We studied the history of ransomware viruses and found out what path they have traveled over many years.

In May 2017, almost all the world’s leading news agencies wrote about the WannaCry ransomware virus attack. It was then that ransomware viruses became world-famous.

Of course, among cybersecurity and IT professionals, ransomware viruses have been known for a long time. In the last ten years, it was ransomware viruses that have been the most common cyber threat. According to US government reports, the number of ransomware attacks exceeded the number of cases where attackers took advantage of data leakage.

Perhaps ordinary users still have not heard about ransomware viruses. It may be because their attacks have never taken on a global scale. After WannaCry, everything changed. More than 300 thousand computers worldwide were affected by this virus. WannaCry was in all the headlines because the main state bodies and institutions of several countries suffered from it. For example, the British Ministry of Health.

WannaCry was a global cyberattack that forced the world to pay attention to threats of this type. There is every reason to believe that the situation could happen in the future, more than once. Computer worms, through which ransomware viruses spread, are becoming more and more complex and effective. The likelihood of more and more large-scale attacks is increasing.

In this article, we will take a closer look at the history of ransomware viruses and trace their development to one of the largest cyber threats of the 21st century. 

We will recall the main attacks of ransomware viruses, look at the methods of spreading viruses and find out what innovations have made possible a sharp increase in the number of such cyber attacks. Also, we will try to make a cautious forecast for the future.

What is a ransomware virus?

Let’s start with the terminology. Ransomware viruses are malicious software designed specifically for profit. Unlike viruses that are used to hack data, ransomware viruses are not created to steal data from the victim’s computer. Such viruses do not even have the task of sucking out all the money from the victim (unlike, for example, phishing attacks and fake antiviruses).

But this, of course, does not mean that ransomware viruses are harmless. The harm from them is felt in a very, very sensitive way.

Ransomware viruses disrupt the normal operation of the computer’s operating system, making it impossible to use the device. Then the creators of the virus send a ransom request to their victims, promising in return to roll back all the changes made to the OS.

Most of the ransomware viruses can be divided into two groups. Some viruses block the user device at the processor level, interfering with the operation of the user verification system (or in a similar way). Other viruses, also known as “ransomware,” simply encrypt the contents of all hard drives, and then users can neither launch programs, nor even open folders and view files.

Typically, when a ransomware virus is launched on a device, it also shows the user a ransom request. A message can be displayed on the screen of a locked device or, more commonly, for encryptor attacks, can be sent to the victim’s email.

Background

AIDS Trojan

The very first ransomware virus incident, widely known, occurred a long time ago. It was in 1989: a Harvard scientist named Joseph L. Popp attended an AIDS conference organized by the World Health Organization. In preparation for his speech, he recorded 20 thousand floppy disks called “AIDS Information – Introductory Diskettes”, which he sent to other participants in the conference.

But no one expected a computer virus to lurk on floppy disks. The virus did not make itself felt for a certain time even after all the other files from the diskette were viewed by the victim. Only after 90 downloads (turning on or restarting the computer) did the virus begin to act and began to encrypt files and hide folders. At the same time, a message was displayed on the computer screen demanding a ransom of $ 189, which had to be sent somewhere to the PO box in Panama.

The genius of Dr Popp was ahead of his time: the ransomware viruses returned to the topic only 16 years later, already with the advent of the Internet era. Popp, of course, was arrested, but charges were never brought against him – he was recognized insane.

2005: year zero

By the time new ransomware viruses appeared, everyone had long forgotten about Dr. Joseph L. Popp and the Internet had completely transformed the computer world. It was the Internet that greatly simplified the task of spreading computer viruses to criminals. In the future, data encryption methods have been continuously improved and improved. Dr Popp’s methods quickly became obsolete – methods, but not their essence.

Gppoder

One of the first ransomware viruses spreading over the network was the GPCoder Trojan virus. It was first discovered in 2005. GPCoder infected computers running Windows and encrypted a variety of files. The principle of the virus was as follows: finding the appropriate files, he made a copy, encrypted it and deleted the original. New versions of the files could not be read, and the use of a reliable RSA-1024 encryption system meant that attempts to crack the encryption were doomed to failure. Of course, on the computer screen flaunted a message from criminals, which suggested opening a text file located on the desktop. In that file, it’s not hard to guess, there were instructions on how to pay the ransom and decrypt the files after that.

Archives

In the same year, when the world learned about GPCoder, another Trojan virus appeared using 1024-bit RSA encryption. Unlike GPCoder, aimed at files of certain formats and extensions, Archievus simply encrypted the My Documents folder on the victim’s computer. In theory, this meant that the user could continue to work and use files from any other folders. In practice, it turned out that most people store important documents in this folder, so the harm from Archievus was more than noticeable.

To get rid of Archives, users had to go to the site and buy a 30-digit password there. You understand that there was practically no chance to guess such a password …

2009 – 2012: money on the table!

In the world of cybercrime, they did not immediately discern the full potential of ransomware viruses. And this is not surprising: the income from trojans like GPCoder and Archives was relatively low since such viruses could be easily and quickly detected using any antivirus. In other words, the criminals were far from always making money.

In general, to this day, cybercriminals prefer data hacking, phishing attacks and scam attacks with fake antiviruses.

But in 2009, the situation began to change. That year, the fake Vundo antivirus started working as a ransomware virus. Previously, after infecting the victim’s computer, he simply announced to the user that his device was teeming with viruses, and offered to “take action”. But in 2009, analysts noticed that Vundo began encrypting files on victims’ computers and selling them a decryption key.

This was the first call:

hackers finally figured out how to make money on ransomware viruses. Also, by this time, anonymous online payment services had become widespread, which greatly simplified the task of obtaining a ransom. Again, ransomware viruses were getting harder and harder.

By 2011, the number of ransomware attacks increased in the most significant way: in the first quarter of this year alone, 60 thousand new ransomware viruses were detected. A year later, by the end of the first quarter of 2012, there were 200 thousand such attacks. As Symantec experts predicted, by the end of 2012, the black market of ransomware viruses would be $ 5 million.

Trojan Winlock

In 2011, another ransomware virus called WinLock Trojan appeared. It is believed that this is the first widespread ransomware virus belonging to the sub-type of “blockers”. Such viruses do not encrypt files on the victim’s computer. But simply do not allow the user to access them, for example, by blocking the computer’s boot.

It was WinLock Trojan that gave rise to countless ransomware viruses. They mimic useful and necessary programs (the tactics are old but true). By infecting a Windows computer, the virus copied the Windows Product Activation activation system and blocked the computer. The creators of the virus offered the victims to buy an activation key to regain access to their blocked devices. The highlight of this cake was the ransom demand message itself. A fake Windows activation screen was displayed. Where users were informed about the need to re-activate the account due to some fraudulent actions. Also in this message, it was proposed to call the “free” number, by which you could get all the support. Needless to say, the toll-free number turned out to be very, very paid? Supposed

Reveton and other viruses in the form

Fantasy hackers did not stop at ransomware viruses that mimicked useful programs to force users to buy fake subscriptions. Soon, viruses appeared, hiding behind the words “Police,” “FSB,” and so on. The virus informed users that their devices were allegedly blocked by law enforcement agencies for illegal activities. Since it seemed that illegal content was found on these devices themselves. It was further proposed to pay a “fine” to unlock the computer.

Such viruses could often be caught on porn sites, file-hosting sites and any other platform that could be used for potentially illegal actions. Ransomware viruses tried to intimidate or play on the victim’s shame and force a person to pay a ransom. It was important to formalize everything convincingly enough so that people would never begin to think about how real the threat of criminal punishment could be.

To do this, viruses in the form often displayed information about the victim’s location, his IP address, and in some cases also broadcasted from the user’s webcam (say, we follow you and record everything).

One of the most striking examples of this type of ransomware virus is Reveton.

 Initially, it infected computers in Europe, but after some time Reveton appeared in the United States. The virus informed users that they were under the supervision of FBI agents. And now they should pay a “fine” of $ 200 to regain access to their devices. It was proposed to pay the fine through services such as MoneyPak and Ukash. This moment was borrowed from other similar viruses, namely Urausy and Kovter.

2013 – 2015: encryption returns

In the second half of 2013, the world saw a new type of ransomware viruses that encrypted data on victims’ computers. The CryptoLocker virus has become an almost new quality standard. For example, the creators of the virus did not go around the bush, pretending to intimidate the user. They directly, honestly and openly informed the victims that all of their files were encrypted. And that it will be deleted in three days … unless the victim pays the ransom.

Also, it was CryptoLocker that made it clear that encryption algorithms have become much more advanced. Using C2-type servers hidden on the Tor network, CryptoLocker developers could generate public and private keys of 2048-bit encryption standard RSA to infect files of certain formats. It was a double-edged sword. those who were looking for a public key to decrypt files with it had to look for it on the Tor network (finding a needle in a haystack would be easier and faster); and the private key that the hackers had was extremely intrinsically safe.

Also, CryptoLocker revolutionized the spread of viruses. 

Now the infection went through the Gameover Zeus botnet, a network of infected computers that worked on one single task: to spread the virus across the network. CryptoLocker, respectively, was the first ransomware to spread through infected sites. However, traditional methods of infection were also used, especially emails with fake attachments: CryptoLocker sent organizations letters with attachments that looked like a client complaint.

All these features are now the basic characteristics of the ransomware virus, so getting an idea of ​​the success of CryptoLocker is easy. The virus demanded $ 300 for returning access to the infected system. It is believed that he brought his creators about three million US dollars.

Onion networks and bitcoins

They managed to get rid of CryptoLocker in 2014 when the Gameover Zeus botnet was finally disconnected from the network. However, the holy place does not happen empty: almost immediately the CryptoWall virus took it. It worked on the same principle using public and private RSA encryption keys generated on the Tor network and spread through phishing attacks.

The Tor network has begun to play an increasingly prominent role in the creation and spread of ransomware viruses. Tor is also known as the onion network. The global network of servers through which traffic is redirected is somewhat similar to the onion layers. Tor is an anonymous network that allows its users to remain in the shadows. This could not fail to attract to Tor various criminals who wanted to hide their affairs from law enforcement agencies. In other words, everything was almost predetermined …

Also, using the example of CryptoWall, you can trace how bitcoin begins to play an increasingly important role for ransomware viruses. By 2014, most often they began to demand a ransom in bitcoins. Prepaid electronic bank cards were inconvenient in that it was difficult to withdraw money from them (it was necessary to launder them), while bitcoin was deprived of this drawback.

By 2015, it is believed that CryptoWall alone brought its creators $ 325 million in profit.

Android under attack

Another milestone in the history of ransomware viruses was the emergence of mobile versions of viruses. At first, such viruses infected only devices running Android OS, as it is an open-source system.

The first viruses of this kind appeared in 2014, and these were viruses in shape. The Typing virus-infected devices, prompting users to update Adobe Flash, and then blocked the screen and displayed a message of greeting from the FBI and a ransom demand of $ 200. You can also recall Keller, a similar virus, one of the first examples of self-replicating ransomware worms. Keller automatically sent a message to the entire victim’s contact list with a link that couldn’t download anything except Kohler himself.

Contrary to its name, SimplLocker was one of the first types of mobile device encryption viruses. Most mobile viruses of that time simply blocked the devices of their victims. Another innovation that appeared almost simultaneously with the spread of ransomware viruses for the Android OS was the emergence of a kind of do-it-yourself virus pattern. Criminals could acquire such a pattern on the network and configure it to fit their needs. One example of such a pattern is the Pletor Trojan virus, which sold for $ 5,000.

2016: a new threat

For ransomware viruses, 2016 was largely a landmark year. New ways of spreading viruses, new platforms, new types of viruses – all this has made the danger of infection even more acute, topical, relevant. Moreover, it was in 2016 that they were founded for global viral attacks.

Cryptowall

Unlike many ransomware viruses that have been neutralized in one way or another, the CryptoWall virus is still a threat to everyone. This virus had 4 releases. It was CryptoWall who first applied the methods that later became used by other ransomware viruses. For example, using copies of system registry keys to download the virus after each reboot. This, by the way, is a very competent solution. Viruses do not start immediately, first, they need to connect to a remote server with an encryption key. Automatic virus download after a device reboot, respectively, increases the likelihood of a successful connection.

Locky

Locky virus spread very aggressively through phishing attacks and soon became the first in terms of speed and reach. We can say that Locky set a precedent, became the initiator of the case, picked up by WannaCry and other similar viruses. It is alleged that at the peak of activity, Locky infected 100 thousand devices per day with a kind of franchise that encouraged criminals to participate in the spread of the virus. Also, Locky used to start attacking hospitals and other health care facilities before WannaCry: its creators calculated that such organizations pay ransom much more often to return their devices to working condition as soon as possible.

Transition to multi-platform

In 2016, the first ransomware viruses for Mac saw the light. So, the KeRanger virus was especially remembered: it infected not only ordinary files of the operating system but also its backup copies, which made getting rid of the virus a real headache.

Soon after KeRanger, the first ransomware viruses appeared that could infect several operating systems at once. Written in JavaScript, the Ransom32 virus was able (in theory) to infect devices running Windows, Mac, and Linux.

Known Vulnerabilities

The so-called “exploit kit” is malware distribution protocols that attack user devices through known vulnerabilities in their software. Here you can recall the Angler exploit kit, which was used to conduct ransomware viruses back in 2015. But in 2016, such kits began to be used much more often, and now complex and advanced ransomware viruses infected their victims’ computers through vulnerabilities in Adobe Flash and Microsoft Silverlight. One of these viruses, by the way, was CryptoWall 4.0.

Cryptoworm

Cryptographic worms, which Kohler gave rise to, became in 2016 an integral part of the ransomware virus world. Here you can recall the ZCryptor worm, which was first found by Microsoft employees. The virus spread through phishing attacks with spam emails and could automatically infect computers connected to the same local network due to self-copying and the ability to start independently.

2017: the golden year of ransomware viruses

In 2016, ransomware virus attacks became more and more complex and widespread, and very quickly. Many cybersecurity experts were convinced that a truly global attack, comparable to the largest hacks and data theft, would not take long. WannaCry acknowledged all these concerns and made headlines around the world. However, WannaCry was far from the only ransomware virus that threatened the world in 2017.

Wannacry

On May 12, 2017, the ransomware worm, which will become known to the world as WannaCry, infected the first computers in Spain. Within a few hours, the virus spread to hundreds of computers located in dozens of countries. A few days later, the number of infected devices exceeded 250 thousand, which made WannaCry the most widespread ransomware virus attack in world history. After this, the world could not help but pay attention to the new threat.

WannaCry is short for WannaCrypt, and it follows that WannaCry is an encryption virus. More precisely, it is a cryptographic worm that can create its copies and automatically spread to other devices.

The effectiveness of WannaCry was based on the distribution method. 

There was no phishing, no offers to download the necessary file from a suspicious network, nothing. With the advent of WannaCry, a new era has begun for the exploitation of known software vulnerabilities by ransomware viruses. The creators of WannaCry taught the virus to search for and infect computers running outdated versions of Windows Server that had a known security vulnerability. Having infected one computer on the local network, WannaCry began to search for other devices with the same vulnerability and infect them.

That is why WannaCry spread so quickly, which is why large organizations (banks, transport companies, universities and health authorities), for example, the British Ministry of Health, suffered from its attack. It was through this approach that WannaCry managed to secure a place in the news headlines around the world.

However, the most shocking in the whole story was the fact that the Windows vulnerability that WannaCry used was discovered by the US National Security Agency many years ago. But instead of informing her promptly, the NSA has developed its system using this vulnerability. The NSA created a cyber weapon, and the creators of WannaCry just modified it a little.

Petya

No sooner had the world recovered after WannaCry than another global ransomware virus attack hit thousands of computers on all continents. This virus was called Petya, and the most remarkable fact associated with it is that it used the same Windows vulnerability as WannaCry. A pretty clear demonstration of the effectiveness of a potential NSA cyberweapon, isn’t it? Also, Petya demonstrated that it is very difficult for many users to follow the news of the world of cybersecurity. Because immediately after WannaCry, this vulnerability was closed with a patch, which, however, still needed to be downloaded and installed.

Leakerlocker

Speaking about all the variety of dangers posed by ransomware viruses, one cannot but recall the LeakerLocker virus. It also hit the headlines of major news publications. LeakerLocker was closer in spirit to the old blackmail viruses. This virus infected Android devices. It threatened to send all the contents of a user’s mobile phone to the entire contact list. The calculation is simple. If there is something private or incriminating on your phone, then you would rather pay than let all your friends see it.

What is the future of ransomware viruses?

Given just the cosmic profit that hackers were able to extract from ransomware viruses. It would be naive not to assume that in the future we will face such attacks more and more. The success of WannaCry, based on a combination of a self-replicating worm and the use of known software vulnerabilities, means that shortly we will have to face many more similar attacks. But do not think that virus developers do not think about a more distant future and do not create new, more ingenious and dangerous methods to make money.

What to expect?

We fear that ransomware viruses will soon start blocking digital devices other than computers and smartphones. The Internet of things is increasingly entering our lives, more and more devices around us are connected to the network. This creates huge opportunities for cybercriminals: for example, you can block a car or a heating system in a house. And what? If someone does not want to freeze, then he will pay the ransom. In other words, the influence of ransomware viruses on our daily lives will only become more noticeable.

We also fear that one day the attention of ransomware viruses will shift from individual users and their devices to something more global. Why try to infect files on one computer when you can infect a database on a server using SQL injection ?! The consequences of such attacks will be catastrophic because this will allow the one-touch operation to disrupt the global infrastructure of enterprises and Internet services, which will affect hundreds of thousands of users.

Ransomware viruses should be considered one of the main cyber threats of the near future, and this is a fact. So do not open all emails in a row, keep track of which sites you go to, install the latest security updates. Otherwise, you can replenish the number of victims of the virus.

Will a VPN help against ransomware viruses?

Using a VPN does not protect you from viruses, but in general, it will make your device more secure. VPN technology has many advantages.

  • When you use the VPN service, your real IP address is hidden, and you can surf the Internet anonymously. As a result, it becomes more difficult for hackers to track your computer. Usually, hackers do not bother and attack the most insecure users.
  • When you exchange or access data on the network using a VPN service, all your data is encrypted and out of the reach of the malware creators.
  • Reliable VPN services will simply not let you visit suspicious sites.

In other words, using a VPN server will to some extent protect you from malware, including ransomware viruses. There are currently many VPN services. When choosing a service for yourself, pay attention to the reputation and measures to ensure the online security of users.

If you are looking for a VPN service, check out our list of recommended VPNs compiled by trusted users.