The History of Ransomware: Where it Started and Where It’s Going…

by Ladan Nikravan Hayes

Ransomware is one of the largest threats you can face today, both on your home PC and at work. From humble beginnings, it has become an immense global business that nets millions, sometimes billions, for its creators.

Ransomware, a name derived from the two words ransom and software, is malicious software designed to extort money from a victim, either by holding specific files hostage or by locking the entire computer until a ransom is paid.

Hackers realize that victims are willing to pay to regain access to their files, especially ones that hold important personal content such as photos, documents or security keys. They also know that once the ransomware has been developed, the operation remains low maintenance. Because this crime does not involve credit card fraud, which typically requires mules or cloners, collecting the money is much easier. Whether extorting $300 per user from a small business or $30 million from a multinational enterprise, the level of effort is often similar.

Over the years, two distinct varieties of ransomware have remained consistent: crypto-based and locker-based. Crypto-ransomware variants actually encrypt files and folders, hard drives, etc., whereas locker-ransomware only locks users out of their devices; the locker type is most often seen in Android-based ransomware.

New-age ransomware combines advanced distribution efforts, such as pre-built infrastructure used to easily and widely distribute new strains, with advanced development techniques, such as using crypters to make reverse engineering extremely difficult.

What’s important to note is that ransomware isn’t new. In fact, it’s nearly 30 years old. Below is a look at how this threat started, with highlights of how it has evolved over time.

1989: The First of its Kind

1989: The first ransomware virus predates email, even the Internet as we know it, and was distributed on floppy disk by the postal service. It was named the 1989 AIDS Trojan, also known as PC Cyborg. Harvard-trained evolutionary biologist Joseph L. Popp sent 20,000 infected diskettes labeled “AIDS Information – Introductory Diskettes” to attendees of the World Health Organization’s international AIDS conference.

After 90 reboots, however, the Trojan hid directories and encrypted the names of the files on the victim’s computer. To regain access, the user would have to send $189 to PC Cyborg Corp. at a post office box in Panama. Popp was eventually caught, and it didn’t take long for decryption tools to recover the file names, but this effort set in motion almost three decades of ransomware attacks.

2005-2006: The Return

2005: Fake spyware-removal programs emerged. These programs claimed to fix critical issues and wanted you to buy a license for around 50 U.S. dollars on average. In actuality, they fixed next to nothing and merely exaggerated the errors they uncovered.

2005: In September 2005, Susan Schaibly wrote an article, “Files for Ransom,” for NetworkWorld magazine which contained the first known use of the term “ransomware.”

2006: Almost two decades after the first ransomware was distributed, another strain was released. Unlike its predecessor, this new strain was much more difficult to remove and used RSA encryption for the first time in ransomware history. The Archiveus Trojan encrypted everything in the “My Documents” directory on a system and required users to make purchases from specific websites to obtain the password to decrypt the files.

2008-2009: Fake Antivirus Applications

2008: Two years after GPcode ransomware was created, GPcode.AK was unleashed and began spreading from PC to PC. On each computer it infected, GPcode.AK would lock or encrypt the victim’s files and require the user to pay a ransom or fee for a code that would unlock them. The difference between the first GPcode and GPcode.AK was the use of a 1024-bit RSA key to lock or encrypt the victim’s files, making this newer version more of a nuisance and harder to crack.

2008: Bitcoin was introduced in 2008, followed by the release of its open-source software in January 2009. These developments led to an incredible spike in ransomware attacks that have continued to increase ever since.

2009: In 2009, a lot of fake antivirus programs compromised computer systems. They looked and acted almost the same as their legitimate counterparts, but could demand up to 100 U.S. dollars for “fixing” problems on your PC. To justify the higher price, these applications offered fake technical support for years on end.

2011-2012: Locker Ransomware

2011: A new type of ransomware emerged in 2011. Rather than encrypting files, Trojan.Winlock displayed a fake Windows Product Activation notice that could only be removed if the victim entered an activation key. To acquire this key, the user was required to call an international premium-rate number.

These early strains of ransomware had one thing in common: they were easily defeated due to the weak encryption and unsophisticated infection methods used. However, cybercriminals would learn from these early failures.

2012: A major ransomware Trojan known as Reveton began to spread throughout Europe. Based on the Citadel Trojan, this piece of ransomware claimed that the computer under attack had been used for illegal activities and that, to unlock the system, the user would be required to pay a fine using a voucher from an anonymous prepaid cash service. In some strains, the screen displayed footage from the computer’s webcam to give the illusion that the “criminal” was being recorded. Shortly after this incident, there was a flurry of “police-based” ransomware, including Urausy.

Researchers discovered new variants of Reveton in the U.S., claiming to require the payment of a $200 fine to the FBI using a MoneyPak card.

2013 and Beyond: The Emergence of Bitcoin

2013: 2013 saw the birth of Cryptolocker, a crypto-ransomware spread via email. Cryptolocker demanded that the victim pay $400 in Bitcoin within 72 hours. This ransomware infected half a million computers, and 1.3 percent of the victims paid the ransom. The attackers netted an estimated $27 million from their victims.

An international collaborative effort called Operation Tovar was formed to crack down on Cryptolocker and another ransomware program, the Gameover Zeus botnet. As a result, Russian hacker Evgeniy Mikhailovich Bogachev was caught and charged as an administrator of both Cryptolocker and Gameover Zeus.

2014: CryptoDefense is released. It uses Tor and Bitcoin for anonymity and 2048-bit encryption. However, because it uses Windows’ built-in encryption APIs, the private key is stored in plain text on the infected computer. Despite this flaw, the hackers still managed to extort at least $34,000 in the first month, according to Symantec.

2015: An aggressive Android ransomware strain started to spread across America in September. Security researchers at ESET discovered the first real example of malware capable of resetting a phone’s PIN to permanently lock you out of your own device. Dubbed LockerPin, the ransomware changes the infected device’s lock-screen PIN code and leaves victims with a locked mobile screen. LockerPin then demanded $500 to unlock the device.

2016: The first official Mac OS X-based ransomware, KeRanger, was discovered in 2016, delivered via the Transmission BitTorrent client for OS X. The ransomware was signed with a Mac development certificate, allowing it to bypass Apple’s Gatekeeper security software.

2016: The Jigsaw ransomware became the first of its kind in which the ransom note featured the popular Jigsaw character from the SAW movie series. It also threatened to delete a file every 60 minutes if the $150 ransom was not paid. Additionally, if a victim attempted to stop the process or restart their machine, it deleted 1,000 files.

See a detailed account of the dozens of attacks since 2013 here.

2017: Massive Ransomware Attack

On May 12, 2017, organizations around the world were affected by a massive ransomware attack. WannaCry infected more than 200,000 networks in 150 countries. The attackers exploited a Windows XP vulnerability used by the NSA for espionage and surveillance.

What’s Next?

The threat of ransomware continues to evolve, with a new spin on extortionware, called doxware, that’s designed to target and potentially expose sensitive data of ransomware victims. The term "doxware" is a combination of doxing — posting hacked personal information online — and ransomware. Attackers notify victims that their sensitive, confidential or personal files will be released online. If contact lists are also stolen, the perpetrators may threaten to release information to the lists or send them links to the online content.

Doxware and ransomware share some similarities. Both encrypt the victim’s files, both include a demand for payment, and both attacks are highly automated. However, in a ransomware attack, files do not have to be removed from the target; encrypting them is sufficient. A doxware attack is meaningless unless the files are uploaded to the attacker’s system. Uploading all of the victim’s files is unwieldy, so doxware attacks tend to be more focused, prioritizing files that include trigger words such as confidential, privileged communication, sensitive or private.

Want to better protect yourself, your family or your business? Check out these best practices for better information security.