for supported systems were already available, many businesses had not applied them, which left them exposed to the ransomware.

A mere six weeks after WannaCry, an even more deadly form of ransomware appeared without warning: NotPetya. NotPetya encrypted the file table in a way which meant that decryption wasn’t an option. As a result, many businesses paid the dreaded ransom and did not get their data back in return. Eventually it was concluded that NotPetya was a wiper masquerading as a cryptor. The total damage exceeded a staggering $10 billion.

Data leaks and disrupting critical services

Since these two momentous attacks, cyber-criminals have relentlessly bombarded utilities, healthcare, energy and transport institutions with ransomware attacks. As so many citizens depend on these critical services, bad actors are confident that many will pay a substantial ransom. After all, refusing to pay could not only lead to loss of income or critical data, it could also leave many people (especially healthcare patients) in difficult, and even life-threatening, situations.

More recently, a new ransomware trend has emerged known as ‘double extortion’. In this form of scam, hackers threaten to leak data into the public domain if a ransom is not paid. This change of technique allows online criminals to apply more pressure on victims, and it also means that they can sell the stolen data on the dark web if the victim refuses to give in to the extortion demands.

Famously, the foreign currency exchange service Travelex paid an eye-watering $2.3 million after the REvil ransomware hacking group took down their systems and stole 5GB of sensitive customer data. This included dates of birth, credit card information and national insurance numbers. Reports suggested that it was caused by a critical unpatched vulnerability in their VPNs, which was used as a backdoor to access their systems. After giving in to the demands and paying the ransom, Travelex went into administration within a few short months.


Anti-ransomware: How can your business protect against ransomware attacks?

As always with Cyber Security, there is no ‘silver bullet’ for ransomware detection or for eliminating ransomware risk. The best ransomware protection adopts a ‘defence in depth’ approach. Using multiple layers of security controls, such as taking regular backups (and storing them safely), preventing mass data exfiltration, multi-factor authentication, email filtering, regularly patching vulnerabilities and applying security updates, providing ongoing cyber awareness training, having an incident response plan, DNS filtering and blocking malicious files and websites, will all help to protect against ransomware.
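As an added example (not code from the original article or from Equilibrium), here is a simple mail-gateway attachment filter in Python that applies two of the controls above, email filtering and blocking malicious files, to the disguised-extension trick described in the CryptoLocker section. The extension lists and the sample attachment names are assumptions I constructed for the illustration.

```python
# Extensions Windows runs when the file is opened. Explorer hides "known"
# extensions by default, so "invoice.pdf.exe" is displayed as "invoice.pdf".
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "hta", "ps1", "lnk"}
MACRO_DOC_EXTS = {"docm", "xlsm", "pptm"}          # Office files that can carry VBA macros
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "rtf", "txt"}
ARCHIVE_EXTS = {"zip", "rar", "7z", "iso"}         # may wrap a dropper; inspect contents
RLO = "\u202e"  # Unicode right-to-left override; makes "fdp.scr" render as "rcs.pdf"


def assess_attachment(filename: str) -> tuple[str, str]:
    """Return (verdict, reason); verdict is 'block', 'quarantine' or 'allow'."""
    if RLO in filename:
        return "block", "filename contains a right-to-left override character"
    exts = filename.lower().strip().split(".")[1:]
    if not exts:
        return "quarantine", "attachment has no extension"
    last = exts[-1]
    if last in EXECUTABLE_EXTS:
        # Double extension: an executable named to look like a document.
        if len(exts) > 1 and exts[-2] in DOCUMENT_EXTS:
            return "block", f"executable disguised as a document (.{exts[-2]}.{last})"
        return "block", f"executable attachment (.{last})"
    if last in MACRO_DOC_EXTS:
        return "quarantine", f"macro-enabled document (.{last})"
    if last in ARCHIVE_EXTS:
        return "quarantine", f"archive attachment (.{last}); contents need inspection"
    return "allow", "document attachment"


def triage(filenames: list[str]) -> dict[str, str]:
    """Verdict per attachment, so the gateway can hold or deliver the whole message."""
    return {name: assess_attachment(name)[0] for name in filenames}


# Constructed sample attachment names, not taken from any real message.
SAMPLE = [
    "Q3_report.pdf",
    "invoice.pdf.exe",           # double extension, shown as invoice.pdf on Windows
    "payroll.xlsm",
    "scan.zip",
    "resume" + RLO + "fdp.scr",  # renders as "resumercs.pdf" in a file listing
]

if __name__ == "__main__":
    for name in SAMPLE:
        print(repr(name), *assess_attachment(name))
```

A real gateway would also open archives and check file signatures rather than trusting the name, but the name-based checks alone catch the most common phishing lures.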

If you would like to speak to a Cyber Security expert about ransomware protection for your business, please register your details below or call our friendly team on 0121 663 0055.
