A history of ransomware

What ransomware is, why it works, and what you need to do to protect against this top threat

Harold Hollingsworth (Creative Commons BY or BY-SA)

A recent Spiceworks study titled "Battling the Big Hack" found that 80 percent of organizations experienced an IT security incident in 2015, and that 53 percent of respondents were concerned about ransomware in 2016. But how did we get here? And how can we avoid these growing attacks in the coming year and beyond?

Dodi Glenn, vice president of cyber security at PC Pitstop, said, "In general, all ransomware pretty much works the same in that it tries to extort money from a user, but each variation of it does something slightly different."

In 1986, two Pakistani brothers, Basit and Amjad Farooq Alvi, wrote software that included a special "ransom" message instructing users to call them if they saw the warning. Their goal in creating this virus, named "Brain", was to identify piracy. The intent, said Glenn, "was to protect their assets."

By 1989, bad actors realized that these viruses could be used for more malicious purposes. PC Cyborg/AIDS, commonly known as the first ransomware, was delivered via floppy disks.

Victims received a diskette titled "AIDS Information Introductory Diskette", and when the boot count reached 90, "AIDS would then go in and hide the directories and encrypt the files on the C drive," said Glenn. It then asked the victim to "renew the license" and contact PC Cyborg Corporation for the $189 payment, which was sent to a PO box in Panama.


"We see a lull in terms of ransomware from 1989 to 2006, but in 2006, two different ransomware were pushed out," said Glenn. "GPCoder, also called PGPCoder, utilized symmetric encryption, which made it fairly easy to hack," he continued.

Victims received an alert to send an email for instructions on how to decrypt the files after payment. "This was pretty much the same situation as the 1989 version. It would take files, archive them, and then put a password over the files, but a security researcher cracked the code, and then gave that code to anyone who had encrypted files," Glenn said.

This malware then evolved to RSA-1024 and AES-256, making it easier for bad actors to encrypt more files. "They would rename them with a ._CRYPT extension and delete the original files," Glenn said.

The use of more sophisticated, industrial-strength encryption advanced the success of ransomware, so that criminals were able to encrypt more PDFs, PowerPoints, and other files on the disk. "They would drop a 'read me' file that, when opened, gave the alert that files had been encrypted," Glenn explained.

The 2010 version of ransomware had less of an impact. GPcode evolved to CPcode.ak in the 2010 Winlockers, which were non-encrypting ransomware that took control of the whole computer. "The premise is if you can't use a computer at all, the machine is inoperable. Users were forced to buy money packs and then send the PIN code from a prepaid card in order to unlock the files," Glenn said.

The weakness of this version was that the ransomware could be removed from the computer's safe mode, where one could uninstall, quarantine, or delete it. "It didn't tamper with files on the disc, but criminals became more aggressive with trying to get you to pay. They'd bank on people searching the naughtier sites on the web and warned that if you didn't pay, they would let the government know you've been viewing naughty websites," Glenn said.

The Cryptowall variants, ranging from 1.0 to 4.0, began in 2013 using RSA-2048 encryption. Glenn noted, "CryptoLocker was targeted in late May 2014 via Operation Tovar, which allowed Fox-IT, a security firm, to obtain the database of private keys to decrypt encrypted files for free."

One of the most significant changes was the shift from credit card payments to bitcoin payments, which allows for greater anonymity of the bad actors.

The Cryptowall 2.0 version (also called CryptorBit or HowDecrypt) was released at the beginning of December 2013 and continued into 2014. Delivered via exploit kits on compromised websites or malware servers, it deleted volume shadow copies (copies of files on disk that are used to recover files).

According to Glenn, Cryptowall 4.0 was introduced in 2015 and had removed all other version numbers. These are the ransomware that we continue to see today. "They are looking for any particular files that are valuable to the end user: pictures, Word, Office documents, things they know people are going to view as being valuable," he said.
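The behaviours described above (files renamed with a ._CRYPT extension while the originals are deleted, a "read me" note dropped, and volume shadow copies removed) are exactly what a host-based detection rule looks for. The following is an added example, not code from the article or from PC Pitstop: it scores constructed file-system audit lines, assuming a simple "time action target" log format and the vssadmin command line as the shadow-copy deletion indicator.

```python
import re

# Constructed audit lines ("HH:MM:SS ACTION target"); not real telemetry.
SAMPLE_EVENTS = """\
10:00:01 CREATE C:\\Users\\ann\\Docs\\budget.xlsx._CRYPT
10:00:01 DELETE C:\\Users\\ann\\Docs\\budget.xlsx
10:00:02 CREATE C:\\Users\\ann\\Docs\\plan.pptx._CRYPT
10:00:02 DELETE C:\\Users\\ann\\Docs\\plan.pptx
10:00:02 CREATE C:\\Users\\ann\\Docs\\photo.jpg._CRYPT
10:00:03 DELETE C:\\Users\\ann\\Docs\\photo.jpg
10:00:03 CREATE C:\\Users\\ann\\Docs\\read me.txt
10:00:04 EXEC vssadmin.exe delete shadows /all /quiet
10:30:00 CREATE C:\\Users\\ann\\Docs\\notes.txt
"""

EVENT_RE = re.compile(r"^(\d\d:\d\d:\d\d) (CREATE|DELETE|EXEC) (.+)$")
CRYPT_EXT = "._CRYPT"                      # extension named in the article
NOTE_RE = re.compile(r"read[ _-]?me", re.IGNORECASE)  # "read me" ransom note


def analyze(events: str, pair_threshold: int = 3) -> dict:
    """Score one host's audit lines for the encrypt-rename-delete pattern."""
    encrypted = set()        # originals for which a ._CRYPT copy appeared
    pairs = 0                # originals deleted after their ._CRYPT copy was made
    note = shadow = False
    for line in events.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue         # ignore lines that do not fit the assumed format
        _ts, action, target = m.groups()
        if action == "CREATE" and target.endswith(CRYPT_EXT):
            encrypted.add(target[: -len(CRYPT_EXT)])
        elif action == "DELETE" and target in encrypted:
            pairs += 1
        elif action == "CREATE" and NOTE_RE.search(target.rsplit("\\", 1)[-1]):
            note = True
        elif action == "EXEC" and "vssadmin" in target.lower() and "delete shadows" in target.lower():
            shadow = True
    return {
        "encrypt_delete_pairs": pairs,
        "ransom_note": note,
        "shadow_copy_deletion": shadow,
        # Flag only when a burst of pairs comes with a note or shadow-copy deletion.
        "ransomware_like": pairs >= pair_threshold and (note or shadow),
    }


if __name__ == "__main__":
    print(analyze(SAMPLE_EVENTS))
```

A single "read me" file or one renamed document is not enough on its own; the rule fires on the combination, which is what keeps false positives from ordinary renames low.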

Other variants do similar things: they run, encrypt, and then hold files hostage until they receive a payment.

Understanding the history of ransomware is not the point in itself; rather, it should bring to light the importance of backups and monthly end-user training programs. Knowing the current risks and what to look for is the best defense against an attack.
