What is Ransomware?

Ferdinand Ramos
Jun 14, 2019 · 7 min read

Unfortunately, I am a few weeks late at writing this blog to catch on the hype from the recent attack that took down almost the entire city of Baltimore’s government. But the threat of another attack is always present for businesses, people, and yes, even governments. Hopefully I can share a little information on what ransomware is, where it came from, how it works, and maybe I can catch the hype from the next attack.

Ransomware is a lot of things: scary, frustrating, debilitating, illegal, and most surprisingly, capable of making over a billion dollars in payouts annually. What’s even worse is how much it costs businesses and people to deal with ransomware, possibly as high as $75 billion each year. This estimate may seem high compared to the $1 billion in payouts, but just think about what is even more valuable than money. The answer of course is time. These businesses are forced to spend unbelievable amounts of time on finding a solution, rebuilding software and records, and playing catch up for months or even years.

Malware has been around for nearly as long as computers, with some of the earliest versions dating back to the 70s. Of course, the spread was much slower and very easily contained. But here we are today, and only a handful of applications lack a graphical user interface. Gone are the days of the command line interface, and gone are the days of slow, easily contained malware.

It was only a matter of time before people realized that computers and malware could be combined to make some serious money. In 1989, this is exactly what Dr. Joseph Popp did, although he claimed that all money extorted would go to AIDS research. Popp handed out and mailed upwards of 20,000 floppy disks with a survey that would tell the users their risk of contracting the AIDS virus based on their answers. What the recipients didn’t know was that the software came with a price.

This first occurrence of ransomware contained many of the basic principles that we see in today’s versions. The software mocked and threatened the user, demanding money in return for their data, which had been encrypted. However, Popp’s methods would have little to no traction in the world today. He asked for the ransom to be sent to a PO Box in Panama, which would almost certainly trace back to him, and even further, the encryption method only attacked the file names, so users’ file data was still intact.

AIDS Trojan ransomware message

Just as quickly as experts were learning about existing malware, developers were creating new strains and families of malware. For ransomware, this culminated in 2006 with the Archiveus Trojan, which encrypted all of the files in the ‘My Documents’ folder (not just the file names this time). This was also the first ransomware virus to use asymmetric encryption, meaning one key encrypted the data and a separate key was needed to decrypt it, a departure from Popp’s symmetric encryption.

The next major step in ransomware development came in 2011, along with the creation of anonymous payment websites. This meant cyber criminals could get payments quicker and much safer — no need to use PO Boxes in Panama anymore. We also saw, with the WinLock Trojan, another departure from traditional ransomware up to this point. WinLock is of the ‘Locker’ type of ransomware, meaning it locks the computer so users can’t even log in unless they pay the ransom. In the case of WinLock, only the locker strategy was applied; files were not encrypted in any way.

Once the locker strategy was established, there was one piece missing to really push users into paying the ransom, and that was the psychology of the user. So, we see the advent of scareware and ‘Police’ Ransomware. This version of ransomware would lock down the user’s computer, claiming the user had participated in illicit or illegal activities. The software also posed as coming from an official law enforcement agency, or even the FBI in the case of Reveton. Some strains of police ransomware even take over the webcam to display a live feed of the user, insinuating that they are being watched. Undoubtedly, the goal of this software is to scare the user enough that they don’t even think to ask somebody for help.

A sample of a Reveton ransom message

Again, there was a small stretch of time where little advancement was being made to ransomware, that is, until CryptoLocker came into play. In late 2013, we saw new methods of delivery and a much more direct threat to get the ransom. CryptoLocker was spread through a network of infected or ‘zombie’ computers, infecting websites and exposing more users than ever. The inventors of CryptoLocker also employed spear phishing techniques, where they would email businesses legitimate-looking complaints or offers, with the attachments being the CryptoLocker software. Users would then find all of their files encrypted, with a message very plainly stating that their files were encrypted and they had three days to pay the ransom or everything would be deleted.

Ransomware stayed in a similar vein to CryptoLocker for the next few years, with some small variations: being able to encrypt multiple operating systems, including Android; new payment methods (mainly Bitcoin); and cryptoworms, which are ransomware that are able to spread automatically through networked devices. All of this summed up to what we see today with ransomware.

Today we see the clear evolutionary result of all of the past ransomware pieced together, which has combined to become WannaCry, short for WannaCrypt. WannaCry takes advantage of a security flaw in older versions of Windows Server. This gave it the power to spread nearly worldwide and fast. What’s even more shocking about this widespread flaw is that it was discovered by the NSA, and kept hidden from Microsoft for over 5 years before the attack occurred. I’m not going to get into the politics and reasoning behind what the NSA did and is quite possibly still doing, but let’s just say that some very wealthy ransomware developers are happy the NSA held onto that information as long as they did.

We are also now seeing a new model for profiting from ransomware: ransomware-as-a-service. Developers are offering their ransomware to anybody who is willing to pay for it; just change the address for payment and communication and the buyer is ready to extort some Bitcoin. The attack we saw last month in Baltimore was carried out with a ransomware known as Robbinhood, and some experts believe that this large scale attack is to draw attention to the name so it can be offered in the future with the ransomware-as-a-service model.

As for how to protect yourself, the answer is quite simple. Disconnect from the internet. Forever. But, if that is a little too big of a jump for you, I understand. I’m sure not going to do that. But we can practice good cyber hygiene. We can stay on top of security updates, be careful of what we download and what websites we visit, and always keep offline backups; even something as simple as knowing what ransomware is puts you ahead of those who don’t.

There is also the question of whether or not to pay the ransom if you are unlucky enough to be hit, and I’m here to tell you that, for the greater good, you shouldn’t. We shouldn’t incentivise this industry further than it already is, and some of the time they don’t even keep up their end of the deal (who would have guessed it… a dishonest criminal). That being said, I honestly might pay the ransom depending on the day. And you might too, and I see nothing wrong with that. How can we be expected to start over from square one with everything? All your assignments, documents, pictures, anything saved to that computer just gone. That’s tough to put a price on, but luckily the ransomware developers do that part for us.

So now you have all the information you need to be Terrified On The Internet™. Use this information to your benefit, or maybe just to impress your friends who care to listen to you talk about cybercrime. Either way, be safe out there.

I became interested in ransomware and cybersecurity through my internship here at QueryAI, where I was tasked with researching cybersecurity logs and sort of gravitated towards ransomware, as it is one of the most dangerous and fastest growing threats to businesses.

Also keep an eye out for the next few weeks as I will be completing my research and making a blog post detailing a simple way for IT professionals to monitor their systems for when ransomware has struck.

Query.AI

Seamless Cross-platform Investigations

Thanks to Craig Jorgensen

Written by Ferdinand Ramos, Query.AI

Query.AI is a decentralized data analysis technology that unlocks the power of your organization’s data, simplifying access and analysis across your platforms and locations, without data duplication.
