Since 2005, ransomware has become the most common cyber threat. According to the data, in the past 11 years ransomware infections have been involved in more than 7,694 to 6,013 data breaches. For years there have been two main types of ransomware: encryption-based (crypto) ransomware and locker ransomware. Crypto-ransomware typically encrypts files and folders, hard drives and so on. Locker ransomware, which locks the user's device, is usually Android-based. New-age ransomware combines advanced distribution techniques (such as pre-built infrastructure for the rapid and widespread distribution of ransomware) with advanced development techniques (such as the use of crypters to make reverse engineering extremely difficult). Additionally, offline encryption methods are becoming increasingly popular, in which the ransomware exploits legitimate system features (such as Microsoft's CryptoAPI) to eliminate the need for command-and-control communications. Terrance DeJesus of Solutionary's Security Engineering and Research Team (SERT) discusses the history and highlights of ransomware over the years.

AIDS Trojan

The first ransomware, the AIDS Trojan, was created in 1989 by Harvard graduate Joseph L. Popp. 20,000 infected floppy disks were distributed to attendees of the International Health Organization's International AIDS Conference. The Trojan's main weapon was symmetric encryption. Decryption tools quickly recovered the file names, but this kicked off nearly 30 years of ransomware attacks.

Archiveus

Nearly two decades (17 years) after the first ransomware appeared, another one emerged. The difference was that this ransomware was more difficult to remove and was the first in the history of ransomware to use RSA encryption. The Archiveus Trojan encrypts all contents of the "My Documents" directory on the system and requires users to make a purchase from a specific website to obtain the password that decrypts the files.
Archiveus is also the first ransomware case to use asymmetric encryption. 2011 Anonymous Trojan Five years later, mainstream anonymous payment services have made it easier for attackers to use ransomware to collect money from victims without revealing their identities. In the same year, products related to ransomware Trojans became popular. A Trojan ransomware simulates a user's Windows product activation notification, informing the user that their system installation needs to be reactivated due to fraud, and directs the user to a fake online activation option, requiring the user to make an international long distance call. The malware claims the call is free, but the call is actually routed to a fake operator and placed on hold, resulting in the user being charged high international long distance charges. Reveton A major ransomware Trojan called Reveton is beginning to spread across Europe. This software is based on the Citadel Trojan, which claims that the computer has been compromised and is being used for illegal activities, requiring users to pay a fine using a cash advance payment service to unlock the system. In some cases, the computer screen will display footage recorded by the computer's camera, giving the user the impression that illegal conduct has been recorded. Shortly after this incident, a lot of police-based ransomware emerged, such as Urausy and Tohfy. Researchers discovered a new variant of Reveton in the United States, claiming that you need to use a MoneyPak card to pay a $200 fine to the FBI. Cryptolocker September 2013 was a pivotal moment in the history of ransomware because CryptoLocker was born. CryptoLocker is the first encryption malware to be downloaded from infected websites or sent as email attachments to business people. CryptoLocker infections spread rapidly as the threat exploited existing GameOver Zeus botnet infrastructure. Operation Tovar terminated the GameOver Zeus Trojan and CryptoLocker campaigns in 2014. 
CryptoLocker uses AES-256 to encrypt files with specific extensions, and then uses a 2048-bit RSA key generated by the command-and-control server to encrypt the AES-256 key. The C2 server is located on the Tor network, which makes decryption difficult because the attacker keeps the RSA public key on their C2 server. The attackers threatened to delete the private keys if the money was not received within three days.

CryptoDefense

In 2014, CryptoDefense began to appear. This ransomware leveraged Tor and Bitcoin to remain anonymous and used 2048-bit RSA encryption. CryptoDefense uses Windows' built-in CryptoAPI for encryption, and the private key was saved on the infected computer in plain text; this weakness was not discovered immediately. The creators of CryptoDefense soon launched a renamed version, CryptoWall. Unlike CryptoDefense, CryptoWall does not store encryption keys where they are accessible to the user.
CryptoWall quickly spread widely because it took advantage of the Cutwail email campaign, which primarily targeted the United States. CryptoWall is also delivered via exploit kits and was found to be the last payload downloaded in the Upatre campaign. CryptoWall has had multiple active campaigns, all run by the same attackers. CryptoWall demonstrates advances in malware development, maintaining persistence by adding additional registry entries and copying itself to the startup folder. In 2015, the Cyber Threat Alliance reported a global CryptoWall campaign with total damages of US$325 million.

Sypeng and Koler

Sypeng can be considered the first Android-based ransomware to lock the user's screen and display an FBI penalty warning message. Sypeng is spread via fake Adobe Flash updates in text messages and demands $200 via MoneyPak. The Koler ransomware is very similar to Sypeng in that it also uses fake police notices to impose fines and demands payment of the ransom through MoneyPak. Koler is considered the first "lockerworm" because it contained self-propagating technology that sent customized messages to everyone in the victim's contact list, directing them to a specific URL to download the ransomware again and then lock their systems.

CTB-Locker and Simplocker

Unlike earlier variants, CTB-Locker communicates directly with its C2 server in Tor rather than through multiple layers of infrastructure. It was also the first ransomware variant to start deleting Volume Shadow Copies in Windows. In 2016, CTB-Locker was updated to target websites. Simplocker, also discovered in 2014, is believed to be the first crypto-ransomware targeting Android mobile devices, simply encrypting files and folders rather than locking the user's phone.

LockerPin

In September last year, an aggressive Android ransomware began to spread across the United States.
ESET security researchers discovered the first real malware that can reset a phone's PIN to permanently lock the device. Known as LockerPin, the malware changes the lock screen PIN of an infected device, so the victim can no longer get past the lock screen. LockerPin then demands $500 to unlock the device.

Ransomware-as-a-Service (RaaS) started to emerge in 2015. These services usually consist of user-friendly ransomware toolkits that can be purchased on the black market, usually for $1,000 to $3,000. The buyer also needs to share 10% to 20% of the profit with the seller. Tox is often considered the first and most widely distributed RaaS toolkit/ransomware.

TeslaCrypt

TeslaCrypt also appeared in 2015 and will likely remain a continuing threat, as its developers have produced four versions. It was first distributed via the Angler exploit kit and subsequently via others. TeslaCrypt uses AES-256 to encrypt files, and then uses RSA-4096 to encrypt the AES key. C2 domains within Tor are used for payments and distribution. Its infrastructure contains multiple layers, including proxy servers. TeslaCrypt itself is very advanced and contains features that give it flexibility and persistence on the victim's machine. In 2016, the TeslaCrypt writers failed to hand over their master decryption key to ESET.

LowLevel04 and Chimera

LowLevel04 ransomware was discovered in 2015 and mainly targets Remote Desktop and Terminal Services. Unlike other ransomware campaigns, the attackers operate manually, remotely gaining access to servers and mapping internal systems. In this case, the attackers were found to delete the Application, Security and System event logs. Chimera ransomware was discovered at the end of 2015. It is considered the first doxing ransomware, because it threatens to publish sensitive or private files online. Chimera uses Bitmessage's P2P protocol for C2 communication, and its C2 servers are simply Bitmessage nodes.
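The following detection routine is an added illustration, not code from the article or from Solutionary; it flags, in constructed endpoint telemetry, the three behaviours the preceding sections describe (CTB-Locker's shadow copy deletion, CryptoWall's registry and Startup-folder persistence, LowLevel04's clearing of the event logs). The event record format, rule names and sample records are assumptions.

```python
import re

# Constructed sample telemetry (not real logs), modelled on behaviours the article
# attributes to CTB-Locker (shadow copy deletion), CryptoWall (Run-key and Startup-folder
# persistence) and LowLevel04 (clearing the Application/Security/System event logs).
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "process", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws01", "type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater",
     "value": r"C:\Users\alice\AppData\Roaming\updater.exe"},
    {"host": "ws01", "type": "file",
     "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updater.exe"},
    {"host": "srv02", "type": "process", "cmdline": "wevtutil.exe cl Security"},
    {"host": "ws03", "type": "process", "cmdline": r"notepad.exe C:\Users\bob\notes.txt"},
    {"host": "ws03", "type": "registry", "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "value": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"},
]

# Case-insensitive: casing on Windows command lines and registry paths is arbitrary.
SHADOW_RE = re.compile(r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I)
LOGCLEAR_RE = re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\s+(application|security|system)\b", re.I)
RUNKEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|Downloads)\\", re.I)
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)

# (rule name, event type it applies to, predicate). A Run key by itself is routine;
# it is flagged only when the value points into a user-writable directory.
RULES = [
    ("shadow_copy_deletion", "process", lambda e: SHADOW_RE.search(e["cmdline"])),
    ("event_log_cleared", "process", lambda e: LOGCLEAR_RE.search(e["cmdline"])),
    ("run_key_persistence", "registry",
     lambda e: RUNKEY_RE.search(e["key"]) and USER_WRITABLE_RE.search(e["value"])),
    ("startup_folder_persistence", "file", lambda e: STARTUP_RE.search(e["path"])),
]

def detect(events):
    """Return one (host, rule_name) pair per matching event, in input order."""
    hits = []
    for ev in events:
        for name, etype, pred in RULES:
            if ev["type"] == etype and pred(ev):
                hits.append((ev["host"], name))
    return hits

def hosts_by_severity(events, min_rules=2):
    """Hosts on which at least min_rules distinct behaviours fired; persistence combined
    with recovery sabotage is far more ransomware-specific than either alone."""
    per_host = {}
    for host, name in detect(events):
        per_host.setdefault(host, set()).add(name)
    return sorted(h for h, names in per_host.items() if len(names) >= min_rules)
```

Running `detect(SAMPLE_EVENTS)` yields four hits, three of them on ws01, and `hosts_by_severity(SAMPLE_EVENTS)` escalates only ws01, where persistence and shadow copy deletion coincide.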
Ransom32 and 7ev3n

Ransom32 is believed to be the first ransomware written in JavaScript. The malware itself is larger than the others at 22MB, and it uses NW.js, which allows it to perform operations similar to other ransomware written in C++ or Delphi. Ransom32 is considered revolutionary because it can theoretically run on multiple platforms, such as Linux, Mac OS X and Windows. 7ev3n ransomware has begun to attract attention in the past few months. At 13 bitcoin, it probably has the highest ransom demand of any ransomware. 7ev3n not only performs the typical encrypt-then-ransom routine, it also damages the Windows system. The malware developers appear to be heavily focused on ensuring that 7ev3n can defeat any method of recovering encrypted files.
7ev3n-HONE$T was subsequently released, lowering the ransom demand and adding some useful features.

Locky

In 2016, the malware authors of EDA2 and Hidden Tear publicly released their source code on GitHub, claiming to do so for research purposes; attackers quickly copied the code and made custom changes, resulting in a large number of ransomware variants. The notorious Locky ransomware was also discovered in 2016. Locky spread quickly through phishing campaigns and by exploiting the Dridex infrastructure. Locky also made headlines for infecting hospitals across the United States. Attackers soon discovered that compromised healthcare organizations were quick to pay ransoms, so phishing emails carrying ransomware downloaders were widely distributed across the healthcare industry.

SamSam

SamSam or SAMAS ransomware was discovered being distributed specifically to vulnerable JBoss servers. The attacker first performs reconnaissance on the JBoss server with the JexBoss tool, then exploits the vulnerability and installs SamSam. Unlike other ransomware, SamSam contains a channel that allows attackers to communicate with victims in real time through a .onion website.

KeRanger

The first official Mac OS X ransomware, KeRanger, was discovered in 2016 and was delivered via the Transmission BitTorrent client for OS X. The ransomware was signed with a Mac developer certificate, allowing it to bypass Apple's Gatekeeper security software.

Petya

Petya, which became widespread in 2016, is delivered via Dropbox and overwrites the infected machine's master boot record (MBR), then encrypts the physical drive itself. It displays a fake CHKDSK prompt while encrypting the drive. If the ransom of $431 is not paid within 7 days, the fee is doubled. A Petya update contains a second payload, a variant of the Mischa ransomware that does not encrypt the hard drive.
Maktub

Maktub was also discovered in 2016 and shows that ransomware developers are trying to create very advanced variants. Maktub is the first ransomware to use a crypter, software used to hide or encrypt malware code. Maktub leverages the Windows CryptoAPI to perform offline encryption, rather than using C2 to retrieve and store encryption keys.

Jigsaw

The Jigsaw ransomware uses the popular Jigsaw character from the SAW film series in its ransom message and threatens to delete files every 60 minutes if a $150 ransom is not paid. Additionally, 1,000 files will be deleted if the victim attempts to stop the process or restart the computer.

CryptXXX

At the end of May 2016, CryptXXX was the latest widely distributed ransomware. Researchers believe it is related to the Reveton ransomware variant because of a similar footprint during the infection phase. CryptXXX is spread via multiple exploit kits, primarily Angler, and is commonly observed following Bedep infections. Its features include, but are not limited to, anti-sandbox detection, mouse activity monitoring, customized C2 communication protocols, and payment via Tor.

ZCryptor

Microsoft published an article detailing a new ransomware variant, ZCryptor. In addition to its tweaked functionality (such as encrypting files, adding registry entries, etc.), ZCryptor is also considered the first cryptoworm. Distributed via spam emails, it has self-replication techniques to infect external devices as well as other systems, encrypting every machine and shared drive.

The future of ransomware?

Experts predict that we will continue to see multiple new variants in 2016, and that only a few of these variants will have a significant impact, depending on the malware writers and the cyber gangs involved.
As ransomware writers continue their development efforts, updating pre-existing ransomware or creating new families, we predict that increased flexibility and persistence will become the ransomware standard. If ransomware gains this ability, it will be a global nightmare. The recent use of crypters suggests that ransomware writers are aware that many researchers are trying to reverse engineer their software, and that this reverse engineering and analysis is driving ransomware developers to improve their variants.