2. History of Ransomware
Ransomware has evolved considerably in the 26 years since the appearance of
the AIDS Trojan, which was released into an unsuspecting world in 1989
through snail mail on 5¼” floppy disks.
The AIDS Trojan was ultimately unsuccessful due to a number of factors - few
people used personal computers, the web was just an idea, and the internet
was mostly used by experts. The availability/strength of encryption technology
was also somewhat limited at the time and international payments were harder
to process than they are today.
While the emergence of the AIDS Trojan established the ransomware threat,
this type of malware was not widely used in cybercrime until many years later.
The threat landscape was considerably different back in the nineties and early
noughties, an era when malware was used in pranks and vandalism to gain
notoriety.
Nowadays, malware is mostly being deployed for financial gain.
The evolution of ransomware, particularly crypto ransomware, accelerated in
recent years as more copycat criminal enterprises jumped into the arena to
build on others’ success.
3. Two main types of ransomware:
• Locker ransomware (computer locker): denies access to the computer or device.
• Crypto ransomware (data locker): prevents access to files or data. Crypto
ransomware doesn’t necessarily have to use encryption to stop users from
accessing their data, but the vast majority of it does.
Both types of ransomware are aimed squarely at our digital lifestyle. They are
designed to deny us access to something we want or need and offer to return
what is rightfully ours on payment of a ransom.
Despite having similar objectives, the approaches taken by each type of
ransomware are quite different.
4. Variations of Ransomware
Reveton (Early 2012)
Based on the Citadel trojan (which is based on the Zeus trojan), its payload
displays a warning purportedly from a law enforcement agency (a characteristic
referred to as the "police trojan" or "cop trojan"), claiming that the computer has
been used for illegal activities, such as downloading pirated software or child
pornography.
The warning informs the user that to unlock their system, they would have to
pay a fine using a voucher from an anonymous prepaid cash service such as
Ukash or Paysafecard.
To increase the illusion that the computer is being tracked by law enforcement,
the screen also displays the computer's IP address, while some versions
display footage from a victim's webcam to give the illusion that the user is being
recorded.
5. Variations of Ransomware
CryptoLocker (September 2013)
The trojan known as CryptoLocker generated a 2048-bit RSA key pair and
uploaded it to a command-and-control server; the key was then used to encrypt
files whose extensions matched a whitelist of specific file extensions.
The malware threatened to delete the private key if a payment of Bitcoin or a
pre-paid cash voucher was not made within 3 days of the infection. Due to the
extremely large key size it uses, analysts and those affected by the trojan
considered CryptoLocker extremely difficult to repair.
Even after the deadline passed, the private key could still be obtained using an
online tool, but the price would increase if not paid on time.
6. Variations of Ransomware
CryptoLocker.F (September 2014)
In September 2014, a wave of ransomware trojans surfaced that first targeted
users in Australia, under the names CryptoWall and CryptoLocker (which is, as
with CryptoLocker 2.0, unrelated to the original CryptoLocker).
The trojans spread via fraudulent e-mails claiming to be failed parcel delivery
notices from Australia Post; to evade detection by automatic e-mail scanners
that follow all links on a page to scan for malware, this variant was designed to
require users to visit a web page and enter a CAPTCHA code before the
payload is actually downloaded, preventing such automated processes from
being able to scan the payload.
Symantec determined that these new variants, which it identified as
CryptoLocker.F, were, again, unrelated to the original CryptoLocker due to
differences in their operation. A notable victim of the trojans was the Australian
Broadcasting Corporation; live programming on its television news channel
ABC News 24 was disrupted for half an hour and shifted to Melbourne studios
due to a CryptoWall infection on computers at its Sydney studio.
7. Variations of Ransomware
Cryptowall (September 2014)
Another major ransomware trojan targeting Windows, Cryptowall, first appeared
in 2014. One strain of Cryptowall was distributed as part of a malvertising
campaign on the Zedo ad network in late September 2014 that targeted several
major websites; the ads redirected to rogue websites that used browser plugin
exploits to download the payload.
It was also noted that the payload was signed with a digital signature in an
effort to appear trustworthy to security software.
Cryptowall 3.0 used a payload written in JavaScript as part of an email
attachment, which downloads executables disguised as JPG images. To further
evade detection, the malware creates new instances of explorer.exe and
svchost.exe to communicate with its servers.
When encrypting files, the malware also deletes volume shadow copies, and
installs spyware that steals passwords and Bitcoin wallets.
8. Variations of Ransomware
TorrentLocker (September 2014)
Another trojan in this wave, TorrentLocker, initially contained a design flaw
comparable to CryptoDefense; it used the same keystream for every infected
computer, making the encryption trivial to overcome. However, this flaw was
later fixed.
By November 2014, it was estimated that over 9,000 users had been infected
by TorrentLocker in Australia alone, trailing only Turkey with 11,700 infections.
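To show why reusing one keystream across every victim made the early TorrentLocker builds trivial to undo, here is an added example (not code from the original page, and not TorrentLocker's own algorithm): a constructed SHA-256 counter-mode keystream stands in for the cipher, and one clean copy of a file, XORed against its encrypted form, yields the keystream that recovers every other file up to that length.

```python
import hashlib

# Constructed seed standing in for the single key/nonce that the flawed build
# reused on every victim; it is not TorrentLocker's real key material.
FIXED_SEED = b"constructed-fixed-seed"

def keystream(seed: bytes, length: int) -> bytes:
    """Stand-in stream cipher: SHA-256 in counter mode over the seed.
    Any stream cipher fails the same way once its keystream is reused."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def flawed_encrypt(plaintext: bytes) -> bytes:
    """The design flaw: the same keystream for every file on every machine."""
    return xor_bytes(plaintext, keystream(FIXED_SEED, len(plaintext)))

def recover_keystream(known_plaintext: bytes, its_ciphertext: bytes) -> bytes:
    """C = P xor K, so K = P xor C: one file the victim still holds a clean
    copy of (backup, sent attachment) yields keystream for every other file."""
    return xor_bytes(known_plaintext, its_ciphertext)

def recover_file(ciphertext: bytes, recovered_ks: bytes) -> tuple:
    """Returns (recovered bytes, bytes still unknown). Only the prefix covered
    by the recovered keystream comes back, so longer files are partial."""
    usable = min(len(ciphertext), len(recovered_ks))
    recovered = xor_bytes(ciphertext[:usable], recovered_ks[:usable])
    return recovered, len(ciphertext) - usable

def demo() -> tuple:
    # Constructed victim data: a clean backup of one document and the
    # encrypted form of a second, unrelated document.
    backup_copy = b"Quarterly report (constructed sample) " * 4          # 152 bytes
    encrypted_backup = flawed_encrypt(backup_copy)
    encrypted_other = flawed_encrypt(b"Second document: account list" * 3)  # 87 bytes
    ks = recover_keystream(backup_copy, encrypted_backup)
    return recover_file(encrypted_other, ks)
```

Once the keystream was made per-victim (the fix the text mentions), a known plaintext from one machine tells you nothing about another.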
9. Variations of Ransomware
KeRanger (March 2016) (Mac)
KeRanger is the first malware and ransomware on the OS X operating system.
It encrypts the Mac user's files, then demands a sum of one Bitcoin to decrypt
them. It appeared in March 2016. The .DMG contains an executable that is
disguised as a Rich Text File.
The virus sleeps for three days, then starts to encrypt the files. It adds a text
document with instructions on how to decrypt the files.
It uses a 2048-bit RSA public key to encrypt the files. It is in fact a copy of
Linux.Encoder.1.
10. Variations of Ransomware
RSA4096 (2015)
RSA4096 is one of the latest iterations of ransomware to encrypt personal
computers and connected devices. It first appeared in 2015 and, like all such
malware, uses the two-key system of public and private keys. Like all other
ransomware, decryption requires purchasing the private keys using Bitcoins
bought through brokers on the dark web, with no guarantee that payment
results in obtaining those keys. There are variants of this virus, most of which
are unbreakable. Depending on the variant, it adds various extensions to your
files together with the ransom note. The only method to recover from such an
attack is to restore files from an external disk or to purchase Bitcoins. The cost
of Bitcoins has increased significantly over the years, which has increased the
value of the ransom. At the time of writing the ransom is about 300 thousand
pounds.
11. Variations of Ransomware
Locky (2016)
This one is spreading using an "Invoice" email with an attached Word
document whose macro contains this malware. It will encrypt other shares on
the network, not only mapped drives. Files will be encrypted and renamed to
*.locky; the timestamp of the encrypted file stays the same. It uses AES 128-bit
encryption with a 2048-bit RSA key. Locky will delete all shadow copies
(vssadmin.exe Delete Shadows /All /Quiet).
It creates the registry key HKEY_CURRENT_USER\Software\Locky.
An info file, _Locky_recover_instructions.txt, is placed, and the desktop
background is replaced with the same message.
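As an added example (not from the original page), the Locky behaviours listed above turned into detection logic over constructed endpoint log lines; the log format, dropper name and hex file names are assumed placeholders, not real telemetry.

```python
import re

# Constructed endpoint log lines (not real telemetry) mirroring the Locky
# behaviours above; the dropper name and hex file names are placeholders.
SAMPLE_LOG = r"""
2016-02-17 10:01:03 ProcessCreate Image=C:\Windows\System32\vssadmin.exe CommandLine="vssadmin.exe Delete Shadows /All /Quiet" Parent=C:\Users\bob\AppData\Local\Temp\DROPPER_PLACEHOLDER.exe
2016-02-17 10:01:05 FileRename Path=C:\Users\bob\Documents\report.docx Target=C:\Users\bob\Documents\0123456789ABCDEF.locky
2016-02-17 10:01:05 FileRename Path=C:\Users\bob\Documents\budget.xlsx Target=C:\Users\bob\Documents\0123456789ABCDF0.locky
2016-02-17 10:01:06 RegistryValueSet Key=HKEY_CURRENT_USER\Software\Locky\id
2016-02-17 10:01:07 FileCreate Path=C:\Users\bob\Documents\_Locky_recover_instructions.txt
2016-02-17 10:02:00 ProcessCreate Image=C:\Windows\System32\notepad.exe CommandLine="notepad.exe" Parent=C:\Windows\explorer.exe
"""

# One regex per indicator named on the slide. Shadow-copy deletion is the
# generic, most valuable rule: it fires before any file extension is known.
RULES = {
    "shadow_copy_deletion": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "locky_extension": re.compile(r"\.locky(?=\s|$)", re.I),
    "locky_registry_key": re.compile(r"HKEY_CURRENT_USER\\Software\\Locky", re.I),
    "locky_ransom_note": re.compile(r"_Locky_recover_instructions\.txt", re.I),
}

def scan(log_text: str, rename_threshold: int = 2):
    """Match each line against every rule; return per-rule hits and the
    alerts a SOC would raise. Renames alert only once they reach the
    threshold, so a single stray '.locky' name does not page anyone."""
    hits = {name: [] for name in RULES}
    for line in log_text.strip().splitlines():
        for name, rx in RULES.items():
            if rx.search(line):
                hits[name].append(line)
    alerts = []
    if hits["shadow_copy_deletion"]:
        alerts.append("high: shadow copies deleted via vssadmin")
    if len(hits["locky_extension"]) >= rename_threshold:
        alerts.append(f"high: {len(hits['locky_extension'])} files renamed to .locky")
    if hits["locky_registry_key"] or hits["locky_ransom_note"]:
        alerts.append("high: Locky registry key or ransom note observed")
    return hits, alerts
```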
12. Variations of Ransomware
Ransom32
Already this year, ransomware attacks have been rampant. There is now a new
form of what is now being called "ransomware as a service."
The program, called Ransom32, uses AES encryption with a 128-bit key to lock
up files and extort Bitcoins from unsuspecting users.
The timeline given is four days, at which point, if the payment isn't made, the
price of decryption will increase to 1 Bitcoin, or $350 according to the ransom
message. It was created using JavaScript, which marks a difference between
this and other ransomware. An underlying NW.js application is the driving force
behind the program. NW.js allows for much more control and interaction with
the underlying operating system, enabling JavaScript to do almost everything
'normal' programming languages like C++ or Delphi can do.
This ransomware is being peddled to would-be hackers as a complete package.
In other words, instead of having to develop their own malicious code, less
tech-savvy cyber criminals are able to purchase a program with which to inflict
these kinds of problems. The sellers of this service simply ask for a percentage
of the profits and for an upfront purchasing fee.
13. Ransomware predictions
Likely threats due to ransomware in the future:
• Attacks on automobile systems
• Infrastructure attacks
• Warehousing and sale of stolen data
• Hardware attacks
• Cloud services
• Integrity attacks
• Below-the-OS attacks
• Corporate cyberespionage
• Privacy challenges
The Internet Crime Complaint Center (IC3) has received nearly 7,700 public
complaints regarding ransomware since 2005, totaling $57.6 million in
damages. Those damages include ransoms paid (generally $200 to $10,000),
as well as costs incurred in dealing with the attack and the estimated value of
data lost. In 2015, victims paid over $24 million across nearly 2,500 cases
reported to the IC3.