Ransomware - The Growing Threat

Upload: nick-miller

Post on 14-Jan-2017

TRANSCRIPT

Page 1: Ransomware - The Growing Threat

Page 2

History of Ransomware

Ransomware has evolved considerably since the AIDS Trojan appeared in 1989. The AIDS Trojan was released into an unsuspecting world through the post, on 5¼" floppy disks. It was ultimately unsuccessful for a number of reasons: few people used personal computers, the web was still just an idea, and the internet was mostly used by experts. The encryption it used was weak (it only scrambled file names with a simple symmetric cipher whose key could be recovered from the program itself), and international payments were harder to process than they are today.

While the emergence of the AIDS Trojan established the ransomware threat, this type of malware was not widely used in cybercrime until many years later. The threat landscape was considerably different in the nineties and early noughties, an era when malware was used for pranks and vandalism to gain notoriety. Nowadays, malware is mostly deployed for financial gain.

The evolution of ransomware, particularly crypto ransomware, has accelerated in recent years as copycat criminal enterprises jumped into the arena to build on others' success.

Page 3

Two main types of ransomware:

• Locker ransomware (computer locker): denies access to the computer or device.
• Crypto ransomware (data locker): prevents access to files or data. Crypto ransomware does not necessarily have to use encryption to stop users from accessing their data, but the vast majority of it does.

Both types of ransomware are aimed squarely at our digital lifestyle. They are designed to deny us access to something we want or need, and offer to return what is rightfully ours on payment of a ransom.

Despite having similar objectives, the approaches taken by each type of ransomware are quite different: a locker leaves the underlying files intact, so removing the malware usually restores access, whereas crypto ransomware leaves the files unusable even after the malware itself has been removed.

Page 4

Variations of Ransomware

Reveton (Early 2012)

Based on the Citadel trojan (itself based on the Zeus trojan), Reveton's payload displays a warning purportedly from a law enforcement agency (hence the nicknames "police trojan" and "cop trojan"), claiming that the computer has been used for illegal activities such as downloading pirated software or child pornography. The warning tells the user that to unlock the system they must pay a fine using a voucher from an anonymous prepaid cash service such as Ukash or Paysafecard. To strengthen the illusion that the computer is being tracked by law enforcement, the screen also displays the computer's IP address, and some versions show footage from the victim's webcam to suggest that the user is being recorded. Reveton is a locker: it blocks use of the desktop but leaves the files untouched, so removing the lock screen recovers the machine.

Page 5

Variations of Ransomware

CryptoLocker (September 2013)

The trojan known as CryptoLocker used a 2048-bit RSA key pair generated for each victim, with the private key held only on the attackers' command-and-control server. The public key was used to lock files matching a whitelist of specific file extensions (each file was encrypted with a symmetric key, which was in turn encrypted with the RSA public key). The malware threatened to delete the private key if a payment in Bitcoin or a prepaid cash voucher was not made within three days of infection. Because the private key never left the attackers' server and the key size rules out factoring, analysts and those affected by the trojan considered CryptoLocker practically impossible to recover from without paying. Even after the deadline passed, the private key could still be obtained through an online tool run by the attackers, but at a higher price.

Page 6

Variations of Ransomware

CryptoLocker.F (September 2014)

In September 2014, a wave of ransomware trojans surfaced that first targeted users in Australia, under the names CryptoWall and CryptoLocker (which, like CryptoLocker 2.0, is unrelated to the original CryptoLocker). The trojans spread via fraudulent e-mails claiming to be failed parcel delivery notices from Australia Post. To evade automatic e-mail scanners that follow every link in a message looking for malware, this variant required the user to visit a web page and enter a CAPTCHA code before the payload was downloaded, so an automated scanner never saw the payload at all. Symantec determined that these new variants, which it identified as CryptoLocker.F, were again unrelated to the original CryptoLocker because of differences in their operation. A notable victim was the Australian Broadcasting Corporation: live programming on its television news channel ABC News 24 was disrupted for half an hour and shifted to Melbourne studios after a CryptoWall infection on computers at its Sydney studio.

Page 7

Variations of Ransomware

CryptoWall (September 2014)

Another major ransomware trojan targeting Windows, CryptoWall, first appeared in 2014. One strain was distributed through a malvertising campaign on the Zedo ad network in late September 2014 that targeted several major websites; the ads redirected to rogue sites that used browser plugin exploits to download the payload. The payload was also signed with a digital signature in an effort to appear trustworthy to security software, a reminder that a valid signature proves only who signed, not that the code is benign. CryptoWall 3.0 was delivered by a JavaScript downloader sent as an e-mail attachment, which fetched executables disguised as JPG images (a file whose name ends in .jpg but whose contents begin with a Windows PE header; content-based file-type checks catch this where extension filters do not). To further evade detection, the malware created new instances of explorer.exe and svchost.exe to communicate with its servers. While encrypting files it also deleted volume shadow copies and installed spyware that stole passwords and Bitcoin wallets.

Page 8

Variations of Ransomware

TorrentLocker (September 2014)

Another trojan in this wave, TorrentLocker, initially contained a design flaw comparable in seriousness to CryptoDefense's: it used AES in a stream (counter) mode with the same key and nonce on every infected computer, so every file was XORed with the same keystream. Anyone holding one encrypted file together with its original could XOR the two to recover the keystream and then decrypt every other file up to that length, making the encryption trivial to overcome. This flaw was later fixed. By November 2014, it was estimated that over 9,000 users had been infected by TorrentLocker in Australia alone, trailing only Turkey with 11,700 infections.
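The keystream-reuse attack described above, as an added example that is not part of the original slide deck and is not taken from any malware sample. It models the flawed cipher as a counter-mode stream cipher with a hard-coded key and nonce (SHA-256 in counter mode stands in for AES-CTR, since Python's standard library has no AES; the attack does not depend on the block function), recovers the keystream from one known file, decrypts the others with it, and shows the per-file nonce that closes the hole. All key values and file contents are constructed for the demonstration.

```python
"""Keystream reuse: why early TorrentLocker was trivially decryptable.

Added example, not code from the slide deck or from any malware sample. The
malware is modelled as a stream cipher whose keystream is derived from a
hard-coded key and nonce, so every victim and every file is XORed with the
same bytes. SHA-256 in counter mode stands in for AES-CTR (the standard
library has no AES); the attack works the same way against real AES-CTR.
"""
import hashlib
import os
from typing import Dict, Tuple

# The flaw: one key and one nonce baked into the binary (values made up here).
FIXED_KEY = b"key-shared-by-every-victim"
FIXED_NONCE = b"\x00" * 8


def keystream(length: int, key: bytes = FIXED_KEY, nonce: bytes = FIXED_NONCE) -> bytes:
    """Counter-mode keystream: block_i = H(key || nonce || i), truncated to `length`."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncating to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def flawed_encrypt(plaintext: bytes) -> bytes:
    """What the early TorrentLocker did: the same keystream for every file."""
    return xor_bytes(plaintext, keystream(len(plaintext)))


def per_file_encrypt(plaintext: bytes) -> Tuple[bytes, bytes]:
    """What the fixed version must do: a fresh nonce per file, stored alongside it."""
    nonce = os.urandom(8)
    return nonce, xor_bytes(plaintext, keystream(len(plaintext), nonce=nonce))


def recover_keystream(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """Known-plaintext attack: C xor P yields the keystream for as many bytes as P is known."""
    n = min(len(ciphertext), len(known_plaintext))
    return xor_bytes(ciphertext[:n], known_plaintext[:n])


def decrypt_prefix(ciphertext: bytes, recovered_keystream: bytes) -> bytes:
    """Decrypt as much of another file as the recovered keystream covers."""
    return xor_bytes(ciphertext, recovered_keystream)


# Constructed victim files. The responder still has a clean copy of the first
# one (a stock document, an e-mail attachment, a backup); the others are lost.
KNOWN_PLAINTEXT = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n" * 3  # 174 bytes
SECRET_SHORT = b"Q3 payroll: total 184,320.00 EUR; approver: CFO"                     # 47 bytes
SECRET_LONG = b"Board minutes, confidential. " * 12                                   # 348 bytes


def run_attack() -> Dict[str, object]:
    """Encrypt three files the flawed way, then recover two of them from the third."""
    c_known = flawed_encrypt(KNOWN_PLAINTEXT)
    c_short = flawed_encrypt(SECRET_SHORT)
    c_long = flawed_encrypt(SECRET_LONG)
    _nonce, c_fixed = per_file_encrypt(SECRET_SHORT)

    ks = recover_keystream(c_known, KNOWN_PLAINTEXT)
    return {
        "keystream_bytes": len(ks),                    # 174: only what the known file covers
        "short": decrypt_prefix(c_short, ks),          # fully recovered (shorter than known file)
        "long_prefix": decrypt_prefix(c_long, ks),     # only the first 174 bytes come back
        "long_missing": len(c_long) - len(ks),         # 174 bytes still need more known plaintext
        "fixed_version_decrypts": decrypt_prefix(c_fixed, ks) == SECRET_SHORT,  # False
    }


if __name__ == "__main__":
    for name, value in run_attack().items():
        print(name, value)
```

The recovered keystream is only as long as the longest known plaintext, which is why responders working real TorrentLocker cases needed a large known file: anything beyond that length stays encrypted. With a per-file nonce the known file tells you nothing about the others, which is exactly the property the later TorrentLocker builds restored.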

Page 9

Variations of Ransomware

KeRanger (March 2016) (Mac)

KeRanger was the first fully functional ransomware seen on the OS X operating system. It appeared in March 2016, distributed inside a trojanized installer of the Transmission BitTorrent client, where the malicious executable in the .DMG was disguised as a Rich Text File. After installation the malware sleeps for three days, then encrypts the user's files, demands one Bitcoin to decrypt them, and drops a text document with instructions on how to pay. It uses a 2048-bit RSA public key, fetched from its command-and-control servers, to protect the file-encryption keys. It is essentially a port of Linux.Encoder.1.

Page 10

Variations of Ransomware

RSA4096 (2015)

RSA4096 is one of the more recent iterations of ransomware to encrypt personal computers and connected devices. It first appeared in 2015 and, like most crypto ransomware, uses a two-key system of public and private keys: files are locked with the public key and only the attackers hold the private key. As with other ransomware, decryption requires purchasing the private key with Bitcoins bought through brokers on the dark web, and there is no guarantee that payment results in obtaining that key. There are several variants, most of which cannot be decrypted without the private key. Depending on the variant it adds various extensions to your files and drops a ransom note alongside them. The only reliable way to recover from such an attack is to restore files from an offline backup (for example an external disc that was not connected at the time of infection); the alternative is paying the ransom. The price of Bitcoin has increased significantly over the years, which has increased the value of the ransom. At the time of writing the ransom is about 300 thousand pounds.

Page 11

Variations of Ransomware

Locky (2016)

Locky spreads through an "Invoice" e-mail whose attachment is a Word document carrying a macro that drops the malware. It encrypts files on other shares on the network, not only on mapped drives. Observed behaviour:

• Files are encrypted and renamed to *.locky; the timestamp of the encrypted file stays the same, so a search for recently modified files will not find them.
• Files are encrypted with AES-128; the per-file keys are protected with a 2048-bit RSA key.
• All shadow copies are deleted (vssadmin.exe Delete Shadows /All /Quiet), removing the easy local restore path.
• The registry key HKEY_CURRENT_USER\Software\Locky is created.
• A ransom note, _Locky_recover_instructions.txt, is placed on disk and the desktop background is replaced with the same message.
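A small detection pass over the indicators listed above, as an added example that is not part of the original slide deck. The telemetry format (EventType | key=value | ...), the process name payload.exe and every path in the sample are constructed; a real deployment would read Sysmon or EDR events instead. The rules match on what the page gives (vssadmin deleting shadows, the HKEY_CURRENT_USER\Software\Locky key, the *.locky renames, the _Locky_recover_instructions.txt note) plus the Office-application-spawns-executable pattern implied by the macro delivery.

```python
"""Hunting for the Locky indicators in endpoint telemetry.

Added example, not from the slide deck. The event lines are constructed to
look like flattened EDR/Sysmon-style records ("EventType | key=value | ...");
real telemetry needs its own parser, but the matching rules are the point.
Process and file names in the sample are made up.
"""
import re
from collections import Counter
from typing import Dict, List, Tuple

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
LOCKY_NOTE = "_locky_recover_instructions.txt"
LOCKY_REG_KEY = re.compile(r"\\software\\locky(\\|$)", re.IGNORECASE)
RENAME_THRESHOLD = 3  # .locky renames by one process before we alert

# Constructed sample: a macro document spawns a dropper, which wipes shadow
# copies, writes its registry key, renames files and drops the note. A benign
# vssadmin call and a benign rename are mixed in to check for false positives.
SAMPLE_EVENTS = r"""
ProcessCreate | Image=C:\Windows\System32\vssadmin.exe | CommandLine=vssadmin.exe list shadows | ParentImage=C:\Windows\System32\cmd.exe | User=CORP\backupsvc
ProcessCreate | Image=C:\Program Files\Microsoft Office\WINWORD.EXE | CommandLine="WINWORD.EXE" C:\Users\alice\Downloads\Invoice_J-98223.doc | ParentImage=C:\Windows\explorer.exe | User=CORP\alice
ProcessCreate | Image=C:\Users\alice\AppData\Local\Temp\payload.exe | CommandLine=payload.exe | ParentImage=C:\Program Files\Microsoft Office\WINWORD.EXE | User=CORP\alice
ProcessCreate | Image=C:\Windows\System32\vssadmin.exe | CommandLine=vssadmin.exe Delete Shadows /All /Quiet | ParentImage=C:\Users\alice\AppData\Local\Temp\payload.exe | User=CORP\alice
RegistryValueSet | TargetObject=HKCU\Software\Locky\id | Image=C:\Users\alice\AppData\Local\Temp\payload.exe
FileRename | TargetFilename=\\fileserver\finance\Q3.xlsx | NewFilename=\\fileserver\finance\A1B2C3D4E5F60718A1B2C3D4E5F60718.locky | Image=C:\Users\alice\AppData\Local\Temp\payload.exe
FileRename | TargetFilename=\\fileserver\finance\budget.docx | NewFilename=\\fileserver\finance\A1B2C3D4E5F6071890ABCDEF12345678.locky | Image=C:\Users\alice\AppData\Local\Temp\payload.exe
FileRename | TargetFilename=C:\Users\alice\Documents\thesis.docx | NewFilename=C:\Users\alice\Documents\A1B2C3D4E5F60718FEDCBA9876543210.locky | Image=C:\Users\alice\AppData\Local\Temp\payload.exe
FileRename | TargetFilename=C:\Users\bob\Documents\report.docx | NewFilename=C:\Users\bob\Documents\report_final.docx | Image=C:\Program Files\Microsoft Office\WINWORD.EXE
FileCreate | TargetFilename=C:\Users\alice\Desktop\_Locky_recover_instructions.txt | Image=C:\Users\alice\AppData\Local\Temp\payload.exe
"""


def basename(path: str) -> str:
    """Last path component, lower-cased, tolerant of both slash styles."""
    return path.replace("/", "\\").rstrip("\\").rsplit("\\", 1)[-1].lower()


def parse_event(line: str) -> Dict[str, str]:
    """Split 'EventType | key=value | key=value' into a dict."""
    parts = [p.strip() for p in line.split(" | ")]
    event = {"EventType": parts[0]}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        event[key] = value
    return event


def detect(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (rule, detail) pairs for every Locky indicator seen in the event stream."""
    findings: List[Tuple[str, str]] = []
    locky_renames: Counter = Counter()

    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        kind = ev["EventType"]
        image = basename(ev.get("Image", ""))
        parent = basename(ev.get("ParentImage", ""))
        cmdline = ev.get("CommandLine", "").lower()

        if kind == "ProcessCreate":
            # Match on verb and object, not the exact string: "/All /Quiet" can be
            # reordered or omitted, and "vssadmin list shadows" is legitimate admin work.
            if image == "vssadmin.exe" and "delete" in cmdline and "shadows" in cmdline:
                findings.append(("shadow_copy_deletion", ev["CommandLine"]))
            # A macro document's first move is usually to launch a dropped executable.
            if parent in OFFICE_APPS and image.endswith(".exe") and image not in OFFICE_APPS:
                findings.append(("office_spawned_executable", f"{parent} -> {image}"))
        elif kind == "RegistryValueSet":
            target = ev.get("TargetObject", "")
            if LOCKY_REG_KEY.search(target):
                findings.append(("locky_registry_key", target))
        elif kind == "FileCreate":
            if basename(ev.get("TargetFilename", "")) == LOCKY_NOTE:
                findings.append(("ransom_note_dropped", ev["TargetFilename"]))
        elif kind == "FileRename":
            if ev.get("NewFilename", "").lower().endswith(".locky"):
                locky_renames[image] += 1

    # Locky keeps the original modification time on the files it renames, so a
    # "recently modified" search will miss them; count the rename events instead.
    for image, count in locky_renames.items():
        if count >= RENAME_THRESHOLD:
            findings.append(("mass_rename_to_locky", f"{image}: {count} files"))
    return findings


if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS.splitlines()):
        print(f"[{rule}] {detail}")
```

The shadow-copy rule is the one worth deploying on its own: deleting all shadow copies is rare in legitimate administration and is shared by many ransomware families, not just Locky. The rename threshold and the Office-parent rule need tuning per environment (backup agents and document converters rename files in bulk; some add-ins legitimately spawn executables from Word).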

Page 12

Variations of Ransomware

Ransom32

Already in 2016, ransomware attacks have been rampant, and there is now a new form of what is being called "ransomware as a service". The program, called Ransom32, uses AES encryption with a 128-bit key to lock up files and extort Bitcoins from unsuspecting users. The victim is given four days; if payment is not made by then, the price of decryption rises to 1 Bitcoin, or $350 according to the ransom message.

Ransom32 was written in JavaScript, which sets it apart from other ransomware. An underlying NW.js application drives the program: NW.js gives JavaScript far more control over, and interaction with, the underlying operating system, enabling it to do almost everything "normal" programming languages like C++ or Delphi can do.

This ransomware is peddled to would-be hackers as a complete package. Instead of having to develop their own malicious code, less tech-savvy cyber criminals can purchase a program with which to inflict these kinds of attacks. The sellers of the service ask for an upfront purchase fee and a percentage of the profits.

Page 13

Ransomware predictions

Likely threats due to ransomware in the future:

• Attacks on automobile systems
• Infrastructure attacks
• Warehousing and sale of stolen data
• Hardware attacks
• Cloud services
• Integrity attacks
• Below-the-OS attacks
• Corporate cyberespionage
• Privacy challenges

The Internet Crime Complaint Center (IC3) has received nearly 7,700 public complaints regarding ransomware since 2005, totalling $57.6 million in damages. Those damages include ransoms paid (generally $200 to $10,000) as well as the costs incurred in dealing with the attack and the estimated value of data lost. In 2015, victims paid over $24 million across nearly 2,500 cases reported to the IC3.