Cloud 101CircleEventsBlog
Register for CSA's AI Summit at RSAC on May 6!

The Web’s Greediest Villain: Ransomware

The Web’s Greediest Villain: Ransomware

Blog Article Published: 10/07/2015

By Aimee Simpson, Integrated Marketing Manager, Code42

President Obama designated October as National Cyber Security Awareness Month (NCSAM). This U.S. observance is meant to engage, educate and raise awareness of the importance of cybersecurity to our nation. This month, Code42 is celebrating with a series of blog posts, giveaways and juicy content all about protecting your users and network from the growing threats that haunt our digital lives. This post covers one of the darkest, greediest threats out there: ransomware.

Over the last few decades, hundreds of thousands of computer users have had the great misfortune of having messages like these pop up on their screens (see Example A).

Becoming infected with a ransomware program—be it CryptoLocker, CryptoWall, CTB-Locker, TorrentLocker, or one of their many variants—can feel like the digital equivalent of getting mugged. The software encrypts targeted files on the infected computer and holds them hostage until a payment is made when a decryption key is delivered. Demands for payment range from $100-$500, depending on the victim. This past year, several U.S. city police departments admitted to paying ransoms around $500 each for retrieving files that were stolen from them.

With criminal groups all over the world reaping exponential rewards, ransomware is now big business. By tracking bitcoin transactions, a computer science grad student reported that on January 15, 2013, a single address associated with ransomware received over $1 million in bitcoin. For criminals in the ransomware game, the average ROI is 1,425%.

With returns like that, it is no wonder that ransomware has grown into an enormous, notorious global extortion machine. It’s one of the web’s most costly nemeses—a true super villain—with an equally evil origin story.

An Evil Villain with an Evil Origin

Ransomware, first known as cryptoviral extortion, was born in 1989. The malware was quaintly distributed on 20,000 floppy disks by post. Instead of an adult website advertisement or an email attachment promising 70 percent off select items at J.Crew—two of the many ways malware distributes and disguises itself today—this first incarnation’s disguise was something much crueler.

The floppy disks, distributed to scientific research institutions throughout 90 countries, were masquerading as AIDS education software. The program became known as the “AIDS Trojan.” When you first inserted the disk, you were taken through a questionnaire that calculated your risk of contracting AIDS. The file encryption was programmed to begin after the computer was rebooted a certain number of times. When their ransom notes arrived—also by post—the victims were instructed to turn on their printers, which spat out the demand for a payment of $189. They had no clue that the seemingly innocent AIDS app was to blame. Payments were made to a P.O. box in Panama. Only then did the victims receive the decryption key—also on a floppy disk in the mail.

After analysis, the code used in this first iteration of ransomware was found to be weak and easily reversible. The story was well covered by British media where the first attacks were reported. The mastermind, Dr. Joseph L. Popp, was a Harvard-educated biologist loosely associated with the victims through the World Health Organization, where he had recently been denied a job. In the end, Popp pled insanity and was set free. (Read the whole story here.)

More important than Popp’s fate, the World Health Organization scandal or the product of the software itself was the concept. In 1989, an idea was born. You could steal someone’s files without physically stealing them. You could blackmail the owner. You could perform cyber extortion.

This legacy left a massively destructive blueprint for a generation of criminals to come. Today’s cybercriminals are smarter, stealthier and have the benefits of ubiquitous Internet connectivity, unbeatable open-source cryptography resources and nearly anonymous online bitcoin depositories. Today, ransomware follows the same pattern as Popps’ AIDS Trojan, only everything is bigger: larger criminal organizations, higher ransom payments and malware with greater reach.

Earlier this year a strain called VirRansom was released. Experts have already dubbed it, “the AIDS of ransomware.” How evil! How…fitting.

Share this content on your favorite social network today!