The Evolution of Ransomware

3

Ransomware has been dominating the news for several weeks, and is likely to stay in the news for most of the year. Ransomware is a distinct type of cyber attack, in that it extorts payment from the victim in exchange for allowing access to something that was encrypted in the attack. The most prevalent type of malware used in this kind of crime is ‘crypto-ransomware’, which normally encrypts the files on the compromised system, and then demands a ransom in return for the ability to decrypt and recover the files. The latest iteration of crypto-ransomware is called Locky, and is the most advanced version of ransomware we have seen in the wild.

Ransomware isn’t new; the first piece of ransomware was distributed via 5 1/4 floppy drives through snail mail back in 1989 (pdf). It wasn’t very successful, but criminals obviously recognized the potential of generating revenue through extortion. Modern ransomware was first discovered in the wild in May of 2005, as a “low risk” Trojan horse named Trojan.Gpcoder. This Trojan would encode files and create an “ATTENTION.txt” file that contained the following message:

Some files are coded.

To buy decoder mail: [user]@yahoo.com

with subject: PGPcoder 000000000032

Early ransomware disguised itself as spyware removal or PC cleanup applications. These did not rely on encryption, but they damaged the PC and offered to fix the damage upon payment for the application. After a couple of years, these scams gave way to attacks using fake antivirus applications. These fake AV applications were similar to earlier ransomware attempts, but also attempted to trick users into paying for multiple years of support.

Encryption-based ransomware first came into prominence in 2011, in the form of malware that prevented access to the computer system. As defenses and recovery methods improved, ransomware evolved into the crypto ransomware that is so prominent now. There are three variants that currently dominate the crypto ransomware landscape:

There are several reasons why ransomware attacks have been spreading so quickly over the last few years:

The growth in ransomware attacks is expected to continue throughout the year, and expand to other platforms such as Macs, smartphones, and IoT endpoints. Even the most successful iterations of ransomware will evolve to stay ahead of defenses. Users should deploy multiple layers of protection to secure their networks.

  • Advanced Threat Detection: suspicious or unknown files are executed in a sandbox environment prior to being forwarded to the user.
  • Email protection: stop Email messages that carry ransomware and other attacks before they get to the inbox.
  • Web filtering: prevent drive-by downloads and “phone home” activity with a web security gateway or other secure web filtering solution.
  • Endpoint scanning: scan every file before use at the endpoint. This detects malware and prevents the file from opening.
  • Security policies: disable Office macros and other potential means of attack.
  • Data backups: keep good backups of all data, and have a disaster recovery plan in place to recover from ransomware.

Cybercriminals do not seem to care who they target with ransomware attack, as long as the victim is willing to pay. All sizes of organizations have been targeted, with the health care sector taking an especially heavy hit recently. Several hospitals have confirmed ransomware attacks since the beginning of the year, including Hollywood Presbyterian Medical Center, Lukas Hospital, and Klinikum Arnsberg, and the Ottawa Hospital. Additionally, three more US-based hospitals have confirmed ransomware attacks as well.

Share.

About Author

Christine Barry is the Chief Blogger and Social Content Manager for Barracuda Networks. Connect with her on LinkedIn at https://www.linkedin.com/in/clbarry/