Ransomware was all over the media last year, but the scourge that haunts Windows users has been around for more than a decade, a new study says.
In the study, entitled Ransomware: Past, Present and Future, Trend Micro researchers point out that the very first cases of ransomware infection were seen in Russia between 2005 and 2006.
At that time, the attackers were zipping up files with certain extensions — apart from those in the Windows system and system32 directories — adding a password to the zipped file and deleting the originals.
The malware then created a text file with the ransom demand, which at that time was US$300.
In later years, ransomware variants began to diversify, with the ability to infect mobile phones and even the master boot record on a Windows computer. The latter would prevent the operating system from loading.
Number of known ransomware families that encrypt business-related files, 2016.
Some attackers used what came to be called fake anti-virus to scare their would-be victims. Simply put, this worked by sending a pop-up to the screen and claiming that there were numerous forms of malware on the PC in question, Trend Micro senior architect Dr Jon Oliver told iTWire.
Also conveniently provided was a box where the user could input their credit card details in order to supposedly pay for a program that would get rid of all the malware alleged to be on the machine.
In reality, once the user had entered the card details and clicked OK, the only thing that happened was that the malware deleted itself, as the attackers had achieved their aim: stealing the credit card details.
Another ruse, which persists to this day, was to use bogus notices from law enforcement authorities. This was often used on porn sites, Oliver said, with a pop-up appearing and claiming that the user in question was going to get into trouble for accessing child porn.
Then, again credit card details were extracted, and the pop-ups disappeared. (Graph above, right shows number of newly added ransomware families, 2016.)
A switch to targeting small and medium-sized businesses rather than individuals started in 2015, according to the study.
Oliver said these categories of businesses were the easiest to target: they lacked sophisticated IT staff, they were quick to pay up and they rarely made a noise about it. The chances of retaliation were minimal.
Business models had changed over the years, with ransomware now available as a service. "The ransomware-as-a-service business model made it possible for cyber criminals to offer their malicious creations to others for a fee or a cut of the buyers’ profits," the study said.
"Ransomware do-it-yourself kits were also sold in underground markets and/or forums. And those who are short on budget can even frequent Web repositories where open-source ransomware like Hidden Tear can be had free of charge."
Oliver also pointed out that the tactics used by ransomware authors had been refined. There were cases where tax-related files would be encrypted close to the deadline for filing tax returns.
"In such cases, the victims are much more inclined to pay up, and quickly too," he said.
Or there were cases where computer-aided design files were locked by ransomware. If these design files were needed close to the deadline for submission, once again extortion was made much easier, Oliver said.
Asked why the study did not go into much more detail about the history of ransomware, he said it had been primarily designed to show that the fuss over ransomware was real; to this end, there was a comprehensive list of all the ransomware that Trend Micro had tracked and the kind of files each one would lock.
"People must realise that we are not trying to scare the daylights out of them," he said. "These security concerns are not hype. These threats are very real."
The conclusion of the study does not offer much hope. "It will not be surprising if ransomware change in a few years," the authors write. "In terms of potential, they can evolve into malware that disable entire infrastructure (critical not only to a business’s operation but also a city’s or even a nation’s) until the ransom is paid.
"Cyber criminals may soon look into approaches like hitting industrial control systems and other critical infrastructure to paralyse not just networks, but ecosystems. A key area that could become a bigger target for cyber criminals are payment systems, as seen with the Bay Area Transit attack in 2016 where the service provider’s payment kiosks were targeted with ransomware.
"The return on investment and ease with which cyber criminals can create, launch, and profit from this threat will ensure it continues in the future."
Images: courtesy Trend Micro.