
Evolution of Ransomware: From AIDS Trojans to Triple Extortion

Today, the number of ransomware attacks is increasing day by day, and attackers are demanding multi-million-dollar ransoms by encrypting and locking victims' sensitive data. But how can this process be stopped?

These days we hear a lot of news about new ransomware attacks. Initially, the requested fee was limited to a few hundred dollars, but today it has reached millions of dollars. How did we get to the point where our data and services are held for ransom and millions of dollars are paid for just one attack? Can we hope that this process will end one day?

The first ransomware

One of the achievements of Dr. Joseph L. Popp, a biologist, was the use of computer software to demand ransom. In December 1989, Popp used the mail to distribute nearly 20,000 floppy disks labeled “Preliminary Disk Information” to hundreds of medical research institutes in 90 countries.

Each disk contained an interactive questionnaire that assessed the risk of contracting AIDS based on the answers given. Alongside this questionnaire was ransomware called the AIDS Trojan. After the computer had been rebooted a number of times, the ransomware encrypted the user's files.

Printers connected to infected computers printed instructions for sending a bank transfer, cashier's check, or international money order for $189 to a post office box in Panama. Popp planned to send another two million disks, but he was arrested at the World Health Organization's AIDS seminar on his way back to the United States. Despite all the evidence against Dr. Popp, he was never convicted.

Fortunately, Dr. Popp's code used symmetric cryptography, so the computer specialists of the time were able to build the decryption tools needed to thwart the ransomware. There were no significant ransomware attacks between 1991 and 2004, but some saw this silence as the calm before the storm.

Technological advancement and evolution of ransomware

In the early 2000s, cybercriminals had access to three major advantages that Dr. Popp lacked:

1. An ultra-fast and efficient transmission system connecting millions of computers worldwide (the World Wide Web).

2. Access to robust asymmetric cryptography tools, whose output was practically impossible to decrypt without the attacker's private key.

3. A payment platform that provides speed, anonymity, and the ability to automate decryption once payment is received (such as Bitcoin).

The following is a summary of key events in ransomware history:
  • 2006: Archiveus uses RSA-1024 to encrypt files, making it impossible to decrypt them without the key. Victims had to buy a set of products from an online pharmacy to get the password.
  • 2008: With the invention of Bitcoin, blackmailers could create a unique payment address for each victim. As a result, Bitcoin became their payment method of choice.
  • 2011: Bitcoin grows, and the number of ransomware attacks increases exponentially: 30,000 transactions were reported in the first and second quarters of 2011, and that figure doubled by the end of the third quarter.
  • 2012: Reveton combined the scare tactics of the Vundo virus with new methods of pressuring victims into paying. After encrypting files, the Reveton worm impersonated the police and warned the victim that they had committed a crime by downloading or using illegal software.
  • Then came Citadel, a toolkit for developing and distributing malware and managing botnets, which eventually expanded into ransomware through pay-per-install programs: cybercriminals could pay a hefty fee to have their ransomware installed on already-infected computers.
  • 2013-2015: A combination of RSA-2048 public-key encryption and command-and-control (C&C) servers on the Tor network, with the Gameover Zeus botnet used for distribution, made CryptoLocker one of the most aggressive ransomware families.
  • The Svpeng mobile trojan, originally designed to steal payment card information, evolved into ransomware in 2014. Victims were locked out of their mobile phones and accused of accessing child pornography.
  • In May 2015, ransomware-as-a-service (RaaS) launched. The service operators took 20% of the Bitcoin ransom payments.
  • 2016: Ransom32, written entirely in JavaScript, HTML, and CSS, was one of the first “write once, infect all” ransomware families, able to infect Windows, Linux, and macOS devices.
  • Locky was distributed through phishing campaigns using infected Microsoft Word attachments. At its peak, it infected nearly 100,000 devices a day.
  • KeRanger was the first ransomware to target Mac files and Mac recovery systems; it disabled the system restore feature that would have allowed victims to return to an unencrypted state.
  • 2017: WannaCry and Petya return ransomware to the spotlight. WannaCry is a cryptoworm: semi-automated, it spreads by itself through vulnerabilities in target systems.
  • WannaCry infected more than 250,000 devices worldwide in early 2017, making it the most notable ransomware attack in history, with financial losses of nearly $4 billion worldwide.
  • NotPetya (a variant of the original Petya of 2016) is another cryptoworm that exploited WannaCry-like vulnerabilities even though security updates were available. Both ransomware families highlight the dangers of unsupported systems and the need to install security updates.
  • 2018: Ransomcloud showed that email accounts such as Office 365 are also vulnerable to ransomware. Fortunately, this was demonstrated by a white-hat hacker (an ethical hacker who only exposes security bugs).
  • Bitcoin anonymity is no longer guaranteed, which is why cybercriminals have moved to other cryptocurrencies. Newer families such as Annabelle and AVCrypt, and a new version of SamSam, include advanced features to evade detection and disrupt post-attack response.
  • 2019: Ransomware operators launch two-stage attacks, combining data-exfiltration malware with ransomware. Ransomware like MegaCortex was designed for enterprise networks and used domain controllers for distribution.

Recently, security researchers have observed attackers using virtual machines to hide ransomware encryption activity on host files and folders, so that antivirus programs cannot detect it.

Evolution of ransomware methods

Today, ransomware attackers have become more aggressive thanks to advances in technology and are using creative methods to improve their success rate. Cybercriminals have focused on critical infrastructure and larger organizations. In 2016, for example, several hospitals were targeted by ransomware, including Hollywood Medical Center, Ottawa Hospital, Kentucky Methodist Hospital, and several others.

Some hospitals were lucky and had recovery and backup policies in place, but unfortunately others had to pay a ransom to restore their medical services.

In March 2018, many of Atlanta's online services went offline after a ransomware attack. The $55,000 bitcoin ransom was not paid, but recovery costs reached $2.6 million. In May 2021, the DarkSide ransomware disabled critical infrastructure responsible for delivering 45 percent of a week's gasoline consumption in 13 US states.

Colonial Pipeline was the victim of that attack and paid $4.4 million to recover its systems. Such large-scale payments continue, and they push attackers toward ever more creative ways of using ransomware.

Ransomware attacks on hospitals can cost lives.

There is another method called Encrypt and Exfiltrate. In this method, attackers identify network vulnerabilities and use them to extract data. In addition to encrypting the victim's files, attackers steal sensitive data and publish it if they do not receive a ransom. Therefore, even if the organization can recover from the encryption using backups, it cannot prevent its stolen data from being leaked.

Vastaamo, a Finnish psychiatric clinic with about 40,000 patients, was the victim of one of the newest methods, called triple extortion. In this type of attack, medical files are encrypted and a large ransom is demanded for the password, but the attackers also steal patients' data.

Vastaamo's patients received separate emails shortly after the initial attack, each demanding a small ransom. The clinic eventually filed for bankruptcy as a result of the data leak and the financial losses.

The future of ransomware

According to Cybersecurity Ventures, ransomware attacks have increased 57 percent since the beginning of 2021 and caused $20 million in damage in 2020 alone, 75 percent more than in 2019.

Ransomware attackers are meticulous in selecting victims, targeting organizations in sectors such as health care, utilities, insurance, and law that provide essential services and are more likely to pay the ransom.

Nearly 40 percent of new ransomware attacks involve data breaches using double and triple extortion methods. In addition, REvil (a RaaS group) offers distributed denial of service (DDoS) attacks and fraudulent VoIP calls as free services to its affiliates (the attackers who actually break into systems) to pressure victims into paying quickly.

But why have ransomware attacks increased so suddenly? The reason is the high profitability of these attacks. Even if only a small percentage of attacks succeed, they still deliver a high return on investment.

Consider, for example, the profits from the biggest ransomware attacks:

  • CWT Global: $4.5 million in damages
  • Colonial Pipeline: $4.4 million in damages
  • Brenntag North American Division: $4.4 million in damages
  • Travelex: $2.3 million in damages
  • University of California, San Francisco: $1.14 million in damages

These attacks are only a small fraction of successful ransomware campaigns. Unfortunately, large-scale payments encourage attackers to find new ways to infect systems and spread their malware.

Another factor must be considered: the growing scale of attacks. In 2017, fifty-five traffic cameras in Victoria, Australia, were infected by WannaCry as a result of human error. The impact of this attack was minimal, but it was evidence of new targets for cybercriminals.

Because security updates are rolled out slowly and the number of vulnerable Internet of Things (IoT) devices worldwide keeps growing, the likelihood of ransomware attacks is increasing.

Experts also fear that ransomware will appear in cloud services, targeting infrastructure as a service (IaaS) and platform as a service (PaaS).

The younger generation is also influenced by series like Mr. Robot and has access to more resources, including Hack The Box, than previous generations. Newcomers to ransomware are looking to learn and test their skills.

The ransomware underground is growing and complex, with all the hallmarks of a legitimate business: consider, for example, its community of skilled malware developers, RaaS providers and their affiliates, IT customer support teams, and even operators who handle communication with victims.

If you hand your personal data to service providers and rely on technology for all your tasks and routines, you have given ransomware attackers something to hold hostage and steal.

As a result, we can expect an increase in the number and aggressiveness of ransomware attacks, and in the number of ransom payments demanded: in particular, a first payment for decrypting the data and a second payment for not disclosing it.

Light in the dark encryption tunnel

The Colonial Pipeline hack highlights the vulnerability of modern society. The attack led to anxiety and concern in the affected cities, raising public fears about fuel purchases, fuel shortages, and rising gasoline prices.

Ransomware costs are not limited to ransom payments. Damage to and destruction of data, system downtime, reduced post-attack productivity, the costs of subsequent investigations, system recovery, improved system security, and staff training are all hidden and unplanned post-attack costs.

Law enforcement agencies are also concerned about cyber-attacks on hospitals and their potentially deadly consequences. The negative impact of ransomware on human life and society can no longer be denied or ignored.

The Ransomware Task Force (RTF) was formed at the end of 2020; the coalition includes more than 60 members from industry, government, the legal sector, and national bodies seeking a solution to stop ransomware attacks.

In 2021, the RTF published a report entitled “Fight Against Ransomware: A Comprehensive Practical Framework”, outlining 48 high-priority recommendations for tackling the ransomware problem.

Although no arrests were reported, the FBI recovered 63.6 bitcoins ($2.3 million) of the ransom paid in the Colonial Pipeline attack.

The FBI and other law enforcement agencies worldwide were able to disrupt the infrastructure that the NetWalker ransomware used to communicate with victims. Earlier this year, Emotet, an essential tool for delivering ransomware to victims through phishing, was taken down.

These successes are a drop in the ocean compared to the number of ransomware attacks in recent years, but awareness is growing worldwide, and organizations, public and private, are stressing the need for active work to neutralize the ransomware threat.