The Evolution of Disruption: How Ransomware Has Changed the Face of Disruption

A History Lesson on Ransomware

The first known instance of what we now know as ransomware was seen in 1989. This first attempt was a poorly executed endeavor to extort $189 from the victims, but it was quickly discovered that recovering the files did not require the “tool” offered. The world and concept of ransomware remained relatively quiet for many years until two researchers Adam L. Young and Moti Yung wrote an academic treatise on the subject in 1996. In their paper and research, they demonstrated the fatal flaw in the first ransomware. The issue was using symmetric encryption which meant the encryption key was in the code of the first Trojan, so extraction of the data with the proper key was possible.

Their paper and proof of concept showed how the use of public key cryptography would eliminate this flaw by only including the public encryption key in the source code. The treatise also discussed how anonymously collecting the ransom money was exceedingly difficult without cryptocurrency like Bitcoin and even though Bitcoin did not exist at this time, they hypothesized of using “e-currency” to raise funds from the attacks.

Then it All Changed

For about ten years after that, the world of extortion supporting software (e.g. ransomware) stayed relatively quiet with only a few unsuccessful attempts. By mid-2006 there were new strains introduced such as Gpcode, Archiveus, Krotten, and Cryzi. However, that quickly changed in 2013 with the introduction of CryptoLocker ransomware.

Cryptolocker was the first major ransomware contender that used Bitcoin as a payment method. It is estimated that between October and December of 2013 the perpetrators gained upwards of $23 million worth of ransom payments. This was the beginning of ransomware becoming a major money-making enterprise for criminals because of Bitcoin’s inherently anonymous nature. Since these attacks have grown exponentially across the world and have impacted every industry.

Some enterprising criminals even taken it a step further by introducting ransomware-as-a-service (RaaS), which is exactly what it sounds like…pay for the use of a ransomware and give the owner some percentage of the takings. But, in general, the effects of an infection were not dramatically changed: infect the machine, encrypt the data, and demand money. Until recently there’s been a focus on quality and customer service. Now, most of the major ransomware strains are designed well enough that data is recoverable but only if the victim pays the to receive the appropriate keys to decrypt their data.

The “Customer” is Not the Focus Anymore

Recently there has been a dramatic shift away from customer service focused criminal attacks to straightforward disruption and destruction. In late May of 2017, we saw the WannaCry ransomware that was possibly the first example of ransomware that primarily did not focus was collecting money. It is less obvious in the case of WannaCry as with the Petya/NotPetya attack we will discuss shortly. However, WannaCry was not designed very well concerning money collection. They only had three hardcoded Bitcoin wallet addresses and only managed to collect around $130,000 despite reports of tens of thousands of infections around the world. These are oddities on the world of ransomware, and it seems pretty likely that this was an attack by a well-funded hacker group or possibly a nation-state. Wannacry was nothing compared to the malicious disruptive effect that Petya/NotPetya caused.

Petya/NotPetya, A Poorly Disguised Attack.

In the last week of June, a major revision of the known Petya ransomware emerged. Using vulnerabilities stolen from the NSA and parts of a standard open source hacking tool called MimiKatz. They used these tool just like a professional hacker would to spread across networks on which infected machines were. With the goal of infecting as many systems possible using known vulnerabilities to steal legitimate usernames and passwords from infected systems.

Peta/NotPetya malware deviated from its predecessors in that the ransom collecting features appear to just be a distraction from its real purpose, mayhem, and disruption. This is believed to be the case since this version of the malware does not appear to have a reliable method of collecting ransom and the methods of encrypting files are quite destructive. Because of these characteristics, it is widely believed that this most recent large-scale malware attack was a thinly veiled disruptive attack masquerading as ransomware targeting organizations in . Despite its limited target Petya affected 2,000 entities in 64 countries. Some particular attacks of note were the popular dictation software Nuance, the DLA Piper law firm, and several hospitals including this one in West Virginia.

What Can We Expect Going Forward?

This is certainly a disturbing trend, and there is a good chance this is the just the beginning. Many nation-states, including those that are not friendly towards the United States, have been investing heavily in armies of cyber hackers and analysts. This, coupled with the fragile state that many networks and systems are in, the constant zero-day vulnerabilities are increasing in number. The success that these early attacks have seen will likely lead to more attacks of this nature.

Organizations that desire to protect their critical information assets from these disruptive malware variants should take necessary precautions now, starting with adopting a sound cybersecurity strategy. This cannot be accomplished by any one fix, technology, or action. Instead, it requires a layered and comprehensive approach to security and awareness training as well as due diligence to keep on top of the quickly shifting sands that are the global web-based threats.

August 15th, 2017|

About the Author:

John Nye
John Nye is Vice President of Cybersecurity Strategy for CynergisTek and has spent the majority of the last decade working in Information Security, half that time working exclusively as a professional penetration tester. Besides testing and improving security, John has a passion for educating and informing the public. He accomplishes this by presenting hacking demos regularly at industry conferences and groups as well as writing blog posts for CynergisTek and industry publications. Nye’s specialties include Wireless, web, and system penetration testing, user education and public speaking, information assurance, security auditing, policy compliance and writing, and security research and analysis. Some of his industry certifications include CISSP, Licensed Penetration Tester (LPT) and Certified Ethical Hacker (CEH).