History of Ransomware – The Never-Ending Threat

The biggest cyber-threat from around 2005 to this very day is ransomware. Many of you may have heard about it or have even been a victim of it, but do any of you ask questions such as "Why is ransomware so efficient?", how it came into existence in the first place, or what has been fuelling it? In this article, I will provide you with a brief history of this kind of malware threat and some insight into the evolution of ransomware.

Before starting, it is important to understand what exactly ransomware is and what types of it exist.
Two main types of ransomware are in circulation. The more common one is crypto ransomware, which encrypts personal files and data. The other is known as locker ransomware, and it aims to lock a computer and prevent any user access. No matter which type infects a computer system, in the end all of them demand a ransom to be paid to get your files back or your PC unlocked.

Ransomware comes in the form of a Trojan horse, a virus or a mixture of the two. A Trojan horse presents itself as something useful, but for it to function, you have to give it access to your computer; opening an email attachment is one example. The biggest difference between Trojan horses and viruses is that a virus replicates itself. A virus must be executed in order to work, so it often inserts its code into the execution path of another program.

Now that we have clear-cut definitions, we can start with a brief history of ransomware. The timeline can be divided into five periods, each with its own defining characteristics.

1989 and the First Ransomware

The first ever ransomware is known to be the so-called AIDS Trojan. Set in motion by Joseph L. Popp in 1989, the Trojan was put on around twenty thousand diskettes. They were distributed to attendees at the international AIDS conference held by the World Health Organization. Because the Trojan used symmetric cryptography, the same key that encrypted the files was also the one that decrypted them, so it did not take long for decryption tools to be created, and all files hit by the attack were fully recovered.

2005-2006 and the Return of the Ransomware

From 1989 to 2005 nothing significant happened in relation to ransomware. However, in 2005, lots of fake spyware-removal programs emerged. These programs claimed to have found critical issues on your computer and wanted you to buy a license for around 50 US dollars. In actuality, they fixed next to nothing and merely exaggerated the errors they claimed to have uncovered. In 2006, the "Archievus" virus came into being. This was the first ever ransomware to use asymmetric encryption, and it used the RSA algorithm to do it. People had to buy a decryption password from specific Web sites. Fortunately, it only encrypted the My Documents folder on Windows-based PCs.

2008-2009 and the Fake Antivirus Applications

From 2008, ransomware took a more serious turn as the misleading software adopted the look of antivirus products. Lots of fake antivirus programs compromised computer systems. They looked and acted almost the same as their legitimate counterparts, but could demand up to 100 US dollars for "fixing" problems on your PC. To justify the higher price, these applications offered fake technical support for years on end.

2011-2012 and Locker Ransomware

In this period, ransomware programs became more severe. After their previous, not-so-successful attempts to extort money from users, criminals upped the ante. Locker ransomware peaked, demanding between 150 and 200 US dollars while also blocking all access to and control over the infected computer. This type of ransomware actually originated back in 2008, when a fake Windows Security Center message was pushed onto your screen. You were more or less forced to call a premium phone number, and panicked users did so because they were unable to access their computers. In 2012, the locker screens were designed to look as if they had been placed by real law enforcement agencies.

2013 to This Day – Crypto Ransomware and the Emergence of Bitcoin

Ever since 2013, ransomware has been using the Bitcoin currency as a payment system. That started when the CryptoLocker ransomware utilized Bitcoin as a secondary payment method. The efficiency of this cryptographic virus was huge, and it was due to several things. One of them was its rapid spread on a massive scale using an already existing botnet, GameOver Zeus. The payload file was delivered as an email attachment and targeted companies and businesses. The encryption was highly sophisticated: it used the 256-bit AES algorithm to encrypt files with specific extensions, then a 2048-bit RSA key to encrypt the AES key. That key was sent to command-and-control servers established on the Tor network. It demanded $300 as payment.

The golden era of ransomware followed: the prevalent type of such malware is still the crypto virus, and many criminals mimic CryptoLocker and borrow its tactics in their own malware designs. Cyber criminals can demand hefty sums for data decryption. For a single computer the ransom price can reach up to 5,000 US dollars, and many companies and hospitals have paid several times that amount.

Ransomware has been evolving a lot: Cerber ransomware talks to you and now spreads as a game; there are multiple examples of crypto viruses using exploit kits, ones that hide in memory, ones wrapped in a code packer to avoid detection, and others that self-delete after encryption. It is terrible that a Bitcoin payment service hosted on the Tor network is virtually untraceable, but the worst part is that ransomware is now served on a daily basis and shows no signs of stopping. The good thing is that this has pushed security specialists to enhance their security products and develop anti-ransomware tools.