Malware that holds data for ransom has been around for years. In 1991, for instance, a biologist spread PC Cyborg, the first ever ransomware, by sending floppy disks via surface mail to other AIDS researchers. In the mid-2000s Archiveus was the first ransomware to use encryption, though it was defeated long ago and you can find its password on its Wikipedia page. In the early 2010s, a series of "police" ransomware packages appeared, so called because they purported to be warnings from law enforcement about the victims' illicit activities and demanded payment of "fines"; they began to exploit the new generation of anonymous payment services to better harvest payments without getting caught.
Over the years, ransomware has grown from a curiosity and an annoyance to a major crisis deeply entwined with top-secret spy agencies and international intrigue. And the biggest ransomware attacks of the past half-decade together do a good job of telling the story of ransomware as it's evolved.
Originally claiming to be one of those CryptoLocker variants, this ransomware soon had a new name — TeslaCrypt — and a clever M.O.: it targeted ancillary files associated with video games — saved games, maps, downloadable content, and the like. These files are at once precious to hardcore gamers and also more likely to be stored locally rather than in the cloud or backed up on an external drive. By 2016, TeslaCrypt made up 48% of ransomware attacks.
One particularly pernicious aspect of TeslaCrypt was that it was constantly improved upon. By early 2016, it was essentially impossible to restore files without help from the malware's creators. But then, shockingly, in May 2016 TeslaCrypt's creators announced that they were done with their sinister activities and offering the master decryption key to the world.
As more and more valuable files migrate to mobile devices, so too do the ransomware scammers. Android was the platform of choice to attack, and in late 2015 and early 2016, ransomware Android infections spiked almost fourfold. Many were so-called "blocker" attacks that merely made it difficult to access files by preventing users from getting at parts of the UI, but in late 2015 a particularly aggressive ransomware called SimpleLocker began to spread, which was the first Android-based attack to actually encrypt files and make them inaccessible without the scammers' help. SimpleLocker was also the first known ransomware that delivered its malicious payload via a trojan downloader, which made it more difficult for security measures to catch up with. While SimpleLocker was born in Eastern Europe, three-quarters of its victims are in the United States, as scammers chase the money.
Now the good news: while the SimpleLocker era saw a big rise in Android malware infections, the numbers overall are still relatively low — about 150,000 as of late 2016, which is a vanishingly small percentage of Android users. And most victims get infected by attempting to download dodgy apps and content from outside the official Google Play store. Google is working hard to assure users that it's very hard to actually get infected by ransomware. But it's still a lurking threat.
In mid-2017, two major and intertwined ransomware attacks spread like wildfire across the globe, shutting down hospitals in Ukraine and radio stations in California, and that was when ransomware became an existential threat.
The first of the two major attacks was called WannaCry, and "was easily the worst ransomware attack in history," says Avast's Penn. "On May 12th, the ransomware started taking hold in Europe. Just four days later, Avast had detected more than 250,000 detections in 116 countries." (That really puts 150,000 Android infections over more than a year into perspective.)
But WannaCry's real importance goes beyond the numbers: ReliaQuest CTO Joe Partlow points out that it was "the first wave of attacks that maliciously utilized leaked hacking tools from the NSA" — in this case EternalBlue, an exploit that takes advantage of a defect in Microsoft's implementation of the SMB protocol. Although Microsoft had already released a patch for the defect, many users hadn't installed it. WannaCry "blindly took advantage," of this hole, says Penn, "spreading aggressively across devices on the network because user interaction isn’t required for further infection." And, Kyle Wilhoit, senior cybersecurity threat researcher at DomainTools, points out that "many organizations had the SMB port, 445, openly exposed to the Internet, which helped propagate the worm."
If WannaCry had heralded the new age, then NotPetya confirmed it. Petya was a ransomware package that actually dated back to 2016, but just weeks after the WannaCry outbreak, an updated version began to spread that also used the EternalBlue package as WannaCry had, leading researchers to dub it "NotPetya" because it had advanced so far beyond its origins. Speculation abounded that NotPetya wasn't ransomware at all, but rather a Russian cyberattack on Ukraine in disguise.
Either way, though, Varun Badhwar, CEO and co-founder of RedLock, sees a lesson. "There was a lot of discussion around who could have been behind the WannaCry attack," he says. "But knowing that information won’t prevent further attacks like it from occurring. Malware exploits and toolkits are easily available on the internet to everyone from script kiddies to organized crime units and state sponsored attackers. The fact that NotPetya spread so rapidly showed that organizations worldwide were still not taking cybersecurity as seriously as they should. Being proactive in monitoring on-premise network traffic and ensuring they’re monitoring the traffic within cloud infrastructure environments could have prevented some of the NotPetya infections. Those with comprehensive network visibility and monitoring tools can automatically detect network traffic on non-standard ports, which have been used to launch such attacks as WannaCry."
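The two propagation points made above, SMB port 445 exposed to the Internet and worm-style spread across devices on an internal network with no user interaction, both leave traces in ordinary flow or firewall logs. The following script is an added example, not code from the article or from any of the vendors quoted; it runs over a small set of constructed flow records (not real traffic) and flags two conditions a defender would want to catch: inbound SMB from an address outside the organization's internal ranges, and a single internal host fanning out to many distinct internal hosts on 445 within a short window. The log format, the internal address ranges, the window and the threshold are all assumptions chosen for the example.

```python
"""Flag WannaCry-style SMB exposure and fan-out in flow records.

Added example; not from the article. Assumes constructed records of the form
'ISO-timestamp src_ip dst_ip dst_port proto' and illustrative thresholds.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow records (not real traffic). Host 10.0.1.15 reaches six
# peers on 445 within seconds; 198.51.100.7 is an outside address hitting 445.
SAMPLE_FLOWS = """\
2017-05-12T08:00:01 10.0.1.15 10.0.1.20 445 tcp
2017-05-12T08:00:02 10.0.1.15 10.0.1.21 445 tcp
2017-05-12T08:00:03 10.0.1.15 10.0.1.22 445 tcp
2017-05-12T08:00:03 10.0.1.15 10.0.1.23 445 tcp
2017-05-12T08:00:04 10.0.1.15 10.0.1.24 445 tcp
2017-05-12T08:00:05 10.0.1.15 10.0.1.25 445 tcp
2017-05-12T08:00:10 198.51.100.7 10.0.1.5 445 tcp
2017-05-12T08:01:00 10.0.1.30 10.0.1.31 445 tcp
2017-05-12T08:02:00 10.0.1.30 10.0.1.40 443 tcp
2017-05-12T08:05:00 203.0.113.9 10.0.1.8 443 tcp
"""

SMB_PORT = 445

# Assumed internal address space (RFC 1918); adjust to the organization's own.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    """True if the address falls inside one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Parse the assumed one-line-per-flow format into dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto = line.split()
        flows.append({"ts": datetime.fromisoformat(ts), "src": src,
                      "dst": dst, "dport": int(dport), "proto": proto})
    return flows


def external_smb_exposure(flows):
    """(src, dst) pairs where a non-internal source reached port 445."""
    return [(f["src"], f["dst"]) for f in flows
            if f["dport"] == SMB_PORT and not is_internal(f["src"])]


def smb_fanout(flows, window=timedelta(seconds=60), threshold=5):
    """Internal sources that touched >= threshold distinct internal hosts
    on 445 inside any `window`; returns {src: peak distinct destinations}."""
    by_src = defaultdict(list)
    for f in flows:
        if (f["dport"] == SMB_PORT and is_internal(f["src"])
                and is_internal(f["dst"])):
            by_src[f["src"]].append((f["ts"], f["dst"]))
    hits = {}
    for src, events in by_src.items():
        events.sort()
        peak = 0
        for i, (t0, _) in enumerate(events):
            # Distinct destinations reached within `window` of this event.
            seen = {dst for t, dst in events[i:] if t - t0 <= window}
            peak = max(peak, len(seen))
        if peak >= threshold:
            hits[src] = peak
    return hits


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for src, dst in external_smb_exposure(flows):
        print(f"external SMB exposure: {src} -> {dst}:445")
    for src, n in smb_fanout(flows).items():
        print(f"possible SMB worm spread: {src} reached {n} hosts on 445")
```

The first check is the cheap one: any SMB reaching an internal host from outside the organization's ranges is a configuration problem regardless of whether an exploit follows. The fan-out check is what distinguishes a worm from normal file-share use; a legitimate workstation rarely opens SMB sessions to a handful of new peers within seconds, so a low threshold over a short window is usually tolerable once backup servers and scanners are allow-listed.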
Attacks using software known as SamSam started appearing in late 2015, but really ramped up in the next few years, gaining some high-profile scalps, including the Colorado Department of Transportation, the City of Atlanta, and numerous health care facilities. What makes SamSam special is more organizational than technical: it's not software that indiscriminately looks for some specific vulnerability, but rather ransomware-as-a-service whose controllers carefully probe pre-selected targets for weaknesses, with the holes it has exploited running the gamut from vulnerabilities in IIS to FTP to RDP. Once inside the system, the attackers dutifully work to escalate privileges to ensure that when they do start encrypting files, the attack is particularly damaging.
Although the initial belief among security researchers was that SamSam had an Eastern European origin, the overwhelming majority of SamSam attacks targeted institutions within the United States. In late 2018, the United States Department of Justice indicted two Iranians who it claims were behind the attacks; the indictment said that those attacks had resulted in over US$30 million in losses. It's unclear how much of that figure represents actual ransom paid; at one point Atlanta city officials provided local media with screenshots of ransom messages that included information on how to communicate with the attackers, which led the attackers to shut that communications portal down, possibly preventing Atlanta from paying the ransom even if it wanted to.
Ryuk is another targeted ransomware variant that hit big in 2018 and 2019, with its victims being chosen specifically as organizations with little tolerance for downtime; they include daily newspapers and a North Carolina water utility struggling with the aftermath of Hurricane Florence. The Los Angeles Times wrote a fairly detailed account of what happened when their own systems were infected. One particularly devious feature in Ryuk is that it can disable the Windows System Restore option on infected computers, making it all the more difficult to retrieve encrypted data without paying a ransom. Ransom demands were particularly high, corresponding to the high-value victims that the attackers targeted; a holiday season wave of attacks showed that the attackers weren't afraid to ruin Christmas to achieve their goals.
Analysts believe that the Ryuk source code is largely derived from Hermes, which is a product of North Korea's Lazarus Group. However, that doesn't mean that the Ryuk attacks themselves were run from North Korea; McAfee believes that Ryuk was built on code purchased from a Russian-speaking supplier, in part because the ransomware will not execute on computers whose language is set to Russian, Belarusian, or Ukrainian. How this Russian source acquired the code from North Korea is unclear.
Honorable mention: CryptoLocker
Falling just outside our 5-year timeframe was CryptoLocker, which burst onto the scene in 2013 and really opened the age of ransomware on a grand scale. CryptoLocker spread via attachments to spam messages, and used RSA public key encryption to seal up user files, demanding cash in return for the decryption keys. Jonathan Penn, Director of Strategy at Avast, notes that at its height in late 2013 and early 2014, over 500,000 machines were infected by CryptoLocker.
CryptoLocker was somewhat primitive, and was ultimately defeated by Operation Tovar, a white-hat campaign that brought down the botnet that controlled CryptoLocker, in the process discovering the private keys CryptoLocker used to encrypt files. But as Penn put it, CryptoLocker had "opened the floodgates" to many other varieties of file-encryption ransomware, some of which were derived from CryptoLocker's code and some of which were given the CryptoLocker name or a close variant but were written from scratch. The variants overall harvested about US$3 million in ransom fees; one such variant was CryptoWall, which by 2015 accounted for more than half of all ransomware infections.
Despite these very real threats, ransomware has actually been in decline over 2018 and 2019. The drop was steep: ransomware affected about 48% of organizations in 2017, but only 4% in 2018. There are a couple of reasons for the drop. One is that ransomware attacks are increasingly tailored for specific targets and run by sophisticated controllers in real time, like SamSam and Ryuk. That 48% figure for 2017 may sound shockingly high, but many of the "affected" organizations are just companies that received generic phishing emails with ransomware payloads that are simple for IT security to detect and deflect. Targeted attacks affect fewer organizations but have a much higher success rate; the decline in infections has not been matched by a decline in revenue for attackers.
Then there's the fact that ransomware is a splashy sort of attack that requires its victims to actively take a number of steps to achieve a payoff. Victims need to figure out how bitcoin works (something you can't guarantee they'll know), then assess whether or not they're willing to pay a ransom rather than attempt some other kind of remediation — and even if it's more expensive to restore systems without paying, many will do so to avoid giving money to criminals.
And it turns out that, if an attacker's goal is to acquire bitcoin by infiltrating someone else's computer systems, there's a much easier way to go about it: cryptojacking. Cryptojackers follow the script that spammers and DDoS attackers have been using for years: surreptitiously gaining control of computers without their owners knowing. In the case of cryptojacking, the compromised machines become bitcoin mining rigs, quietly generating cryptocurrency in the background and eating up idle computing cycles while the victim is none the wiser. As ransomware attacks declined over the course of 2018, cryptojacking attacks shot up by 450%, and researchers believe those two stats are related.