A Brief History of Ransomware

Aleksa Zatezalo
Offensive Security Library
5 min read · Sep 22, 2021

Ransomware! The crypto-coercing, data-encrypting viruses seem to have exploded in recent years. With viruses like WannaCry (2017), SamSam (2018), Ryuk (2019) and DarkSide (2021), it seems as if a major ransomware attack is at the centre of a major news story every year [1]. Along with dark net markets that sell drugs and guns and offer assassins for hire, ransomware may appear to be just another nefarious technological innovation that piggybacks on the invention of Bitcoin. Although its rise to prominence began with a spike in popularity in 2012, the history of ransomware is a lot longer and more varied than one might be led to believe [2]. Moreover, the existence of ransomware predates the widespread adoption of the internet, dating as far back as 1989. This article will cover the history and development of several critical ransomware viruses throughout the ages: AIDS, Reveton, WannaCry, and DarkSide.

AIDS

AIDS is the first known example of ransomware, dating back to 1989. Also known as the AIDS Info Disk or the PC Cyborg trojan, AIDS was fundamentally a trojan horse. Once the AIDS floppy disk was inserted and the AUTOEXEC.BAT file replaced, AIDS would count the number of times the computer had rebooted. At the 90th boot AIDS would hide directories and encrypt file names, rendering the C drive unusable (particularly sinister, as the AIDS disk would be shared among peers unbeknownst to them of its impact). The user was ‘asked to renew the license’ by mailing $189 USD to a post office box in Panama and contacting the PC Cyborg Corporation. Harvard-taught evolutionary biologist Dr. Joseph Popp was identified as the author of the AIDS trojan horse. He was charged on 11 counts of blackmail after trying to defend himself by claiming that the money he collected was used to fund AIDS research [3].

AIDS message claiming that the software license has expired.

Reveton

Reveton was the first major ransomware virus, appearing as early as 2012. Its payload displayed a warning on behalf of the “police” stating that the PC it found itself on had reportedly been used for illegal purposes such as child pornography or unlicensed software. To strengthen the illusion that the computer was being tracked by law enforcement, the screen also displayed the computer’s IP address, while some versions displayed footage from the victim’s webcam. Moreover, each message was customized to the user’s country, with different variants carrying different messages from local law enforcement, making the illusion of police involvement stronger still. Because of this, Reveton was commonly referred to as the “Police Trojan”. It was loosely based on the Citadel and Zeus viruses and spread through drive-by downloads on infected web pages that would scan for “outdated plugins” and thereby download the software [4].

Reveton’s ransom message for American users.

WannaCry

In May of 2017 WannaCry ransomware began spreading through the internet using an exploit named EternalBlue. Developed by the NSA and leaked by the Shadow Brokers in 2017, EternalBlue exploited the then-current implementation of Microsoft’s SMB protocol. The vulnerability allowed code to be executed on remote Windows machines. The virus spread at an unprecedented rate, infecting more than 230,000 computers in over 150 countries, and demanded $300 in Bitcoin. It even hit FedEx, Honda, Renault, the Russian Interior Ministry, and the British National Health Service, where 16 hospitals began turning away patients. The attackers gave their victims a 7-day deadline from the day their computers were infected, after which the encrypted files would be deleted [5].

WannaCry’s ransom message with Bitcoin address.

DarkSide

On May 7, 2021 a cyberattack was executed against the US Colonial Pipeline. The FBI identified the DarkSide ransomware group, which sells ransomware as a service, as the key perpetrator of the attack. After extorting 75 bitcoins (about $5 million) and forcing the shutdown of the US’s biggest oil pipeline, which supplies 45% of the country’s fuel, the attack was deemed one of the worst in US history. In May of 2021 SentinelOne published an analysis of the attack in which it claimed that its clients were defended. In May 2021, the FBI and the Cybersecurity and Infrastructure Security Agency issued a joint alert urging the owners and operators of critical infrastructure to take certain steps to reduce their vulnerability to DarkSide ransomware and ransomware in general [6].

A message in a previously deployed piece of DarkSide’s ransomware.

The Future of Ransomware

Although the core of ransomware has remained relatively unchanged, namely encrypting, or claiming to encrypt, files for money, methods of distribution have changed significantly from the floppy disks AIDS was once found on. Moreover, the black market for ransomware as a service has grown significantly, specifically in Russian-speaking countries. The emergence of APT-style ransomware groups such as DarkSide that specifically target large corporations and potentially look to use zero-days, as WannaCry did, is also a new phenomenon. As awareness of computer security increases and people become more aware of phishing scams and the common social engineering practices used to distribute many Trojans, I predict that widespread ransomware attacks such as Reveton that spread via drive-by download will decrease. A greater emphasis will be placed on high-profile victims with a large attack surface and the ability to pay a large ransom.
