
The Beginning of Ransomware

Andrew Mason

Co-Founders

Andrew is one of the co-founders of Pentest People. He is a veteran of the cybersecurity industry with many years of experience in building and running security-focused businesses.


Ransomware’s ascent from a minor crime to a multi-billion-dollar industry shows how serious the danger to corporations has become. But even though ransomware has been making the news regularly for the past five years, holding user data or systems hostage and then demanding a payment to get them back is nothing new.

This article will look at the evolution of ransomware, from its first known attack in 1989 to the vicious threat it has become in the present.

What is Ransomware?

Ransomware is malicious software that, once it has gained access to a system, locks down files or the entire device and prevents users from accessing them. The attacker then coerces the victim into paying a ransom in exchange for a decryption key; until that key is obtained, the files or entire devices remain hostage, and the user cannot access the encrypted systems or data.

The First Known Ransomware Attack

Since 2005, ransomware has remained one of the major concerns; however, the first attacks happened far earlier. The healthcare sector was the target of the first documented ransomware attack in 1989.

The first documented attack was carried out by AIDS researcher Joseph Popp, Ph.D., who distributed 20,000 floppy disks to AIDS researchers in more than 90 countries under the pretense that the disks contained a program that assessed a person’s risk of contracting AIDS using a questionnaire.

The disk also carried malware, although it stayed dormant at first and did not activate until the machine had been restarted 90 times. Once that 90-boot threshold was reached, the malware displayed a message demanding a payment of $189, with an additional $378 for a software lease.

This ransomware attack came to be known as either the AIDS Trojan or the PC Cyborg.

The Spread of Ransomware

Admittedly, the original ransomware attack was, at best, crude. However, this attack is significant because it paved the way for ransomware to advance into the sophisticated attacks carried out today.

Early ransomware developers wrote their own code. Today’s attackers rely on more robust libraries and on targeted spear-phishing campaigns rather than the classic mass phishing email blasts that spam filters now block. Some skilled attackers are creating toolkits that can be downloaded and used by attackers without a high level of technical expertise. Moreover, some of the most skilled hackers use Ransomware-as-a-Service programs to monetise their operations.

After the first known attack in 1989, ransomware attacks remained rare until the middle of the 2000s, when they started leveraging increasingly advanced and difficult-to-crack encryption methods such as RSA.

By 2011, it was difficult for consumers to distinguish legitimate Windows Product Activation alerts from threats, because a ransomware strain mimicked that notice. From 2015 to the present, users worldwide have been dealing with constantly changing ransomware tactics running on various platforms.

The Rise of Ransomware Groups that Make Attacks more Regular

Early cybercriminals could distribute ransomware widely as more firms and individuals went online. Still, their tactics had a fatal weakness: the encryption and decryption keys were identical and could be recovered from the Trojans themselves.

Thus, once cybersecurity businesses obtained a sample of the malware, they could develop universal decryption tools. Attackers quickly understood that they needed to make each victim’s key unique, so that data could not be recovered until the ransom was paid. Hence, ransomware evolved.

In the following stage of ransomware evolution, the attacker generates a key pair. The crypto virus carries only the public key, while the attacker keeps the private key secret. After infecting a computer, the virus generates a new symmetric session key and encrypts all files with it. The session key is then encrypted under the attacker’s public key, and the plaintext copy is removed from the victim’s system. Each infected machine therefore has its own unique session key, and nobody can decrypt the files without it; only the holder of the attacker’s private key can recover it. Each victim’s unlock key is unique, and the private key is never shared.
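To make the difference between the two key models concrete from the analyst’s side, here is an added illustration (not Pentest People’s code and not any real malware). It is a constructed miniature: the symmetric cipher is an HMAC-SHA256 keystream, the asymmetric part is textbook RSA with tiny hand-picked parameters, and everything works on byte strings in memory. It shows why a fixed key baked into every sample allows a universal decryptor, whereas a per-victim session key wrapped with the attacker’s public key leaves an analyst with nothing useful to extract.

```python
"""Toy comparison of the two key-management models described above.

Added illustration, not Pentest People's code. Everything here is a
constructed miniature: the symmetric 'cipher' is an HMAC-SHA256 keystream
and the 'RSA' uses tiny textbook parameters, so it only demonstrates the
key-management difference and is useless as real cryptography. It operates
on byte strings in memory only."""
import hashlib
import hmac
import os


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Symmetric stream cipher: XOR data with HMAC-SHA256(key, counter).
    Applying it twice with the same key restores the plaintext."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        ks = hmac.new(key, offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], ks))
    return bytes(out)


# --- Generation 1: the same symmetric key is baked into every Trojan copy ---
KEY_BAKED_INTO_SAMPLE = b"same-key-in-every-copy-of-trojan"   # constructed


def gen1_encrypt(plaintext: bytes) -> bytes:
    return keystream_xor(KEY_BAKED_INTO_SAMPLE, plaintext)


def gen1_universal_decryptor(ciphertext: bytes, key_from_sample: bytes) -> bytes:
    """Once analysts pull the key out of one sample, it unlocks every victim."""
    return keystream_xor(key_from_sample, ciphertext)


# --- Generation 2: per-victim session key, wrapped with the attacker's public key ---
TOY_PUBLIC_KEY = (3233, 17)       # (n, e): p=61, q=53; this is what ships in the sample
TOY_PRIVATE_KEY = (3233, 2753)    # (n, d): never leaves the attacker


def rsa_wrap(session_key: bytes, public_key) -> list:
    """Textbook RSA one byte at a time (toy; real code would use OAEP on the whole key)."""
    n, e = public_key
    return [pow(b, e, n) for b in session_key]


def rsa_unwrap(wrapped: list, private_key) -> bytes:
    n, d = private_key
    return bytes(pow(c, d, n) for c in wrapped)


def gen2_encrypt(plaintext: bytes, session_key: bytes = None, public_key=TOY_PUBLIC_KEY):
    """Returns (ciphertext, wrapped_session_key). The plaintext session key is
    not kept, so the wrapped copy is the only route back to the data."""
    session_key = session_key or os.urandom(16)
    return keystream_xor(session_key, plaintext), rsa_wrap(session_key, public_key)


def gen2_recover(ciphertext: bytes, wrapped: list, private_key=TOY_PRIVATE_KEY) -> bytes:
    """Only the private-key holder can unwrap the session key."""
    return keystream_xor(rsa_unwrap(wrapped, private_key), ciphertext)


def gen2_analyst_attempt(ciphertext: bytes, wrapped: list, public_key=TOY_PUBLIC_KEY) -> bytes:
    """All a sample yields is the public key. Using it in place of the private
    key produces noise, so no universal decryptor can be built from the sample."""
    n, e = public_key
    guessed_key = bytes(pow(c, e, n) & 0xFF for c in wrapped)   # wrong key: garbage bytes
    return keystream_xor(guessed_key, ciphertext)


if __name__ == "__main__":
    doc = b"quarterly figures"
    print("gen1 universal decryptor works:",
          gen1_universal_decryptor(gen1_encrypt(doc), KEY_BAKED_INTO_SAMPLE) == doc)
    ct, wrapped = gen2_encrypt(doc)
    print("gen2 private key recovers:", gen2_recover(ct, wrapped) == doc)
    print("gen2 public key alone recovers:", gen2_analyst_attempt(ct, wrapped) == doc)
```

The practical consequence for defenders is the one the paragraph draws: a sample of a generation-1 strain is enough to write a decryptor for every victim, while for generation-2 strains recovery depends on backups, a seized or leaked private key, or an implementation mistake in the wrapping step rather than on reverse engineering the sample.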

This use of asymmetric cryptography made it much harder for victims to defeat ransomware without paying, which led to more victims choosing to pay the ransom. But attackers still needed a more effective method of spreading their malware. Previously they relied on spam emails or phishing scams, which typically infected only a single individual rather than a whole enterprise. In 2017, the WannaCry worm appeared, and all of that changed.

What is the WannaCry Worm?

Even when the initial infection arrived via phishing, once inside the network WannaCry took advantage of an SMB vulnerability to propagate rapidly across the whole network. Using an exploit known as EternalBlue, the ransomware could spread throughout a network without requiring any further user involvement after the first infection. One estimate puts the number of machines affected by WannaCry at 200,000 in 150 countries worldwide.

Eventually, the same exploit was weaponised and used in the cyberattacks known as NotPetya and BadRabbit, in addition to the Retefe banking Trojan.

[Image: example of a WannaCry ransomware screen]

How WannaCry Impacts Security

Attackers now have powerful tools for coercing victims into paying the ransom and the ability to quickly and widely disseminate their infections after successfully breaking into a network. Moreover, hackers could buy exploit kits from cybercriminal organisations on the Dark Web. The ransomware would be concealed as a malicious file and used in phishing efforts by those hackers, who would then profit from anyone who downloaded the file.

Ransomware groups today choose to keep their most efficient malware strains private, license them to affiliates, and share the revenues, instead of selling their exploit kits and letting bad actors use them at will.

Earlier attacks, such as WannaCry, were opportunistic and worm-like, centred on rapid monetisation. Under today’s profit-sharing paradigm, threat actors use Advanced Persistent Threat (APT) tactics, techniques and procedures to maximise harm and pressure rather than speed. This approach is what lets ransomware outfits demand multimillion-dollar ransoms today.

Conclusion

As sure as the sun rises, ransomware will adapt to its environment and to the market variables that affect payouts; security professionals should therefore not expect it to disappear anytime soon. What companies can do, however, is build their tactics and implement multiple layers of defences to avoid falling victim to ransomware attacks, something we will explain in the next part of this ransomware series.

Here at Pentest People, our Ransomware Defence Assessment is designed to highlight all the areas of your business’s infrastructure and processes to determine where you may be vulnerable to ransomware attacks.
