What is Ransomware?
Ransomware is a type of malicious software that prevents users from accessing their computer system or files until a sum of money (ransom) is paid. In the malware landscape, ransomware has earned itself a well-deserved nasty reputation.
There are two types of ransomware identified in this branch of the malware family tree; 1) locker ransomware and 2) crypto ransomware
Locker ransomware effectively locks Windows access preventing the user from accessing their desktop or files. Typically designed to prevent access to one’s computer interface, Locker ransomware mostly leaves the underlying system and files unaltered. A message would be displayed on the screen with instructions on how to regain access to the files. Winlocker is an example of this type of ransomware.
Crypto ransomware was designed to prevent access to specific, valuable data by encrypting the files using strong, public-key encryption. After performing the encryption, the bad actor would demand payment in exchange for a key that could be used to decrypt the files. Examples of this type of ransomware include Cryptolocker and CryptoWall among others.
Modern crypto ransomware variants didn’t really come into the forefront of cybersecurity until around 2005. However, would you believe the first of this type was seen in 1989? The AIDS Trojan was identified in 1989 in England, making it the first of its kind. Also known as PC Cyborg Trojan it was propagated by mail…that’s right, no ‘e’. The creator of the virus, Dr. Joseph Popp snail-mailed some 20K diskettes through physical postage to victims under the guise of supplying AIDS research information.
The malware would replace the AUTEXEC.BAT file when the diskette was inserted into the user’s disk drive. The altered BAT file would track the number of times the computer was rebooted. When the boot count reached 90 a splash screen informed the user of their situation; “Unless you pay me $$ you will not get your files back”. The virus worked by encrypting filenames. Relatively primitive in design it nonetheless rendered the files unusable. It didn’t take long for security researchers to reverse engineer the code and give users the ability to unlock their files.
The AIDS Trojan established the ransomware threat in 1989 but this type of malware wasn’t widely used in cybercrime until many years later. Jump forward to 2005 to see the accelerated acceptance and use of ransomware by criminal enterprises and bad actors.
Evolution of Ransomware
Ransomware in today’s threat landscape is affecting users worldwide. Different variants have evolved over the years. Driven by criminal enterprises who have seen the opportunity for financial gain, this family of malware has seen a dramatic increase in use over the last 15 years. Other direct revenues generating risks in the digital age include misleading apps and fake anti-virus.
Some of the early manifestations of revenue generating malware were called “misleading applications” and “fake anti-virus”. The first wave of these types of malware was identified around 2005.
Misleading applications intentionally misrepresent the security status of a user’s system. Fake anti-virus programs attempt to convince the user to purchase software to remove non-existent malware or security risks from the computer. Pop-up Ads would be presented to users while browsing, usually from sites which had been compromised. The ads posed as spyware removal tools, system performance optimizers or anti-virus solutions.
The ads would exaggerate the condition of the system or the impact of a discovered “threat”. The offer was to fix these issues for a small license fee. As a rule, there were no actual threats or issues and even if the user paid the extortion fee nothing was changed on their system.
These were not ransomware by the strict definition but nonetheless, they exploited a user’s lack of security awareness and fear.SpywareClear, ImproveSpeedPC, SpySherriff, and RegistryCare are early examples of this type of malware.
Locker and Crypto Ransomware
Around 2008 the attack methodology shifted from fake anti-virus to a more troublesome form of revenue generating malware. Enter the Locker Ransomware family of malware. Now, cybercriminals disabled access and control of a user’s computer, effectively holding the system hostage until payment is made.
Not only did the cybercriminals increase the impact to the user’s system with lockerware they also increased the dollar amounts they were demanding. Additionally, as the use of locker ransomware gained popularity (its use peaked around 2011 and 2012) it shifted from just reporting non-existent issues or errors to actually taking control of access to the computer.
2013 brought the next step in the malware evolution; crypto ransomware. This was the year that the first variant of CryptoLocker was identified and with it a came a new mechanic to the ransomware modus operandi; asymmetric encryption.
As was discussed earlier, locker ransomware changed access controls and prevented a user from accessing the data. This meant that the data was still on the system in a readable format but a user could not access it through the OS. Crypto ransomware differed in that it actually rendered the data unreadable by using encryption techniques. The user still had logical access to the data files but could not read them.
CryptoLocker was a hugely successful but short-lived variant in this malware family. The original CryptoLocker botnet that controlled it was shut down in the middle of 2014. However, it was reported that hackers successfully extorted nearly $3 million USD before being shut down.
The old saying “imitation is the sincerest form of flattery” very appropriately describes cybercriminal activity in the crypto ransomware field subsequent to CryptoLocker. Since its launch, cybercriminals have widely mimicked and copied the CryptoLocker approach. So much so that the Cryptolocker name has become synonymous with ransomware.
Ransomware – What Lies Ahead
Ransomware is a constantly evolving threat. It is difficult to predict the direction ransomware will head in the coming years. The threat landscape is continually changing with cybercriminals always looking for new methods and vectors in which to generate revenue. The ransomware concept has matured to a healthy level so much so that “Ransomware as a Service” is an identifiable vertical in the cybersecurity theater.
The battle against ransomware is a major task that requires everyone’s participation. Engineers and production designers creating new technologies or products will need to embed security into their creation process by considering use cases that could be leveraged for malicious intent. End users will need to stay vigilant and utilize basic security best practices to help protect their data. Security awareness needs to be emphasized to end users to help them avoid clicking on malicious links and making sure their systems and software are appropriately patched.
One of the most important (and underemphasized) mitigation strategies that you can do to protect yourself and your data is making backups. At the least, backup the data that is important to you and do it on a regular basis.
There is no bullet-proof solution when it comes to cybersecurity. Security is a process, not a product. Knowledge is a powerful weapon in the fight against cybercriminals. This knowledge can be gained by both individual research and professional consultation. While reading up on ransomware and cybersecurity will increase your awareness of threats and help you better understand how to recognize and avoid future attacks, a consultation with SecurIT360 can provide valuable tools to take your cybersecurity strategy to the next level.
If you would like to learn more about how you can protect your corporate data, please click here to contact us. SecurIT360 provides audits, assessments, and analysis of systems and operations across multiple industries including legal, financial, utilities, and healthcare. Let us help you determine where you should spend your time and money protecting your information.