The Evolution of Ransomware

By Dodi Glenn, VP of Cyber Security at PC Pitstop

A recent study titled, "Battling the Big Hack," by IT professional network Spiceworks, found that 80% of organizations experienced an IT security incident in 2015, with 53% of respondents having a concern for ransomware in 2016. But, how did we get here? And how can we avoid these growing attacks in the coming year and beyond?

In general, all ransomware pretty much works the same in that it tries to extort money from a user, but each variation of it does something slightly different. This article discusses the history of ransomware from the first known ransomware to GPCode (RSA encryption schemes), CryptoLocker (Bitcoin transactions), Cryptowall (targeting Windows), and Locky with many others in between. We'll close out the discussion with 2016 ransomware predictions, as well as how to mitigate future malware attacks.

What is Ransomware?

The name ransomware, derived from the words ransom and software, refers to malicious software designed to extort money from a victim, either by holding specific files hostage or by locking the entire computer until a ransom is paid.

Hackers realize that victims are willing to pay to obtain access to their files, specifically ones which hold important content, such as photos, documents, or security keys. Additionally, they know that once the ransomware has been developed, for the most part, the system will remain low maintenance. The miscreants are aware that this crime does not involve credit card fraud, which typically requires mules or cloners, making financial transactions much easier.

The security industry isn't the only group concerned with the exponential growth of ransomware. Recent Google Trend searches show that computer users across the world are interested in ransomware.

A recent search on the term "ransomware" using Google Trends. (Source: Google)

The Start of Something Evil

Pakistani Brain was the first MS-DOS ransomware developed by two brothers in Pakistan, Basit and Amjad Farooq Alvi. They embedded some computer code into their heart monitoring software program, which contained a special ransom message, instructing a user to call them if they see a ransom warning. The warning was supposed to stop and track illegal copies of the disk.

The message stated, "Welcome to the Dungeon 1986 Brain & Amjads (pvt). BRAIN COMPUTER SERVICES 730 IZANAMI BLOCK ALLAMA IQBAL TOWN LAHORE-PAKISTAN PHONE: 430791,443248,280530. Beware of this VIRUS.... Contact us for vaccination...".

Boot sector of an infected floppy disk. (Source: Wikipedia)

PC Cyborg/AIDS

AIDS, also called PC Cyborg or Aids Info Disk, was a Trojan horse that replaced the AutoExec.bat file used in Windows. Once an infected machine had booted 90 times, the malware would begin hiding directories and encrypting filenames on the C: drive. Once this completed, the victim would be told to renew their license by contacting PC Cyborg Corporation. They would then be instructed to send a payment of $189 USD to a post office box located in Panama. AIDS is sometimes regarded as the first true ransomware, since it was designed to be malicious from the very start.

AIDS ransomware notification. (Source: Fortinet, Inc.)

Archiveus and GPCode

In 2006, two more ransomware families were introduced to the cyber world. The first, called Archiveus, was a Trojan designed to encrypt a user's files. If the user wanted to decrypt the files, they would need to obtain a specific password by making a purchase from one of three online drug stores. In May 2006, someone cracked the ransomware and found out the password to decrypt the files: mf2lro8sw03ufvnsq034jfowr18f3cszc20vmw.

The first version of GPCode was designed to encrypt the victim's files by using a custom written encryption routine. However, the author of the malware didn't create a very strong cryptographic algorithm, so the encryption was easily cracked. Victims didn't have to pay the ransom since they could easily decrypt the files.

Cashing In

During 2010-2011, security researchers noticed an uptick in the amount of ransomware applications. Many attributed this to ransomware being particularly effective in extorting money out of people and companies. Hackers realized that people are willing to pay. Unfortunately, paying the ransom only adds more fuel to the fire, and allows newer, more difficult to detect, malware to be written.

Top 10 Ransomware (June-November 2015). (Source: Microsoft)


Rather than holding individual files hostage, malware authors began creating software which would lock a user's entire Windows computer, forcing victims to pay the ransom in order to regain access to their computers. This was a very successful endeavor and yielded a significant amount of revenue for the hackers. However, the security industry soon realized that most of these could be defeated by simply booting into Safe Mode or using a bootable CD to bypass and remove the ransomware.

A typical lock screen purporting to be from the Department of Justice. (Source: PCWorld)

The Age of Cryptos

Over the last 3 years, Crypto ransomware, or ransomware that encrypts files on the computer, has changed frequently. In 2013, we first saw a ransomware called CryptoWall, which was basically a clone of CryptoLocker. The authors behind CryptoWall essentially took code from another ransomware application and created a very basic but working ransomware.

In 2014, we spotted CryptoDefense, which was the second iteration of CryptoWall. However, thankfully for the victims, this version had a bug in it, where the encrypted files were easily decrypted.

Also in 2014, we saw CryptoWall 1.0 come to light, which was the official ransomware known as "CryptoWall" by the miscreants. This version was interesting in that it had correctly implemented the public and private key pair system, ensuring files remained locked with a relatively strong encryption layer.

In the latter part of 2014, CryptoWall 2 was discovered. One of the major changes was in the way it communicated with the command and control server. Instead of using a proxy to connect into Tor, this version connected directly into Tor to retrieve its instructions on what to do, or to report back to "home base."

CryptoWall 3.0, seen in early 2015, had a few new changes, primarily around anonymization. The malware authors used the I2P protocol, an anonymous network layer.

CryptoWall 4.0 was first seen in late 2015, where its authors removed the versioning of their files. This put a damper on tracking various versions of CryptoWall campaigns since it wasn't always clear as to what version security experts were tracking.

TeslaCrypt ransomware costs $500 USD to decrypt. (Source: PC Pitstop)

A New Player: Locky

The Locky ransomware isn't any more or less advanced than any other ransomware, however, what makes it notable is how fast it is spreading across the digital highway. According to Forbes, Locky is infecting at least 90,000 computers per day.

Locky is delivered via two reliable mechanisms. One method is via spam emails, which rely on social engineering. Another is via exploit kits, where the hacker relies on the victim's computer not having the latest security patches.

Regardless of how Locky is installed on a computer, its ultimate modus operandi is to seek out as many files on the computer as possible and encrypt them with a very strong encryption layer, RSA-2048 and AES-128. If the victim wants access to the locked files, which can be identified by the .locky file extension, they must pay a ransom of roughly $200-400 USD, or 0.5 to 1 Bitcoin.

Locky ransomware instructions for how to decrypt files. (Source: PC Pitstop)

Like several other ransomware variants, Locky will try to delete the shadow copies of files on the disk to make recovery more difficult. Additionally, some variants of Locky have been seen trying to encrypt files stored on network shares or shared drives, which allows Locky to encrypt many more files than are stored on the local machine. Administrators often store backups or other important files on network shares.
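
Shadow-copy deletion is one of the few loud, host-observable steps in this behaviour, which makes it a useful detection point. The following is an added example written for this article, not PC Pitstop code: it evaluates constructed process-creation events (Sysmon Event ID 1 style field names) against two rules for the built-in Windows shadow-copy tools and raises the severity when the parent process runs from a user-writable path. The field names, paths and sample events are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed process-creation events with Sysmon Event ID 1 style field names.
# These records were written for this example; they are not real telemetry.
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\vssadmin.exe",
     "CommandLine": "vssadmin.exe Delete Shadows /All /Quiet",
     "ParentImage": "C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.exe"},
    {"Image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "CommandLine": "wmic shadowcopy delete",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"Image": "C:\\Windows\\System32\\vssadmin.exe",
     "CommandLine": "vssadmin.exe List Shadows",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"Image": "C:\\Program Files\\BackupTool\\backup.exe",
     "CommandLine": "backup.exe --full D:\\",
     "ParentImage": "C:\\Windows\\System32\\services.exe"},
]

# (rule name, image file name, pattern over the command line)
RULES = [
    ("vssadmin_delete_shadows", "vssadmin.exe",
     re.compile(r"\bdelete\s+shadows\b", re.IGNORECASE)),
    ("wmic_shadowcopy_delete", "wmic.exe",
     re.compile(r"\bshadowcopy\s+delete\b", re.IGNORECASE)),
]

# Parent processes launched from these locations are treated as more suspicious:
# a freshly delivered payload typically runs from a user-writable directory.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\users\\public\\", "\\downloads\\")


@dataclass
class Alert:
    rule: str
    severity: str
    command_line: str
    parent: str


def evaluate(event: dict) -> Optional[Alert]:
    """Return an Alert if the event matches a shadow-copy deletion rule."""
    image = event["Image"].lower()
    cmd = event["CommandLine"]
    parent = event.get("ParentImage", "")
    for name, exe, pattern in RULES:
        if image.endswith("\\" + exe) and pattern.search(cmd):
            severity = "high" if any(p in parent.lower() for p in USER_WRITABLE) else "medium"
            return Alert(name, severity, cmd, parent)
    return None


def scan(events) -> List[Alert]:
    """Evaluate every event and keep only the ones that produced an alert."""
    return [a for a in (evaluate(e) for e in events) if a is not None]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert.severity}] {alert.rule}: {alert.command_line} (parent: {alert.parent})")
```

Listing shadow copies (the third event) is legitimate administrative activity and is deliberately not matched; an administrator deleting them from an interactive shell is reported at medium severity so it can be triaged against change records rather than dropped.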

Locky is becoming more complex and far-reaching. We are seeing an increase in the amount of Locky ransomware attempting to execute on our customers' computers. This ransomware is becoming more common this year as its operators advance the technology and take on new distribution strategies, including:

  • Recently modifying the DGA (Domain Generating Algorithm) so that the Command and Control servers are different each day.
  • Creating a new variant of Locky that attacks network shares and other attached storage, using blank/null credentials or the locally logged in user credentials.
  • While they are sticking to as the server, they are registering multiple domains.
  • Partnering with the Exploit Kit (EK) developers to bundle Locky. With this, we can expect to see a drastic increase in the number of samples being distributed via exploits and spam.
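
The daily-changing DGA domains in the first bullet leave a trace on the DNS side: a single host resolving a burst of long, consonant-heavy, high-entropy names that nobody typed. The example below is added here; it is not from the article or PC Pitstop, and it does not reconstruct Locky's actual algorithm. It scores each queried name on three simple features and reports clients that resolved several such names. The log format and the domain names are constructed for the example.

```python
import math
from collections import Counter, defaultdict
from typing import Dict, List

# Constructed DNS query log: "timestamp client queried_name". The names were made
# up for this example; they are not real Locky command-and-control domains.
SAMPLE_DNS_LOG = """\
2016-03-01T08:00:01 10.0.0.12 www.example.com
2016-03-01T08:00:02 10.0.0.12 mail.example.com
2016-03-01T08:00:05 10.0.0.12 xkqvwplrzmtbyd.biz
2016-03-01T08:00:05 10.0.0.12 qzjrhwvkxmptln.ru
2016-03-01T08:00:06 10.0.0.12 bvtxkqzrlwjpmd.pw
2016-03-01T08:00:07 10.0.0.12 hjkwzqvxbtrlmp.info
2016-03-01T08:00:09 10.0.0.12 cdn.example.net
2016-03-01T08:01:00 10.0.0.40 wikipedia.org
2016-03-01T08:01:02 10.0.0.40 github.com
"""

VOWELS = set("aeiou")


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character over the label's character distribution."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(domain: str) -> str:
    # Simplifying assumption: the label left of the last one is the registered
    # name. Production code should consult the Public Suffix List (co.uk, etc.).
    labels = domain.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def dga_score(domain: str) -> int:
    """Count of DGA-like features (0-3) for the registrable label."""
    label = registrable_label(domain)
    letters = [c for c in label if c.isalpha()]
    if not letters:
        return 0
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    score = 0
    score += shannon_entropy(label) >= 3.5   # near-uniform spread of characters
    score += vowel_ratio < 0.2               # unpronounceable
    score += len(label) >= 12                # long, as algorithmic names tend to be
    return score


def analyze(log_text: str, min_score: int = 2, min_hits: int = 3) -> Dict[str, List[str]]:
    """Clients that resolved at least min_hits distinct DGA-like names."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, name = line.split()
        if dga_score(name) >= min_score:
            hits[client].add(name.lower())
    return {client: sorted(names) for client, names in hits.items() if len(names) >= min_hits}


if __name__ == "__main__":
    for client, names in analyze(SAMPLE_DNS_LOG).items():
        print(f"{client}: {len(names)} DGA-like lookups, e.g. {names[0]}")
```

A single high-scoring name is weak evidence on its own (CDN and cloud hostnames with hashed labels score badly too), which is why the verdict is per client over a count of distinct names; in practice you would also maintain an allowlist for known infrastructure and correlate with NXDOMAIN responses, since most of a DGA's daily candidates are never registered.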

Not Just a Microsoft Problem

The evolution of ransomware travels beyond Windows machines, also targeting Android and Mac devices.

It was only a matter of time until malware authors expanded their targets to include other devices, such as Android phones and tablets. Taking notes from prior successful campaigns, hackers created special versions of ransomware, which, when installed, would lock an Android device. They made the malware look like it was from the FBI, a similar tactic used in Windows ransomware.

Typically, the authors would convince the user to download and install an application, allowing them to watch a movie online. However, much to the dismay of the victim, this actually delivered the ransomware. The device would remain locked until the ransom was paid, or the phone was restored from a known good image.

Mac users are not immune to being victims of ransomware. Most recently, a ransomware called Keranger was discovered by Palo Alto Networks researchers. This piece of malware was bundled into a known good application, called Transmission, by hackers. Transmission is an open source BitTorrent client allowing users to communicate over a peer-to-peer file sharing network.

Keranger was considered the first fully functional ransomware developed for Mac operating systems. The two infected Transmission installers were signed by a Turkish company with the ID: Z7276PX673. This is important to note because the ID of the original developer of Transmission is different.
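
A Team ID that differs from the one a developer has always used is something a defender can check for before trusting a downloaded bundle. The example below is added here and is not Palo Alto Networks' or the Transmission project's code: it parses text in the format of `codesign -dv --verbose=4` and compares the TeamIdentifier against a value pinned per bundle identifier. The bundle identifier, the pinned "legitimate" Team ID and the command output are placeholders constructed for the example; only Z7276PX673 comes from the article.

```python
from typing import Dict, Tuple

# Pinned Team IDs per bundle identifier. Both values are PLACEHOLDERS constructed
# for this example; pin the real developer's Team ID from a build you trust.
EXPECTED_TEAM_IDS = {
    "org.example.transmission": "PLACEHOLDER",
}

# Constructed text in the format of `codesign -dv --verbose=4 <bundle>`, for an
# installer signed under the Team ID the article attributes to the Turkish company.
SAMPLE_CODESIGN_OUTPUT = """\
Executable=/Applications/Transmission.app/Contents/MacOS/Transmission
Identifier=org.example.transmission
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20200 size=1234 flags=0x0(none) hashes=30+3 location=embedded
Signature size=8915
Authority=Developer ID Application: Placeholder Company (Z7276PX673)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=Z7276PX673
"""

# codesign prints this (to stderr) for a binary that carries no signature at all.
SAMPLE_UNSIGNED_OUTPUT = "/Applications/Transmission.app: code object is not signed at all\n"


def parse_codesign(output: str) -> Dict[str, object]:
    """Pull the identifier, Team ID and certificate chain out of codesign output."""
    info: Dict[str, object] = {"identifier": None, "team_id": None, "authorities": []}
    for line in output.splitlines():
        if "code object is not signed at all" in line:
            info["unsigned"] = True
        elif line.startswith("Identifier="):
            info["identifier"] = line.split("=", 1)[1].strip()
        elif line.startswith("TeamIdentifier="):
            info["team_id"] = line.split("=", 1)[1].strip()
        elif line.startswith("Authority="):
            info["authorities"].append(line.split("=", 1)[1].strip())
    return info


def check_signature(output: str, expected=EXPECTED_TEAM_IDS) -> Tuple[str, str]:
    """Return (verdict, detail). Verdicts: ok, unsigned, unknown_identifier,
    not_developer_id, team_id_mismatch."""
    info = parse_codesign(output)
    if info.get("unsigned"):
        return "unsigned", "no code signature present"
    ident = info["identifier"]
    if ident not in expected:
        return "unknown_identifier", f"no pinned Team ID for {ident}"
    chain = info["authorities"]
    # A Developer ID signature chains leaf -> Developer ID CA -> Apple Root CA.
    if not chain or chain[-1] != "Apple Root CA" or not chain[0].startswith("Developer ID Application:"):
        return "not_developer_id", f"unexpected chain: {chain}"
    if info["team_id"] != expected[ident]:
        return "team_id_mismatch", f"signed by {info['team_id']}, expected {expected[ident]}"
    return "ok", f"{ident} signed by pinned Team ID {info['team_id']}"


if __name__ == "__main__":
    print(check_signature(SAMPLE_CODESIGN_OUTPUT))
    print(check_signature(SAMPLE_UNSIGNED_OUTPUT))
```

To use it against a real bundle, capture `codesign -dv --verbose=4 /path/to/App.app 2>&1` (codesign writes this report to stderr) and pass the text to `check_signature`. Pinning the Team ID catches exactly the Keranger case, where the signature was valid but belonged to the wrong developer; a valid chain alone would have passed.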

After Keranger is installed on a computer, it silently waits for 3 days before it begins attacking specific files on the computer. Like much Windows ransomware, Keranger targets files which are typically of value to the victim, such as .doc, .ppt, and .jpg. In addition to these extensions, Keranger targets 300 other extensions.

Once the encryption process is completed, the victim is presented with an option of either having their files encrypted indefinitely, or unlocking their files by paying 1 Bitcoin (BTC), or roughly $400 USD.

According to Palo Alto Networks, the hackers behind Keranger have some more tricks up their sleeves, and are trying to target Time Machine backup files so that the victim cannot restore their files. The solution in this case would be to ensure you have a backup stored offline, and not connected to your computer.

Apple has since revoked the certificate and the infected builds of Transmission were removed. New versions of Transmission were coded to actively look for Keranger, removing it if found.

OS X alerting the user of the infected installer. (Source: Palo Alto Networks)

The End of Ransomware?

Due to the success of prior campaigns, ransomware will not go away any time soon. Hackers and other criminal organizations recognize the value people place on their files, and will continue creating fully undetected variants of ransomware in order to take money from computer users and companies.

Best Practices

There are several ways computer users can protect themselves from ransomware. One way is to ensure regular backups of important files and data. Additionally, these backups should be tested, to make sure they actually work. Computer users and corporations should also consider using an offsite backup location, which stores files outside of their network.
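
A backup that has never been restored is an assumption, not a control. The following added example (written for this article, not PC Pitstop's code) makes the "test your backups" advice concrete: build a SHA-256 manifest of the source tree at backup time, then verify a restored copy against that manifest and report what is missing or changed. The file tree is constructed inside a temporary directory so the script runs offline.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path
from typing import Dict


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root) -> Dict[str, str]:
    """Map each file's path (relative, POSIX style) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest: Dict[str, str], restored_root) -> dict:
    """Compare a restored tree against the manifest taken at backup time."""
    restored = build_manifest(restored_root)
    missing = sorted(k for k in manifest if k not in restored)
    changed = sorted(k for k in manifest if k in restored and restored[k] != manifest[k])
    extra = sorted(k for k in restored if k not in manifest)
    return {"missing": missing, "changed": changed, "extra": extra,
            "ok": not missing and not changed}


def restore_drill(corrupt: bool = True) -> dict:
    """Constructed end-to-end drill: source tree -> backup copy -> restore -> verify.
    With corrupt=True the restore loses one file and alters another, which is the
    failure the verification must catch."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "source")
        (src / "docs").mkdir(parents=True)
        (src / "docs" / "report.doc").write_bytes(b"quarterly report (constructed)")
        (src / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0 constructed jpeg bytes")
        (src / "keys.txt").write_bytes(b"constructed key material")
        manifest = build_manifest(src)          # taken at backup time; store it off-host

        backup = Path(tmp, "backup")
        shutil.copytree(src, backup)

        restored = Path(tmp, "restored")
        shutil.copytree(backup, restored)
        if corrupt:
            (restored / "keys.txt").unlink()
            (restored / "photo.jpg").write_bytes(b"not the original bytes")
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    result = restore_drill()
    print("restore OK" if result["ok"] else f"restore FAILED: {result}")
```

Keep the manifest with the offline or offsite copy rather than on the protected host: if ransomware rewrites the files before the next backup runs, the previous manifest is also what tells you that the newest backup set is already encrypted and that an older one must be restored instead.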

Computer users also need to ensure their operating system, third party applications, and antivirus programs are updated on a regular basis. These layers of defense, while not bulletproof, help in protecting a computer from being attacked.

Educating users about these best practices, as well as what to look out for, will also help in preventing these attacks.

2016 Ransomware Predictions

  • The ransom demanded to decrypt files will continue to increase to support the criminal organizations behind the ransomware.
  • Ransomware itself will become more difficult to remove, and will use more exploits and exploit kits to get a foothold into the system.
  • Office macros will continue to be used, since many people are unaware of the ramifications of enabling a malicious macro.
  • Underground networks will provide one-stop shops for building and hosting ransomware, allowing anyone with little to no knowledge of ransomware to "cash in" on the campaign.
  • The Tor network will continue to be used, and Bitcoins will continue to be accepted, to anonymize the transactions as much as possible.

From a legal perspective, the criminals' infrastructure will be taken down. However, very few people, if any, will be directly prosecuted. Once the hackers' networks are taken down, they will bring new systems online. This cat-and-mouse game will continue indefinitely.

Related Reading

Deadly Dridex Gang Muscles Into Ransomware Racket

New Ransomware Hidden in Word Docs: Locky Ransomware Is Loaded with Professional Grade Malware

About the Author

Dodi Glenn has over ten years' experience in the cyber security industry, specializing in security risk assessment, programming, firewalls, malware/targeted attacks, antivirus, and more. He is currently vice president of cyber security at PC Pitstop. Dodi has led several initiatives in malware research, software development, software testing, and product management as the Senior Director of Security and Research Labs for ThreatTrack Security, Anti-Virus Lab Manager at Sunbelt Software, and Product Manager at GFI Software. He is on the Board of Directors for the Anti-Malware Testing Standards Organization (AMTSO), a member of AVPD (Anti-Virus Product Developers Consortium), ICSA (International Computer Security Association), VB (Virus Bulletin), and a reporter for

© Copyright 2016 Auerbach Publications