One day in December 1989, Eddy Willems got a floppy disk that changed his life. His boss gave it to him after finding the label intriguing: AIDS Version 2.0, a disease that was new and strange at that time. The company, based in Antwerp, Belgium, sold medical insurance, among other things, and some AIDS statistics might prove lucrative, the boss thought. So, he asked the 27-year-old Willems to test the software.
A jack-of-all-tech-trades, Willems put the 5.25-inch black plastic diskette into his PC. He ran the programme, filling out a complete survey meant to tell if someone could be infected with AIDS or not. “And that was it,” Willems says. “I thought, okay, nothing extraordinary here. I’m probably going to throw it away.” Soon, he switched off the computer and went home.
When he turned on his computer the next day, Willems noticed it had fewer folders, but he didn’t put a lot of thought into it. On the third day, however, when he booted up his computer, something strange happened. “There was a message on the screen asking me to pay,” Willems says. “It was asking me to mail $189 to a PO Box in Panama, or I couldn’t use my computer anymore. I thought, ‘What is this?’”
Willems switched off the computer and used a bootable floppy to restart it. He saw that his directories were still there, but they were hidden, and the names of the files were changed to strings of random characters. Luckily, the contents of his files were unaltered, only their names looked weird.
“Little did he know that the AIDS Trojan, also known as PC Cyborg, was wreaking havoc all over the world. It is believed that 20,000 computer enthusiasts, medical research institutions, and researchers who attended the WHO’s international AIDS conference in Stockholm received diskettes as the one Willems got.”
“I thought, This was encryption,” he says. “But it was completely ridiculous. The program wasn’t created by a real IT guy.” An analysis of the malware published a month later in the Virus Bulletin January 1990 edition said pretty much the same thing. “While the concept is ingenious and extremely devious, the actual programming is quite untidy.”
Willems wrote a small script to restore the names of the files. “It took me ten minutes to solve the bloody thing,” he says. Then, he went to his boss again and told him that there was possibly a bug in the AIDS program. “I said the diskette is of no use to us, and I’m throwing it away.”
AIDS Trojan the first ransomware
Little did he know that the AIDS Trojan, also known as PC Cyborg, was wreaking havoc all over the world. It is believed that 20,000 computer enthusiasts, medical research institutions, and researchers who attended the WHO’s international AIDS conference in Stockholm received diskettes as the one Willems got. This sneaky software was attributed to American evolutionary biologist Dr. Joseph Popp, who held a Ph.D. from Harvard. Popp was arrested for spreading the computer virus, charged with several counts of blackmail. He was, however, declared mentally unfit to stand trial.
When Willems saw the names of his files encrypted, he didn’t think it was a security issue. Only a few days later he watched a report on a Belgian TV station explaining the magnitude of what was happening. Journalists interviewed him, and soon his decryption method was used not only in Belgium but also in faraway countries such as Japan. “The bloody thing” made him famous and, without him realising it, it paved the way to a successful career. Willems is now a security evangelist at G DATA.
I never thought ransomware would become such a trend.
During that crazy week in December 1989, Willems did one more thing right: He didn’t throw away the diskette after all. He proudly keeps it on display at his home because “ït’s one of the only AIDS floppies left in the world,” he says.
The floppy foreshadowed a new type of attack that cost companies billions of dollars in total each year. “I never thought ransomware would become such a trend,” Willems says.
“The answer lay in the movie Alien. They took inspiration from face-hugger, a creature that wraps its legs around a victim’s face, becoming impossible to detach. Removing the most devastating computer virus should be “even more damaging than leaving it in place,” they thought.”
Refining the ransomware concept: Cryproviral extortion
Ransomware had slow beginnings. The idea of encrypting people’s data and asking for money laid dormant for a few years after that AIDS Trojan incident. However, it resurfaced in 1995, when two cryptographers, Adam L. Young and Moti Yung, were placed in the same room at Columbia University in New York City. In the name of research, they were given “ample time with which to contemplate the dystopia of tomorrow,” as they later wrote in a paper.
The two were aware of the AIDS Trojan and its limitations, namely that the decryption key could be extracted from the code of the malware. So, given the experiment they were doing, they asked themselves: How devastating would the most powerful virus be?
The answer lay in the movie Alien. They took inspiration from face-hugger, a creature that wraps its legs around a victim’s face, becoming impossible to detach. Removing the most devastating computer virus should be “even more damaging than leaving it in place,” they thought.
The idea they came up with was, however, slightly different. The two coined the term “cryptoviral extortion,” a concept in which the attacker uses a public and a private encryption key. It places the public key in the cryptovirus while keeping the private decryption key private. The malware generates a random symmetric key, which is used to encrypt the victim’s data. Then, that key is encrypted with the public key. After that, it “zeroizes the symmetric key and plain-text and then puts up a ransom note containing the asymmetric ciphertext and a means to contact the attacker,” the paper reads.
Young and Yung thought that electronic money could be extorted through this process, although electronic money didn’t exist at that time. They presented their idea at the 1996 IEEE Security and Privacy conference in Oakland, California, and it was seen as being both “innovative and somewhat vulgar.”
PGPCoder led the next wave of modern ransomware
Yet soon after the conference ended, the method was shelved. Ransomware attacks only started to become a thing in 2005, when PGPCoder or GPCode was found in the wild. This virus encrypts files that have certain extensions such as .doc, .html, .jpg, .xls, .rar and .zip. It also creates a ‘!_READ_ME_!.txt’ file in each folder laying out instructions on how one could get their data back. The victim was asked to pay between $100 and $200 to an e-gold or Liberty Reserve account. In addition to GPCode, other Trojans such as Krotten, Cryzip, TROJ.RANSOM.A, MayArchive, and Archiveus started to use more refined RSA encryption, with increasing key size.
By around 2010, the cybercriminals knew well how to make money out of ransomware. A Trojan named WinLock, built in Russia, reportedly brought their creators US $16 million. WinLock didn’t use encryption at all; instead, it restricted the victim’s access to the system by showing pornographic images. Those who wanted to use their machines again were told to send an SMS to a premium number. That cost around $10, and many embarrassed victims decided to pay. The Russian police eventually arrested the gang in Moscow.
“Ransomware gangs wanted more clever schemes to make money, so they kept diversifying their strategies. In 2012, the Reveton malware family made headlines, marking the advent of the so-called “law enforcement ransomware.”
In addition to premium SMSes, phone calls were also used to pay the ransom. In 2011, a Trojan mimicked the Windows Product Activation notice. It told users that they had to re-activate their OS because they had been victims of fraud. This meant that they had to call an international number and provide a six-digit code. These calls were supposed to be free, yet they were routed through an operator that charged high fees.
Ransomware gangs wanted more clever schemes to make money, so they kept diversifying their strategies. In 2012, the Reveton malware family made headlines, marking the advent of the so-called “law enforcement ransomware.” The infected computer’s screen showed a page that would include the logos of the Interpol, the FBI, or the local police, telling users that they’ve committed a crime such as downloading illegal files, which is why this type of malware is also called scareware. The victim was instructed to pay a few hundred or even a few thousand dollars with a prepaid card.
In the first years of the 2010s, ransomware was profitable, but it wasn’t pervasive. Cybercriminals had difficulties getting money from victims without using traditional channels. This underground industry blossomed when Bitcoin emerged. In 2013, the world met the destructive CryptoLocker, the malware that kicked off the ransomware revolution.
Ransomware, a straightforward business model
Around mid-September 2013, Chester Wisniewski was in a hotel room in Seattle, Washington, watching the Seahawks on TV. It was one of the strongest teams in that NFL season, and its defence was among the best in the history of the American Football League. But Wisniewski, a security researcher at Sophos, couldn’t enjoy the game.
“I got tipped off by somebody in the lab that they were looking at some ransomware,” he says. “And I’m like: Ransomware? I thought of the AIDS Trojan.”
That’s how Wisniewski ran into CryptoLocker, the malware that marked the beginning of a new era. CryptoLocker targeted Windows computers, and most users got it through a zip file attached to an email that appeared to be coming from a legitimate company. Inside that zip archive was a double extension file — it looked like a PDF, but it was, in fact, an executable. (The Trojan has also spread using the Gameover ZeuS Trojan and botnet.)
Once the file was run, it called the command-and-control servers, which generated a 2,048-bit RSA key pair. It kept the private key, but it sent the public one to the infected computer and used it to encrypt files that have certain extensions. The Trojan was also capable of mapping the network to look for more files to scramble. Then, the user got a red screen instructing them to pay the ransom within the next 72 or 100 hours. The victim could choose the preferred currency: US dollars, euros or the equivalent amount in Bitcoin.
“In the beginning, the criminals were using just one Bitcoin wallet,” Wisniewski says. “I thought this would be a way to track how many victims are paying these guys.” The researcher kept an eye on that wallet week after week, and, at the end of October, the cybercriminals finally realised that the security researchers were watching and started changing the Bitcoin wallet. Meanwhile, millions of US dollars traversed that wallet, Wisniewski says.
“The researcher kept an eye on that wallet week after week, and, at the end of October, the cybercriminals finally realized that the security researchers were watching and started changing the Bitcoin wallet.”
CryptoLocker was taken down in June 2014, and in August the security company Fox-IT got its hands on the database of private keys so that users could decrypt their files free of charge.
The success of this ransomware inspired a crowd of copycats. “All of a sudden, boom! It wasn’t just CryptoLocker. There were 50,” Wisniewski says. “Once people caught on to the fact that the gang made millions in just a few weeks, the cat was out of the bag.”
Security company Symantec observed that the number of ransomware families exploded in 2014. The straightforward Bitcoin-powered monetisation model helped. Soon, another malware, CryptoWall, made over $18 million, the FBI estimated, and reached a market share of almost 60%. Smaller players such as TorrentLocker made a name for themselves by targeting countries in Europe, Australia, and New Zealand.
Ransomware targets smartphones, Macs and Linux
In 2014 and 2015, as smartphone penetration rose above 50%, ransomware gangs saw even more opportunities. The Android market had four significant players at that time: Svpeng (the first to emerge), Pletor, Small, and Fusob, which had some thief-ethics built into it. Whenever Fusob infected phone, the first thing it did was to check the language of the device. If it was Russian or some other Eastern European language, the malware did nothing–suggesting that its authors were based in the region and they didn’t want to steal money from their people. If there was a different language, Fusob displayed a fake screen that accused the user of wrongdoing. It claimed that a criminal case could be opened if they don’t pay a fine ranging between $100 and $200. Most of the victims were from Germany, the UK, and the US.
Dozens of new ransomware families were appearing, targeting individual users as well as companies. A Kaspersky report published that year claimed that business was hit every 40 seconds, and an individual every 10 seconds. Virulent strains such as Chimera, Cerber, Locky, CryptXXX, CTB-Locker, and TeslaCrypt (which ended up having a market share of almost 50%) appeared, and the ransomware-as-a-service model started to become popular.
It looked like the bad guys were thriving, while users and companies were paying piles of money. Some of the cybercriminal gangs were indeed taken down during cross-border operations, but it still appeared that they had an edge in the race. Something needed to be done to help companies and users avoid paying the ransom. All it took was a short meeting in The Hague.
The good guys unite
Security researchers felt they were playing a hopeless game of whack-a-mole against ransomware gangs. The more cases they closed, the more that appeared. Solving one incident at a time was not enough to discourage cybercriminals. “Everyone thought we should do something bigger,” says Raj Samani, chief scientist at McAfee.
In the spring of 2016, Samani was at Europol’s European Cybercrime Centre in the Netherlands. He was there with security experts from Kaspersky and the Dutch Police. At some point, they booked a small meeting room and started to talk about joining forces. Would it be possible for security companies to unite with law enforcement and build a platform where users could find all the decryption keys free of charge?
“I was like: Absolutely,” Samani says. “We need to do this.” Everyone in that room quickly agreed, and the NoMoreRansom.org project was born. “I don’t think that meeting was more than 10 minutes,” says the McAfee researcher.
Immediately, they divided their tasks for the NoMoreRansom project. Samani’s responsibility was to identify a company that would host the platform. “I’m good friends with AWS, and so I asked my buddies: Can you host something for us if I don’t want to pay for it?” he says. “And by the way, it’s probably going to be one of the most targeted websites in the world.”
Amazon Web Services’ executives were supportive. They asked Samani how many hits he expected this platform to get daily. He made a guess and said 12,000. “On day one, there were 2.4 million hits,” Samani says.
“I was like: Absolutely,” Samani says. “We need to do this.” Everyone in that room quickly agreed, and the NoMoreRansom.org project was born. “I don’t think that meeting was more than 10 minutes,” says the McAfee researcher.”
The NoMoreRansom project officially launched in July 2016, gathering accolades. “To me, it’s a wonderful example of how public-private partnerships should work,” says Samani. Four years into the making, the project had more than 100 partners–security companies and law enforcement agencies from across the world.
Yet, shortly after NoMoreRansom launched, the cybercriminal gangs regrouped. “They had to adapt their techniques to make people pay the ransom,” says Samani. “We were forcing them to innovate.”
Ransomware takes different shapes
Malware analyst Benoît Ancel, who works for CSIS Security Group in Denmark, saw how this whole process unfolded. He’s often reading forums where ransomware gangs exchange “best practices,” develop game plans and talk about making a fat profit. He saw them innovate, echoing Samani.
These forums are highly collaborative, according to Ancel. Even competitors work together to create better schemes. “As long as they are making money, everybody is friends with everybody else,” Ancel says.
The cybercrime market is highly specialised. “There are people who know how to send spam, people who collect email addresses. There are developers, network engineers, people who cash out.” Each person gets their share when a ransomware operation is successful.
At some point, when cybercriminals noticed that fewer victims were paying the ransom, several threads on these forums debated the problem, says Ancel. Some groups came up with the idea of changing how ransomware works. Instead of encrypting a company’s files, they could steal them and then threaten to post them online if a ransom is not paid. Hackers behind the Maze and REvil/Sodinokibi strains have used this tactic.
Ancel is afraid that ransomware gangs will increasingly target critical infrastructure, municipalities, and sectors such as healthcare that are vital to society. That is exactly what the actors behind the SamSam ransomware did. They attacked the city of Atlanta, Georgia, and several other municipalities, hospitals, and universities looking for victims that would suffer the most, thus being more likely to pay the ransom. At the end of 2018, the Department of Justice indicted two Iranians believed to be behind these attacks, saying that they got $6 million in ransom payments while causing $30 million in losses to victims.
SamSam is hardly the only example. The actors behind the Russian-speaking Ryuk ransomware, which appeared in the second half of 2018, have also hit large organisations, governmental networks, and municipalities. The victims include schools in Rockville Centre, New York, as well as the cities of New Orleans (Louisiana), Riviera Beach and Lake City (Florida), Jackson County (Georgia), and LaPorte County (Indiana).
Ancel is also worried about the growth of the ransomware-as-a-service in recent years. One notable name is the GandCrab, discovered in 2018. A Russian-speaking group created it and, like the early Android malware Fusob, it checks the language of the machine. If it’s Russian or a language spoken in a former Soviet republic, it will not drop the malicious payload.
Cybercriminals are invited to join the operation, since GandCrab follows an affiliate business model. Still, they must agree to split their earnings with the core team of the project, which gets between 30 per cent and 40 per cent. This system made GandCrab famous. By the beginning of 2019, it had 40 per cent of the ransomware market, according to Bitdefender, which estimated that there were 1.5 million victims around the world, both home users and organisations.
By May 2015, the cybercriminals behind this project announced they made enough money and wanted to retire. They bragged about earning more than $2 billion in less than a year and a half. However, researchers at Secureworks saw many similarities between GandCrab and a new strain of ransomware called REvil or Sondinokibi, suggesting that maybe not everyone associated with GandCrab has retired.
Nation-state groups get into the ransomware act
Swimming in money is not the idea that powers every attack, says Ancel. He argues that ransomware is no longer ransomware as we know it since some groups use it as a decoy.
WannaCry, for instance, which affected more than 230,000 computers in 150 countries in May 2017, was likely the work of a nation-state actor, North Korea. The malware used a leaked NSA tool, and a Windows exploit named EternalBlue. When a computer was attacked, the victim was indeed asked for money $300 in Bitcoin within three days, or $600 within seven days. Yet, those orchestrating the operation didn’t strike it rich. They only made about $140,000, which prompted analysts to say two things: that WannaCry was meant to cause disruption, and that it could have been politically driven.
WannaCry was followed in June 2017 by NotPetya, which also relied on the EternalBlue exploit. It mostly targeted Ukraine and was attributed to the Sandworm hacking group, which is part of the GRU Russian military intelligence organisation.
Given all this, the lines between cybercriminals and nation-state actors are becoming blurred. Everyone learns new techniques and adopts new tools. “Ransomware attacks are becoming more targeted, sophisticated, and costly, even as the overall frequency of attacks remains consistent,” FBI’s Internet Crime Complaint Center wrote in a Public Service Announcement issued in November 2019.
“At some point, you’ll be using a self-driving car. It’ll be hacked, there will be some demand for ransom, and you’ll only have 10 minutes to pay it. If you don’t pay, they will crash your car,”
Add up all these, and the future does not look promising, says Willems, the security researcher who still holds onto that AIDS floppy disk that changed his life. Ransomware, he says, will continue to wallop us: “I’m 100% sure about that.”
“At some point, you’ll be using a self-driving car. It’ll be hacked, there will be some ransom demand, and you’ll only have 10 minutes to pay it. If you don’t pay, they will crash your car,” he says.
Thoughts about the destructive ransomware of the future have occupied his mind recently, so he started working on a science fiction novel set around 2035. In this not so distant future, in which NATO controls the internet and all our devices are online, ransomware takes centre stage. Ovens can be switched on remotely to burn our houses if we don’t pay the hackers, and our personal data could also be shown to the public if we don’t comply with the demand.
“Well, this is not science fiction,” Willems says. “These are the trends we see more and more of.”
Write to us email@example.com