The evolution of ransomware - past, present, and future

To win the fight against a rapidly-evolving malware, it has become the responsibility of every device user to protect themselves before ransomware strikes. But where does it come from? How does it spread? And where can it possibly go?

A profitable organized crime

Despite its brief spurt of fame, WannaCry ransomware has certainly left its mark. According to McAfee Labs’s estimates from mid-May, the ransomware struck over 10,000 organizations and 200,000 individuals across 150 countries, collecting at least US$145,168.96 in just 20 days. It is unlike any organized crime we’ve known, since cartels and black markets take decades to consolidate their influence and profits. In fact, ransomware has a relatively short history compared to regular malware, such as viruses, trojans, and adware.

The earliest instances of ransomware were first spotted in Russia as long ago as 2005. Their encryption methods were primitive, in comparison to modern strains like CryptoLocker and WannaCry. A 2006 ransomware called TROJ_CRYZIP.A zipped particular file types (.doc, .xls, .jpg, etc.) with password protection, and demanded US$300 in ransom via a simple .txt file.

WannaCry.

It was only after 2012 that ransomware started actively targeting other territories, such as Europe and North America. One of the more memorable examples was Reveton, which used location tracking to display a fake law enforcement notification relevant to the victim. For example, a US-based user would get a fake FBI warning about their alleged “illegal activities” online. Folks in France would see the same message in French, spoofing the Gendarmerie Nationale emblem instead. According to cyber security blog Malwarebytes Lab, this variant was still active in March 2016, and further improvements allowed it to target Mac OS X users. It also included a wider panel of impersonated authorities, such as the Royal Canadian Mounted Police and Europol.

Reveton ransomware, impersonating Gendarmerie Nationale.

Cyber security firms, in general, have a consensus on what ransomware entails. According to Kaspersky Labs, Trend Micro, and Norton by Symantec, it is just another variant of malware that cripples your system, usually through encryption methods. What sets it apart is the ransom fee it demands, promising access to victims once it’s paid up.

Collecting that ransom is what truly separates it from typical malware – and it’s lucrative to do so. According to Symantec’s Ransomware and Businesses 2016 white paper, the average ransom demand was US$679 per person last year. SonicWall’s 2017 Annual Threat Report showed businesses paying a total of US$209 million to ransomware operators in the first quarter of the year alone. CryptoLocker, a ransomware that made its run in 2013, received US$27 million in Bitcoins over three short months. Malicious coding isn’t just a prank by script kiddies; it’s now a full-time career with multi-million dollar revenues.

Along with its increase in profits and exposure, ransomware has also updated its collection methods. In Reveton’s case, payment was made via anonymous prepaid cash cards like MoneyPak, while newer variants like WannaCry use Bitcoins instead.

The obsession with Bitcoin

In more recent times, Bitcoin has become a prominent cog in the ransomware machine. For the uninitiated, Bitcoin is merely one of the many cryptocurrencies that exist on the Internet, but it was one of the first decentralized cryptocurrencies, launched in 2009. Bitcoin transactions are done user-to-user (without a middle person), and the ledger of these transactions is held by publicly-run, decentralized Bitcoin nodes operated by miners all over the globe. This ledger is copied across all nodes, which makes it easy to refer to and keep track of, but extremely difficult to alter.

Bitcoin’s security lies in the strength of its SHA-256 hashing and its decentralized record-keeping. Combined with its transaction transparency and durability, Bitcoin amassed significant intrinsic value in a few short years.

This rise attracted the attention of banks and payment logistics firms (such as PayPal), which started accepting Bitcoins as part of a transaction. The increase in recognition and accessibility made it easier for people to get into the cryptocurrency, and in turn, also attracted bad actors in cyberspace. If you remember the WannaCry screenshots, you’ll have noticed that buying Bitcoins is now as easy as swiping a credit card.

While Bitcoin lets malicious hackers collect ransom without a real-world bank account, Bitcoins aren’t truly anonymous, because every transaction is permanently recorded on the public ledger. To overcome that, they can be laundered through a ‘tumbler’ that mixes your Bitcoins with other users’ coins, or through multiple e-wallets and disposable payment addresses. With these tools available, it’s no surprise that any competent ransomware coder would prefer Bitcoin over a more traceable alternative.

How does Bitcoin maintain its value?

Bitcoin’s proof-of-work controls the creation of additional units: new blocks are only produced when a computationally expensive hashing puzzle is solved – we covered the technicalities of Bitcoin’s blockchain recording in HWM March 2017. Its availability and growth strongly resemble the mining of gold and silver in the early days; in Bitcoin’s case, it takes significant computational power to solve each puzzle, and there is a hard upper limit on its total circulation. When it was relatively unknown in July 2010, 1BT (one Bitcoin) was a mere US$0.07. As of early June 2017, 1BT is worth US$2,824.99, according to Google’s currency exchange rate.
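To make the two mechanisms this section and the previous one lean on concrete (the proof-of-work that gates new blocks, and the hash chaining that makes a copied ledger hard to alter), here is a toy miner and verifier in Python. It is an added example, not code from the article or from Bitcoin itself; the difficulty target, the constructed ledger entries and the function names are assumptions made for illustration, and real Bitcoin hashes a binary block header with double SHA-256 against a far harder target.

```python
import hashlib
import json

DIFFICULTY = 4  # assumed toy target: hash must start with this many hex zeros


def block_hash(index, prev_hash, data, nonce):
    """SHA-256 over every block field; changing any field changes the hash."""
    payload = json.dumps([index, prev_hash, data, nonce], separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


def mine_block(index, prev_hash, data, difficulty=DIFFICULTY):
    """Proof of work: try nonces until the hash meets the target.
    No block exists without this effort, which is what rations issuance."""
    nonce = 0
    while True:
        h = block_hash(index, prev_hash, data, nonce)
        if h.startswith("0" * difficulty):
            return {"index": index, "prev_hash": prev_hash, "data": data,
                    "nonce": nonce, "hash": h}
        nonce += 1


def build_chain(entries, difficulty=DIFFICULTY):
    """Mine one block per ledger entry, each committing to its predecessor's hash."""
    chain = [mine_block(0, "0" * 64, "genesis (constructed)", difficulty)]
    for i, entry in enumerate(entries, start=1):
        chain.append(mine_block(i, chain[-1]["hash"], entry, difficulty))
    return chain


def verify_chain(chain, difficulty=DIFFICULTY):
    """A copy of the ledger is valid only if every block's hash recomputes,
    meets the target, and links to the block before it."""
    for i, b in enumerate(chain):
        expected = block_hash(b["index"], b["prev_hash"], b["data"], b["nonce"])
        if b["hash"] != expected or not b["hash"].startswith("0" * difficulty):
            return False
        if i > 0 and b["prev_hash"] != chain[i - 1]["hash"]:
            return False
    return True


def tamper(chain, index, new_data):
    """Rewrite a past entry without redoing the work; the stored hash no longer
    matches, so every honest copy of the ledger rejects the forged chain."""
    forged = [dict(b) for b in chain]
    forged[index]["data"] = new_data
    return forged


if __name__ == "__main__":
    ledger = ["alice->bob 0.5 (constructed)", "bob->carol 0.2 (constructed)"]
    chain = build_chain(ledger)
    print("valid:", verify_chain(chain), "nonces:", [b["nonce"] for b in chain])
    print("after tamper:", verify_chain(tamper(chain, 1, "alice->mallory 5.0")))
```

Raising DIFFICULTY by one multiplies the expected work per block by sixteen, which is the same lever Bitcoin's network adjusts to keep block production at a fixed rate regardless of how much hashing power joins.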

Ransomware to go

Ransomware on Android OS.

Ransomware isn’t a PC-only problem. One recent mobile example that comes to mind is Charger. Discovered in January this year, its host app saw at least one million installs across Android OS devices. Like WannaCry, it demanded Bitcoin payment, but it also threatened to sell the victim’s personal information if demands weren’t met. While it sounds like your typical ransomware misfortune, what made Charger more dangerous was how it rode in through the official Google Play store.

Mobile ransomware is also on the rise. When observing mobile trends from April 2015 to April 2016, Federico Maggi, Trend Micro’s Senior Threat Researcher, saw a 140% growth in Android ransomware samples, with up to 22% of all mobile malware being ransomware.

Ransomware on mobile devices is an evolution based on typical smartphone malware. In our HWM November 2016 issue, we looked at CallJam: a clear example of a ransomware variant that managed to infect 500,000 users via a Google Play-verified app. According to cyber security firm Check Point, it forces the mobile device to dial expensive premium numbers, and it displays fraudulent advertisements that profit the creators. What makes CallJam more interesting is how it baits the user with more in-app features, asking them for a glowing Google Play store review in exchange for additional content.

As with the examples given above, only looking at star-based ratings or downloading official APKs from legitimate app stores isn’t sufficient malware protection anymore. Some 4,000 apps were removed from the Google Play app store in the past year, with more than 500,000 devices around the world still holding onto these apps. Google did not notify their users when an app is no longer supported, leaving many orphaned apps on phones.

Are phones more susceptible than their PC counterparts? Well, the McAfee Mobile Threat Report for 2017 reasoned that malicious apps have an easy time infecting smartphones due to a lack of transparency in app stores, combined with the ease of getting an app approved for sale. Trend Micro’s 2016 report found more than 400 malware-laden apps on the official Play store itself. In fact, a known alert window vulnerability that has existed since Android 6.0 will only get a fix in “Android O” this August, which emphasizes how vulnerable the mobile ecosystem can be.

Preventing the dark future of ransomware

McAfee Labs’ 2017 Threats Predictions report paints a grimmer future – by their analysis, the next logical step for malicious actors is to take over IoT products using malware. IoT products are no longer one-trick ponies with Wi-Fi connectivity, since the future promises smart driverless cars with machine learning abilities, and household appliances that store user preferences and personal information in a cloud network.

WannaCry was an excellent example of the damage that could be done with IoT malware – entire facilities such as hospitals, banks, and businesses were halted, costing precious staff-hours and putting lives at stake. For IoT malware to take off, McAfee reckons it is up to cyber criminals to decide what they can accomplish with these gadgets, and it won’t take them more than four years to figure it out.

Ransomware for your car's software? Perhaps, in a foreseeable future.

As the general population evolves into tech-savvy, multi-device users, it has become our responsibility to protect ourselves from evolving ransomware, be it on PC, smartphone, or IoT device. Besides relying on anti-virus software, here are some tips from security experts that you can act on yourself, helping you stay one step ahead of becoming the next hostage.

  • Keep your operating system up-to-date. In the case of WannaCry ransomware, the latest Windows 10 operating system was not vulnerable, since the flaw wasn’t present in the new operating system.
  • Bookmark all your trusted sites – be it your preferred social media network or e-banking site on PC, mobile, or whichever futuristic interface you surf the web from. Malicious sites can look almost identical to the real thing, with similar URLs. Trend Micro’s ransomware white paper found that 20% of all ransomware infections in 2016 came from accessing ransomware-laden web pages.
  • Do not entertain spam messages. The same white paper by Trend Micro found that 79% of all ransomware came via spam. Spam is also more sophisticated these days, employing social engineering techniques to lure readers into clicking on impulse.
  • Back up your information, preferably with the 3-2-1 rule. Create three backup copies across two different types of media, with one of them in a separate location.
  • Reduce the amount of sensitive data stored in the cloud. Any information that can be retrieved with an Internet connection will always face the risk of it being hacked by malicious users.
  • Do not pay the ransom, ever. Paying the ransom can encourage ransomware makers to invest in this method since it’s profitable to them.

Advice from security experts

Our foray into cybersecurity columns brought forth a trove of worthy reminders from cyber security experts.

“The moment you unbox your phone, ensure that your operating system is up to date. Additionally, ensure that any pre-installed applications and applications that you download are also of the latest version. Updates help to patch vulnerabilities that expose your device to cyber security risks such as ransomware and malware.”

– David Freer, Vice President, Consumer, APAC, Intel Security

“Click-bait sites and fake bank sites pretend to give the user their dues, while they inject info-stealing malware and Trojans into your computers. Exercise common sense and use legit sources at all times.”

– Ryan Flores, Senior Manager, Future Threat Research TrendLabs, Trend Micro, Asia Pacific

This article was first published in the July 2017 issue of HWM.