One day in December 1989, Eddy Willems got a floppy disk that changed his life. His boss gave it to him after finding the label intriguing: “AIDS Version 2.0,” a disease that was new and strange at that time. The company, based in Antwerp, Belgium, sold medical insurance among other things, and some AIDS statistics might prove lucrative, the boss thought. So, he asked the 27-year-old Willems to test the software.
A jack-of-all-tech-trades, Willems put the 5.25-inch black plastic diskette into his PC. He ran the program, filling out a whole survey meant to tell if someone could be infected with AIDS or not. “And that was it,” Willems says. “I thought: okay, nothing really special here. I’m probably going to throw it away.” Soon, he switched off the computer and went home.
When he turned on his computer the next day, Willems noticed it had fewer folders, but he didn’t put a lot of thought into it. On the third day, however, when he booted up his computer, something strange happened. "There was a message on the screen asking me to pay," Willems says. “It was asking me to mail $189 to a PO Box in Panama, or I couldn’t use my computer anymore. I thought, 'What is this?'”
Willems switched off the computer and used a bootable floppy to restart it. He saw that his directories were still there, but they were hidden, and the names of the files were changed to strings of random characters. Luckily, the contents of his files were unaltered, only their names looked weird.
“I thought: This was encryption,” he says. “But it was completely ridiculous. The program wasn’t created by a real IT guy.” An analysis of the malware published a month later in the Virus Bulletin January 1990 edition said pretty much the same thing: “While the conception is ingenious and extremely devious, the actual programming is quite untidy.”
The original AIDS Version 2 floppy disk
Willems wrote a small script to restore the names of the files. “It took me actually ten minutes to solve the bloody thing,” he says. Then, he went to his boss again and told him that there was possibly a bug in the AIDS program. “I said the diskette is of no use to us, and I’m throwing it away.”
AIDS Trojan the first ransomware
Little did he know that the AIDS Trojan, also known as PC Cyborg, was wreaking havoc all over the world. It is believed that about 20,000 diskettes like the one Willems received went out to computer enthusiasts, medical research institutions, and researchers who had attended the WHO’s international AIDS conference in Stockholm. The software was attributed to American evolutionary biologist Dr. Joseph Popp, who held a Ph.D. from Harvard. Popp was arrested for distributing the Trojan and charged with several counts of blackmail. He was, however, declared mentally unfit to stand trial.
When Willems saw the names of his files encrypted, he didn’t think it was a security issue. Only a few days later he watched a report on a Belgian TV station explaining the magnitude of what was happening. He was interviewed by journalists and soon his decryption method was used not only in Belgium, but also in faraway countries such as Japan. “The bloody thing” made him famous and, without him realizing it, it paved the way to a successful career. Willems is now a security evangelist at G DATA.
During that crazy week in December 1989, Willems did one more thing right: he didn’t throw away the diskette after all. He proudly keeps it on display at his home because “it’s one of the only AIDS floppies left in the world,” he says.
The floppy foreshadowed a new type of attack that now costs companies billions of dollars a year in total. “I never thought ransomware would become such a trend,” Willems says.
Refining the ransomware concept: Cryptoviral extortion
Ransomware had slow beginnings. The idea of encrypting people’s data and asking for money lay dormant for a few years after the AIDS Trojan incident. It resurfaced in 1995, when two cryptographers, Adam L. Young and Moti Yung, were placed in the same room at Columbia University in New York City. In the name of research, they were given “ample time with which to contemplate the dystopia of tomorrow,” as they later wrote in a paper.
The two were aware of the AIDS Trojan and its central limitation: because the same key that scrambled the files was needed to unscramble them, the decryption key had to be present in the malware itself and could be extracted from its code. So, given the experiment they were doing, they asked themselves: how devastating would the most powerful virus be?
The answer lay in the movie Alien. They took inspiration from the facehugger, a creature that wraps its legs around a victim’s face and cannot be detached. Removing the most devastating computer virus should be “even more damaging than leaving it in place,” they thought.
The idea they arrived at was somewhat different, though. The two coined the term “cryptoviral extortion” for a scheme built on an asymmetric key pair: the attacker embeds only the public key in the cryptovirus and keeps the private decryption key to themselves. On the victim’s machine the malware generates a random symmetric key and uses it to encrypt the victim’s data; that symmetric key is then encrypted with the attacker’s public key, so nothing left on the machine can undo the encryption. After that, the malware “zeroizes the symmetric key and plain-text and then puts up a ransom note containing the asymmetric ciphertext and a means to contact the attacker,” the paper reads.
Young and Yung thought that electronic money could be extorted through this process, although electronic money didn’t exist at that time. They presented their idea at the 1996 IEEE Security and Privacy conference in Oakland, California, and it was seen as being both “innovative and somewhat vulgar.”
PGPCoder led next wave of modern ransomware
Yet soon after the conference ended, the method was shelved. Ransomware attacks only started to become a thing in 2005, when PGPCoder, also known as GPCode, was found in the wild. This Trojan encrypted files with certain extensions such as .doc, .html, .jpg, .xls, .rar and .zip, and dropped a ‘!_READ_ME_!.txt’ file in each folder laying out instructions on how to get the data back. The victim was asked to pay between $100 and $200 to an e-gold or Liberty Reserve account. Alongside GPCode, other Trojans such as Krotten, Cryzip, TROJ.RANSOM.A, MayArchive, and Archiveus started to use RSA encryption with ever-increasing key sizes.
By around 2010, cybercriminals knew well how to make money from ransomware. A Trojan named WinLock, built in Russia, reportedly brought its creators $16 million. WinLock didn’t use encryption at all; instead, it locked the victim out of the system behind a screen of pornographic images. Those who wanted to use their machines again were told to send an SMS to a premium-rate number costing around $10, and many embarrassed victims decided to pay. The Russian police eventually arrested the gang in Moscow.
Premium-rate phone calls were used alongside premium SMS. In 2011, a Trojan mimicked the Windows Product Activation notice. It told users that they had to re-activate their OS because they had been victims of fraud, which meant calling an international number and providing a six-digit code. The calls were presented as free, but they were routed through an operator that charged high fees.
Ransomware gangs kept looking for cleverer ways to make money and diversified their strategies. In 2012, the Reveton malware family made headlines, marking the advent of so-called “law enforcement ransomware.” The infected computer showed a page carrying the logos of Interpol, the FBI or the local police and telling users that they had committed a crime such as downloading illegal files, which is why this type of malware is also called scareware. The victim was instructed to pay a few hundred or even a few thousand dollars with a prepaid card.
In the early 2010s, ransomware was profitable but not very common. Cybercriminals had difficulty collecting money from victims without going through traditional payment channels. This underground industry blossomed when Bitcoin emerged. In 2013, the world met the destructive CryptoLocker, the malware that kicked off the ransomware revolution.
Ransomware, a straightforward business model
Around mid-September 2013, Chester Wisniewski was in a hotel room in Seattle, Washington, watching the Seahawks on TV. It was one of the strongest teams in that NFL season, and its defense was among the best in league history. But Wisniewski, a security researcher at Sophos, couldn’t enjoy the game.
“I got tipped off by somebody in the lab that they were looking at some ransomware,” he says. “And I'm like: Ransomware? I literally thought of the AIDS Trojan.”
That’s how Wisniewski ran into CryptoLocker, the malware that marked the beginning of a new era. CryptoLocker targeted Windows computers, and most users got it through a zip file attached to an email that appeared to come from a legitimate company. Inside the archive was a file with a double extension: it looked like a PDF, because Windows hides known extensions such as .exe by default, but it was in fact an executable. (The Trojan also spread through the Gameover ZeuS Trojan and botnet.)
Once the file was run, it contacted the command-and-control servers, which generated a 2048-bit RSA key pair. The server kept the private key and sent only the public key to the infected computer, which used it to encrypt files with certain extensions, the same division of keys Young and Yung had described. The Trojan was also capable of mapping the network to look for more files to scramble. Then the user got a red screen instructing them to pay the ransom within 72 or 100 hours. The victim could choose the preferred currency: US dollars, euros or the equivalent amount in Bitcoin.
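The following Go program is an added illustration of the cryptoviral extortion scheme described above, covering both Young and Yung’s construction and the public-key-only design CryptoLocker brought to the victim’s machine. It is not code from the paper or from any malware sample. The choice of AES-256-GCM for the symmetric step and RSA-OAEP for wrapping the key is mine; the paper specifies only a random symmetric key and the attacker’s public key. The sample “file” contents are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"log"
)

// RansomNote is everything left on the victim's machine after the cryptovirus
// runs: the file ciphertext plus the file key wrapped under the attacker's RSA
// public key. Nothing here lets the victim decrypt.
type RansomNote struct {
	WrappedKey []byte // per-file AES key, RSA-OAEP encrypted to the attacker
	Nonce      []byte // AES-GCM nonce (not secret)
	Ciphertext []byte // encrypted file contents plus GCM tag
}

// GenerateAttackerKey is run once by the extortionist. In the paper's model the
// public half is embedded in the malware; CryptoLocker's C2 sent it at runtime.
// The private half never leaves the attacker.
func GenerateAttackerKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// CryptoviralEncrypt is the victim-side step: make a random symmetric key,
// encrypt the data, wrap the key with the public key, then wipe the symmetric
// key and the plaintext buffer. It never has access to the private key.
func CryptoviralEncrypt(pub *rsa.PublicKey, plaintext []byte) (*RansomNote, error) {
	fileKey := make([]byte, 32) // AES-256 key
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil)

	// The asymmetric step: only the holder of the private key can unwrap this.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}

	// "zeroizes the symmetric key and plain-text": overwrite both in place so a
	// memory or disk dump of the infected machine does not recover them.
	zeroize(fileKey)
	zeroize(plaintext)
	return &RansomNote{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// AttackerDecrypt is the extortionist-side step after payment: unwrap the file
// key with the private key, then decrypt the file.
func AttackerDecrypt(priv *rsa.PrivateKey, note *RansomNote) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, note.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap file key (wrong private key?): %w", err)
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, note.Nonce, note.Ciphertext, nil)
}

func zeroize(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

func main() {
	priv, err := GenerateAttackerKey()
	if err != nil {
		log.Fatal(err)
	}
	// Constructed sample "file" standing in for data on the victim's disk.
	victimBuf := []byte("constructed sample: patient survey results, 1989")
	note, err := CryptoviralEncrypt(&priv.PublicKey, victimBuf)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("victim buffer after infection: %q\n", victimBuf) // all zero bytes
	fmt.Printf("victim holds a %d-byte wrapped key and no private key\n", len(note.WrappedKey))
	recovered, err := AttackerDecrypt(priv, note)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("attacker recovers: %q\n", recovered)
}
```

The point the program makes is the one that separates this scheme from the AIDS Trojan: after `CryptoviralEncrypt` returns, the only key material on the victim’s side is RSA ciphertext, so reverse engineering the malware yields the public key and nothing useful. Recovery is possible only if the attacker hands over the private key, or, as happened with CryptoLocker in 2014, if investigators seize the server holding it.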
“In the beginning, the criminals were using just one Bitcoin wallet,” Wisniewski says. “I thought this would be a way to track how many victims are paying these guys.” The researcher kept an eye on that wallet week after week, and, at the end of October, the cybercriminals finally realized that the security researchers were watching and started changing the Bitcoin wallet. Meanwhile, millions of US dollars traversed that wallet, Wisniewski says.
CryptoLocker’s infrastructure was taken down in June 2014, in the same operation that disrupted the Gameover ZeuS botnet, and in August the security company Fox-IT got hold of the database of private keys, so victims could decrypt their files free of charge.
The success of this ransomware inspired a crowd of copycats. “All of a sudden, boom! It wasn’t just CryptoLocker. There were 50,” Wisniewski says. “Once people caught on to the fact that the gang made millions in just a few weeks, the cat was out of the bag.”
Security company Symantec observed that the number of ransomware families exploded in 2014, helped along by the straightforward Bitcoin-powered monetization model. Soon another family, CryptoWall, made over $18 million by the FBI’s estimate and reached a share of almost 60% of ransomware infections. Smaller players such as TorrentLocker made a name for themselves by targeting countries in Europe, Australia and New Zealand.
Ransomware targets smartphones, Macs and Linux
In 2014 and 2015, as smartphone penetration rose above 50%, ransomware gangs saw even more opportunities. The Android market had four major players at that time: Svpeng (the first to emerge), Pletor, Small and Fusob, the last of which had a thieves’ code of sorts built in. Whenever Fusob infected a phone, the first thing it did was check the device’s language setting. If it was Russian or another Eastern European language, the malware did nothing, suggesting that its authors were based in the region and didn’t want to steal from their own people. For any other language, Fusob displayed a fake screen accusing the user of wrongdoing and claiming that a criminal case would be opened unless they paid a fine of between $100 and $200. Most of the victims were in Germany, the UK and the US.
By 2016, attackers were targeting even more platforms. KeRanger, distributed in a tampered installer of the Transmission BitTorrent client, was the first fully functional ransomware seen on Macs, while Linux.Encoder went after computers running Linux. Ransom32 was the first written in JavaScript, with the aim of infecting machines across multiple platforms.
Dozens of new ransomware families were appearing, targeting individual users as well as companies. A Kaspersky report published that year claimed that a business was hit every 40 seconds and an individual every 10 seconds. Virulent strains such as Chimera, Cerber, Locky, CryptXXX, CTB-Locker, and TeslaCrypt (which ended up with a share of almost 50% of infections) appeared, and the ransomware-as-a-service model started to become popular.
It looked like the bad guys were thriving while users and companies paid out piles of money. Some cybercriminal gangs were indeed taken down in cross-border operations, but the attackers still appeared to have the edge. Something had to be done to help companies and users avoid paying the ransom. All it took was a short meeting in The Hague.
The good guys unite
Security researchers felt they were playing a hopeless game of whack-a-mole against ransomware gangs. The more cases they closed, the more that appeared. Solving one incident at a time was clearly not enough to discourage cybercriminals. “Everyone thought we should do something bigger,” says Raj Samani, chief scientist at McAfee.