Ransomware Evolution: Then and Now

Many centuries ago, humans learned to ride on the backs of animals to make travel faster and more efficient (especially when carrying loads). After this the connection was made that a rock or log with a rounded circumference was easier to roll to where it was needed. From this observation, the wheel was developed. It was then only a short leap to harness the power of the animal with the technology of the wheel. As time moved on, some of those who possessed work animals and a set of wheels had the idea of providing services to others at a cost. So naturally, commerce and competition evolved. And secondary services were required; think of running a coach service – drivers, coach-builders, blacksmiths and coaching inns were all required to keep the service running. So, such an industry provided opportunities for hard-working people and raised revenue for a company. It also created business opportunities for others who didn’t wish to play a part in the mainstream economic system for one reason or another, though who still wanted part of the (financial) action. Enter Highwaymen, Pirates, Bank-Robbers and the like. These individuals used their knowledge of the current technology and working methods to profit by very different means. Fast-forward past the Industrial Revolution, and further on to the age of Information Technology. Now most commercial and service sectors have evolved to be information driven. Western society (and an ever increasing part of the Far East) is now microchip-driven and computer dependent. But there are still highwaymen and pirates – and they now use ransomware.

By the turn of the 21st century, when most people owned or could access a computer, applications such as on-line banking became the norm. This rationalized business/user operation (and, by cutting staff, made it more profitable), though with the rush to roll out technology before competitors did, there were often many inherent flaws in the apps of this electronic transposition (with new ones created daily). What was also underestimated is that for perhaps every 1000 brilliant computer graduates who would contribute to this commercial Brave New World of consumer convenience and enhanced profit, there would invariably be one student with the same level of IT brilliance, but who wanted to be a Pirate. The amazing technological advancements once only dreamed of by writers such as Aldous Huxley, Asimov and Orwell can revolutionize healthcare, social communication and the wonderfully beneficial aspects of life; though there is also consumerism and greed for convenience, profit and domination – in short, the weaker and darkest facets of Human Nature. To think that technology will not be adapted by individuals vulnerable to these paths is a grave mistake. If people use the alleged safety of plastic and virtual currency, then the villains will adapt to the changing market.

Ransomware is malicious code that infiltrates a computer’s system (and sometimes a whole network), encrypts or locks files and then demands a ransom payment in return for the decryption key. A number of methods for infiltration, evasion and encryption have evolved since this malware first emerged over a quarter of a century ago. The idea was probably first conceived by two IT students fooling around: one has the amusing idea of trying to scramble his fellow student’s end-of-term paper for a challenge. It works, and after a little (or a lot) of teasing, this original malware author agrees to decrypt his friend’s work – on the condition that the other buys the drinks that evening. That evening in the bar, the developer gets talking – and an ingenious prank is hijacked by the most insidious of human traits: profit/gain. The rest is mal-history…

The Dark Age

It is ironic and darkly poetic that the first distributed ransomware was intimately linked to research into the AIDS virus. It dates back to 1989 and is referred to as the AIDS INFO DISK (aka PC Cyborg Trojan), developed by Dr. Joseph Popp. This first ransomware was spread manually via a mailing list; the author sent 20,000 floppy disks world-wide, which were distributed by healthcare departments. The malware worked by hiding directories and encrypting file names. The coding was flawed, though two cryptographers, Young and Yung, patched the malware and published details for academic research, not realizing that this had given prospective hackers a primer to work from. After 2002, an increasing number of minor ransomware attacks were launched that were probably experimental trial runs.

The Middle Ages

Then in 2006 things started to get busy with Troj/Ransom-A. This threatened to delete a file every 30 minutes until the $10.99 ransom was paid via Western Union.

Graham Cluley of SophosLabs commented, ‘Our concern is that this may be the beginning of a growing trend of malware designed to extort money from innocent users’.

It is interesting to note the small sum demanded for decryption compared with today’s prices. In the same year, another ransomware, Gpcode, was launched; it was initially crackable because the original files were deleted after encryption, allowing them to be restored with undelete utilities. Other infections were also decipherable because they used basic symmetric encryption. In 2008, ransomware such as Archiveus started using the longer, more effective asymmetric RSA algorithm, which was a major step forward in the battle against decryption. The Gpcode variant .AK emerged using practically unbreakable 1024-bit RSA. At this point, all that could be done was to search for flaws in the execution of the malware and look for ways to disrupt the encryption process before completion.

WinLock – a ransomware variation – appeared in 2010. It was released in Russia (and the Russian criminals were eventually arrested). This ‘ransomware’ denied access to normal functioning by overwhelming the system with pornographic content. The ‘ransom’ to reverse this was to send a $10 SMS; small change, though the gang are thought to have made $16m. The following year, using a similar phone-based payment scheme, a Windows Product Activation scam was run, locking PCs with a fake product notice until a ‘free’ call was made.

From the Enlightenment to Present Day

The Reveton ransomware was the star of 2012; this malware locked a user’s system, informing the user that it had been used for viewing copyrighted or illegal content (including child pornography) and that a fine was payable.

2013 saw the start of ransomware as we know it today with the unveiling of CryptoLocker. Apart from its high level of encryption, this was the first ransomware to utilize the TOR network for payment, in the 2.0 update released later in the year. It was also the first ransomware to reliably delete Volume Shadow Copies and disable other backup modes. Dozens of malware families have been modeled on this one. The next year, CryptoLocker was launched from a new attack vector – through contaminated website adverts – and it is thought that many billions of files were infected in this campaign. Since 2013, there have been countless clones, variants (such as CryptoTorLocker in 2014), re-issues and updates of the classic CryptoLocker model.

At the end of 2015, ransomware started to be offered for sale on the TOR network. Ransom32 comes as a franchise package – the buyer pays an up-front price for the product and receives customer support to help launch it, paying the vendor a percentage (25%) of the collected ransom cash. For extra flexibility in the marketplace, this malware is written in JavaScript (the first of its kind discovered), which means it can also infect Mac and Linux platforms. This is an example of a growing realization that the ransomware industry is just that – a dark reflection of daylight commercial models. Increasingly, cyber gangs are targeting businesses – last year small to medium sized businesses accounted for almost half of ransomware infections, and this is increasing all the time. Malware traditionally left Linux and Mac relatively untouched, though as many companies (and some government networks) are starting to switch to the Ubuntu operating system, it is a natural progression for hackers to update. Most extortion software is certainly just clones (or franchises), whereas some ransomware makes innovative changes for specific targets (for example, the current Petya ransomware using Dropbox, for added verisimilitude, to deliver its CV-themed exploit attachment into corporate HR environments).

Another important evolutionary point of modern ransomware is the anti-detection coding incorporated and the increasing range of strategies used to defeat security scanning software. Perhaps the most important tactic is the use of rootkits that can write the ransomware to the Master Boot Record and place an .exe in User Files or a similar location. This is re-written on every Start Up (with priority, so as not to be discovered), and then deleted by the rootkit when a Shut Down or a scan command is detected. Rootkits and similar elements can also prevent security software from running in some cases, and deny access to listed security websites.
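As an added defender’s example (not code from the original post), the integrity check a practitioner would run against the boot-sector persistence described above: parse a raw 512-byte Master Boot Record, verify its 0x55AA signature, and compare the hash of its bootstrap code with a baseline recorded while the machine was known to be clean. The sample sector is constructed inline; on a real host the sector would be read from the disk device by a privileged tool and the baseline hash kept off the machine.

```python
import hashlib
import struct

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 446        # bootstrap code occupies bytes 0..445
PART_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511 of a valid MBR


def parse_mbr(sector: bytes) -> dict:
    """Split a raw 512-byte sector into code hash, partition table and signature check."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        # entry layout: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, off)
        partitions.append({"bootable": status == 0x80, "type": ptype,
                           "lba_start": lba, "sectors": count})
    return {
        "code_sha256": hashlib.sha256(sector[:PART_TABLE_OFFSET]).hexdigest(),
        "partitions": partitions,
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
    }


def check_mbr(sector: bytes, baseline_code_sha256: str) -> list:
    """Return findings; an empty list means the MBR still matches the known-good baseline."""
    mbr = parse_mbr(sector)
    findings = []
    if not mbr["signature_ok"]:
        findings.append("boot signature 0x55AA missing: sector corrupt or overwritten")
    if mbr["code_sha256"] != baseline_code_sha256:
        findings.append("bootstrap code changed since baseline: possible bootkit/rootkit")
    bootable = [p for p in mbr["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        findings.append(f"{len(bootable)} partitions flagged bootable; expected exactly 1")
    return findings


def build_sample_mbr(code: bytes) -> bytes:
    """Constructed sample MBR (not from a real disk): given code, one bootable Linux partition."""
    code = code.ljust(PART_TABLE_OFFSET, b"\x00")
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00" * 3, 0x83, b"\x00" * 3, 2048, 1_000_000)
    return code + entry + b"\x00" * (3 * PART_ENTRY_SIZE) + BOOT_SIGNATURE


if __name__ == "__main__":
    clean = build_sample_mbr(b"CONSTRUCTED-BOOT-CODE")
    baseline = parse_mbr(clean)["code_sha256"]    # record this while the host is known-good
    print(check_mbr(b"\x90" * 16 + clean[16:], baseline))   # bootstrap code overwritten -> 1 finding
```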

A Current Reflection

‘Stand and deliver – your money or your life / Try use a mirror – no bullet or a knife’ *

Technology has transformed modern life in a way that parallels the Industrial Revolution. The difference from the horse-and-cart analogy is that if a routine was disrupted (for instance, a wheel came off the cart) it was possible to continue the task manually by remembering how it was previously achieved. In the Utopia of the Information Technology Age, most tasks are completed from a desktop, communicating with systems that are in some cases fully automated. For some people, their entire identities are written onto a hard drive. And communication is predominantly desktop-driven. With this conceit of maximum convenience comes total reliance on technology. Increasingly, a person’s Life is digital code.

What happens if this binary Life is threatened by an Information-Age Highwayman, Pirate or Bank-Robber? It is now necessary for an individual to hold up a mirror and reflect long and hard, to see just how dependent they are on an operating system, and what would happen if all that data were lost. Against modern ransomware, there is only one safe way to save a digital life – as the song says, use a mirror: keep a reflection in the form of an external backup.

As the prime-mover – or vehicle – of modern daily life is the computer operating system, so the ransomware author is this generation’s Highwayman.

* ‘Stand and Deliver’; 1981; Adam and the Ants; CBS Music
https://www.youtube.com/watch?v=4B2a6l6wM2k
