A Brief History Of Ransomware
A top ten chronicle of more than a decade of notable ransomware variants and trends.
April 21, 2016
The rise of ransomware extortion as a reliable weapon for cybercriminals to make the most of victims' system vulnerabilities has now spanned the better part of a decade. But the last year has seen hockey-stick growth as attackers perfected their methods and targeted victims. At this point ransomware has established itself as a $60 million-a-year criminal enterprise, with that number sure to rise as the income is funneled into improving the next ransomware generation.
"Businesses often believe that paying the ransom is the most cost effective way of getting their data back - and this may also be the reality," writes William Largent, threat researcher with Cisco Talos. "The problem we face is that every single business that pays to recover their files, is directly funding the development of the next generation of ransomware. As a result of this we're seeing ransomware evolve at an alarming rate."
In order to understand where ransomware is going, it is important to understand its roots. In this slide show, we take a look at some of the notable variants that have cropped up over the years. Special thanks to Largent and researchers at Cisco Talos who accumulated and condensed much of the info included here. You can check out their take on Ransomware: Past, Present and Future here.
While modern crypto ransomware variants didn't really come to the forefront until about 2005, the AIDS Trojan actually kick-started the category decades earlier. Spread via floppy disk, the Trojan piggybacked on programs that "measured a person's risk of contracting AIDS based on their responses to an interactive survey," writes Alina Simone in a really interesting article about the virus in Unhackable. When the user rebooted, the Trojan encrypted victims' files and asked for a "licensing fee" of $189 to be mailed to a Panamanian PO box.
Some of the first instances of ransomware appeared in the wild starting in about 2005 with the emergence of variants like Krotten, Archiveus and GPCoder. GPCoder stood out from the crowd through its use of strong encryption: it used 1024-bit RSA encryption when locking up files, which made recovery through brute force impractical.
The emergence and evolution of Vundo in 2009 illustrated how malware makers who had been leaning on scareware tactics to convince users to load rogue security software eventually figured out that ransomware extortion was more profitable. Vundo started as scareware and eventually became ransomware that targeted personal file types like .pdf, .doc and .jpg files, then, in conjunction with a program called FileFix Pro, would decrypt them for a fee.
Some of the early gains ransomware attackers made in bilking money from victims stemmed from the fear of embarrassment or imprisonment. Around 2012 we saw the rise of police-themed ransomware, which often targeted visitors to pornography sites and threatened victims with police action over bogus copyright or child pornography claims. These variants played out most notably through Reveton, but also through Kovter, which has actually reemerged this year as a more traditional ransomware variant. Based on Zeus and Citadel, Reveton threatened action from the FBI and other law enforcement agencies and asked users to pay a 'fine' to authorities using cash cards or bitcoins in order to get their files back.
Best estimates from researchers with Symantec pegged the burgeoning black market for ransomware extortion as netting crooks at least $5 million per year by the end of 2012. That estimate could have been low: some sources claimed bad guys were netting $44,000 per day from just a single country targeted by Reveton.
One of the most successful variants in the short history of modern crypto ransomware, CryptoLocker first rose to prominence in around late 2013. Primarily distributed by the Gameover Zeus botnet, in the months of its heyday it's said that its creators made off with about $3 million in $300 increments from its victims. In May 2014 its infrastructure was debilitated by the Gameover takedown, but by then CryptoWall and a host of other clones had picked up where the original CryptoLocker left off.
First spotted in November 2013 as a CryptoLocker clone, by March of 2014 CryptoWall had come into being in its own right. At that time, CryptoWall 1.0 utilized proper RSA public/private key pairs, and by October of that year it had tweaked its C2 communications to reach its C2 server directly over Tor. This highly successful variant just keeps getting more advanced over time.
In just about three years, the ransomware market grew nearly exponentially. According to best-guess figures from Cisco Talos, ransomware distributed through the Angler exploit kit alone was garnering criminals $60 million annually.
Heading into the early part of this year, ransomware started becoming more aggressive in its proliferation methods and targets, as evidenced by Locky, which in February was reportedly infecting 100,000 new machines per day. Locky not only targeted large numbers of file extensions on infected systems but also encrypted data on unmapped network shares connected to those systems. Also notable about Locky was its shift in the ransomware business model: it worked on an affiliate system that gave its creators a percentage of the profits reaped by criminals who purchased the malware from them.
Last month saw another first for ransomware as KeRanger became the first fully functional Mac ransomware found in the wild. KeRanger not only attempts to encrypt standard files, but also Time Machine backups, which are Mac users' standard means of creating file redundancy.