Introduction
Ransomware has been around for a long time, but it’s only recently that it’s become a major threat to businesses. Ransomware is malware that infects and holds your computer hostage until you pay the attackers in order to regain access.
According to the National Cyber Security Alliance (NCSA), ransomware is one of the fastest growing malware threats, and businesses are often the targets.
Originally, ransomware was simply an annoyance—a common form of cybercrime that could be dealt with easily. This evolving form of cybercrime now poses serious risks to businesses and consumers alike. Here’s what we know about how ransomware works—and how it has evolved over the years:
First Known Ransomware
The first known ransomware attack occurred in 1989 when a graduate student created the AIDS trojan and sent it to his rivals across the US, encrypting their research papers as a punishment for stealing his ideas. The program was called m89_1-0.exe (also known as AIDS), and it demanded an outrageous amount of money from its victims—$100,000 per computer infected.
The young man used social engineering tactics rather than technical measures to infect computers with this malware: he sent out email messages containing links that looked like they led to other research papers but, when clicked by unsuspecting users, instead opened a file named m89_1-0.exe.
The surge continued
Ransomware experienced another surge when criminal hackers stole an encryption program named PGPCoder from a Russian hacker and distributed it through email attachments or torrents to unsuspecting users. This was one of the first examples of ransomware that used 256-bit AES encryption. The encryption could not be cracked, so the only way to recover the files was to pay the ransom. While this wasn’t technically the first instance of malware being distributed through email attachments (the first known example occurred in 1989), it was certainly one of the most prominent uses of that method, and it proved how effective this distribution method could be for malicious actors looking to make money from their attacks.
The year 2006 also saw the introduction of another ransomware family: Archiveus. In a similar vein to PGPCoder, this trojan used 256-bit AES encryption to encrypt everything on an infected user’s machine and would only decrypt it if they paid their attackers.
This early form of ransomware was designed to target files rather than entire systems; however, it still caused significant damage and disruption to users when they were infected by these types of programs.
It wasn’t until 2011 that WinLock appeared on the scene. This variant primarily targeted people in Russia, locking their computers and demanding payment via a nearby convenience store to unlock them again. It was distributed through email attachments or torrents.
The person responsible for creating this Trojan horse was a Russian hacker who wanted to make money off of his creation. He said that he created WinLock because he thought it would be funny if people had to pay money before they could use their computers again.
Many variations of WinLock have been created since then, including one called CryptoLocker, which first appeared in September 2013 and locks users out of their data until they pay a ransom of between $100 and $400 USD (or, more recently, Monero).
CryptoLocker was one of the first pieces of malware to use an “asynchronous” payment system, which required victims to purchase prepaid cards at local stores in order to pay off their ransom (a practice still used today by many ransomware variants). Another significant milestone occurred when CryptoLocker first appeared in 2013—the first ransomware-as-a-service model that allowed others to sign up for the service and begin distributing it themselves without needing any technical skills or access to malicious code. CryptoLocker would encrypt files on an infected machine until users paid $300 worth of Bitcoin using Tor hidden services (websites not visible through traditional search engines).
WannaCry is a ransomware attack that spread across the world in May 2017. It started in the UK, but quickly spread to other countries.
The ransomware was created by a hacker or group of hackers known as The Shadow Brokers, who had previously leaked tools from the NSA. They released it onto the internet on 14th April 2017, and it was designed to take advantage of a Windows vulnerability called EternalBlue, which had been stolen by The Shadow Brokers.
EternalBlue took advantage of a security flaw in Microsoft’s file sharing protocol SMBv1, which gave attackers access to computers running Windows XP, Windows Vista and Windows Server 2003. If a machine was connected to the internet through an unpatched router, it could become infected with the WannaCry malware.
Once infected with WannaCry ransomware, victims would see their files encrypted and be unable to access them without paying a ransom fee (usually around $300). The message displayed on screen would read: “Oops! Your important files are encrypted!”
WannaCry spread rapidly across Europe and Asia because many organisations hadn’t updated their systems after Microsoft released a patch for EternalBlue back in March 2017 (a month before the first infections occurred).
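The two defensive lessons from the WannaCry section are that SMBv1 should not be exposed and that the March 2017 patch should be applied. The following PowerShell audit is an added example, not code from the original post: it reports whether a Windows host still has SMBv1 enabled on the server side, as an installed optional feature, or in use by an active session, and disables it only when the hypothetical -Remediate switch is passed. It assumes Windows 8.1 / Server 2012 R2 or later (SmbShare module present) and an elevated session; patch status still has to be checked separately.

```powershell
# Added example (not part of the original post): audit SMBv1 exposure on a
# Windows host and optionally disable it. Assumes an elevated PowerShell
# session on Windows 8.1 / Server 2012 R2 or later. -Remediate is a switch
# defined here for illustration, not a built-in parameter.
param(
    [switch]$Remediate   # only change configuration when explicitly requested
)

$findings = @()

# Server side: is the SMB server still willing to negotiate SMBv1 dialects?
$srv = Get-SmbServerConfiguration
if ($srv.EnableSMB1Protocol) {
    $findings += "SMB server accepts SMBv1 (EnableSMB1Protocol = True)"
    if ($Remediate) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
}

# Optional-feature view: the SMB1Protocol feature can remain installed even
# when the server setting above is already off (not present on every SKU,
# hence the SilentlyContinue).
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol `
    -ErrorAction SilentlyContinue
if ($feature -and $feature.State -eq 'Enabled') {
    $findings += "Windows optional feature SMB1Protocol is installed"
    if ($Remediate) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
}

# Live view: which dialect are current outbound SMB sessions using? A 1.x
# dialect means some peer on the network still only speaks the legacy protocol.
Get-SmbConnection -ErrorAction SilentlyContinue |
    Where-Object { $_.Dialect -like '1.*' } |
    ForEach-Object { $findings += "Active SMBv1 session to $($_.ServerName)" }

if ($findings.Count -eq 0) {
    Write-Output "OK: SMBv1 is not enabled or in use on this host"
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
    if (-not $Remediate) { Write-Output "Re-run with -Remediate to disable SMBv1" }
}
```

Disabling the optional feature takes effect after a reboot, so a host reported as fixed should be re-audited once it has restarted.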
Since WannaCry, hackers have become more creative. They are targeting new industries, such as healthcare and transportation, and they have created a new type of ransomware known as RaaS (Ransomware-as-a-Service). Ransomware is also becoming more sophisticated, targeting your computer from all angles. For example, CryptoLocker uses worm-like features that move through your network until every device is infected.
Conclusion
If you’re thinking about protecting yourself against the latest ransomware threat of the day, it’s important to keep in mind that these attacks are constantly evolving. As we saw with WinLock, it took less than six months for a new strain of ransomware to emerge and make its way into the wild. With this in mind, it’s best practice not only to have an up-to-date backup plan but also to consider investing in a good Endpoint Detection and Response (EDR) system so you can protect all your devices from threats like these.
We here at Intricate Security can help by assessing your network to determine what security measures you need to protect against not only ransomware but any type of security incident.