The history of ransomware: attacks threaten online security for businesses

Ransomware is a profitable racket for cybercriminals, so attacks are only set to continue

Ransomware attacks are on the rise, as security firms lag behind attackers

While it leaves you tantalisingly close to your data, ransomware also keeps it very far away from you. The files are still on the hard drive, but thanks to complex cryptography, they are completely inaccessible. It’s a form of malware that will continue to spread and one that is difficult to stamp out.

Ransomware does pretty much exactly what it says on the tin – it holds data hostage in exchange for a ransom. The program gets into a computer system, usually through an attachment or under the guise of another program, and places some form of lock on the computer or the information it holds, sometimes under the pretence of being from a law enforcement agency. Users are unable to access data until a specified fine is paid. While the scams were pretty simple at first, modern ransomware may as well be considered unbreakable.

Hacked history
Paul Ducklin, a senior security advisor at Sophos with decades of experience in cybersecurity, said ransomware attacks date back as far as 1989. “Obviously there was no internet so the guy mailed out floppy disks. Supposedly it was an expert system that gauged your risk of contracting HIV, called an ‘AIDS Information Program’, but in fact it was really a cover for the fact that, if you didn’t pay his licence fee upfront, then after 90 days he scrambled the data.”

Fortunately, the software was relatively easy to crack. Due to the lack of internet, the key needed to unscramble the information was the same for every disk. Ducklin said the software was decoded by one of the founders of Sophos, and the hacker never made any money from the scheme.

“Amazingly, the money he was after was almost exactly the same price point as today. It’s not like petrol where the price goes up and down as the price of oil changes; it stays surprisingly steady in the long run. It was $378 you had to send via banker’s draft to Panama.”

During early ransomware attacks, crooks struggled to find a way of effectively eliciting a payment. Between the era of mailed-out disks and today’s complex attacks, ransomware took the form of lockscreen programs: the software locked a computer, but left the data untouched. Ducklin said this was easily bypassed by booting an antivirus program from a USB drive or CD, and removing the malicious software.

Ransomware became far more threatening with the advent of Cryptolocker in 2013. Cryptographic ransomware – much like the earliest attacks – scrambles files and demands payment for the key. The difference is the key is now generated by the attackers and stored remotely, meaning it can’t be calculated or guessed without breaking into the attacker’s servers or cracking the incredibly robust encryption. While a high-profile break-in of a scammer’s server was staged by security experts in 2014, a similar feat would today be unlikely.

Attacks are now on the rise. According to a report published by the Australian Cyber Security Centre, 17 percent of businesses had experienced a ransomware incident in 2013. By 2015, that number had jumped to 72 percent. Attacks have been recorded across Windows, Mac OS and Android devices.

Ducklin said the recent rapid increase could be attributed to criminals now having access to strong cryptography software and a secure, untraceable payment method. “The crooks have figured: ‘Hey, we should just read some books on cryptography and maybe use Microsoft Crypto API, which is all built into Windows.’ You can get strong cryptography for free if you like. It’s easy to do it right.”

Previously, payments were demanded through Green Dot MoneyPak Cards – reloadable prepaid debit cards. Green Dot decided to stop selling them in 2015 due to their widespread use in illegal activities. Now ransoms are typically demanded in Bitcoin.

Cheaper to give in
Ducklin said the success ransomware has recently found could also be because the scammers tend to come good on their promise to decrypt the scrambled files. “Annoyingly there’s been a vague, what you might call if you want to be really keen, honour among thieves. For all that these guys are rogues and cybercrooks, generally the gangs who’ve been successful are the ones who’ve quickly developed a reputation that, if you pay, you will get your data back. That seems to be the tipping point, if you like, I’m guessing for most people.”

When a person or company could spend hundreds of dollars on repairs only to find their data could not be unlocked, a comparatively cheap unlock key is probably the easiest fix. This was certainly the case in February, when the Hollywood Presbyterian Medical Center was hit by a ransomware attack. The ransomware reportedly shut down the system used to share patient information across departments. After two weeks, the hospital cracked and paid 40 Bitcoins for the unlock code, roughly $17,000 at the time.

“The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key”, said CEO Allen Stefanek in a statement released after the payment was made. “In the best interest of restoring normal operations, we did this.”

Similar stories have come out of some police departments in the US. Police in Tewksbury, Massachusetts paid $500 to unlock a computer in 2014, according to the Tewksbury Town Crier. If you haven’t got a backup, paying is the only way to get back your files. But even if a company has backed up files, Ducklin said it still might be cheaper and easier to pay the ransom.

“You hear stories of people in the business environment who regret they’ve been hit by malware but for them it’s never been the end of the world. They do the arithmetic and they go: ‘You know what, if we go to IT and raise a backup request and someone goes on their little scooter and gets the tapes from safe deposit and brings them back and loads the tapes, we’ll get the data back, but it’ll take a couple of days and it’ll probably cost us $500-$600 in internal operating costs. Versus if we just pay the guys the bloody bitcoins, and then we can think about how not to get caught again.’ From a sort of business and security perspective, Sophos’s opinion would be: ‘Don’t pay’, but we’re not so hard hearted as to say it would be morally indefensible if you did.”

Ducklin said that, although ransomware is confronting and frustrating, it’s by no means the worst thing a business could be hit with. At the end of the day, the malware isn’t destructive and the data is retrievable and more or less secure.

If a business were to put resources into protecting against ransomware, it would also protect itself from far more destructive forms of malware. Ducklin said educating staff in a judgement-free environment and setting up a way for people to easily ask an expert cybersecurity questions is the best preventative measure a business could take, after installing security software, that is.

Malware continues to be a profitable endeavour for thieves, with Trustwave recently estimating a criminal could bank $84,100 per month once a ransomware campaign is active. With such a profitable system, attacks are not going to stop anytime soon. The best way for businesses to protect against any and all threats is to keep staff informed and, as always, back everything up.
