Happy Birthday, Ransomware...Now Go Away
We’ve locked up your files. Want ‘em back? Then pay us before the clock runs out. Tick, tock.
That’s the ugly essence of ransomware, one of the more ironic and insidious attacks played out routinely around the globe. Who’d have ever thought we’d develop such a dependency on digits that we’d pay good money to bad people just to get them back? Thanks to the electric era we now live in, we’ve put all our informational eggs into one fragile basket and now we’re paying the price—literally! Funny times. Funny times.
While it may feel like a new attack, it was actually 30 years ago—well before the internet made everyone and everything remotely accessible—that the tactic of ransomware was born. The year was 1989, and the method of deployment was an infected floppy disk. Crude, crafty and calculating, it ushered in an uncomfortable reality: digital extortion was suddenly a thing.
Reflecting on the anniversary of this incident, it would almost be enough to say that an evil, enterprising computer hobbyist created a program to seize his victims’ computers and demand money for the key, but the story has some odd elements worth mentioning. The malware’s author was Dr. Joseph Popp, a Harvard-educated biologist who used the World Health Organization’s AIDS conference as the springboard for his scheme. He had written a legitimate computer program to help the medical community better understand the risks of contracting HIV, the virus that causes AIDS, and apparently felt entitled (very entitled) to be compensated for his work. Mailing some 20,000 disks to conference attendees, Dr. Popp hid a sinister little counter in his application, and after 90 reboots it locked the system and displayed a message, inviting the user to print it: “A virus has infected your system. Now what do you have to say about that? Ha ha ha.” The target computer was rendered all but unusable, but the message went on to offer an antidote of sorts. For $189, mailed to a P.O. box in Panama, the user would receive a password that would restore their system.
How did the saga end? Dr. Popp was easily apprehended—there was no dark web to hide behind back then—but displayed such erratic pre-trial behavior that he was ultimately declared unfit to stand trial. What’s more, the program used simple symmetric encryption, and the key could be recovered from the program itself, so a free fix appeared almost immediately.
What came and went as something of a novelty quietly revealed the realm of the possible for ransomware. Impounding hard drives with a secret key carried some rather grim criminal implications, a fact not lost on a pair of researchers (Adam Young and Moti Yung) pioneering the topic of cryptovirology. They put forth the idea that while cryptography itself is a boon to secure computing, it could be weaponized and “used to mount extortion based attacks that cause loss of access to information, loss of confidentiality, and information leakage, tasks which cryptography typically prevents.”
It would be another 15 years before these “extortion based attacks” began to appear, and while they received some buzz in the trade press, they landed only glancing blows in terms of real damage. In fact, almost all of these early ransomware campaigns—PGPcoder, Arhiveus, Cryzip—were deliberately limited so as not to alert antivirus companies and law enforcement, and many of their keys could be guessed or pulled out of the malware outright thanks to programmer error. Lukewarm success or not, the attacks began wrapping in asymmetric encryption: a public key carried by the malware locks the data (or the per-victim key that scrambled it), and only the attacker’s matching private key, which never touches the victim’s machine, can unlock it. Malware researchers predicted that this would make data recovery without the criminals’ cooperation extremely unlikely in future cases of ransomware.
As if to make the point, in 2013 the dreaded CryptoLocker trojan descended upon the scene, taking the art of the cyber shakedown to a whole new level. It was hardly an amateur effort—distributed predominantly in the US through very convincing sham e-mails aimed at corporate users—and once activated, it worked silently in the background, enumerating every local, removable and mapped network drive it could reach (a detail that matters later, because a backup share mapped as a drive letter is just another target). Once that mapping pass was complete, the program looked for 72 known file extensions to coil its creepy tentacles around. Got a PowerPoint (.ppt)? Not anymore. How about a Word doc (.docx)? Consider it hijacked. Even a Casio digital camera file (.bay)? Come on!
Once everything was successfully encrypted, a bold, red countdown clock appeared on the victims’ screens: YOUR PERSONAL FILES ARE ENCRYPTED. The key was, in practice, out of reach: the files were encrypted with AES, and the AES keys were in turn wrapped with a 2048-bit RSA public key generated for that victim on the gang’s command-and-control server, whose private half never left it, so nothing left on the victim’s disk could undo the damage. But not to worry, the malware contained a menu option that allowed for easy payment, from MoneyPak to Ukash to Bitcoin. For a paltry 300 bucks, the key would be happily handed over and the files unlocked. It was estimated that in just a few months, the CryptoLocker gang raked in $30M from thousands of victims desperate to restore their data.
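To make the behavior described above concrete, here is an added detection example (not code from the original post, and not CryptoLocker’s own logic): it scans a stream of file-write events for the tell-tale pattern of many document files, spread across several folders, being rewritten with high-entropy, ciphertext-like content inside a short window. The event format, the thresholds, the extension subset and the sample events are all assumptions constructed for the illustration.

```python
"""Flag CryptoLocker-style bulk encryption from file-write events.

Added illustration only. The event tuple format, the thresholds, the
extension subset and the sample events below are assumptions made for
this example; none of them come from the original post or from a product.
"""
import hashlib
import math
from collections import Counter, deque
from pathlib import PureWindowsPath

# A handful of the document/media extensions the post says CryptoLocker
# targeted; the full list of 72 is not reproduced here.
TARGET_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".jpg", ".bay"}

WINDOW_SECONDS = 60   # assumed: sliding window over recent suspicious writes
MIN_FILES = 10        # assumed: distinct target files rewritten in the window...
MIN_DIRS = 3          # ...spread over at least this many directories
HIGH_ENTROPY = 7.0    # bits/byte; encrypted or compressed data sits near 8.0,
                      # ordinary office documents and text sit well below that


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of `data` in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def first_alert(events):
    """Scan (timestamp_s, path, first_bytes) write events in time order.

    Returns {"at", "files", "dirs"} for the moment the window first holds
    MIN_FILES distinct high-entropy target files across MIN_DIRS directories,
    or None if the stream never looks like bulk encryption.
    """
    recent = deque()  # (ts, PureWindowsPath) of suspicious writes in the window
    for ts, path, head in sorted(events, key=lambda e: e[0]):
        p = PureWindowsPath(path)
        # Ignore files the malware would not touch and writes that still look
        # like plaintext; a normal save of budget.xlsx never trips the rule.
        if p.suffix.lower() not in TARGET_EXTS or shannon_entropy(head) < HIGH_ENTROPY:
            continue
        recent.append((ts, p))
        while ts - recent[0][0] > WINDOW_SECONDS:
            recent.popleft()
        files = {str(q) for _, q in recent}
        dirs = {str(q.parent) for _, q in recent}
        if len(files) >= MIN_FILES and len(dirs) >= MIN_DIRS:
            return {"at": ts, "files": len(files), "dirs": len(dirs)}
    return None


def pseudo_ciphertext(seed: str, n: int = 4096) -> bytes:
    """Deterministic high-entropy bytes standing in for encrypted output
    (a SHA-256 chain; NOT a cipher, just constructed sample data)."""
    out, block = b"", seed.encode()
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


PLAINTEXT = (b"Quarterly report: revenue, costs, headcount, forecast. " * 100)[:4096]


def make_sample_events():
    """Constructed event stream: a quiet morning, then a 12-file burst."""
    dirs = [r"C:\Users\alice\Documents", r"C:\Users\alice\Desktop",
            r"Z:\Finance\2013", r"Z:\Shared\Projects"]   # Z: is a mapped share
    exts = [".docx", ".xlsx", ".pptx", ".pdf"]
    events = [
        (0, dirs[0] + r"\budget.xlsx", PLAINTEXT),        # normal saves: low entropy
        (600, dirs[0] + r"\memo.docx", PLAINTEXT),
        (1200, dirs[2] + r"\forecast.pptx", PLAINTEXT),
        (1001, dirs[1] + r"\photos.zip", pseudo_ciphertext("zip")),  # high entropy, not a target type
    ]
    for i in range(12):   # the burst: one file every two seconds, across four folders
        events.append((1000 + 2 * i, f"{dirs[i % 4]}\\file{i}{exts[i % 4]}",
                       pseudo_ciphertext(f"enc{i}")))
    return events


if __name__ == "__main__":
    print(first_alert(make_sample_events()))   # the tenth high-entropy rewrite trips the rule
```

The entropy check is what separates this from a plain "lots of writes" rule: a user saving a dozen spreadsheets produces low-entropy content, while anything that has just been encrypted (or compressed, which is the main false-positive source to tune for) sits close to 8 bits per byte.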
So there it was. Ransomware had finally gone pro. Distribution networks were mature enough, encryption was strong enough, and avenues of payment anonymous enough to finally make it the scourge we were warned of by the early cryptovirologists. After CryptoLocker, new strains of ransomware started steamrolling their way through cyberspace, each with its own fiendish tactic for fueling panic and prying open wallets. Chimera, for example, threatened to publish sensitive data in the open if no payment was received. Jigsaw goaded victims by deleting files every hour until collection. Today, there are nearly 800 named iterations of ransomware in the wild with no hint of sputtering out. The sheer number of strains merely testifies to the fact that, for better or worse, modern encryption is uncrackable, the crime is untrackable, and victims will pay to get their data…backable?
So where are we today, 30 years after Popp’s pioneering prank? Ransomware is still flexing its malicious muscle by finding footholds, mapping drives and freezing files, but no longer is it content with nickel-and-dime returns. A recent FBI announcement declared that “the losses from ransomware attacks have increased significantly,” with criminals now seeking larger payouts by targeting organizations with deep(ish) pockets (such as school districts and local governments), entities that may be more inclined to push dollars at the perpetrators. The captors may even coolly negotiate an insurance payout, as was the case with New York’s Rockville School District, which was originally told to pay $176K but instead settled through its cyber-insurer for $88K.
Some organizations, in order to disincentivize the crime, are pre-emptively vowing to rebuff online extortionists altogether. At the most recent U.S. Conference of Mayors, 255 city leaders agreed not to roll over if ransomware comes calling. Such a stance, while well principled, can carry a heavy recoil. For example, when the City of Baltimore took a broadside ransom hit in May (following Atlanta, GA and Greenville, NC, among others), the mayor nobly refused to bend to the bitnapper’s $76K demand, but the city was forced to spend millions (even scooping money from the parks fund) on network overhaul and recovery.
While some victims dig in their heels, ransomware still finds enough of a paying public to remain a threat, so the best offense comes through a good digital defense. Backing up data is the obvious course of action, but this strategy has clearly failed multiple victims who thought they had sufficiently stockpiled files only to find the backups encrypted along with everything else: a mirror on a mapped share, or a sync folder, simply copies the damage. A backup earns its keep only if the infected machine cannot overwrite or delete it (offline media, or versioned, write-once storage that the workstation’s credentials cannot purge), and only if someone has actually rehearsed a restore from it, so a few extra bucks invested in smart backup can save big dollars when the ransom note arrives. Of course, user training and system patching remain valuable tools in the fight as well.
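Why a plain mirror fails and a versioned store does not, as an added example (not from the original post or any backup product): a toy content-addressed, append-only snapshot vault next to a mirror-style copy, with a simulated infection that rewrites the working files and a restore drill that checks the pre-infection snapshot hash by hash. The file set, the XOR stand-in for the malware’s encryption and the API names are assumptions constructed for the illustration.

```python
"""Mirror backup vs. versioned, append-only snapshots under a ransomware hit.

Added illustration only. The vault API, the sample files and the XOR
stand-in for encryption are assumptions made for this example, not the
original post's or any product's.
"""
import hashlib


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class SnapshotVault:
    """Content-addressed, append-only store: a writer can add a snapshot but
    can neither overwrite a blob nor delete one, so a compromised host that
    holds the backup credential can only add garbage, not destroy history."""

    def __init__(self):
        self._blobs = {}       # sha256 hex -> bytes, write-once
        self._snapshots = []   # each entry: {path: sha256 hex}

    def snapshot(self, files: dict) -> int:
        manifest = {}
        for path, data in files.items():
            digest = sha256(data)
            self._blobs.setdefault(digest, data)   # an existing blob is never replaced
            manifest[path] = digest
        self._snapshots.append(manifest)
        return len(self._snapshots) - 1            # snapshot id

    def restore(self, snapshot_id: int) -> dict:
        """Rebuild a snapshot, verifying every blob against its digest."""
        restored = {}
        for path, digest in self._snapshots[snapshot_id].items():
            data = self._blobs[digest]
            if sha256(data) != digest:
                raise ValueError(f"blob for {path} is corrupt")
            restored[path] = data
        return restored


def simulate_encryption(files: dict, key: int = 0x5A) -> dict:
    """Stand-in for what the malware does to the working copy: every file's
    bytes are scrambled and the file is renamed. XOR is NOT a real cipher;
    it only needs to make the data unreadable for this demonstration."""
    return {path + ".encrypted": bytes(b ^ key for b in data)
            for path, data in files.items()}


def restore_drill(vault: SnapshotVault, snapshot_id: int, expected: dict) -> bool:
    """The check a practitioner wants: does a restore reproduce the originals?"""
    restored = vault.restore(snapshot_id)
    return restored.keys() == expected.keys() and all(
        sha256(restored[p]) == sha256(expected[p]) for p in expected)


def run_scenario() -> dict:
    # Constructed working set, as found on a user profile or a mapped share.
    originals = {
        "Finance/budget.xlsx": b"FY2013 budget: revenue 4.2M, opex 3.1M",
        "Finance/board.pptx":  b"Q3 board deck, draft 7",
        "Photos/IMG_0042.bay": b"CASIO RAW sample bytes",
    }
    mirror = dict(originals)                  # "copy everything to the backup share"
    vault = SnapshotVault()
    clean = vault.snapshot(originals)         # taken before the infection

    working = simulate_encryption(originals)  # the ransomware runs
    mirror.clear()
    mirror.update(working)                    # the mirror faithfully follows the damage
    after = vault.snapshot(working)           # the vault merely gains a useless snapshot

    return {
        "mirror_restores_originals": mirror == originals,
        "clean_snapshot_restores": restore_drill(vault, clean, originals),
        "latest_snapshot_restores": restore_drill(vault, after, originals),
    }


if __name__ == "__main__":
    print(run_scenario())
```

The two properties that matter are both visible in the vault: history is append-only, so the post-infection snapshot cannot displace the clean one, and `restore_drill` is run before anyone needs it, which is the step most victims in the stories above skipped.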
So, we see that a curious little cybercrime committed three decades ago has blossomed into a modern scourge for anyone using a keyboard (and yes, a smartphone too). Ransomware is here and uncomfortably near, so we should all take stock of how vulnerable our files may be, plan accordingly, and do our best to stand firm against those who would turn panic into profit.
(Want to know more about cybercrime? Check out Chasing Vapor on Amazon.)