A short history of ransomware

Threat Intel, published Mar 16, 2017 (6 min read)

Threat Intel’s ‘History of…’ series will look at the origins and evolution of notable developments in cybersecurity.

The first type of ransomware ever observed was the AIDS Trojan in 1989

Ransomware has been a dominant feature on the cybersecurity landscape in recent years, but it is far from a recent phenomenon, with the first ever ransomware having appeared in 1989.

The AIDS Trojan, as it was dubbed, was released onto the world on five-and-a-quarter inch floppy disks in 1989. Much like ransomware today, the AIDS Trojan attempted to extort money from victims by encrypting their hard disk and demanding payment for decryption. Despite there being no real security in place to protect from that type of threat at the time, the AIDS Trojan was ultimately unsuccessful. In the late ’80s, few people used personal computers, the internet was mostly only used by science and technology experts, and international payments were difficult to process.

Despite this faltering start, in the mid-2000s we saw the emergence of what we would call modern ransomware threats, threats which continue to dominate the threat landscape today.

Ransomware: The early years

Average ransom amount in 2016 was over $1,000

Cybercrime, in particular the use of malware for financial gain, made its first impressions on the threat landscape in the early 2000s with the arrival of online banking threats. A number of years later other revenue-generating threats appeared, in particular fake antivirus scams. These threats masqueraded as legitimate security software, displaying warnings of non-existent threats and security issues which could only be addressed if the victim paid a fee.

Ransomware also started making its first appearances around the same time. The first strain of modern ransomware appeared in 2005 with the Trojan.Gpcoder family. This was an early type of “crypto-ransomware”, where attackers encrypt the victims’ files and offer to decrypt them in return for a fee or ransom.

Another type of ransomware emerged in 2011, which was an early form of “locker” ransomware. Rather than encrypt files, Trojan.Winlock displayed a fake Windows Product Activation notice which could only be removed if the victim input an activation key. In order to acquire this key the user was required to call an international premium rate number.

These early strains of ransomware had one thing in common: they were easily defeated due to the weak encryption and unsophisticated infection methods used. However, cybercriminals would learn from these early failures.

Police ransomware

In 2011, a new form of ransomware started to dominate the threat landscape. Police ransomware was a lesson in the effectiveness of social engineering.

This ransomware was a type of locker ransomware which blocked access to the keyboard and mouse and displayed an image using law enforcement imagery. The image stated that a crime had been committed and that the victim must pay a fine to regain access to their computer.

Typical police ransomware locked screen image

This new strain of ransomware was successful for a number of reasons:

  1. The image was customized depending on the victim’s location. The message was written in their local language and used a logo from local law enforcement.
  2. The message often included the computer’s IP address to add legitimacy. Some strains of police ransomware would also take a photo using the computer’s webcam and include this in the ransom image.
  3. The attackers made it easier to pay the ransom by adopting the use of prepaid electronic payment systems such as Ukash, Paysafecard, and MoneyPak. These systems allow individuals to pay for goods online without a credit card. They also offer a level of anonymity to the attacker.

Police ransomware soon became a victim of its own success as it drew the attention of law enforcement, the security industry, and mainstream media. It was getting harder to trick victims and easier to remove it. Time to move onto something new.

Crypto ransomware

Ransomware reached epidemic proportions with the shift to crypto ransomware, which has been the dominant ransomware threat since 2013.

Crypto ransomware authors don’t waste their time with social engineering; they are upfront with their demands. Their ransom notes typically display a straightforward extortion message offering to decrypt the captured files upon the payment of an often hefty ransom.

Instruction screen from the Locky strain of crypto ransomware

These modern ransomware attackers also learned from their crypto ransomware forefathers. Current strains of ransomware use strong encryption methods such as asymmetric or public key encryption. This method uses a public key on the victim’s computer to encrypt the files. The files can only be decrypted using a private key which only the attacker has access to. This makes recovery from ransomware infections much more difficult.

The prices charged by crypto ransomware authors have increased — with the average ransom amount per computer in 2016 now more than US$1,000.

The Bitcoin influence

One reason ransomware has grown in popularity among cybercriminals is that cryptocurrencies make it easier for ransoms to be paid. Typically, ransomware authors request that ransoms be paid in bitcoins, meaning the money they make from their activities is largely untraceable.

Before the advent of cryptocurrencies it was much more difficult for attackers to receive payments that were almost totally untraceable. While prepaid electronic payment systems offered some anonymity, they were difficult to “cash-out” and involved adopting some money laundering steps.

New ideas

Popcorn Time ransomware sought to get victims to infect other people too

While money is still the main motivation for ransomware authors, they have also been making some unique and creative demands in recent times. With the Popcorn Time ransomware, the authors said they would decrypt a victim’s files for free if they successfully infected two of their friends with the ransomware, and the friends paid up.

Another ransomware discovered by security researchers, called Koolova, offered to decrypt infected victims’ files if they read two specific articles on cybersecurity.

Ransomware is also no longer just a PC problem. There are now strains of ransomware for Macs, and mobile devices have been hit with ransomware for some time now. The Internet of Things is also a likely ransomware target. In early 2017, it was reported that a smart TV had been infected with ransomware. Earlier research from Symantec had demonstrated how this could be possible.

Don’t become a victim

When it comes to ransomware, prevention is most definitely better than cure:

  1. Email is a main infection channel for ransomware. Be wary of emails pretending to be an invoice or delivery notice, and don’t blindly click on links or open attachments.
  2. Infection may also occur through compromised websites, so stick to reputable websites as much as possible.
  3. Use full-featured security software.
  4. Back up your files. Even if you do get struck down by ransomware, a backup means you can easily recover.
  5. Don’t pay the ransom. As tempting as it may seem, it won’t guarantee that you will get your files back and it simply helps to fund criminals.

Check out the Security Response blog and follow Threat Intel on Twitter to keep up-to-date with the latest happenings in the world of threat intelligence and cybersecurity.



Symantec’s Threat Hunter team brings you the latest threat intelligence from the IT security world.