Andrada Fiscutean
Freelance writer

A history of ransomware: The motives and methods behind these evolving attacks

Jul 27, 2020

Ransomware was a novelty until Bitcoin emerged. Today, ransomware is big business as gangs keep innovating.

Image: locked data / bitcoins. Credit: Metamorworks / Nature / Getty Images

One day in December 1989, Eddy Willems got a floppy disk that changed his life. His boss gave it to him after finding the label intriguing: “AIDS Version 2.0,” a disease that was new and strange at that time. The company, based in Antwerp, Belgium, sold medical insurance among other things, and some AIDS statistics might prove lucrative, the boss thought. So, he asked the 27-year-old Willems to test the software.

A jack-of-all-tech-trades, Willems put the 5.25-inch black plastic diskette into his PC. He ran the program, filling out a whole survey meant to tell if someone could be infected with AIDS or not. “And that was it,” Willems says. “I thought: okay, nothing really special here. I’m probably going to throw it away.” Soon, he switched off the computer and went home.

When he turned on his computer the next day, Willems noticed it had fewer folders, but he didn’t put a lot of thought into it. On the third day, however, when he booted up his computer, something strange happened. “There was a message on the screen asking me to pay,” Willems says. “It was asking me to mail $189 to a PO Box in Panama, or I couldn’t use my computer anymore. I thought, ‘What is this?’”

Willems switched off the computer and used a bootable floppy to restart it. He saw that his directories were still there, but they were hidden, and the names of the files were changed to strings of random characters. Luckily, the contents of his files were unaltered, only their names looked weird.

“I thought: This was encryption,” he says. “But it was completely ridiculous. The program wasn’t created by a real IT guy.” An analysis of the malware published a month later in the Virus Bulletin January 1990 edition said pretty much the same thing: “While the conception is ingenious and extremely devious, the actual programming is quite untidy.”

Image: The original AIDS Version 2 floppy disk. Credit: Eddy Willems

Willems wrote a small script to restore the names of the files. “It took me actually ten minutes to solve the bloody thing,” he says. Then, he went to his boss again and told him that there was possibly a bug in the AIDS program. “I said the diskette is of no use to us, and I’m throwing it away.” 

AIDS Trojan the first ransomware

Little did he know that the AIDS Trojan, also known as PC Cyborg, was wreaking havoc all over the world. It is believed that 20,000 computer enthusiasts, medical research institutions, and researchers who attended the WHO’s international AIDS conference in Stockholm received diskettes like the one Willems got. This sneaky software was attributed to American evolutionary biologist Dr. Joseph Popp, who held a Ph.D. from Harvard. Popp was arrested for spreading the computer virus, charged with several counts of blackmail. He was, however, declared mentally unfit to stand trial.

When Willems saw the names of his files encrypted, he didn’t think it was a security issue. Only a few days later he watched a report on a Belgian TV station explaining the magnitude of what was happening. He was interviewed by journalists and soon his decryption method was used not only in Belgium, but also in faraway countries such as Japan. “The bloody thing” made him famous and, without him realizing it, it paved the way to a successful career. Willems is now a security evangelist at G DATA.

During that crazy week in December 1989, Willems did one more thing right: He didn’t throw away the diskette after all. He proudly keeps it on display at his home because “it’s one of the only AIDS floppies left in the world,” he says.

The floppy foreshadowed a new type of attack that cost companies billions of dollars in total each year. “I never thought ransomware would become such a trend,” Willems says.

Refining the ransomware concept: Cryptoviral extortion

Ransomware had slow beginnings. The idea of encrypting people’s data and asking for money lay dormant for a few years after that AIDS Trojan incident. However, it resurfaced in 1995, when two cryptographers, Adam L. Young and Moti Yung, were placed in the same room at Columbia University in New York City. In the name of research, they were given “ample time with which to contemplate the dystopia of tomorrow,” as they later wrote in a paper.

The two were aware of the AIDS Trojan and its limitations, namely that the decryption key could be extracted from the code of the malware. So, given the experiment they were doing, they asked themselves: How devastating would the most powerful virus be? 

The answer lay in the movie Alien. They took inspiration from facehugger, a creature that wraps its legs around a victim’s face, becoming impossible to detach. Removing the most devastating computer virus should be “even more damaging than leaving it in place,” they thought.

The idea they came up with was, however, slightly different. The two coined the term “cryptoviral extortion,” a concept in which the attacker uses a public and a private encryption key. It places the public key in the cryptovirus, while keeping the private decryption key private. The malware generates a random symmetric key, which is used to encrypt the victim’s data. Then, that key is encrypted with the public key. After that, it “zeroizes the symmetric key and plain-text and then puts up a ransom note containing the asymmetric ciphertext and a means to contact the attacker,” the paper reads.

Young and Yung thought that electronic money could be extorted through this process, although electronic money didn’t exist at that time. They presented their idea at the 1996 IEEE Security and Privacy conference in Oakland, California, and it was seen as being both “innovative and somewhat vulgar.”

PGPCoder led next wave of modern ransomware

Yet soon after the conference ended, the method was shelved. Ransomware attacks only started to become a thing in 2005, when PGPCoder or GPCode was found in the wild. This virus encrypted files that had certain extensions such as .doc, .html, .jpg, .xls, .rar and .zip. It also created a ‘!_READ_ME_!.txt’ file in each folder laying out instructions on how one could get their data back. The victim was asked to pay between $100 and $200 to an e-gold or Liberty Reserve account. In addition to GPCode, other Trojans such as Krotten, Cryzip, TROJ.RANSOM.A, MayArchive, and Archiveus started to use more refined RSA encryption, with an increasing key size.
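The two artifacts the article names for GPCode, a ransom note dropped into every folder and files of a few document extensions whose contents have been scrambled, are exactly what a defender can look for after the fact. The script below is an added example written for this page, not code from the article or from any vendor: it walks a directory tree, flags the note by filename and flags targeted files whose expected header bytes are gone and whose first kilobytes have near-random entropy. The magic-byte table, the entropy threshold of 7.5 bits per byte and the "three or more scrambled files" rule are assumptions chosen for the demonstration; the sample tree it scans is constructed inside the script.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Extensions and ransom-note name as described in the article for GPCode.
TARGET_EXTENSIONS = {".doc", ".html", ".jpg", ".xls", ".rar", ".zip"}
RANSOM_NOTE_NAMES = {"!_read_me_!.txt"}  # compared case-insensitively

# Assumed header bytes for formats that are normally recognisable from their
# first bytes. An encrypted copy of such a file loses this header.
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".zip": (b"PK\x03\x04", b"PK\x05\x06"),
    ".rar": (b"Rar!\x1a\x07",),
    ".doc": (b"\xd0\xcf\x11\xe0",),
    ".xls": (b"\xd0\xcf\x11\xe0",),
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 means every byte value is equally common."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: Path, entropy_threshold: float = 7.5) -> bool:
    """True when a targeted file has lost its header and reads as random bytes.

    The header check runs first because .jpg, .zip and .rar are compressed and
    have high entropy even when intact; only a missing header plus high entropy
    is treated as suspicious.
    """
    try:
        head = path.read_bytes()[:4096]
    except OSError:
        return False
    if len(head) < 256:
        return False  # too little data to judge
    magics = MAGIC.get(path.suffix.lower())
    if magics and any(head.startswith(m) for m in magics):
        return False  # header intact, file is not scrambled
    return shannon_entropy(head) >= entropy_threshold


def scan_tree(root) -> dict:
    """Collect ransom notes and scrambled targeted files under root."""
    notes, suspicious = [], []
    for dirpath, _, filenames in os.walk(Path(root)):
        for name in filenames:
            p = Path(dirpath) / name
            if name.lower() in RANSOM_NOTE_NAMES:
                notes.append(p)
            elif p.suffix.lower() in TARGET_EXTENSIONS and looks_encrypted(p):
                suspicious.append(p)
    # Assumed rule: a note is conclusive; otherwise require several scrambled files.
    return {"ransom_notes": notes, "suspicious_files": suspicious,
            "verdict": bool(notes) or len(suspicious) >= 3}


def build_sample_tree(root: Path) -> None:
    """Constructed sample: one intact .doc, three scrambled files, one note."""
    docs = root / "docs"
    docs.mkdir()
    scrambled = bytes(range(256)) * 8  # stand-in for ciphertext: maximal entropy
    (docs / "report.doc").write_bytes(b"\xd0\xcf\x11\xe0" + b"Quarterly figures, plain text. " * 30)
    (docs / "photo.jpg").write_bytes(scrambled)
    (docs / "archive.zip").write_bytes(scrambled)
    (docs / "index.html").write_bytes(scrambled)
    (docs / "!_READ_ME_!.txt").write_text("constructed ransom note placeholder\n")
    (root / "notes.txt").write_text("ordinary text file outside the target set\n")


def demo() -> dict:
    """Scan the constructed tree and return just the counts and the verdict."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(Path(tmp))
        result = scan_tree(tmp)
        return {"notes": len(result["ransom_notes"]),
                "suspicious": len(result["suspicious_files"]),
                "verdict": result["verdict"]}


if __name__ == "__main__":
    print(demo())  # {'notes': 1, 'suspicious': 3, 'verdict': True}
```

Point `scan_tree` at a real share to use it on live data. The header check matters in practice: compressed formats look random even when healthy, so entropy alone would produce a flood of false positives, whereas a missing header combined with random content is a much stronger signal of encryption.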

By around 2010, the cybercriminals knew well how to make money out of ransomware. A Trojan named WinLock, built in Russia, reportedly brought their creators $16 million. WinLock didn’t use encryption at all; instead, it restricted the victim’s access to the system by showing pornographic images. Those who wanted to use their machines again were told to send an SMS to a premium number, which cost around $10, and many embarrassed victims decided to pay. The Russian police eventually arrested the gang in Moscow.

In addition to premium SMSes, phone calls were also used to pay the ransom. In 2011, a Trojan mimicked the Windows Product Activation notice. It told users that they had to re-activate their OS because they had been victims of a fraud. This meant that they had to call an international number and provide a six-digit code. These calls were supposed to be free, yet they were routed through an operator that charged high fees.

Ransomware gangs wanted more clever schemes to make money, so they kept diversifying their strategies. In 2012, the Reveton malware family made headlines, marking the advent of the so-called “law enforcement ransomware.” The infected computer’s screen showed a page that would include the logos of the Interpol, the FBI or the local police, telling users that they’ve committed a crime such as downloading illegal files, which is why this type of malware is also called scareware. The victim was instructed to pay a few hundred or even a few thousand dollars with a prepaid card.

In the first years of the 2010s, ransomware was profitable, but it wasn’t very common. Cybercriminals had difficulties getting money from victims without using the traditional channels. This underground industry blossomed when Bitcoin emerged. In 2013, the world met the destructive CryptoLocker, the malware that kicked off the ransomware revolution.

Ransomware, a straightforward business model

Around mid-September 2013, Chester Wisniewski was in a hotel room in Seattle, Washington, watching the Seahawks on TV. It was one of the strongest teams in that NFL season, and its defense was among the best in the history of the American Football League. But Wisniewski, a security researcher at Sophos, couldn’t enjoy the game.

“I got tipped off by somebody in the lab that they were looking at some ransomware,” he says. “And I’m like: Ransomware? I literally thought of the AIDS Trojan.”

That’s how Wisniewski ran into CryptoLocker, the malware that marked the beginning of a new era. CryptoLocker targeted Windows computers, and most users got it through a zip file attached to an email that appeared to be coming from a legitimate company. Inside that zip archive was a double extension file — it looked like a PDF, but it was, in fact, an executable. (The Trojan has also spread using the Gameover ZeuS Trojan and botnet.)

Once the file was run, it called the command-and-control servers, which generated a 2,048-bit RSA key pair. It kept the private key, but it sent the public one to the infected computer and used it to encrypt files that have certain extensions. The Trojan was also capable of mapping the network to look for more files to scramble. Then, the user got a red screen instructing them to pay the ransom within the next 72 or 100 hours. The victim could choose the preferred currency: US dollars, euros or the equivalent amount in Bitcoin.

“In the beginning, the criminals were using just one Bitcoin wallet,” Wisniewski says. “I thought this would be a way to track how many victims are paying these guys.” The researcher kept an eye on that wallet week after week, and, at the end of October, the cybercriminals finally realized that the security researchers were watching and started changing the Bitcoin wallet. Meanwhile, millions of US dollars traversed that wallet, Wisniewski says.

CryptoLocker was taken down in June 2014, and in August the security company Fox-IT got its hands on the database of private keys, so users could decrypt their files free of charge. 

The success of this ransomware inspired a crowd of copycats. “All of a sudden, boom! It wasn’t just CryptoLocker. There were 50,” Wisniewski says. “Once people caught on to the fact that the gang made millions in just a few weeks, the cat was out of the bag.”

Security company Symantec observed that the number of ransomware families exploded in 2014, and the straightforward Bitcoin-powered monetization model helped. Soon, another malware, CryptoWall, made over $18 million, the FBI estimated, and reached a market share of almost 60%. Smaller players such as TorrentLocker made a name for themselves by targeting countries in Europe, Australia and New Zealand.

Ransomware targets smartphones, Macs and Linux

In 2014 and 2015, as smartphone penetration rose above 50%, ransomware gangs saw even more opportunities. The Android market had four major players at that time: Svpeng (the first to emerge), Pletor, Small and Fusob, which had some thief-ethics built into it. Whenever Fusob infected a phone, the first thing it did was to check the language of the device. If it was Russian or some other Eastern European language, the malware did nothing–suggesting that its authors were based in the region and they didn’t want to steal money from their people. If there was a different language, Fusob displayed a fake screen that accused the user of wrongdoing. It claimed that a criminal case could be opened if they don’t pay a fine ranging between $100 and $200. Most of the victims were from Germany, the UK and the US.

By 2016, attackers were targeting even more platforms. The KeRanger ransomware was the first ransomware to infect Macs, while Linux.Encoder went after computers running Linux. Ransom32 was the first one written in JavaScript with the purpose of infecting machines running on multiple platforms. 

Dozens of new ransomware families were appearing, targeting individual users as well as companies. A Kaspersky report published that year claimed that a business was hit every 40 seconds, and an individual every 10 seconds. Virulent strains such as Chimera, Cerber, Locky, CryptXXX, CTB-Locker, and TeslaCrypt (which ended up having a market share of almost 50%) appeared, and the ransomware-as-a-service model started to become popular. 

It looked like the bad guys were thriving, while users and companies were paying piles of money. Some of the cybercriminal gangs were indeed taken down during cross-border operations, but it still appeared that they had an edge in the race. Something needed to be done to help companies and users avoid paying the ransom. All it took was a short meeting in The Hague.

The good guys unite

Security researchers felt they were playing a hopeless game of whack-a-mole against ransomware gangs. The more cases they closed, the more that appeared. Solving one incident at a time was clearly not enough to discourage cybercriminals. “Everyone thought we should do something bigger,” says Raj Samani, chief scientist at McAfee. 

In the spring of 2016, Samani was at Europol’s European Cybercrime Centre in the Netherlands. He was there with security experts from Kaspersky and the Dutch Police. At some point, they booked a small meeting room and started to talk about joining forces. Would it be possible for security companies to unite with law enforcement and build a platform where users could find all the decryption keys free of charge? 

“I was like: Absolutely,” Samani says. “We need to do this.” Everyone in that room quickly agreed, and the project was born. “I don’t think that meeting was more than 10 minutes,” says the McAfee researcher.

Immediately, they divided their tasks for the NoMoreRansom project. Samani’s responsibility was to identify a company that would host the platform. “I’m good friends with AWS, and so I asked my buddies: Can you host something for us if I don’t want to pay for it?,” he says. “And by the way, it’s probably going to be one of the most targeted websites in the world.”

Amazon Web Services’ executives were supportive. They asked Samani how many hits he expected this platform to get on a daily basis. He made a guess and said 12,000. “On day one, there were 2.4 million hits,” Samani says. 

The NoMoreRansom project officially launched in July 2016, gathering accolades. “To me, it’s a really wonderful example of how public-private partnerships should work,” says Samani. Four years on, the project had more than 100 partners–security companies and law enforcement agencies from across the world.

Yet, shortly after NoMoreRansom launched, the cybercriminal gangs regrouped. “They had to adapt their techniques to make people pay the ransom,” says Samani. “We were forcing them to innovate.”

Ransomware takes different shapes

Malware analyst Benoît Ancel, who works for CSIS Security Group in Denmark, saw how this whole process unfolded. He’s often reading forums where ransomware gangs exchange “best practices,” develop game plans, and talk about making a fat profit. He saw them innovate, echoing Samani.

These forums are highly collaborative, according to Ancel. Even competitors work together to create better schemes. “As long as they are making money, everybody is friends with everybody else,” Ancel says.

The cybercrime market is highly specialized. “There are people who know how to send spam, people who collect email addresses, there are developers, network engineers, people who cash out.” Each person gets their share when a ransomware operation is successful.

At some point, when cybercriminals noticed that fewer victims were paying the ransom, several threads on these forums debated the problem, says Ancel. Some groups came up with the idea of changing how ransomware works. Instead of encrypting a company’s files, they could steal them, and then threaten to post them online if a ransom is not paid. Hackers behind the Maze and REvil/Sodinokibi strains have used this tactic.

Ancel is afraid that ransomware gangs will increasingly target critical infrastructure, municipalities, and sectors such as healthcare that are vital to society. Which is exactly what the actors behind the SamSam ransomware did. They attacked the city of Atlanta, Georgia, and several other municipalities, hospitals and universities looking for victims that would suffer the most, thus being more likely to pay the ransom. At the end of 2018, the Department of Justice indicted two Iranians believed to be behind these attacks, saying that they got $6 million in ransom payments, while causing $30 million in losses to victims.

SamSam is hardly the only example. The actors behind the Russian-speaking Ryuk ransomware, which appeared in the second half of 2018, have also hit large organizations, governmental networks, and municipalities. The victims include schools in Rockville Centre, New York, as well as the cities of New Orleans (Louisiana), Riviera Beach and Lake City (Florida), Jackson County (Georgia), and LaPorte County (Indiana).

Ancel is also worried about the growth of the ransomware-as-a-service in recent years. One notable name is the GandCrab, discovered in 2018. It was created by a Russian-speaking group and, like the early Android malware Fusob, it checks the language of the machine. If it’s Russian or a language spoken in a former Soviet republic, it will not drop the malicious payload.

Cybercriminals are invited to join the operation, since GandCrab follows an affiliate business model, but they must agree to split their earnings with the core team of the project, which gets between 30% and 40%. This system made GandCrab popular. By the beginning of 2019, it had 40% of the ransomware market, according to Bitdefender, which estimated that there were 1.5 million victims around the world, both home users and organizations.

By May 2015, the cybercriminals behind this project announced they made enough money and wanted to retire. They bragged about earning more than $2 billion in less than a year and a half. However, researchers at Secureworks saw many similarities between GandCrab and a new strain of ransomware called REvil or Sodinokibi, suggesting that maybe not everyone associated with GandCrab has retired.

Nation-state groups get into the ransomware act

Swimming in money is not the idea that powers every attack, says Ancel. He argues that ransomware is no longer ransomware as we know it, since some groups use it as a decoy.

WannaCry, for instance, which affected more than 230,000 computers in 150 countries in May 2017, was likely the work of a nation-state actor, North Korea. The malware used a leaked NSA tool, a Windows exploit named EternalBlue. When a computer was attacked, the victim was indeed asked for money–$300 in Bitcoin within three days, or $600 within seven days. Yet, those orchestrating the operation didn’t strike it rich. They only made about $140,000, which prompted analysts to say two things: that WannaCry was meant to cause disruption, and that it could have been politically driven.

WannaCry was followed in June 2017 by NotPetya, which also relied on the EternalBlue exploit. It mostly targeted Ukraine, and was attributed to the Sandworm hacking group, which is part of the GRU Russian military intelligence organization.

Given all this, the lines between cybercriminals and nation-state actors are becoming blurred. Everyone learns new techniques and adopts new tools. “Ransomware attacks are becoming more targeted, sophisticated, and costly, even as the overall frequency of attacks remains consistent,” FBI’s Internet Crime Complaint Center wrote in a Public Service Announcement issued in November 2019.

Add all this up, and the future does not look promising, says Willems, the security researcher who still holds onto that AIDS floppy disk that changed his life. Ransomware, he says, will continue to hit us hard: “I’m 100% sure about that.”

“At some point, you’ll be using a self-driving car. It’ll be hacked, there will be some demand for ransom, and you’ll only have 10 minutes to pay it. If you don’t pay, they will crash your car,” he says.

Thoughts about the destructive ransomware of the future have occupied his mind recently, so he started working on a science fiction novel set around 2035. In this not so distant future, in which NATO controls the internet and all our devices are online, ransomware takes center stage. Ovens can be switched on remotely to burn our houses if we don’t pay the hackers, and our personal data could also be shown to the public if we don’t comply with the demand.

“Well, this is not actually science fiction,” Willems says. “These are the trends we see more and more of.”