Ransomware is a type of malware that sneaks inconspicuously onto a victim’s computer and encrypts the files until the victim pays a ransom to decrypt them. Ransomware attacks are generally carried out via trojans. A trojan horse (or simply, “trojan”) is any program that disguises itself in order to get a user to install or execute it. Trojans often masquerade as system or software updates, macros or other software add-ons. Ransomware attacks vary in severity, ranging from a simple “lock” screen that demands payment, to encrypting the victim’s files and demanding a ransom to decrypt them, to encrypting the computer’s Master File Table (MFT) or the entire hard drive.
Though there have been many recent high-profile attacks, ransomware has been around for quite some time.
- The “AIDS” trojan ransomware attack took place in 1989 and was spread via floppy disk; it triggered when infected users rebooted their computers, encrypting their files and asking for a $189 “licensing fee”. Fast-forward to 2005 through mid-2006, and various trojans such as Gpcode, TROJ.RANSOM.A, Archiveus, Krotten, Cryzip, and MayArchive began using RSA encryption with ever-increasing key sizes.
- In early 2012, the ransomware known as Reveton spread worldwide. This type of attack masqueraded as a warning from a law enforcement agency claiming the computer was being used for illegal activities such as downloading child pornography or violating copyright laws. To unlock the system, the victim had to pay a “fine” to the supposed authorities using cash cards or Bitcoin.
- CryptoLocker is one of the more notorious and widespread ransomware attacks. In late 2013, CryptoLocker targeted Windows computers and spread via infected email attachments. Once activated, the malware encrypted specific files stored on local and mounted network drives using 2048-bit RSA public-key cryptography. The malware threatened to delete the private key needed to decrypt the data, and displayed a message with instructions and a deadline for paying the ransom through Bitcoin or pre-paid cash cards. If the victim refused to pay, the malware would offer to decrypt the data via an online service for a significantly higher price. In late 2014, CryptoLocker was isolated by Operation Tovar, the US Department of Justice action that took down the Gameover ZeuS botnet used to distribute the malware. It is estimated that victims paid over $300 million in ransom.
- CryptoWall became a popular clone of CryptoLocker. One strain of CryptoWall was distributed as part of a malvertising campaign that targeted several major websites. The ads redirected victims to rogue websites that used browser plugin exploits to download the payload, thus infecting the user’s computer. Another CryptoWall strain spread via infected email attachments. This sneaky malware evaded detection by requiring users to visit a web page and enter a CAPTCHA code before the payload was actually downloaded.