Surprisingly long history
Ransomware has been the most pervasive cyber threat since 2005. According to publicly available information, ransomware infections have outnumbered data breaches 7,694 to 6,013 over the past 11 years.
Over the years there have been two distinct varieties of ransomware which remain consistent: crypto-based and locker-based. Crypto-ransomware refers to variants that actually encrypt files, folders, hard drives and so on, whereas locker-ransomware only locks users out of their devices and is most often seen in Android-based ransomware.
New-age ransomware involves a combination of advanced distribution efforts, such as pre-built infrastructures used to easily and widely distribute new strains, and advanced development techniques, such as using crypters to make reverse engineering extremely difficult. Additionally, the use of offline encryption methods is becoming popular, in which ransomware takes advantage of legitimate system features such as Microsoft’s CryptoAPI, eliminating the need for Command and Control (C2) communications.
Terrance DeJesus of Solutionary's Security Engineering and Research Team (SERT) takes a look back at the highlights and the evolution of ransomware throughout the years.
The very first ransomware virus, the AIDS Trojan, was created by Harvard-trained Joseph L. Popp in 1989. 20,000 infected diskettes were distributed to the World Health Organization’s international AIDS conference attendees. The Trojan’s main weapon was symmetric cryptography. It didn’t take long for decryption tools to recover the file names, but this effort set in motion almost three decades of ransomware attacks.
Almost two decades (17 years) after the first ransomware malware was distributed, another strain was released. Unfortunately, this new strain was much more difficult to remove and used RSA encryption for the first time in ransomware history. The Archiveus Trojan encrypted everything in the “My Documents” directory on a system and required users to make purchases from specific Web sites to obtain the password to decrypt the files. Archiveus was also the first known ransomware variant to use asymmetric encryption.
The unnamed Trojan of 2011
Jump five years and mainstream anonymous payment services make it much easier for hackers using ransomware to collect money from their victims without revealing their identity. Product related ransomware Trojans began to go mainstream that same year. A Trojan ransomware that mimicked a user’s Windows Product Activation notice informed users that their system's Windows installation had to be re-activated due to fraud. A fake online activation option was offered but was ultimately a dead end for the users trying to resolve their issue, requiring users to call an international number. The malware claimed that this call would be free, but the call was actually routed through a rogue operator who placed the call on hold, causing the user to incur large international long distance charges to go along with their ransomware infection.
A major ransomware Trojan known as Reveton began to spread throughout Europe. Based on the Citadel Trojan, the piece of ransomware claimed the computer under attack had been used for illegal activities and that in order to unlock the system the user would be required to pay a fine using a voucher from an anonymous prepaid cash service. In some strains, the computer screen displayed footage from the computer’s webcam to give the illusion that the ‘criminal’ was being recorded. Shortly after this incident, there was a flurry of “police-based” ransomware including Urausy and Tohfy.
Researchers discovered new variants of Reveton in the United States, claiming to require the payment of a $200 fine to the FBI using a MoneyPak card.
September 2013 was a pivotal moment in ransomware history as CryptoLocker was born. CryptoLocker was the first cryptographic malware spread by downloads from a compromised website and/or sent to business professionals in the form of email attachments made to look like customer complaints. CryptoLocker infections spread rapidly because threat actors leveraged the already existing GameOver Zeus botnet infrastructure. Operation Tovar in 2014 put a halt to the GameOver Zeus Trojan and CryptoLocker campaigns by targeting the Peer-to-Peer infrastructure used for distribution and support.
CryptoLocker uses AES-256 to encrypt files with specific extensions, then uses a 2048-bit RSA key generated by the command-and-control (C2) server to encrypt the AES-256 key. C2 servers were established on Tor networks. This made decryption difficult as attackers kept the RSA public key on their C2 servers. Hackers using CryptoLocker would threaten to delete the private key if payment was not received within three days.
In 2014, CryptoDefense, a ransomware that used Tor and Bitcoin for anonymity and 2048-bit RSA encryption, was released. CryptoDefense used Windows’ built-in encryption CryptoAPI, and the private key was stored in plain text on the infected computer - a flaw that was unfortunately not immediately discovered.
The same creators of CryptoDefense shortly rolled out an improved version dubbed CryptoWall. Unlike CryptoDefense, CryptoWall doesn’t store the encryption key where the user can get to it. CryptoWall became a widespread issue as it used the aggressive Cutwail email spam campaign, which mainly targeted the United States. CryptoWall has also been delivered via exploit kits such as Angler, and was found to be the final payload downloaded during Upatre campaigns. CryptoWall has had several active campaigns, all conducted by the same threat actor, who tracked them by unique IDs. CryptoWall showed an advancement in malware development because of its ability to establish persistence by adding additional registry keys and copying itself to startup folders. In 2015, the Cyber Threat Alliance published a report on a globally spread CryptoWall campaign that netted roughly $325 million. This CryptoWall campaign required an expansive infrastructure containing over four tiers to operate.
Sypeng and Koler
Sypeng can be considered the first Android-based ransomware that locked the screen of victims with an FBI penalty warning message. Sypeng was delivered via fake Adobe Flash updates in SMS messages. MoneyPaks worth $200 were expected for payment.
Koler ransomware was extremely similar to Sypeng in that it used fake “police” penalties and demanded MoneyPaks for ransom. Koler can be considered the first “Lockerworm” in that it contained self-propagating techniques in which it would send customized messages to everyone in a phone’s contact list, pointing them to a specific URL to be downloaded again, then locking them out of their systems.
CTB-Locker and SimplLocker
Unlike earlier variants, CTB-Locker communicated directly with the C2 server in Tor, rather than through a multi-tiered infrastructure made up of proxies, botnets, multiple Bitcoin wallets, etc. It was also one of the first ransomware variants to begin deleting Shadow Volume Copies on Windows machines. In 2016, CTB-Locker was updated to specifically target websites.
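As an added defensive illustration (not code from the original article), the following Python detection flags the Shadow Volume Copy deletion behaviour described above in constructed process-creation records; the command-line patterns, the pipe-delimited log format and the list of suspicious parent processes are all assumptions.

```python
import re
from typing import Dict, List, Optional
# Command-line patterns for Shadow Volume Copy deletion, the behaviour the
# article credits CTB-Locker with. These command lines are assumptions drawn
# from well-known Windows tooling, not taken from the article.
SHADOW_DELETION = [
    ("vssadmin delete shadows",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("wmic shadowcopy delete",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
]
# Parents that rarely run backup administration but are typical for a
# malicious document or script dropper (assumed list for this example).
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "wscript.exe"}

def parse_event(line: str) -> Optional[Dict[str, str]]:
    """Parse one constructed record of the form ts|host|user|parent|cmdline."""
    parts = line.rstrip("\n").split("|", 4)
    if len(parts) != 5:
        return None
    return dict(zip(("ts", "host", "user", "parent", "cmdline"), parts))

def classify_shadow_deletion(cmdline: str) -> Optional[str]:
    """Return the matched technique name, or None for a benign command line."""
    for name, pattern in SHADOW_DELETION:
        if pattern.search(cmdline):
            return name
    return None

def detect(lines: List[str]) -> List[Dict[str, str]]:
    """Return one alert per record whose command line deletes shadow copies."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        technique = classify_shadow_deletion(ev["cmdline"]) if ev else None
        if technique is None:
            continue
        # A deletion launched from an Office or script host is far more
        # suspicious than one launched by a backup service.
        parent = ev["parent"].rsplit("\\", 1)[-1].lower()
        severity = "high" if parent in SUSPICIOUS_PARENTS else "medium"
        alerts.append({"ts": ev["ts"], "host": ev["host"], "user": ev["user"],
                       "technique": technique, "severity": severity})
    return alerts
# Constructed sample records (not real telemetry).
SAMPLE_LOG = [
    "2016-05-20T09:00:01Z|WS01|alice|C:\\Windows\\explorer.exe|notepad.exe notes.txt",
    "2016-05-20T09:02:13Z|WS01|alice|C:\\Office\\WINWORD.EXE|vssadmin.exe Delete Shadows /All /Quiet",
    "2016-05-20T09:02:14Z|WS01|alice|C:\\Windows\\System32\\cmd.exe|wmic shadowcopy delete",
    "2016-05-20T22:00:00Z|BACKUP01|svc_backup|C:\\Windows\\System32\\services.exe|vssadmin list shadows",
]
```

Running `detect(SAMPLE_LOG)` yields two alerts: a high-severity one for the Word-spawned vssadmin command and a medium-severity one for the wmic command, while the backup service listing shadows is not flagged.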
SimplLocker was also discovered in 2014. It was considered to be the first “Crypto-based” ransomware for Android mobile devices in that it encrypted files and folders versus simply locking the user out of their phone.
An aggressive Android ransomware strain started to spread across America in September of last year. Security researchers at ESET discovered the first real example of malware capable of resetting the PIN of your phone to permanently lock you out of your own device. Dubbed LockerPin, the ransomware changes the infected device's lock screen PIN code and leaves victims with a locked mobile screen. LockerPin then demanded $500 to unlock the device.
Ransomware-as-a-Service (RaaS) started in 2015. These services typically included user-friendly ransomware kits which could be purchased on underground markets. Typically selling for $1,000 to $3,000, buyers shared roughly a 10 percent to 20 percent cut of their profits with the seller. Tox is often considered the first and most widely distributed RaaS toolkit/ransomware.
TeslaCrypt appeared in 2015 as well and would go on to be a persistent threat as developers made roughly four versions. It was first distributed via the Angler exploit kit and grew to be distributed by others. TeslaCrypt used AES-256 to encrypt files, then RSA-4096 to encrypt the AES key. C2 domains within Tor were used for payment and distribution efforts. Its infrastructure included multiple tiers, including proxy servers. TeslaCrypt itself was highly advanced, containing functions which allowed resiliency and persistence on victim machines. In 2016, the TeslaCrypt authors gave up their master decryption key to ESET.
LowLevel04 and Chimera
LowLevel04 ransomware was discovered in 2015, targeting Remote Desktop and Terminal Services. Unlike other ransomware campaigns, attacks were done manually by attackers in which they remoted into servers, mapped out internal systems and drives before manually distributing the ransomware. In this case, attackers were observed deleting application, security and system logs.
Chimera ransomware was discovered towards the end of 2015. Considered to be the first “doxing” ransomware of its kind, Chimera threatened to publish sensitive or private files online to the public. Chimera used Bitmessage’s P2P protocol for communication with its C2s. It turned out these C2s were just Bitmessage nodes.
Ransom32 and 7ev3n
7ev3n ransomware has become publicly known in the past few months. At 13 bitcoins, it probably demands the highest ransom yet. 7ev3n ransomware not only performed the typical encryption and ransom demands, but also trashed Windows systems. The malware developers seemed to be heavily focused on ensuring 7ev3n had the capabilities to destroy any possible way of recovering encrypted files. 7ev3n-HONE$T was released shortly after, lowering the ransom demand and adding some efficient functionalities.
During 2016, the malware authors of EDA2 and Hidden Tear publicly released the source code on GitHub, claiming this was done for research purposes. Those who discovered it quickly copied the code and made custom changes, causing a huge spike in random variants.
The infamous Locky ransomware was discovered in 2016 as well. Locky quickly began to spread via aggressive phishing campaigns and by leveraging the Dridex infrastructure, which was already spread globally. Locky also made headlines for infecting multiple hospitals based in Kentucky, California, Kansas and foreign regions. Threat actors quickly discovered that infecting systems tied to necessary facilities within healthcare paid off as multiple hospitals quickly paid the ransoms, thus starting a trend of phishing emails that led to ransomware downloads in the healthcare industry.
SamSam or SAMAS ransomware was observed being distributed specifically to vulnerable JBoss servers. At first, threat actors performed reconnaissance against JBoss servers using a tool known as JexBoss, before exploiting vulnerabilities and installing SamSam. Unlike others, SamSam included a channel so attackers could communicate in real-time directly with their victims via a .onion website.
The first official Mac OS X-based ransomware, KeRanger, was discovered in 2016, delivered via the Transmission BitTorrent client for OS X. The ransomware was signed with a Mac development certificate, allowing it to bypass Apple’s Gatekeeper security software.
Petya became popular in 2016 as it was being delivered via Dropbox and overwrote the Master Boot Record (MBR) of infected machines, then encrypted the physical drive itself. It also displayed a fake CHKDSK prompt while encrypting the drive. If the payment of $431 was not received within seven days, the payment doubled. Petya was updated to include a second payload, which turned out to be the Mischa ransomware variant, which did not encrypt the hard drive.
Maktub was discovered as well in 2016, proving to researchers that ransomware developers were attempting to create extremely advanced variants. Maktub was the first of its kind to use a Crypter, which is software used to hide or encrypt the source code of malware. Instead of using C2s for retrieving and storing encryption keys, Maktub performed the encryption offline using Windows CryptoAPI.
The Jigsaw ransomware became the first of its kind in which the ransom note contained the popular Jigsaw characters from the movie series SAW. It also threatened to delete a file every 60 minutes if the $150 ransom was not paid. Additionally, if a victim attempted to stop the process or restart their machine, it then deleted 1,000 files.
As of the end of May 2016, CryptXXX is the latest ransomware variant being heavily distributed. Researchers suggest that it is connected to the Reveton ransomware variant because of similar footprints during the infection period. CryptXXX is spread via multiple exploit kits, primarily Angler, and is typically observed after Bedep infections. Its functionality includes, but is not limited to, anti-sandbox detection, mouse activity monitoring, custom C2 communication protocols and payment through Tor.
Microsoft released an article detailing a new ransomware variant named ZCryptor. Besides functionality adapted from its predecessors, such as encrypting files and adding registry keys for persistence, ZCryptor can be considered one of the very first “cryptoworms”. Distributed through spam email, ZCryptor has self-propagating techniques to infect external devices and other systems on the network, encrypting every machine and shared drive as well.
What is the future of ransomware?
Experts predict we will continue to observe multiple, new variants throughout 2016. Of these variants, it is likely that only a few will actually have a high impact based on the efforts of the malware authors and cyber gangs involved. While ransomware authors continue their development cycles and either update pre-existing strains or make new ones, additional features which enhance resiliency and persistence are predicted to become ransomware standards.
Strains with such functionalities and capabilities, if used along with a vast infrastructure, anonymous networks and anonymous payment services, will be a global nightmare. Built-in propagation techniques will not be surprising in the near future as threat actors attempt to determine how to increase their income while decreasing effort. Recent strains which use crypters suggest that ransomware authors understand there are multiple researchers attempting to reverse-engineer their strains. This reverse engineering and analysis helps lead ransomware developers to improve their own ransomware variants.
It seems likely that offline encryption (ransomware variants which do not require C2 infrastructures to properly create, maintain and distribute private and public keys) will continue to be observed within Windows-based ransomware in which attackers leverage much of Microsoft’s in-house capabilities.