THE EVOLUTION OF RANSOMWARE


Ransomware made its debut in Russia and Eastern Europe around 2005. The first instances were more disruptive than lucrative. The perpetrators did not have a reliable way to collect money from their victims and had to rely on ransoms paid out in the form of pre-paid cards and other non-digital kinds of payment. With the advent of Bitcoin, ransomware proliferated because payments became easy to collect and largely untraceable. Cybercriminals could get their payment online and disappear.

Within a short time, ransomware attacks spread across Europe and to the United States. Some efforts at this time included ransomware that claimed to be from a law enforcement group such as the FBI or the Justice Department. Many of the threats revolved around the possibility that the victim may have been accessing pornography on their computer. Ransoms were relatively low, usually a few hundred dollars or so. Victims were given a certain amount of time to pay the official-looking fine and directed to use an official-looking email address. The phony threats sometimes included the possibility of arrest if they chose not to pay.

Knowing what we do now, we may all look at this and wonder how it actually worked. But at that time, many victims did pay. Blame it on naiveté, or perhaps on the fact that cybercriminals tended to distribute their malware through ads running on porn sites that the victim might actually have visited. At one point, experts determined that around 500,000 people clicked on the malicious ads over a period of two weeks.

In 2013 a new, advanced form of ransomware began proliferating. The advancements came in the form of multi-step programming and in the way it locked up the user's files. CryptoLocker used public and private cryptographic keys to lock the files up. It was initially distributed via a botnet named Gameover Zeus. If a victim failed to pay, CryptoLocker's first order of business was to attempt to steal the user's banking credentials. If that failed to get the cybercriminals what they wanted, they would install a backdoor on the victim's machine, almost always without their knowledge, and simply download the credentials.

Subsequent versions of CryptoLocker were distributed in emails that appeared to come from popular shipping services that most people have used at some point, such as UPS or FedEx. Victims usually had 3 or 4 days to pay. Often, an on-screen "doomsday" clock was included that counted down the hours. If no action was taken, the decryption key was deleted and no one would be able to unlock the files.

For 6 months, beginning in September 2013, CryptoLocker infected more than half a million victims. Even though only a little over 1 percent of victims paid the ransom, the attack was highly profitable for the cybercriminals, netting them an estimated $27,000,000.

In June 2014, the FBI seized the control servers that were running CryptoLocker. Using the servers, an internet security company working with the FBI was able to develop an unlocking tool that let infected machines decrypt the files CryptoLocker had locked.

The success of CryptoLocker spawned several copycats. These copycats began using much more aggressive ransom tactics to convince victims to pay. If the initial ransom was not paid within the allotted time, the ransom doubled. Cybercriminals also began using the Tor network, a cluster of relay servers that improves users' anonymity and makes transactions much harder to trace.

Today's most virulent ransomware programs include names such as Petya, CryptoWall, CTB-Locker, and TorrentLocker. These new forms of ransomware include much stronger encryption methods and more effective ways for cybercriminals to elude detection.

Protecting against ransomware remains difficult, since cybercriminals routinely upgrade their code to defeat antivirus programs. However, antivirus programs, which are also routinely upgraded, together with regular data backups, are still the best methods of protecting yourself against known ransomware.
