Ransomware celebrates its 30th year

In May 2017, the WannaCry attack has touched nearly 300,000 computers across 150 countries and has been ranked the most widespread malware over the last two years, affecting several companies and manufacturers. The Shadow Brokers hacker group (TSB) has published recently the EternalBlue exploit used by this extortion and leveraging an SMB vulnerability to spread. The same exploit was used to carry out Petya cyberattack in June 2017. These two attacks introduced the “Ransomware” terminology which is by far the most prolific cyber threat nowadays. However, this type of malware appeared for the first time in 1989 when a Harvard scholar, in preparation to the "AIDS Information - Introductory Diskettes" conference, created a payload that warned the user that a certain license of a certain software will expire, by encrypting files on the hard disk, and asking the user to pay $ 189 to unlock the system. Then, it took 16 years for someone else to reuse the idea of ransomware - developing much more powerful encryption methods - when the earlier ransomware infections appeared in Russia in 2005.

 

What is a ransomware?

Ransomware falls into the category of malicious software designed specifically for financial gain. A ransomware works by disrupting normal computer operations, rendering it unusable. Those who initiated the attack then embed a ransom demand to the owners, asking for money against the system's restoration.
Most ransomware examples fall into two categories. Some ransomware lock users out of their systems, freezing the CPU, taking the hostage verification system, or other similar method. Other types of ransomware, usually called crypto-ransomware, encrypt storage drives and their contents, making files and folders impossible to open and programs inexecutable.

 

Ransomware evolution

2019 reflects the 30th year ransomware anniversary. Ransomwares have undergone several transformations from Archievus & GPCoder that infected windows system using 1024-bit RSA encryption, WinLock that requires to buy an activation key, Police ransomware that confiscates files, Cryptolockers that created 2028-bit RSA asymmetric schemes, the locky ransmoware targeting mainly healthcare, to  GrandCrab offering a ransomware as a service (RAAS).

Since 2013, the payments were done in Bitcoin. Nowadays, cybercriminals are moving increasingly towards the use of Monero, Dash and Verge.

New versions and techniques are used every day. Ransomware continues to evolve and attackers are leveraging advanced mechanisms to evade anti-ransomware protection such as applying a Doppelgänging process, that attempts to make the malicious process legitimate; opening the executable code before compilation; checking procedures to make sure it is not monitored in a controlled environment; stopping processes and services to ensure access to important files; cleaning event logs to block post-incident analysis…

The cost of a ransomware

Ransomware damages reached billions of dollars. Ransomware targeting mobile phones have amplified by more than 250% since early 2017. Moreover, the number of anti-ransomware protection software protections has increased by 62% in the last two years.

This category of malware is very harmful because, like the flu virus, it is constantly mutating. The increase of ransomware, their attacks and ransoms are at least as dramatic as the unconsciousness of businesses and users!

Criminal groups carefully select their victims before organizing a campaign of harpooning. To inform the public about the dangers of ransomware and help victims who want to recover their data, the “No more ransom” project was created to develop the partnership between the public sector and private sector. The cooperation between the two is essential to be able to fight effectively against this scourge. Victims are encouraged to report the attacks: Each target holds an element of essential evidence that helps to better understand the phenomenon.

Regardless of how it evolves, this menace will become more prevalent over the years. Watch for the emails you open, the sites you visit, and always stay up to date, or you could be a victim yourself!