Co-authored by Dr. Yoohwan Kim, CISSP, CISA, CEH, CPT, Associate Professor, Computer Science Department, University of Nevada Las Vegas
Note: This blog post is the second in a series of articles about ransomware.
In the infantry and the intelligence field, a basic tenet is to know your enemy. In 2016, ransomware attacks spiked 6,000%, with more than 4,000 attacks occurring daily. That makes ransomware an enemy worth knowing.
But to truly understand ransomware, it is necessary to first examine its history and how attackers plant this software in victims’ computer systems for illicit gain.
1989: First Known Use of Ransomware
In 1989, 20,000 attendees at the World Health Conference received free floppy disks. The disks contained a real survey about AIDS, but they also contained a Trojan Horse virus that encrypted the users’ files after a fixed number of reboots. The virus demanded that each victim send $189 to a post office box in Panama.
The creator of the virus, an AIDS researcher named Dr. Joseph Popp, was arrested by the FBI and extradited to Britain.
His virus used only symmetric key cryptography, so the same key that encrypted the files had to be carried inside the program itself and could be recovered from it. The level of ransomware sophistication has increased ever since.
1996: Researchers Connect Cryptography to Ransom
In 1996, researchers Adam Young (Columbia University) and Moti Yung (IBM) published the paper “Cryptovirology: Extortion-Based Security Threats and Countermeasures.” The co-authors proposed the use of public-key cryptography: only the public key travels with the malware, so reverse engineering the program can no longer yield the key needed to decrypt the files.
While Young and Yung’s academic paper showed the writers’ expertise, it also showed “how cryptography can be used to implement viruses that are able to mount extortion-based attacks on their hosts,” as the co-authors wrote. Unfortunately, too many readers recognized the article’s potential use in criminal attacks.
Interestingly, the co-authors also coined the terms “crypto-viral extortion” and “cryptovirology.” This new terminology moved cryptography from a defensive position to an offensive position.
2005 – 2006: Russians Become Involved in Ransomware
In 2005 and 2006, organized crime figures in Russia created ransomware that was among the first programs identified as such.
The principal targets were Russian citizens and others living in Russian-speaking countries. Later ransomware programs would likewise spread along shared-language lines, moving among victims who use the same language.
After the victim downloaded the program, the software would collect files of common types, zip them into a password-protected archive and delete the originals. The victim would be required to transfer $300 into an E-Gold account, an early digital currency that preceded Bitcoin.
2005: “Ransomware” Becomes a Term
In September 2005, Susan Schaibly wrote an article, “Files for Ransom,” for NetworkWorld magazine which contained the first known use of the term “ransomware.” Another interesting term used to describe ransomware was “Filenapper.” But a more appropriate term is extortionist.
2005-2009: Ransomware Payment Methods Increase in Sophistication
In 2005, GPCoder was a frequently used Trojan Horse virus that encrypted files and demanded a ransom of between $100 and $200 in E-Gold or as a deposit to a Liberty Reserve account.
E-Gold was a digital currency operated by a Florida-based company. The U.S. government banned its use in 2009. Liberty Reserve was a Costa Rica-based digital currency that was harder for the U.S. government to shut down.
Bitcoin was introduced in 2008, followed by the release of its open-source software in January 2009. These developments led to an incredible spike in ransomware attacks that have continued to increase ever since.
2012: Ransomware Mimics Law Enforcement Organizations
In 2012, the appearance of Reveton ransomware, which impersonated police departments and the FBI, created a public stir. This type of software was used to scare victims into paying to unlock their computer data.
Typically, a message would appear on the victim’s screen claiming that the user was caught conducting illegal online activity. The message would also threaten the victim with imminent arrest unless a “fine” was paid promptly.
The on-screen logos of authentic law enforcement organizations made the scam appear real. The idea was to cause victims to panic and pay up quickly, not giving them time to realize that law enforcement organizations do not demand payment from the public, especially via Bitcoin.
2013: The First Major Ransomware Appears
The year 2013 saw the birth of CryptoLocker, a crypto-ransomware that was spread via email. CryptoLocker demanded that the victim pay $400 in Bitcoin within 72 hours.
This ransomware infected half a million computers, and 1.3% of the victims paid the ransom. The attackers netted an estimated $27 million from their victims.
An international collaborative effort called Operation Tovar was formed to crack down on CryptoLocker and the related Gameover Zeus botnet. As a result, Russian hacker Evgeniy Mikhailovich Bogachev was caught and charged as an administrator of both CryptoLocker and Gameover Zeus.
The criminals’ command and control server was also recovered during Operation Tovar. The information on that server gave 500,000 victims the key to unlock their data without paying the ransom.
However, California-based network security firm FireEye warns that CryptoLocker has evolved and has started again to compromise users’ devices.
2014: Copycat Ransomware Like CryptoDefense Appears
Over time, copycat ransomware like CryptoDefense also evolved. This ransomware would double the victim’s ransom if it was not paid within four days.
But CryptoDefense was poorly designed because the decryption key was easy to find in the program. CryptoDefense proves that even hackers make mistakes.
Over time, many crypto-ransomware programs evolved further and differentiated themselves as competing products. Some, like Cerber, included a voice feature that read the ransom note aloud, while others overwrote the master boot record and disabled booting.
Some ransomware targeted healthcare facilities; others targeted gamers. One variant known as Silent Shade demanded a ransom of only $30, easily affordable for most victims.
2016: Ransomware Offers Opportunity to Avoid Ransom by Purposely Infecting Others
In December 2016, ransomware took on a new angle: deliberately infecting friends or colleagues. A program called Popcorn Time offered free decryption if the victim infected two other people, normally friends, via email. The new victims would open their trusted friend’s email and click on a link. Then, their systems would be attacked.
The attackers offered victims two ways to retrieve their data. The victims could choose the “nice way” and make a payment, or the “nasty way” by infecting the computers of two other people.
Ransomware Is An Equal Opportunity Attack on All Computer Systems
Ransomware isn’t limited to just one type of computer or mobile device. Mac operating systems can be attacked by ransomware called KeRanger. It typically activates within three days of the infection and charges a ransom of $400.
Similarly, Linux systems are attacked by KillDisk. This ransomware demands 222 Bitcoins, or about $218,000. Researchers, however, recently found a key for KillDisk.
Ransomware is starting to exploit smartphones and even cloud servers. Cyber defenders will need to work diligently to overcome these ransomware infections.
The Best Protection against Ransomware: Back Up Your Data
Backing up your data is one form of protection against ransomware. If you have backups of your recent files and your computer is infected, it may be easier to wipe your machine and start over. You could also opt to buy a new machine if your computer or mobile device is old.
Overall, the data you store is much more valuable than your computer. Be sure to protect your data by backing it up to a hard drive kept offline.
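The backup advice above is only as good as two properties: the copy must be intact (you can prove it matches what you saved) and it must not be silently overwritten by the encrypted versions of your files on the next scheduled run. The script below is an added example written for this post, not code from the authors or from any product mentioned. It keeps a snapshot of a directory on a second directory standing in for an offline drive (both paths are constructed in a temp folder), records a SHA-256 manifest, refuses to take a new snapshot when most files changed since the last one (the signature of a mass-encryption pass), and verifies a restore against the manifest.

```python
"""Snapshot backup with an integrity manifest and a mass-change guard.

Added example, not part of the original article. Assumes a local source
directory and a destination directory that represents an offline drive;
the demo() function constructs both under a temporary folder.
"""
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hex SHA-256 digest of a file, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def changed_fraction(old: dict, new: dict) -> float:
    """Fraction of files in the previous manifest that changed or disappeared."""
    if not old:
        return 0.0
    changed = sum(1 for rel, digest in old.items() if new.get(rel) != digest)
    return changed / len(old)


def latest_manifest(dest: Path) -> dict:
    """Manifest of the newest snapshot under dest (by name), or {} if none."""
    if not dest.exists():
        return {}
    snaps = sorted(p for p in dest.iterdir() if (p / "MANIFEST.json").is_file())
    return json.loads((snaps[-1] / "MANIFEST.json").read_text()) if snaps else {}


def snapshot(source: Path, dest: Path, name: str, max_change: float = 0.5) -> dict:
    """Copy source to dest/name and write MANIFEST.json beside the files.

    If more than max_change of the files in the last snapshot have changed,
    refuse: a sudden change to most files is what an encryption pass looks
    like, and backing it up would replace the last clean copy with ciphertext.
    """
    new_manifest = build_manifest(source)
    frac = changed_fraction(latest_manifest(dest), new_manifest)
    if frac > max_change:
        raise RuntimeError(f"{frac:.0%} of files changed since last snapshot; refusing")
    target = dest / name
    shutil.copytree(source, target)
    (target / "MANIFEST.json").write_text(json.dumps(new_manifest, indent=1))
    return new_manifest


def verify_snapshot(snap: Path) -> list:
    """Relative paths in the snapshot whose digest no longer matches the manifest."""
    manifest = json.loads((snap / "MANIFEST.json").read_text())
    return [rel for rel, digest in manifest.items()
            if not (snap / rel).is_file() or sha256_file(snap / rel) != digest]


def restore(snap: Path, target: Path) -> bool:
    """Copy a snapshot's files to target and confirm they match the manifest."""
    shutil.copytree(snap, target, ignore=shutil.ignore_patterns("MANIFEST.json"))
    manifest = json.loads((snap / "MANIFEST.json").read_text())
    return build_manifest(target) == manifest


def demo() -> dict:
    """Constructed scenario: clean backup, simulated encryption event, restore."""
    work = Path(tempfile.mkdtemp())
    src, offline = work / "documents", work / "offline_drive"
    src.mkdir()
    for i in range(10):  # constructed sample documents
        (src / f"report{i}.txt").write_text(f"quarterly report {i}\n")
    first = snapshot(src, offline, "snap-001")
    # Simulate an encryption pass: every document replaced by random bytes.
    for p in src.glob("*.txt"):
        p.write_bytes(os.urandom(64))
    try:
        snapshot(src, offline, "snap-002")
        guard_triggered = False
    except RuntimeError:
        guard_triggered = True
    return {
        "files_backed_up": len(first),
        "guard_triggered": guard_triggered,
        "snapshot_intact": verify_snapshot(offline / "snap-001") == [],
        "restore_ok": restore(offline / "snap-001", work / "restored"),
    }


if __name__ == "__main__":
    print(demo())
```

The 50% threshold is a deliberately simple heuristic; a real schedule would also keep several generations so that one guarded refusal never leaves you with no copy at all, and the destination would be physically disconnected between runs, which is the part no script can do for you.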
About the Authors
James R. Lint recently retired as the (GG-15) civilian director for intelligence and security, G2, U.S. Army Communications Electronics Command. He is an adjunct professor at AMU. James has been involved in cyberespionage events from just after the turn of the century in Korea supporting 1st Signal Brigade to the DHS Office of Intelligence and Analysis as the first government cyber intelligence analyst. He has 38 years of experience in military intelligence with the U.S. Marine Corps, U.S. Army, government contracting and civil service.
Additionally, James started the Lint Center for National Security Studies, a nonprofit charity that recently awarded its 43rd scholarship for national security students and professionals. James was also elected as the 2015 national vice president for the Military Intelligence Corps Association. He has also served in the Department of Energy’s S&S Security Office after his active military career of seven years in the Marine Corps and 14 years in the Army. His military assignments include South Korea, Germany and Cuba, in addition to numerous CONUS locations. James has authored three books: “Leadership and Management Lessons Learned” (2013), “8 Eyes on Korea, A Travel Perspective of Seoul, Korea” (2016) and “Secrets to Getting a Federal Government Job” (2017).
Dr. Yoohwan Kim is an Associate Professor in the Department of Computer Science at University of Nevada Las Vegas (UNLV). He received his Ph.D. degree from Case Western Reserve University in 2003 in the area of network security (DDoS attack mitigation). His research expertise includes secure network protocols, unmanned aircraft systems (UAS) communications, and cyber-physical system (CPS) security. He has published over 90 papers in peer-reviewed journals and conferences, and 6 patents granted or pending. His research has been sponsored by Microsoft Research, the U.S. Air Force, Naval Air Warfare Center, Oak Ridge National Laboratory, National Security Technologies and the National Science Foundation. Before joining UNLV, he had broad experience in the IT industry as a management information system consultant at Andersen Consulting (now Accenture), a database programmer at Cleveland Clinic Foundation, a software engineer at Lucent Technologies and his own start-up company.