While the last few years have seen a remarkable uptick in this particularly nasty genre of attack software, ransomware isn't new.
Malware that holds data for ransom has been around for years. In 1991, a biologist spread PC Cyborg, the first ever ransomware, by sending floppy disks via surface mail to other AIDS researchers, for instance. In the mid '00s Archiveus was the first ransomware to use encryption, though it's long ago been defeated and you can find its password on its Wikipedia page. In the early '10s, a series of "police" ransomware packages appeared, so called because they purported to be warnings from law enforcement about the victims' illicit activities and demanded payment of "fines"; they began to exploit the new generation of anonymous payment services to better harvest payments without getting caught.
Over the years, ransomware has grown from a curiosity and an annoyance to a major crisis deeply entwined with top-secret spy agencies and international intrigue. And the biggest ransomware attacks of the past half-decade together do a good job of telling the story of ransomware as it's grown.
It was CryptoLocker, which burst onto the scene in 2013, that really opened the age of ransomware on a grand scale. CryptoLocker spread via attachments to spam messages, and used RSA public key encryption to seal up user files, demanding cash in return for the decryption keys. Jonathan Penn, Director of Strategy at Avast, notes that at its height in late 2013 and early 2014, over 500,000 machines were infected by CryptoLocker.
CryptoLocker was somewhat primitive, and was ultimately defeated by Operation Tovar, a white-hat campaign that brought down the botnet that controlled CryptoLocker, in the process discovering the private keys CryptoLocker used to encrypt files. But as Penn put it, CryptoLocker had "opened the floodgates" to many other varieties of file-encryption ransomware, some of which were derived from Crypto Locker’s code and some of which was given the CryptoLocker name or a close variant but was written from scratch. The variants overall harvested about $3 million dollars in ransom fees; one such them was CryptoWall, which by 2015 accounted for more than half of all ransomware infections.
Within a year, though, a new threat arose. Originally claiming to be one of those CryptoLocker variants, this ransomware soon had a new name — TeslaCrypt — and a clever M.O.: it targeted ancillary files associated with video games — saved games, maps, downloadable content, and the like. These files are at once precious to hardcore gamers but also more likely to be stored locally rather than in the cloud or backed up on an external drive. By 2016, TeslaCrypt made up 48 percent of ransomware attacks.
One particularly pernicious aspect of TeslaCrypt was that it was constantly improved by its creators, with some holes that allowed infected computers to be repaired patched by early 2016, making files essentially impossible to restore without help from the malware's creators. But then, shockingly, those creators did just that two months later, announcing that they were done with their sinister activities and offering the master decryption key to the world.
As more and more valuable files migrate to mobile devices, so too are the ransomware scammers. Android was the platform of choice to attack, and in late 2015 and early 2016, ransomware Android infections spiked almost fourfold. Many were so-called "blocker" attacks that merely made it difficult to access files by preventing users from getting at parts of the UI, but in late 2015 a particularly aggressive ransomware called SimpleLocker began to spread, which was the first Android-based attack to actually encrypt files and make them inaccessible without the scammers' help. SimpleLocker was also the first known ransomware that delivered its malicious payload via a trojan downloader, which made it more difficult for security measures to catch up to. While SimpleLocker was born in Eastern Europe, three-quarters of its victims are in the United States, as scammers chase the money.
Now the good news: while the SimpleLocker era saw a big rise in Android malware infections, the numbers overall are still relatively low — about 150,000 as of late 2016, which is a vanishingly small percentage of Android users. And most victims get infected by attempting to download porn apps or other dodgy content from outside the official Google Play store. Google is working hard to assure users that it's very hard to actually get infected by a ransomware. But it's still a lurking threat.
CryptoLocker marked the beginning of an era where ransomware was more than just a curiosity. But in mid-2017, two major and intertwined ransomware attacks spread like wildfire across the globe, shutting down hospitals in Ukraine and radio stations in California, and that was when ransomware became an existential threat.
The first of the two major attacks was called WannaCry, and "was easily the worst ransomware attack in history," says Avast's Penn. "On May 12th, the ransomware started taking hold in Europe. Just four days later, Avast had detected more than 250,000 detections in 116 countries." (That really puts 150,000 Android infections over more than a year into perspective.)
But WannaCry's real importance goes beyond the numbers: ReliaQuest CTO Joe Partlow points out that it was "the first wave of attacks that maliciously utilized leaked hacking tools from the NSA" — in this case EternalBlue, an exploit that takes advantage of a defect in Microsoft's implementation of the SMB protocol. Although Microsoft had already released a patch for the defect, many users hadn't installed it. WannaCry "blindly took advantage," of this hole, says Penn, "spreading aggressively across devices on the network because user interaction isn’t required for further infection." And, Kyle Wilhoit, senior cybersecurity threat researcher at DomainTools, points out that "many organizations had the SMB port, 445, openly exposed to the Internet, which helped propagate the worm."
If WannaCry had heralded the new age, then NotPetya confirmed it. Petya was a ransomware package that actually dated back to 2016, but just weeks after the WannaCry outbreak, an updated version began to spread that also used the EternalBlue package as WannaCry had, leading researchers to dub it "NotPetya" because it had advanced so far beyond its origins. Speculation abounded that NotPetya wasn't ransomware at all, but rather a Russian cyberattack on Ukraine in disguise.
Either way, though, Varun Badhwar, CEO and co-founder of RedLock, sees a lesson. "There was a lot of discussion around who could have been behind the WannaCry attack," he says. "But knowing that information won’t prevent further attacks like it from occurring. Malware exploits and toolkits are easily available on the internet to everyone from script kiddies to organized crime units and state sponsored attackers. The fact that NotPetya spread so rapidly showed that organizations worldwide were still not taking cybersecurity as seriously as they should. Being proactive in monitoring on-premise network traffic and ensuring they’re monitoring the traffic within cloud infrastructure environments could have prevented some of the NotPetya infections. Those with comprehensive network visibility and monitoring tools can automatically detect network traffic on non-standard ports, which have been used to launch such attacks as WannaCry."
Indeed, as is the case with so many breaches, the fault could be found not in our code but in ourselves — not in our technical infrastructure but in the way we as IT pros build and maintain it. And then there's the human factor. "Most ransomware attacks begin with a simple email phish," says Wombat Security advisor Alan Levine, "often very general and untargeted. They are vaguely addressed and absent of personally attractive content. Thus, it is our end user base, not every technical or procedural defense, but our people who stand between us and potential disaster. Their choices matter."
Related video: Ransomware marketplaces and the future of malware