• United States




IP Expo Nordic and getting Popp’d by ransomware

Sep 29, 20164 mins
Application SecurityData BreachOperating Systems

Ransomware has become all the rage in the security field these days. Both from the perspective of the writers and the defenders. The media is lousy with these articles and I’m apparently not above writing about it myself. This has been grabbing the headlines in a big way simply because of the insidious nature of it.

This is a problem that won’t go away anytime soon as there is a significant revenue potential here for the criminals that leverage this sort of software. Think of the reduced risk level and the amount of the reward. The risk for a criminal to walk in to a bank with a gun and a sack with a dollar sign on the side are not trifling. There are all sorts of variables to take into account.

When the robber walks in to a bank, they need to lock down the situation as fast as possible. Are the cameras going to get a clear shot of the perpetrator? Does the rental cop security guard want to be a hero? Are the patrons of the bank going to comply? Has the teller slipped dye packs into the bag? Are the exit routes for the criminal free and clear and are their multiple egress points in the event someone decides to intervene?

Now, look at if from the perspective a criminal that is sitting on their bed munchkin Doritos and wondering how they will ever dip below the 400lb mark (I still can’t believe that Trump fat shamed hackers). The risk for an online criminal is far lower. Can they get pinched? Of course that is a risk if they are foolish and make mistakes. Most criminals are not of the calibre of Ernst Stavro Blofeld and even he fell afoul of British Intelligence in the end.

An online criminal is not encumbered by geographical limitations such as borders, physical security guards, alarm systems and police. Of course the argument could be made that there are security controls in place like firewalls and so forth but, if the last several years of data breaches are any indication, this is of little consequence in most cases.

This week I was in Stockholm, Sweden to speak at the IP Expo Nordic event. While I was there I was fortunate enough to run into a few characters including Rik Ferguson from Trend Micro. We got to talking and he got out his slide deck and showed me a story that I had completely forgotten about. This was about the original ransomware from 1989. This was a piece of malicious software that would masquerade as an AIDS questionnaire. This software would replace the autoexec.bat file on a system and then keep track of the number of times the system would reboot. On the 90th system restart iteration (not sure the significance of that number) the user would be confronted by a ransom note from the PC Cyborg Corporation.

It would make demands for the user to send $189 USD to a post office box in Panama. Remember this was almost 20 years before bitcoin had fallen out of the head of the elusive Satoshi Nakamoto. This was to be done in order to recover files which were hidden and filenames encrypted. For the sake of clarity, this software wasn’t written by some mad genius VX’r but rather by a doctor by the name of Joseph Popp. He was eventually caught by authorities and did time in the UK for his misdeeds.

Modern malware acts much in the same vein as the aforementioned but, there is no confusion as to the intent of the authors today. Unlike the AIDS ransomware, the modern descendants encrypt files and in some cases entire hard drives and demand princely sums in bitcoin.

While we focus on the rise of modern ransomware we can learn a lot from the history of malware that had come before it and prepare for what is yet to come.


Dave Lewis has over two decades of industry experience. He has extensive experience in IT security operations and management. Currently, Dave is a Global Security Advocate for Akamai Technologies. He is the founder of the security site Liquidmatrix Security Digest and co-host of the Liquidmatrix podcast.

The opinions expressed in this blog are those of Dave Lewis and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.

More from this author