The Evolution of Ransomware

Cybersecurity is a top priority for almost every modern company. All industries leverage data in strategic business decisions to some degree, and some companies handle various types of sensitive information – such as private customer details, vendor information, financial records, and other valuable data. A malware attack can be extraordinarily expensive and seriously damaging to a company, and ransomware is one of the most insidious forms of malware known today.

What Is Ransomware?

Malware is any type of malicious code meant to harm or compromise a system, and ransomware leverages human psychology in order to extort money from targets. As the name suggests, ransomware essentially holds a victim system hostage until a ransom is paid – typically in the form of Bitcoins or some other digital currency.

A hacker will attempt to dupe a user into clicking a download link or opening a connection in some way, and the ransomware is downloaded to the victim’s system. Once ransomware has infected the system, it will attempt to spread itself to other points in that system. Then, the ransomware encrypts all of the files on the victim system and demands payment.

History of Ransomware

The first known case of a ransomware attack took place in 1989. An evolutionary biologist named Joseph L. Popp created the “AIDS Trojan,” which also became known as the “PC Cyborg.” He loaded the program onto 20,000 diskettes, labeled them “AIDS Information – Introductory Diskettes,” and sent them to the World Health Organization’s international AIDS conference. This first generation of ransomware used simple symmetric cryptography and was therefore relatively easy to defeat.

The next time ransomware made the news was much more serious. In 2006, the Archiveus Trojan launched using RSA encryption. This program would encrypt all of the contents of a system’s “My Documents” directory and force the system’s owner to purchase items from an online pharmacy to pay the ransom. After making the necessary purchases, the user would receive a 30-digit password to decrypt the files.

Later that year, another ransomware program named GPcode spread through an email attachment posing as a job application. This program used a 660-bit RSA public key. Other ransomware programs proliferated as well, but they simply locked users out of their systems instead of encrypting files. One well-known version of this type of ransomware was WinLock, which displayed pornography on the computer’s display until the ransom was paid. A more sophisticated version of GPcode named GPcode.AK launched in 2008 using a 1024-bit RSA key.

Evolved Attacks

The first truly large-scale ransomware attack happened in 2011. Thanks to several options for anonymous money transfers on the internet, hackers were able to collect money from victims more easily. This emboldened them, and there were over 30,000 ransomware detections in the first half of 2011 alone. This trend exploded, and the third quarter of 2011 saw over 60,000 new ransomware incidents.

Cybercrime continued to proliferate, and in 2012, the Citadel toolkit appeared. Citadel offered hackers a paid service for installing malware on systems Citadel had already infected. Cybercriminals now had easy access to countless systems behind a small paywall, and there were over 100,000 ransomware infections in the first quarter of 2012.

Early 2012 also saw the dawn of the Reveton worm, a ransomware program that scared targets by falsely informing them they had committed a crime, such as possessing child pornography or illegal downloading. Reveton would then attempt to extort money from the victims. By July 2012, ransomware detections increased to about 2,000 per day. The Reveton worm continued to evolve and began mimicking the FBI’s Crime Complaint Center.

Recent Attacks

2013 saw many new ransomware variants with different effects. One targeted OS X systems exclusively and caused large numbers of browser windows to open in Safari, which the user would have to close. Another version posed as the Department of Homeland Security and forced victims to pay a $300 fine.

Later that year, a Trojan designed for mobile devices known as “Svpeng” spread through Russia and evolved dramatically by 2014. This new form of Svpeng infected 900,000 mobile phones in Russia, India, Switzerland, and the UK in just 30 days. Similar to Reveton’s tactics, it would accuse users of attempting to access or download child pornography and demand payment.

Another evolution of ransomware known as CryptoLocker launched in 2013 and became the first ransomware program to spread through compromised websites and email attachments. CryptoLocker used the Gameover ZeuS botnet, a hacking platform that had been stealing online banking information since 2011. Using 2048-bit encryption, CryptoLocker would overwrite and delete encrypted files and demand payment in exchange for a key. By December of 2013, CryptoLocker had infected over 250,000 machines and extorted over $27 million in Bitcoin ransoms.

By August of 2014, digital security company Symantec reported that ransomware detections in the vein of CryptoLocker had increased more than 700% year-over-year. As ransomware evolved and it became easier for criminals to secure untraceable payments using the deep web, ransomware became increasingly popular – resulting in astronomical losses for victims.

Ransomware continues to evolve, and numerous strains – such as CryptXXX, CryptoHost, and Locky – appeared in early 2016 and have resulted in millions lost in ransoms.

Ransomware is very potent: it has a high return on investment for hackers, and victims are easily scared into paying ransoms out of fear of losing their files or being unjustly accused of crimes. Prevention is key to fighting ransomware, so make sure you regularly have your system inspected by reliable digital security professionals.