A History of the Ransomware Threat: Past, Present and Future
The massive WannaCry malware attack in May 2017 grabbed headlines the world over and brought a new phrase into common public use – Ransomware.
In cybersecurity and tech circles, however, ransomware has long been talked about for all too long already. In fact, over the past decade, ransomware has arguably been the most prolific and pervasive cyber threat out there. According to US government figures, ransomware attacks since 2005 have outnumbered online data breaches.
Perhaps the fact that ransomware attacks have not traditionally been global in scale helped to keep it under the radar of general public awareness. WannaCry changed all of that. Affecting more than 300,000 computers worldwide, WannaCry made the headlines for bringing down some major institutions, including the UK’s National Health Service (NHS).
If WannaCry was the kind of large-scale cyberattack capable of making the world sit up and take notice, the indications are that it could mark the shape of things to come. As the worms used to spread ransomware become ever more sophisticated and the methods used to distribute them more efficient, the likelihood of bigger and bigger attacks grows.
In this article, we will take a look at the history of ransomware, tracking its development until it emerged from the shadows as one of the biggest cybersecurity threats of the 21st Century. We will chart the major incidents, the various methods used, the major innovations leading to the recent spate of global attacks, before taking a look at what we might expect in the future.
What is Ransomware?
First of all, some definitions. Ransomware falls into a class of malware designed specifically for financial gain. But unlike the viruses used in hacking attacks, ransomware is not designed to gain access to a computer or IT system in order to steal data from it. Nor does it seek to con victims out of money, as seen with various fake antivirus 'scareware' and phishing scams.
Unfortunately for the victims, the effects of ransomware are only too real.
Ransomware works by disrupting the operation of a computer system, rendering it unusable. The perpetrators then send a ransom note to the owners, demanding money in return for reversing the changes.
Most examples of ransomware fall into one of two categories. Some ransomware viruses will lock a user out of their device, by freezing the CPU, taking over the user verification system, or a similar method. Other types of ransomware, usually referred to as crypto-ransomware, will instead encrypt the storage drives and their contents, making it impossible to open folders and files or run programs.
In most cases, once a piece of ransomware is executed on a system, it will also trigger the sending of the ransom message. This might pop up on the screen of a locked out system, or in the case of a crypto-attack, might even be emailed or IM’d to the victim.
The first widely recognized ransomware incident actually predates the emergence of the online threat we recognize today by almost two decades. In 1989, a Harvard academic named Joseph L Popp was attending a World Health Organization conference on AIDS. In preparation for the conference, he created 20,000 discs to send to delegates, which he titled “AIDS Information - Introductory Diskettes.”
What unsuspecting delegates did not realize was that the floppy discs actually contained a computer virus which, after the other contents of the disc were run, remained hidden on the victim’s computer for some time. After 90 reboots, the virus kickstarted into life, promptly encrypting files and hiding directories. A message was displayed, informing the user that their system would be returned to normal after they had sent $189 to a PO Box in Panama.
Dr. Popp’s ingenuity was ahead of its time, and it would be another 16 years before anyone took up the baton of his ransomware idea and made a run with it in the internet age. Popp himself was arrested but never faced trial due to poor mental health.
2005: Year Zero
By the time the next examples of ransomware appeared, Dr. Joseph L Popp had been long forgotten and the world of computing had been transformed by the internet. For all its merits, the internet had made the distribution of all types of malware much easier for cybercriminals, and the intervening years had also allowed programmers to develop much more powerful encryption methods than those used by Dr. Popp.
One of the first examples of ransomware distributed online was the GPCoder Trojan. First identified in 2005, GPCoder infected Windows systems and targeted files with a variety of extensions. Once found, the files were copied in encrypted form and the originals deleted from the system. The new encrypted files were unreadable, and the use of strong RSA-1024 encryption made sure that attempts to unlock them were extremely unlikely to succeed. A message was displayed on the users’ home screen, directing them to a.txt file posted on their desk top, which contained details of how to pay the ransom and unlock the affected files.
The same year GPCoder was identified, another Trojan using secure 1024-bit RSA encryption also appeared on the scene. Rather than targeting certain executable files and files extensions, Archievus simply encrypted everything in the victim’s My Documents folder. In theory, this meant the victim could still use the computer and any files stored in other folders. But as most people store a lot of their most important files, including working documents, in the My Documents folder by default, the effect was still debilitating.
To clear up Archievus, victims were directed to a website where they had to purchase a 30-digit password – not much chance of guessing that one.
2009 - 2012: Cashing In
It took a while for these early forms of online ransomware to gain traction in the cybercrime underworld. The returns from Trojans like GPCoder and Archievus were relatively low, mainly because they were easily detected and removed by anti-viral software, meaning their shelf life for making money was short.
By and large, the cyber gangs of the day preferred to stick to hacking, phishing, and tricking people with fake anti-viral scams.
The first signs of change started to appear in 2009. That year, a known ‘scareware’ virus called Vundo switched tactics and began to function as ransomware. Previously, Vundo had infected computer systems and then triggered its own security alert, guiding users to a fake fix. However, in 2009, analysts noticed that Vundo had started to encrypt files on victims’ computers, selling a genuine antidote to unlock them.
This was a first indication that hackers were starting to feel there was money to be made from ransomware. Aided by the proliferation of anonymous online payment platforms, it was also becoming easier to receive ransoms on a mass scale. Plus, of course, the sophistication of the ransomware itself was growing.
By 2011, the trickle had become a torrent. In the first quarter of that year, there were 60,000 new ransomware attacks detected. By the first quarter of 2012, that had soared to 200,000. By the end of 2012, Symantec researchers estimated that the ransomware black market was worth $5 million.
In 2011, a new form of ransomware emerged. The WinLock Trojan is considered to be the first widespread example of what became known as ‘Locker’ ransomware. Rather than encrypt files on a victim’s device, a locker simply makes it impossible to log into the device full stop.
The WinLock Trojan started a trend for ransomware which imitated genuine products, echoing the old scareware tactic. Infecting Windows systems, it copied the Windows Product Activation system, locking users out until they bought an activation key. To add a touch of bare-faced cheek to attack, the message displayed on the fake Activation screen actually told victims their Windows account had to be re-activated because of fraud, before guiding them to call an international number to resolve the issue. The phone number masqueraded as toll free, but actually racked up a large bill which presumably went into the pockets of the criminals behind the malware.
Reveton and ‘Police’ Ransomware
A variation on the theme of imitating software products to trick victims into paying fake subscriptions was the emergence of so-called ‘police’ ransomware. In these attacks, the malware would target infected systems with messages claiming to be from law enforcement agencies and state authorities, stating evidence had been found that the device had been used for illegal activities. The device would be locked as ‘confiscation’ until some sort of bribe or fine was paid.
These examples were often distributed via pornography sites, file sharing services, and any other web platform which could be used for potentially illicit purposes. The idea was no doubt to scare or shame victims into paying the bribe before they had a chance to think rationally about whether the threat of prosecution was genuine or not.
To make the attacks seem more authentic and threatening, police ransomware would often be customized according to the victim’s location, display their IP address, or in some cases a live feed from their own webcam, implying they were being watched and recorded.
One of the most famous examples of police ransomware was known as Reveton. Spread initially through Europe, Reveton strains became widespread enough to start appearing in the US, where victims were told they were under surveillance by the FBI and ordered to pay a $200 ‘fine’ to have their device unlocked. Payment was taken through pre-paid electronic token services like MoneyPak and Ukash. This tactic was picked up by other police ransomware such as Urausy and Kovter.
2013 - 2015: Back to Encryption
In the second half of 2013, a new variant of crypto-ransomware emerged which drew a new line in the sand in the cybersecurity struggle. CryptoLocker changed the game for ransomware in a number of ways. For one, it didn’t bother with the chicanery and con-artist tactics of scareware or police ransomware. CryptoLocker’s programmers were very direct about what they were doing, sending a blunt message to victims that all of their files had been encrypted and would be deleted if a ransom wasn’t paid within three days.
Second, CryptoLocker demonstrated that the powers of encryption cyber criminals could now employ were considerably stronger than those available when the first crypto-ware emerged nearly a decade earlier. Using C2 servers on the hidden Tor network, CryptoLocker’s programmers were able to generate 2048-bit RSA public and private key encryptions to infect files with specified extensions. This acted as a double bind – anyone looking for the public key as a base to work out how to decrypt the files would struggle as they were hidden on the Tor network, while the private key held by the programmers was extremely strong in its own right.
Thirdly, CryptoLocker broke new ground in how it was distributed. Infection initially spread via the Gameover Zeus botnet, a network of infected ‘zombie’ computers used specifically to spread malware through the internet. CryptoLocker, therefore, marked the first example of ransomware being spread via infected websites. However, CryptoLocker was also spread via spear phishing, specifically email attachments sent to businesses which were made to look like a customer complaint.
All of these features have become dominant characteristics of ransomware attacks since, influenced by how successful CryptoLocker was. Charging $300 a time to decrypt infected systems, it is thought its developers made as much as $3 million.
Onions and Bitcoins
CryptoLocker was largely put out of action in 2014 when the Gameover Zeus botnet was taken down, but by then there were plenty of imitators ready to take up the baton. CryptoWall was the most significant, operating the same RSA public-private key encryption generated behind the screen of the Tor network, and distributed via phishing scams.
The Onion Router, more commonly known as Tor, began to play a bigger and bigger role in the development and distribution of ransomware. Named after the way it routes internet traffic around a complex global network of servers, said to be arranged like the layers of an onion, Tor is an anonymity project set up help people keep what they do online private. Unfortunately, this has attracted cyber criminals eager to keep their activities hidden away from the eyes of law enforcement, hence the role Tor has come to play in the history of ransomware.
CryptoWall also confirmed the growing role Bitcoin was playing in ransomware attacks. By 2014, the crypto-currency was the payment method of choice. Prepaid electronic credits were anonymous but difficult to cash out without laundering, whereas Bitcoin could be used online like a normal currency to trade and transact directly.
By 2015, CryptoWall alone was estimated to have generated $325 million.
Another major step in the ransomware story was the development of versions targeting mobile devices. These were exclusively aimed at Android devices at first, making use of the open source Android code.
The first examples appeared in 2014 and copied the police-ware format. Sypeng, which infected devices via a counterfeit Adobe Flash update message, locked the screen and flashed up a fake FBI message demanding $200. Koler was a similar virus which is notable for being one of the first examples of a ransomware worm, a self-replicated piece of malware which creates its own distribution paths. Koler would automatically send a message to everyone in an infected device’s contact list, with a download link to the worm.
Despite its name, SimplLocker was an early type of crypto-ransomware for mobiles, with the majority of others taking the form of lock-out attacks. Another innovation which arrived with Android ransomware was the emergence of DIY toolkits which would-be cyber criminals could buy on line and configure themselves. One early example was a kit based on the Pletor Trojan which was sold for $5000 online.
2016: The Threat Evolves
2016 was to be a seminal year for ransomware. New modes of delivery, new platforms, and new types of malware all added up to a seriously evolving threat which set the stage for the massive global attacks to follow.
Unlike many examples of ransomware which have their day in the sun and are then neutralized by one fix or another, the threat from CryptoWall never went away. Evolving through four distinct releases, CryptoWall pioneered techniques imitated by other ransomware, such as using replicated registry key entries so the malware loads with every reboot. This is clever because malware doesn’t always execute immediately, waiting until it can connect to the remote server containing the encryption key. Automatic loading on reboot maximizes the chances of this happening.
With its aggressive phishing-based distribution, Locky set a precedent followed by the likes of WannaCry for the sheer speed and scale of its distribution. At its peak, it was reported to infect up to 100,000 new systems a day, using the franchise system first used by Android toolkits to incentivize more and more criminals to join in its distribution. It also foreshadowed the WannaCry attack by targeting health-care providers, as its originators caught onto the fact that essential public services were quick to pay ransoms to get their systems up and running again.
2016 also saw the arrival of the first ransomware script to affect Mac systems. KeRanger was particularly nasty because it managed to encrypt Time Machine back-ups as well as ordinary Mac files, overcoming the usual ability on Macs to roll back to earlier versions whenever a problem occurs.
Known threat vulnerabilities
So-called “exploit kits” are malware delivery protocols which target known vulnerabilities in popular software systems to implant viruses. The Angler kit is an example of one which was known to be used for ransomware attacks as early as 2015 at least. Things stepped up in 2016, with a number of high profile ransomware viruses targeting vulnerabilities in Adobe Flash and Microsoft Silverlight – one of which was CryptoWall 4.0.
Following on from the innovation of the Koler virus, cryptoworms became part of the ransomware mainstream in 2016. One example was the ZCryptor worm first reported by Microsoft. Spread initially through spam phishing attacks, the ZCryptor was able to spread automatically through networked devices by self-replicating and self-executing.
2017: The Year Ransomware Broke
Given the rapid advances in the sophistication and scale of ransomware attacks in 2016, many cybersecurity analysts believed it was only a matter of time before a truly global incident took place on a scale with the biggest hacking attacks and data breaches. WannaCry confirmed those fears, creating headlines around the world. But WannaCry is far from the only ransomware threatening computer users this year.
On 12 May 2017, the ransomware worm which would become known the world over as WannaCry struck its first victims in Spain. Within hours, it had spread to hundreds of computers in dozens of countries. Days later, that total had stretched to more than a quarter of a million, making WannaCry the biggest ransomware attack in history and ensuring the whole world sat up and paid attention to the threat.
WannaCry is short for WannaCrypt, referencing the fact that WannaCry is crypto-ware. More specifically, it is a cryptoworm, able to replicate and spread automatically.
What made WannaCry so effective, and so shocking to the general public, was how it was spread. There were no phishing scams, no downloads from compromised botnet sites. Instead, WannaCry marked a new phase in ransomware targeting known vulnerabilities on computers. It was programmed to trawl the net for computers operating on older versions of Windows Server – which had a known security flaw – and infect them. Once it had infected one computer in a network, it quickly searched out others with the same flaw and infected them too.
This was how WannaCry spread so quickly, and why it was particularly potent in attacking the systems of large organizations, including banks, transport authorities, universities and public health services, like the UK’s NHS. This was also why it grabbed so many headlines.
But what shocked many people was the fact that the vulnerability WannaCry exploited in Windows had actually been identified by the US National Security Agency (NSA) years ago. But instead of warning the world about it, the NSA kept quiet and developed its own exploit to use the weakness as a cyber weapon. In effect, WannaCry was built on a system developed by a state security agency.
Hot on the heels of WannaCry, another transcontinental ransomware attack brought down thousands of computers in all four corners of the world. Known as Petya, what was most remarkable about this attack was that it used the exact same Windows vulnerability used by WannaCry, showing just how potent the NSA’s planned cyber weapon could have been. It also showed, despite a patch being made widely available in the wake of the WannaCry attack, how difficult it is to get users to keep on top of security updates.
In a sign of just how fluid the threat from ransomware is, one of the latest large-scale attacks to hit the headlines harks back to the days of scareware and blackmail tactics, but with an updated twist. Targeting Android devices, LeakerLocker threatened to share the entire contents of a mobile user’s device with everyone in their contact list. So if you had something embarrassing or compromising stored on your phone, you better pay up, or all your friends, colleagues and relatives could soon be seeing what you had to hide.
What does the future hold for ransomware?
Given the exponential growth in revenue cyber criminals have been able to make from ransomware, it is a fair assumption that we will be hearing a lot more about it in the future. The success of WannaCry in combining self-replicating worm technology with the targeting of known system vulnerabilities has probably set the precedent for the nature of most attacks in the short term. But it would be naive to think that ransomware developers are not already thinking ahead and developing new ways to infect, spread, and monetize their malware.
So what can we expect?
One big concern is the potential for ransomware to start targeting digital devices other than computers and smartphones. As the Internet of Things takes off, more and more general equipment we use in everyday life is being digitized and connected to the internet. This creates a massive new market for cyber criminals, who may choose to use ransomware to lock car owners out of their vehicles or set the central heating thermostat in homes to freezing unless they pay a ransom. In this way, the ability of ransomware to directly affect our daily lives will only increase.
Another possibility is that ransomware will switch in focus away from individual devices and their users. Instead of targeting the files held on one computer, ransomware could feasibly aim to use SQL injections to encrypt databases held on a network server. The results would be catastrophic – the whole infrastructure of a global enterprise could be corrupted in one move, or entire internet services brought down, affecting hundreds of thousands of users.
However it evolves, we should prepare for ransomware to be a major cyber threat for years to come. So watch the e-mails you open, the websites you visit, and keep on top of your security updates, or you might wanna cry along with all the other ransomware victims before you.
Can a VPN Prevent Ransomware Attacks?
While using a VPN cannot safeguard you from malware attacks, it does boost the security level of your system, making it more secure. There are many advantages of a VPN.
- When you use a VPN, your IP address is hidden and you can access the web anonymously. This makes it harder for malware creators to target your computer. Typically, they look for more vulnerable users.
- When you share or access data online using a VPN, that data is encrypted, and it remains largely out of reach for malware makers.
- Reliable VPN services also blacklist dubious URLs.
Owing to these factors, using a VPN keeps you more secure from malware, including Ransomware. There are a lot of VPN services to choose from. Make sure the VPN provider you sign up with is reputable and has the necessary expertise in the field of online security.
If you're looking for a VPN, check out our most recommended VPNs from trusted users.
Your data is exposed to the websites you visit!
Your IP Address:
Your Internet Provider:
The information above can be used to track you, target you for ads, and monitor what you do online.
VPNs can help you hide this information from websites so that you are protected at all times. We recommend ExpressVPN — the #1 VPN out of over 350 providers we've tested. It has military-grade encryption and privacy features that will ensure your digital security, plus — it's currently offering 49% off.