Citrix Blogs

On the Origin of Ransomware Species

It is not the strongest of the species that survives, nor the most intelligent, but the one that’s most responsive to change.

In the IT world, one of the best examples of perpetual change is security, especially the darker side of it. Sometimes, its evolution takes an unexpected twist (case in point: killer parrot or vegetarian vulture), but it generally morphs into smarter, faster, and more dangerous species over time. In this blog post, I’m going to take a look at the evolution of ransomware – a still relatively new, but already deadly species.

Ransomwarus Primus
The first specimen. And it was already ugly.

The core principle of the ransomware industry is pretty straightforward: It’s the desire to make money by demanding ransom. While there are a few exceptions (destructive, usually politically motivated attacks, like NotPetya), this has been the primary motivation behind ransomware. What was the first specimen like? Who created it and why?

The first ransomware (called “PC Cyborg,” but also known as AIDS or Aids Info Disk) was released in 1989. Its distribution method was rather primitive — it was distributed on floppy disks by the postal service. The disk was labeled “AIDS Information — Introductory Diskettes” and 20,000 copies were sent to attendees of an AIDS conference organized by the World Health Organization.

After installation, it would modify a machine’s AUTOEXEC.BAT file and, after 90 boots, encrypt the names (not content) of the files on the disk. To decrypt files, users would have to send $189 to a P.O. box in Panama.

Here comes an unexpected twist: This first species of ransomware wasn’t created by a hacker or a professional programmer, but by an evolutionary biologist — Dr. Joseph L. Popp — with a PhD from Harvard. Dr. Popp was actively involved in AIDS research and claimed that he planned to donate the profits to AIDS educational programs. He had been working on his plan for almost 2 years and was planning to send an additional 2 million disks.

Dr. Popp was later declared insane and unfit to stand trial. True story: After PC Cyborg had its day, he wrote a controversial book about evolution (Popular Evolution), spent 15 years studying baboons in East Africa, and then opened a butterfly sanctuary in upstate New York (still open).

Ransomwarus Dissimulatio
The next variation added teeth.

The work of Dr. Popp had one fatal weakness. He used symmetric cryptography, meaning that his encryption and decryption keys were the same and could be extracted from the Trojan itself. As a result, universal decryption tools were available soon after the infection. This was not desired behavior for adversaries; the goal for them was to make sure that each victim was unique, and that data could not be recovered until the ransom was paid.

The ransomware species had to evolve. What they needed to achieve was to attack the victim, paralyze it, and create a scenario where removal of the parasite would have worse consequences than just leaving it in place. Victims would stay trapped in this forced, symbiotic relationship until ransom was paid — and the parasite was finally released.

If the previous paragraph reminds you of a face hugger from the Alien movie franchise, you’re not far off the mark, as that was exactly the motivation for Adam L. Young and Moti Yung in 1995, when they presented the idea of using asymmetric cryptography for decryption.

With asymmetric cryptography, the attacker generates a key pair. A public key is stored in the cryptovirus, while a private key stays with the attacker. After a computer is infected, the cryptovirus will generate a new random symmetric key and use it to encrypt all files on its disk. Finally, this newly-generated key gets locked inside an encrypted archive using the public key of the attacker and is completely removed from the victim’s machine.

After the ransom is paid, the victim sends this encrypted archive to the attacker. He then uses his private key to open it, extract the session key and send it back. Since the key is symmetric, the same key that was used for encryption can be used for decryption. It’s not as complicated as it sounds – ransomware encrypts all files and then puts the key in a box that can be opened only by the attacker, leaving no traces behind.

The result? A system where each infected machine requires a unique key and even the attacker cannot decrypt the files without the session key. If one victim pays the ransom, he cannot share his unlock key with anyone else. The private key is never shared with the victim. This idea, presented over 20 years ago, is now at the core of every cryptovirus.
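The key handling described above is ordinary hybrid (envelope) encryption, the same construction TLS and PGP use, and seeing it in code makes clear why a responder with a full disk image still cannot build a universal decryptor. The following Go program is an added example written for this post, not code from the original article or from any of the malware it discusses; it uses only the Go standard library (RSA-OAEP to wrap a per-machine AES-256-GCM session key) and the names `Seal`, `UnwrapSessionKey` and `Open` are this example's own. The sample data is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// Envelope is everything that remains on the encrypted machine: the ciphertext,
// the AES-GCM nonce, and the session key wrapped under the key holder's RSA
// public key. The plaintext session key is deliberately absent.
type Envelope struct {
	Nonce      []byte
	Ciphertext []byte
	WrappedKey []byte
}

// GenerateKeyPair creates the long-lived RSA pair. In the scheme the post
// describes, only the public half is ever shipped; the private half never is.
func GenerateKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Seal is the hybrid step: a fresh random AES-256 session key encrypts the
// data, RSA-OAEP wraps that key under the public key, and the plaintext key is
// wiped. Every call draws a new session key, so no two envelopes share one and
// a key recovered from one machine helps nobody else.
func Seal(pub *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	sessionKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, sessionKey); err != nil {
		return nil, err
	}
	// Zero the key bytes on exit; the cipher's expanded key schedule below is
	// still garbage-collected memory, which a careful sealer would also drop.
	defer func() {
		for i := range sessionKey {
			sessionKey[i] = 0
		}
	}()
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	ciphertext := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{Nonce: nonce, Ciphertext: ciphertext, WrappedKey: wrapped}, nil
}

// UnwrapSessionKey is the one step only the private-key holder can perform.
// Any other key, including one from a different infection, fails OAEP decoding.
func UnwrapSessionKey(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
}

// Open decrypts with a recovered session key. The key is symmetric, so the
// same key that sealed the data opens it, and GCM rejects tampered ciphertext.
func Open(sessionKey []byte, env *Envelope) ([]byte, error) {
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

func main() {
	holder, err := GenerateKeyPair()
	if err != nil {
		panic(err)
	}
	data := []byte("constructed sample: quarterly-report.xlsx") // stands in for a file
	env, err := Seal(&holder.PublicKey, data)
	if err != nil {
		panic(err)
	}
	// An unrelated key pair models anyone who is not the holder of the private key.
	stranger, _ := GenerateKeyPair()
	if _, err := UnwrapSessionKey(stranger, env); err != nil {
		fmt.Println("without the holder's private key the session key stays locked:", err)
	}
	key, err := UnwrapSessionKey(holder, env)
	if err != nil {
		panic(err)
	}
	plain, err := Open(key, env)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered with the holder's key: %s\n", plain)
}
```

The contrast with PC Cyborg is the `WrappedKey` field: in a symmetric-only design the equivalent of `sessionKey` is a constant inside the program, so one extraction yields a decryptor for every copy. Here the only copy that leaves the machine is wrapped under a public key, and the defender's realistic options shrink to backups, stopping the sealing step before it runs, or catching the key in memory while `Seal` is still executing.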

Ransomwarus Secretum
The next variation added mimicry.

The second evolution cycle of ransomware made it a lot more dangerous. It could no longer be easily removed and, usually, the only way a victim could recover their files was to pay the ransom or restore them from a backup – if available. As a result, the number of “customers” that were willing to pay increased dramatically.

One of the principles of successful businesses is to make it as easy as possible for customers to pay for services. Take, for example, one-click purchases, which remove all the obstacles between the customer’s purchase and their bank account. This principle is no different for ransomware authors, but they want, at the same time, to remain anonymous.

This poses a particular challenge for ransomware authors: The first variant asked that a money order be sent to a P.O. Box in Panama; later variants often used premium SMS messages, prepaid gift cards, or various money transfer services.

What was it that cryptoviruses needed to evolve further? The answer: cryptocurrency, a simple, decentralized digital currency that’s anonymous. The FBI predicted back in 2012 that cryptocurrency would attract cybercriminals. The first such ransomware was CryptoLocker in 2013 and it was extremely successful. It’s believed that CryptoLocker successfully extorted close to $3 million USD, with another variation – CryptoWall – extracting about $18 million (FBI estimates).

Ransomwarus Rapidus
The next variation added wings.

Ransomware was adapting well to its new environment. It had mastered the art of paralyzing its victims and extorting their money; however, it was still inefficient in its distribution. Most ransomware relies on distribution through emails and browsers, targeted at users through spam or phishing attacks. While this approach has always been dangerous, it has never been truly catastrophic, as single users were the targets rather than whole organizations.

This all changed in 2017 with WannaCry. WannaCry was still relying on a phishing attack for the initial infection – but then it spread through networks using an SMB vulnerability. This exploit (EternalBlue) was leaked by the Shadow Brokers hacker group in April 2017, and only 28 days later, it was weaponized as part of WannaCry. It was used again in the NotPetya cyberattack and as part of the Retefe banking Trojan.

EternalBlue allowed ransomware to spread massively without any interaction from the users (aside from the initial infection). Defenders had to be right 100 percent of the time, while attackers needed to find just one weak entry point.

Ransomwarus Mortiferum
Just when the caterpillar thought the world was over, it became a butterfly.

The malware industry is part of this new, organized crime — and “organized” is an important part of the story to understand. The dark side of the internet is more rational than most of us realize and it follows basic economic principles. According to the 2017 Data Breach Investigations Report (DBIR) from Verizon, 93 percent of breaches have financial or espionage-related motives, meaning cybercriminals now have motivation to become more effective and dangerous.

As they say, there is honor among thieves. To this end, it’s incumbent on cybercriminals to behave professionally; victims need to know that there is relatively low risk of paying a ransom and not receiving a valid decryption key. Ransomware creators want to maintain good reputations, otherwise future victims will be less likely to pay. It is also important to understand that the supply chain of ransomware is not as simple as most people think — chances are that your computer has been infected by a botnet network, run by one cybercriminal group or another, which was hired by another criminal to deliver a payload that was bought from a third criminal (and might have included an exploit bought from somewhere else). If the distributors cannot trust the ransomware creator, they’ll simply switch to another vendor. Many of these networks are well organized and even offer professional helpdesk assistance. If this is new to you, I highly recommend the book Spam Nation by Brian Krebs.

Now, how might ransomware authors evolve in the next generation? Let’s apply some economic principles to increase the impact. The goal for them is to find the ransomware equilibrium – the highest price that victims are willing to pay – and then find any variables that can further move the equilibrium to benefit the malware authors.

Reach more people faster

WannaCry already showed us that self-replicating ransomware can be far more dangerous than older variations of ransomware. In the future, we can expect that ransomware will focus more on using zero-day exploits and that time to weaponization (actively using a new vulnerability) will shorten dramatically.

Even with older variations, ransomware is a profitable business. The more profitable it becomes, the more sophisticated and complex threats we are going to encounter. If a cybercriminal group expects that ransomware can earn between 5 and 10 million dollars, paying $500,000 for a zero-day vulnerability makes economic sense.

Another possibility might be that they use other distribution methods. For example, NotPetya used the update mechanism of Ukrainian tax software. At DEF CON 2017, a technique was presented that could spread the malicious code even to sites that don’t have an internet connection.

Reduce the decision time

Time is an important factor in making the decision whether or not to pay. Ransomware often displays a countdown on the screen, trying to force people into action before they have a chance to change their minds. For example, CryptoLocker would increase its ransom to a hefty 10 BTC after a certain deadline ($100,300 USD at the time of this writing).

What could ransomware authors do to increase the price of their demands? Increase the time pressure.

There is a reason that ransomware is especially scary for the healthcare industry: Ransomware accounts for 72 percent of malware incidents (DBIR). What if it takes over a patient’s insulin pump? Or worse, stays dormant while taking control of cardiopulmonary bypass? The consequences could be dire.

Look around your home. Ransomware could target your IoT-controlled HVAC system, stay dormant, and turn off cooling or heating only when extreme weather conditions are detected.

These are not new types of attacks, but if the next generation of ransomware is smart and stays dormant for an extended period of time, time, as a decision-making factor, could become more important. As many security companies are using machine learning (ML) to improve their defensive mechanisms, attackers are doing the same – and using ML to learn the right time to strike could have horrible consequences.

Increase the value of the target

The ransom demanded should never exceed the value of the target. Attackers can also focus on other targets that are perhaps more valuable, reducing the number of infections but greatly increasing the ransom demanded.

What if a whole building is held hostage, locking down all doors and preventing access to anyone? What if we start seeing ransomware focused on industrial control systems (ICS) that could potentially poison an entire city? We could start seeing ransom demands in the millions rather than in the hundreds of dollars.

Eliminate the primary response

Ransomware today is mostly based on the encryption of documents and files; however, nothing prevents it from evolving further. Based on research from Malwarebytes (and my experience is consistent with this), about 71 percent of businesses are addressing ransomware through backups rather than through defense.

I don’t believe this should be the only strategy. Especially with the rise of mobile ransomware, we might soon start seeing inverted attacks – instead of preventing access to data, ransomware could threaten to release it publicly, whether it’s private data (e.g., photos, logon credentials, or messages) or business data (e.g., accounting numbers, emails). We might even have to pay a double ransom — one to gain access to our files and another to prevent the rest of the world from seeing them.

Backup and recovery won’t be sufficient protection against these new attacks, and a proactive approach is needed.

Extinction of Ransomwarus?

We cannot expect ransomware to become extinct anytime soon. Even the current generation has a huge potential for malware authors to extort money; future generations will be even more dangerous.

Education of end users is always important and should not be undervalued; however, with more sophisticated attacks, even educated users can fall victim. And this doesn’t cover users that were infected through self-replicating malware without any action on their side.

Current approaches mostly consist of basic protection — antivirus, patching, and backups. While all of these are critical, they should be considered only a small part of the ransomware strategy.

Today, the prevalent method to attack a network is to exploit the humans by having them open a dangerous attachment or click on a link. Using an isolated, well-protected secure browser and email client is a great protection against ransomware. Together with Bitdefender, we’ve put together a technical whitepaper focused on this type of deployment: Secure Browsing – powered by Citrix XenApp, Citrix XenServer Direct Inspect APIs and Bitdefender HVI.

The second (and related) strategy is the recommendation to implement security zones with different trust levels. With a new generation of self-replicating ransomware, it is important to stay in control and minimize the impact, with the ability to recover a whole segment of the company if needed. I wrote about this topic previously and I’m a big believer in the security benefits of this approach. You can read more in my blog post, “Unsinkable”: The Myth of Foolproof IT Security.

Instead of focusing only on recovery, companies need to better understand the different stages of the ransomware kill chain and apply a defense-in-depth strategy. I’m planning another blog post on this topic in the upcoming weeks, describing the different stages of the lifecycle and what the best protection is for each. Now is a good time to decide — you can either start preparing for the next wave of ransomware attacks, or you should start stashing bitcoins for unnecessary ransom payments…
