The Evolution of Ransomware

Credit to Author: Trend Micro | Date: Wed, 31 Jan 2018 23:28:03 +0000

Ransomware has become a pervasive, dangerous and expensive threat to businesses and individual users.

While many businesses and individual users understand that ransomware isn't a new threat, many don't actually know how long this particular infection style has been utilized by hackers. The first attacks took place more than a decade ago, and since then, ransomware authors have only become more sophisticated and creative when establishing advanced locking or encrypting infection samples.

Compounding the issue of increasingly dangerous samples is the fact that the malicious actors behind the attacks are now demanding higher ransoms – and, in some instances, even after a particularly expensive ransom is paid, files and data remain inaccessible to attack victims.

Because the first step toward protection and prevention is knowledge, it's imperative that enterprise leaders and employees understand this rampant threat. Today, we're taking a closer look at the history and evolution of ransomware.

Early history: The first attacks

According to Trend Micro's research paper, Ransomware: Past, Present and Future, some of the earliest ransomware infections took place more than 10 years ago, in 2005 and 2006. These instances involved victims in Russia and used compression to lock files into password-protected archives, preventing access to them on victims' endpoints. The infections also uploaded a file to victims' computers to present the ransom note, which demanded $300 for the returned access to data and files.

These early ransomware samples didn't exactly operate in the way that today's samples do. Often, the pervasive ransomware that we're used to hearing about today falls under one of two categories – locking ransomware, or encrypting ransomware. In both cases, victims are unable to open and retrieve files and data. Per their names, locking ransomware locks the operating system and prevents access that way, whereas encrypting ransomware leverages robust encryption algorithms and then demands ransom for the decryption key.

The first ransomware samples, however, were only capable of locking down specific files, but malware authors ensured that their malicious code targeted some of the most commonly used types, including .JPG, .PDF, .ZIP and .DOC.
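As an added example (not from the original post or from Trend Micro's own tooling), the following defender-side check separates the encrypting behaviour described above from ordinary saves of the same file types. It flags a process only when several targeted files lose their expected leading bytes and are rewritten with near-random content inside a short window; checking the magic bytes, not entropy alone, is what keeps legitimately compressed .ZIP and .JPG files from being false positives. All process names, paths and byte contents are constructed.

```python
import math
from collections import defaultdict

# Leading bytes ("magic") of the file types the early samples went after (constructed table).
MAGIC = {".jpg": b"\xff\xd8\xff", ".pdf": b"%PDF", ".zip": b"PK\x03\x04", ".doc": b"\xd0\xcf\x11\xe0"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ciphertext sits near 8.0, plain documents well below it."""
    if not data:
        return 0.0
    n = len(data)
    counts = [data.count(bytes([b])) for b in range(256)]
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def looks_encrypted(path: str, head: bytes) -> bool:
    """Flag a rewrite only when the expected magic is gone AND the bytes are near-random.
    Compressed formats (.zip, .jpg) are high-entropy by nature, so the magic check is what
    keeps a legitimate save of those types from being flagged."""
    magic = MAGIC.get(path[path.rfind("."):].lower())
    return magic is not None and not head.startswith(magic) and shannon_entropy(head) > 7.0

def flag_processes(events, threshold=3, window=60):
    """events: (timestamp_s, process, path, first_bytes_written). Returns the processes that
    rewrote >= threshold targeted files as ciphertext within `window` seconds: the mass
    rewrite is the signal, a single odd file is not."""
    hits = defaultdict(list)
    for ts, proc, path, head in events:
        if looks_encrypted(path, head):
            hits[proc].append(ts)
    flagged = set()
    for proc, times in hits.items():
        times.sort()
        if any(times[i + threshold - 1] - times[i] <= window for i in range(len(times) - threshold + 1)):
            flagged.add(proc)
    return flagged

# Constructed sample: ENC is a deterministic byte permutation repeated four times (entropy 8.0),
# standing in for ciphertext; no real malware or file content is involved.
ENC = bytes((i * 131 + 7) % 256 for i in range(1024))
SAMPLE_EVENTS = [
    (0, "winword.exe", r"C:\Users\a\report.doc", MAGIC[".doc"] + b"\x00" * 60),  # normal save
    (5, "7z.exe", r"C:\Users\a\photos.zip", MAGIC[".zip"] + ENC),                # real, compressed zip
    (10, "unknown.exe", r"C:\Users\a\report.doc", ENC),
    (12, "unknown.exe", r"C:\Users\a\photos.zip", ENC),
    (15, "unknown.exe", r"C:\Users\a\scan.pdf", ENC),
    (18, "unknown.exe", r"C:\Users\a\cat.jpg", ENC),
]

if __name__ == "__main__":
    print(flag_processes(SAMPLE_EVENTS))  # {'unknown.exe'}
```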

[Image: yellow "INFECTED" key on a keyboard with a skull and crossbones.] Ransomware infections have evolved considerably over the last decade.

Heading into the mainstream: Fear-inducing ransom notifications

Fast forward a few years, and ransomware was becoming increasingly sophisticated and impactful. In 2012, we saw some of the first infections that looked to cash in on fear for payment: attackers in Russia and Europe used ransom notes that appeared to be legitimate warnings from law enforcement. This tactic made victims believe they had somehow broken the law and had to pay a fine to resolve the matter.

This fear-based strategy was used for years, and even made its way onto mobile platforms. In 2015, The Register contributor John Leyden wrote about an Android ransomware sample that displays a warning message appearing to be from the FBI.

"The device's home screen delivers an alarming fake message from the FBI telling users they have broken the law by visiting pornographic websites. To make the message more compelling, hackers add screenshots of the so-called browsing history. The warning gets scarier as it claims to have screenshots of the victims' faces and know their location," Bitdefender chief security strategist Catalin Cosoi told Leyden.

What's more, this sample had the ability to increase the price of the ransom based on victims' responses – while the initial ransom sat at $500, hackers demanded $1,500 from those who attempted to bypass the fraudulent FBI warning and unlock their devices. This type of ransomware was a far cry from early samples, which were incredibly basic by comparison.

Crypto-ransomware bursts onto the scene

As time passed, malware authors used increasingly damaging methods to encourage victims to pay up. By 2013, hackers weren't just locking away files and preventing access with on-screen ransom demands. This was the year that crypto-ransomware samples came about, which had the ability to eliminate data as well as lock it away.

"This threat no longer just encrypted files, it started deleting files if victims refused to pay," Trend Micro noted. "To get files back, victims were asked to pay varying ransom amounts in the form of Bitcoins in exchange for a decryption key."

This type of ransomware was incredibly impactful when it came to unsecured and unprepared businesses – eliminating data in this type of setting could mean the collapse of the company, so victims were considerably motivated to pay.

Secondary ransom demands

We've even seen instances in which organizations pay the ransom, but the desired outcome – the returned access to files and data – doesn't actually happen. In 2016, Healthcare IT News contributor Bill Siwicki reported on a ransomware infection that took place at a Kansas hospital. In this case, the health care institution paid the initial ransom, but did not receive its unlocked data as promised – instead, hackers demanded a second ransom, which the hospital did not pay.

"Demands for funds are soaring, and the problem is organizations are paying. Ransomware will get worse before it gets better," said Fortinet vice president Ryan Witt. "You don't want to think of return on investment as it pertains to criminal activity, but there is a strong ROI, and these attackers are quite sophisticated and know there is money to be made."

A global attack surface: WannaCry and Petya

One family that surely won't become a footnote in the evolution of ransomware is WannaCry. CSO called the infection "a perfect ransomware storm," and with its extensive reach and high-profile victims, it isn't difficult to understand why.

WannaCry spread across networks in numerous countries in May 2017 and quickly became one of the most pervasive ransomware threats to date. The sample leveraged EternalBlue, the exploit for a Windows vulnerability leaked by the hacking group the Shadow Brokers, and attacked businesses, health care providers, utility companies and other organizations in Europe, Japan and beyond.

Following close on the heels of WannaCry was Petya, which, as The Guardian pointed out, represented the second major global ransomware attack within the space of just eight short weeks. Petya also leveraged the same Windows vulnerability, but had a backup plan in case a patch was installed – the ransomware could also abuse weaknesses in Windows administrative tools to propagate.

On the horizon: What's next for ransomware?

Experts don't see an end to ransomware anytime in the near future. In fact, Trend Micro forecasted in its 2018 Security Predictions report that ransomware will "only be anticipated to make further rounds," particularly as ransomware-as-a-service offerings in underground marketplaces grow in popularity.

In this environment where ransomware continues to be a dangerous threat, businesses and individual users should protect their data and assets with multi-layered security solutions coupled with robust backups.

To find out more about guarding against ransomware infections, connect with the experts at Trend Micro today.