
The evolution of ransomware - past, present, and future

By Liu Hongzuo - 6 Sep 2017


A profitable organized crime

Despite its brief spurt of fame, WannaCry ransomware certainly left its mark. According to McAfee Labs’ estimates from mid-May, the ransomware struck over 10,000 organizations and 200,000 individuals across 150 countries, collecting at least US$145,168.96 in just 20 days. It is unlike any organized crime we have known: cartels and black markets take decades to consolidate their influence and profits. In fact, ransomware has a relatively short history compared to regular malware such as viruses, trojans, and adware.

The earliest instances of ransomware were first spotted in Russia as long ago as 2005. Their encryption methods were primitive, in comparison to modern strains like CryptoLocker and WannaCry. A 2006 ransomware called TROJ_CRYZIP.A zipped particular file types (.doc, .xls, .jpg, etc.) with password protection, and demanded US$300 in ransom via a simple .txt file.


It was only after 2012 that ransomware started actively targeting other territories, such as Europe and North America. One of the more memorable examples was Reveton, which used location tracking to display a fake enforcement-agency notification relevant to the victim. For example, a US-based user would get a fake FBI warning about their alleged “illegal activities” online, while users in France would see the same message in French, with the Gendarmerie Nationale emblem spoofed instead. According to the Malwarebytes Labs cyber security blog, this variant still persisted in March 2016, and further improvements allowed it to target Mac OS X users. It also impersonated a wider panel of authorities, such as the Royal Canadian Mounted Police and Europol.

Reveton ransomware, impersonating Gendarmerie Nationale.

Cyber security firms, in general, have a consensus on what ransomware entails. According to Kaspersky Labs, Trend Micro, and Norton by Symantec, it is just another variant of malware that cripples your system, usually through encryption methods. What sets it apart is the ransom fee it demands, promising access to victims once it’s paid up.

Collecting that ransom is what truly separates it from typical malware, and it is lucrative to do so. According to Symantec’s Ransomware and Businesses 2016 white paper, the average ransom demand was US$679 per person last year. SonicWall’s 2017 Annual Threat Report showed businesses paying a total of US$209 million to ransomers in the first quarter of the year alone. CryptoLocker, a ransomware that made its run in 2013, received US$27 million in Bitcoin over three short months. Malicious coding isn’t just a prank by script kiddies; it is now a full-time career with multi-million-dollar revenues.

Along with the increase in profits and exposure, ransomware operators also updated their collection methods. In Reveton’s case, payment was made via anonymous prepaid cash cards like MoneyPak, while newer variants like WannaCry demand Bitcoin instead.


The obsession with Bitcoin

In more recent times, Bitcoin has become a prominent cog in the ransomware machine. For the uninitiated, Bitcoin is merely one of the many cryptocurrencies that exist on the Internet, but it was one of the first decentralized cryptocurrencies when it launched in 2009. Bitcoin transactions are done user-to-user (without a middle person), and the ledger of these operations is held by publicly run, decentralized Bitcoin servers operated by Bitcoin miners all over the globe. A copy of this ledger sits on every server, which makes it easy to refer to and keep track of, but extremely difficult to alter.

Bitcoin’s security lies in the strength of the SHA-256 hash function it is built on and in its decentralized record-keeping. Combined with its transaction transparency and durability, Bitcoin amassed significant intrinsic value in a few short years.

The increase attracted the attention of banks and payment logistics firms (such as PayPal), which started accepting Bitcoin as part of a transaction. The increase in recognition and accessibility made it easier for people to get into the cryptocurrency, and in turn also attracted bad actors in cyberspace. If you remember the WannaCry screenshots, you’d realize that buying Bitcoin is now as easy as swiping a credit card.

While Bitcoins allow malicious hackers to collect ransom without a real-world bank account, Bitcoins aren’t truly anonymous because of its precise record-keeping nature. To overcome that, they can be laundered by using a ‘tumbler’ that randomizes your Bitcoins with other users’ BT, or through using multiple e-wallets, and disposable payment addresses. With these tools available, it’s no surprise that any competent ransomware coder would prefer Bitcoin over a more traceable alternative.


How does Bitcoin maintain its value?

Bitcoin’s restrictive design controls the creation of additional units: new blocks are only produced when a computationally hard hash puzzle (the proof of work) is solved. We covered the technicalities of Bitcoin’s blockchain recording in HWM March 2017. Its availability and growth strongly resemble the effort required to mine gold and silver in the early days; in Bitcoin’s case, it takes significant computational power to solve each puzzle, and there is a hard upper limit on its total circulation. When it was relatively unknown in July 2010, 1BT (one Bitcoin) was a mere US$0.07. As of early June 2017, 1BT is worth US$2,824.99, according to Google’s currency exchange rate.
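To make concrete why a ledger copied across many servers is easy to track but extremely difficult to alter, and why producing a block costs real computational work, here is a toy hash-chained ledger with proof of work. It is an added example written in Python for this article, not Bitcoin’s real code or data structures: it assumes a simplified block (previous hash, transaction list, nonce), a leading-zeros difficulty rule in place of Bitcoin’s 256-bit target, and a constructed set of sample transactions.

```python
import copy
import hashlib
import json

# Toy hash-chained ledger with proof of work (added illustration, not Bitcoin's
# real format: Bitcoin hashes a binary block header with double SHA-256 and a
# Merkle root of the transactions, and compares against a 256-bit target).

GENESIS_PREV = "0" * 64

# Constructed sample transactions, grouped into three blocks.
SAMPLE_BATCHES = [
    [{"from": "alice", "to": "bob", "amount": 5}],
    [{"from": "bob", "to": "carol", "amount": 2}, {"from": "alice", "to": "dave", "amount": 1}],
    [{"from": "carol", "to": "alice", "amount": 1}],
]


def block_hash(prev_hash: str, transactions: list, nonce: int) -> str:
    """SHA-256 over a canonical JSON encoding of the block contents."""
    payload = json.dumps(
        {"prev": prev_hash, "tx": transactions, "nonce": nonce}, sort_keys=True
    ).encode()
    return hashlib.sha256(payload).hexdigest()


def mine_block(prev_hash: str, transactions: list, difficulty: int) -> dict:
    """Try nonces until the hash starts with `difficulty` hex zeros (proof of work).

    Each extra zero multiplies the expected number of trials by 16, which is
    the 'computational power' the article refers to.
    """
    nonce = 0
    target = "0" * difficulty
    while True:
        h = block_hash(prev_hash, transactions, nonce)
        if h.startswith(target):
            return {"prev": prev_hash, "tx": transactions, "nonce": nonce, "hash": h}
        nonce += 1


def build_chain(tx_batches: list, difficulty: int) -> list:
    """Mine one block per batch, each committing to the previous block's hash."""
    chain, prev = [], GENESIS_PREV
    for batch in tx_batches:
        block = mine_block(prev, batch, difficulty)
        chain.append(block)
        prev = block["hash"]
    return chain


def verify_chain(chain: list, difficulty: int) -> int:
    """Return the index of the first invalid block, or -1 if the chain is sound.

    A block is invalid if it does not point at its predecessor, if its stored
    hash does not match its contents, or if it does not meet the difficulty.
    """
    prev = GENESIS_PREV
    for i, block in enumerate(chain):
        expected = block_hash(prev, block["tx"], block["nonce"])
        if (
            block["prev"] != prev
            or block["hash"] != expected
            or not expected.startswith("0" * difficulty)
        ):
            return i
        prev = block["hash"]
    return -1


def tamper(chain: list, index: int, new_amount: int) -> list:
    """Copy the chain and silently change one amount; the stored hash goes stale."""
    forged = copy.deepcopy(chain)
    forged[index]["tx"][0]["amount"] = new_amount
    return forged


def tamper_and_remine(chain: list, index: int, new_amount: int, difficulty: int) -> list:
    """Change an amount and re-mine that block so it looks valid on its own.

    Every later block still commits to the old hash, so the forgery is caught
    at index + 1; an attacker would have to redo the work for the whole tail,
    on every copy of the ledger.
    """
    forged = tamper(chain, index, new_amount)
    forged[index] = mine_block(forged[index]["prev"], forged[index]["tx"], difficulty)
    return forged


if __name__ == "__main__":
    difficulty = 3
    chain = build_chain(SAMPLE_BATCHES, difficulty)
    print("valid chain ->", verify_chain(chain, difficulty))            # -1
    print("edited block 0 ->", verify_chain(tamper(chain, 0, 999), difficulty))  # 0
    print("edited and re-mined block 0 ->",
          verify_chain(tamper_and_remine(chain, 0, 999, difficulty), difficulty))  # 1
```

The re-mining case is the one that matters for the article’s point: patching a single block is cheap, but every block after it records the old hash, so the forger must redo the proof of work for the rest of the chain and then convince every node holding a copy to accept the replacement.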