History of ransomware
The first ransomware, known as PC Cyborg or AIDS, was created in the late 1980s. PC Cyborg would encrypt all files in the C: directory after 90 reboots, and then demand the user renew their license by sending $189 by mail to PC Cyborg Corp. The encryption used was simple enough to reverse, so it posed little threat to those who were computer savvy.
With few variants popping up over the next 10 years, a true ransomware threat would not arrive on the scene until 2004, when GpCode used weak RSA encryption to hold personal files for ransom.
In 2007, WinLock heralded the rise of a new type of ransomware that, instead of encrypting files, locked people out of their desktops. WinLock took over the victim screen and displayed pornographic images. Then, it demanded payment via a paid SMS to remove them.
With the development of the ransom family Reveton in 2012 came a new form of ransomware: law enforcement ransomware. Victims would be locked out of their desktop and shown an official-looking page that included credentials for law enforcement agencies such as the FBI and Interpol. The ransomware would claim that the user had committed a crime, such as computer hacking, downloading illegal files, or even being involved with child pornography. Most of the law enforcement ransomware families required a fine be paid ranging from $100 to $3,000 with a pre-paid card such as UKash or PaySafeCard.
Average users did not know what to make of this and believed they were truly under investigation from law enforcement. This social engineering tactic, now referred to as implied guilt, makes the user question their own innocence and, rather than being called out on an activity they aren’t proud of, pay the ransom to make it all go away.
In 2013 CryptoLocker re-introduced the world to encrypting ransomware—only this time it was far more dangerous. CryptoLocker used military grade encryption and stored the key required to unlock files on a remote server. This meant that it was virtually impossible for users to get their data back without paying the ransom. This type of encrypting ransomware is still in use today, as it’s proven to be an incredibly effective tool for cybercriminals to make money. Large scale outbreaks of ransomware, such as WannaCry in May 2017 and Petya in June 2017, used encrypting ransomware to ensnare users and businesses across the globe.
In late 2018, Ryuk burst onto the ransomware scene with a slew of attacks on American news publications as well as North Carolina's Onslow Water and Sewer Authority. In an interesting twist, targeted systems were first infected with Emotet or TrickBot, two information stealing Trojans now being used to deliver other forms of malware like Ryuk, for instance. Director of Malwarebytes Labs, Adam Kujawa speculates that Emotet and TrickBot are being used to find high-value targets. Once a system is infected and flagged as a good target for ransomware, Emotet/TrickBot re-infects the system with Ryuk.
In recent news, the criminals behind the Sodinokibi ransomware (an alleged offshoot of GandCrab) have started to use managed service providers (MSP) to spread infections. In August of 2019, hundreds of dental offices around the country found they could no longer access their patient records. Attackers used a compromised MSP, in this case a medical records software company, to directly infect upwards of 400 dental offices using the record keeping software.