If there’s one word that can strike fear equally in the hearts of end users, security pros, and CIOs, it’s ransomware. While the sudden rise in prevalence of this particular type of malware seems to indicate it’s a new form of attack, ransomware has actually been around just about as long as malware has, and looks to be here to stay.
A number of prominent attacks have gained media attention recently, so we wanted to take a look at the history of ransomware, raise awareness of it, and share a little information about the 10 worst ransomware attacks that ever happened. From the first to the most recent, these are the ten to remember, either because they were the most impactful, spread the fastest, could have been avoided, or had some other significance in the course of history.
PC Cyborg, AKA the AIDS Trojan
The first real broad manifestation of ransomware dates back to 1989, with the PC Cyborg ransomware, also called the AIDS Trojan. The phrase ransomware wasn’t really in use back then, heck even malware wasn’t a common term, but this code has the distinction of being the first widely known to encrypt files and extort a ransom. It spread by floppy disk (remember those?!) and encrypted files, demanding a US $189 ransom be sent to a post office box in Panama. It was started by Dr. Joseph Popp, an actual AIDS researcher (amongst other things,) who distributed 20,000 floppies to attendees at an AIDS conference that allegedly contained a research program to help with the study of AIDS. Infecting machines upon first use, it waited 90 reboots before changing file and directory names, rendering a system unusable, and presenting the demand, allowing it ample time to spread to others as more and more floppies were shared over Sneakernet. Since PC Cyborg used symmetric encryption, it wasn’t long before someone created a way to recover files. It’s unknown how many victims mailed the ransom money. You can read more about PC Cyborg at https://en.wikipedia.org/wiki/AIDS_%28Trojan_horse%29.
While ransomware never really went away, it was 2006 before the next big thing struck. Archievus targeted Windows users’ “My Documents” folder, and used RSA encryption to ensure there was no easy way back. Victims had to make purchases from specific online sellers before being given the key to decrypt their data. As it turns out, the password was not unique to each victim, and once this was discovered the password was widely published, helping victims to recover their data. That password, by the way, was “mf2lro8sw03ufvnsq034jfowr18f3cszc20vmw” which may help you win the next game of Trivial Pursuit you play! You can read more about this at http://news.bbc.co.uk/2/hi/technology/5038330.stm.
Most people reading this post will probably recognize the name “Reveton” from 2012. Reveton, AKA the “Police Trojan,” presented itself as a warning from various law enforcement agencies depending on the victim’s region, and indicating that illegal content such as unlicensed software or pornography had been detected on the victim’s system. To “sell” itself to the victim, personal details or even webcam footage was added to the demand note. In order to “unlock” their system, victims would have to pay a “fine” by way of various anonymous payment systems. Reveton was spread by the Citadel trojan. Several people were eventually tracked down and arrested in connection with this ransomware. Learn more at https://en.wikipedia.org/wiki/Ransomware#Reveton.
By 2014, ransomware started being part of the general public’s vocabulary thanks to the widespread and highly impactful CryptoLocker. Another trojan horse targeting Windows users, it first appeared in late 2013 and spread both by email attachments and through botnet activities targeting vulnerable machines. Using asymmetric encryption and demanding a ransom paid by Bitcoin, victims could either pay up, or lose their data, as recovery was not feasible. It’s estimated that from US $3M up to US $27M in ransom was paid before the botnet was taken down. By August, the private keys had been recovered after law enforcement processes made arrests and seized hardware controlled by the people behind CryptoLocker, and victims could retrieve their individual decryption keys online. CryptoLocker’s approach has been cloned several times, with the most prominent being CryptoWall and TorrentLocker. You can read more about CryptoLocker at https://en.wikipedia.org/wiki/CryptoLocker.
CryptoWall actually may date back to the end of 2013, but rose to prominence in 2014. CryptoWall copied several of the attributes of CryptoLocker, including even the appearance of the ransom demand. Spread by both email attachments and infected downloads, the most common vector was through the Cutwail spam botnet. It’s estimated that CryptoWall infected 625K computers and encrypted billions of files. CryptoWall’s infection had the unique approach of deleting shadow copies created by the Windows Shadow Copy Service, rendering using shadow copies as a recovery method ineffective. Demanding ransoms from $200 to $2000 dollars payable by Bitcoin or other methods, CryptoWall also used a deadline approach to motivate victims to pay. It’s estimated that over US $1M was paid by victims. There’s a great write-up on CryptoWall at https://www.secureworks.com/research/cryptowall-ransomware.
Based in part on CryptoLocker’s code, TorrentLocker may also be called Crypt0L0cker because replacing letters with numbers is so 1337. Unrelated to BitTorrent, TorrentLocker is spread by email attachment or links to downloadable files, and targets both local and network accessible files, including those on removable media, and encrypts them using asymmetric encryption before presenting the ransom demand and a deadline. Ransom started at US $550 payable in Bitcoin, and after 72 hours would increase. BleepingComputer has a great write-up of TorrentLocker at https://www.bleepingcomputer.com/virus-removal/torrentlocker-crypt0l0cker-ransomware-information#TorrentLocker.
In 2016, LOcky gained notoriety by successfully extorting data from a major US healthcare company that fell victim. The Hollywood Presbyterian Medical Center paid US $17K to recover patient data records that had been encrypted by LOcky. LOcky had a new approach, combining social engineering with a Word macro that, by itself, did not carry anything obvious. Victims would receive a Word document disguised as an invoice, but that would prompt them to enable macros in order to render properly. When the user did, the macro would download the malware, encrypt the victim’s data, and demand the ransom in Bitcoin. LOcky was also the first to detect whether or not it was executing on a VM (a good indication that a researcher was looking at it, as opposed to a victim) and to take measures to avoid detection. Variants of LOcky continue to be detected in the wild. You can learn more about LOcky at https://en.wikipedia.org/wiki/Locky.
Making waves in March 2016, Petya took a more holistic approach to encryption by encrypting drives’ file system tables rather than individual files, rendering an entire system unusable very quickly. It overwrites the Windows bootloader and forces a reboot, which then leads to encrypting both the file table and file system while appearing to be a CHKDSK, giving it time to run. Once encrypted, the ransom demand is presented as an ASCII image demanding payment via Bitcoin. It also could use a variant of the Mischa malware to encrypt user files if the user did not have admin access to the compromised machine, which would be necessary to overwrite and force a reboot. You can learn more at https://en.wikipedia.org/wiki/Petya_(malware).
One of the most recent, and most prevalent, ransomware attacks hit in May 2017 and is known as WannaCry. It spread like wildfire, infecting more than 200K systems in 150 countries. WannaCry is perhaps most notorious for using worm-like methods to spread from an infected machine to others on the same network. What makes matters so much worse are two things of distinction
- The propagation method used attack code allegedly developed by the United States National Security Agency which was stolen and released to the wild. The attack was codenamed EternalBlue and targets vulnerabilities in the Windows SMB protocol. It also dropped the DoublePulsar RAT, another piece of NSA code, for later access to victims’ systems.
- Those same vulnerabilities were patched by Microsoft in March of 2017. Companies that were current and up to date should not have seen this malware spread. Those that did suffered in large part from “self-inflicted wounds.”
The other thing that makes WannaCry so distinct is that a security researcher named Marcus Hutchins, while on leave, discovered that the malware attempted to resolve the domain name and would shut down if it succeeded. One quick domain registration and a little more than US $10 later, Hutchins had effectively saved the Internet from this malware. Unfortunately, that may have led companies to a false sense of complacency, as the next on our list takes advantage of the same vulnerability to spread, and of course, so many orgs still had not patched that this too spread like wildfire. You can read more about WannaCry at https://en.wikipedia.org/wiki/WannaCry_ransomware_attack.
A variant of the above discussed Petya, this ransomware started to spread very quickly in the Ukraine and quickly spread throughout the world. Instead of spreading by way of email attachment, NotPetya first got into companies using M.E.Doc, a tax prep software package. Systems that were running this software and that attempted to download legitimate updates instead downloaded and executed the malware, which could then spread by way of the same vulnerability that WannaCry exploited. And yes, as you can guess, victims still had not patched the vulnerability with updates that were available months earlier in MS17-010, released in March 2017. Worse, NotPetya did not have the killswitch that WannaCry had, so there was no heroic domain registration to save the day this time. One of the most frightening aspects of NotPetya is that it is alleged that the systems monitoring radiation leaks from the Chernobyl nuclear power plant were taken offline as a result. If true, it would seem that they are unfamiliar with importance of isolation and securing SCADA systems. Again, you can learn more about NotPetya at https://en.wikipedia.org/wiki/Petya_(malware).
From what we’ve seen so far this year, there are a few things I think are safe bets for the next half of 2017.
- Ransomware will continue to increase, with greater impact.
- New versions will use more of the attack methods released by the ShadowBrokers and that allegedly come from NSA tools that got out into the wild.
- Exploits will continue to attack vulnerabilities for which patches have been released.
- Larger organizations will continue to pay, rather than taking actions to prevent infection such as scanning emails, filtering downloads, and updating their systems.
Don’t be a victim. Patch your systems, reduce or remove administrative rights from users, never open files/surf the web/read email while logged on as an admin user, implement email and web filtering, and run current anti=malware that cannot be disabled by end users or admins. If you’re smart, keep current, and take precautions that are readily available to you and that you should already be doing, your risks from ransomware will be minimal.