1) The document traces the origins of ransomware back to 1989 with the creation of the AIDS Trojan which encrypted files and demanded payment. 2) It discusses early proof-of-concept ransomware in the 1990s and 2000s that used encryption and demanded small payments. 3) By the 2010s, ransomware like Cerber, Spora, and Locky were infecting victims worldwide and highlighting the global impact of ransomware attacks. Events like the NotPetya attack in 2017 caused widespread damage.

1. Ransomware as a Cyber Weapon
Alexander Adamov
CEO & Founder
@ NioGuard Security Lab

2. The beginning: AIDS Trojan
Date: 1989
Author: Dr. Joseph Popp
Payment: $189 to a post office box
in Panama
Delivery: 20,000 diskettes
dispatched to 90 countries as AIDS
education software

3. The beginning: AIDS Trojan
License agreement:
If you install [this] on a microcomputer...
then under terms of this license you agree to pay PC Cyborg Corporation in full for the cost of leasing
these programs...
In the case of your breach of this license agreement, PC Cyborg reserves the right to take legal
action necessary to recover any outstanding debts payable to PC Cyborg Corporation and to use
program mechanisms to ensure termination of your use...
These program mechanisms will adversely affect other program applications...
You are hereby advised of the most serious consequences of your failure to abide by the terms of
this license agreement; your conscience may haunt you for the rest of your life...
and your [PC] will stop functioning normally...
You are strictly prohibited from sharing [this product] with others…

4. Jim Bates - the author of AIDSOUT and
AIDSCLEAR tools
Source: https://www.virusbulletin.com/uploads/pdf/magazine/1990/199001.pdf
The beginning: AIDS Trojan
Virus Bulletin, January 1990

5. 1996
A. Young, M. Yung, Cryptovirology: Extortion-Based Security Threats and
Countermeasures. In: McHugh J, Dinolt G (eds) Symposium on Security &
Privacy. IEEE Computer Society Press, Washington DC, pages 129-141,
1996.
The beginning: Cryptolocker PoCs
Source: http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.121.3120&rep=rep1&type=pdf

6. 2005
A. Young, Building a Cryptovirus Using Microsoft’s Cryptographic API. In
Proceedings of the International Conference on Information Security,
2005, pp. 389–401. (Encryption: 3DES)
The beginning: Cryptolocker PoCs
Source: https://link.springer.com/chapter/10.1007/11556992_28

7. The beginning: Virus.Win32.Gpcode
Date: 2006
Encryption: RSA-660
Payment: $120 via SWIFT / IBAN
Source: https://www.knowbe4.com/gpcode

8. The beginning: Virus.Win32.Gpcode.ak
Date: June 2008
Encryption: AES-256 + RSA-1024
Payment: $120 E-gold, Liberty Reserve

9. Ransomware In-the-wild
● Cerber
● Spora
● Serpent
● Locky
● PsCrypt/Filecoder
Source: https://blogs.technet.microsoft.com/mmpc/2017/09/06/ransomware-1h-2017-review-global-outbreaks-reinforce-the-value-of-security-hygiene/

10. The global impact of ransomware
Source: https://blogs.technet.microsoft.com/mmpc/2017/09/06/ransomware-1h-2017-review-global-outbreaks-reinforce-the-value-of-security-hygiene/

11. The global impact of ransomware
Source: https://blogs.technet.microsoft.com/mmpc/2017/09/06/ransomware-1h-2017-review-global-outbreaks-reinforce-the-value-of-security-hygiene/

12. NotPetya Attack through M.E.Doc

13. XData ransomware

14. NotPetya attack through M.E.Doc

15. Victims’ comments
Source: https://ain.ua/2017/05/22/ukraincev-atakuet-novyj-virus-xdata

16. MEDoc’s reply
https://www.virustotal.com/intelligence/s
earch/?query=d462966166450416d6ad
dd3bfdf48590f8440dd80fc571a389023b
7c860ca3ac

17. NotPetya attack through M.E.Doc

18. WannaCry (.NET) ransomware
https://blockchain.info/addr
ess/13KBb1G7pkqcJcxpRH
g387roBj2NX7Ufyf

19. NotPetya attack through M.E.Doc

20. NotPetya wiper
https://blockchain.info/
address/1Mz7153HMu
xXTuR2R1t78mGSdza
AtNbBWX

21. Compare MEDoc updates

22. NotPetya launcher

23. Спасибо за внимание!
Alexander Adamov
ada@nioguard.com
Twitter: @Alex_Ad
facebook.com/alex.adamoff
Thank you for attention