BSides Dundee 2022 - Cian Heasley
❏ Cian Heasley - Threat Hunter by trade
❏ Blogs technical at www.bluetangle.dev
❏ Runs @realhackhistory on YouTube & Twitter
❏ Archery, bowling & detective novels
History of the event itself
Context flare 🔥
Ransom retrieval method
1st December, 1981 - “America's Cup floppies held to ransom”
“A stolen package of floppy disks holding sensitive telemetry data from one of the America's Cup syndicates has been recovered after being held to ransom through a hacker's bulletin board.”
This was one of the first instances of data being held for ransom that I could find.
The only source I tracked down for this story, however, was a 1986 post on Risks Digest; the original 1981 article was from “Computing Australia”.
“Computing Australia” reported that the 17 disks were originally ransomed through a bulletin board called “Inter-State Connect”, with a hacker group called “TechHack” involved in negotiations. In the end the disks were retrieved with no payment made.
12th February, 1990 - Joseph Louis Popp Jr arrested
AIDS, also known as the PC Cyborg Trojan, was a Trojan horse that replaced AUTOEXEC.BAT, which it then used to count the number of times the computer had booted. Once a certain boot count was reached, AIDS would hide directories and encrypt the names of files, rendering the system unusable.
The “license agreement” displayed to victims included the line “the most serious consequences of your failure to abide by the terms of this license agreement; your conscience may haunt you for the rest of your life”.
Joseph Louis Popp Jr was charged in the UK but declared mentally unfit to stand trial and returned to the US.
When the boot count for an infected system reached 90 the user was asked to 'renew the license' and contact ‘PC Cyborg Corporation’ for payment. The method of license payment involved sending US $189 to a post office box in Panama.
15th September, 1995 - Hackers
The 1995 movie “Hackers” includes the “Da Vinci” virus, a computer virus created and unleashed by the villain “The Plague” to distract the authorities from his own electronic fraud.
The “Da Vinci” virus in the movie was an early form of fictional ransomware in that it carried a demand for payment in return for the unimpeded function of certain computerised systems, in this case the ballasts of internet-guided oil tankers at sea.
VIRUS
“Unless five million dollars are transferred to the following numbered account in seven days, I will capsize five tankers in the Ellingson fleet.”
25th May, 2005 - Trojan.Pgpcoder
“A unique new kind of malicious threat which locks up files on a PC then demands money in return for unlocking them has been identified.”
“Trojan holds PC files for ransom” (BBC, 2005)
Pgpcoder searched a victim's hard disk for 15 common file types, including images and Office files. It then encrypted the files with a custom, flawed encryption method, removed the originals and dropped a ransom note.
Initial infections were via Internet Explorer vulnerabilities exploited by malicious websites.
Ransom demands were originally between $20 and $70 (in Rubles), payable to a Yandex account. Later decryptors would cost $100 to $200 and were payable via E-Gold (a favourite payment processor of online criminals at the time, shut down in 2009) or Liberty Reserve (another favourite of online criminals, shut down by the US government in 2013).
2006 - Archievus
Archievus targeted Windows systems and encrypted the contents of the victim’s “My Documents” folder using 1024-bit Rivest-Shamir-Adleman (RSA) asymmetric encryption.
Archievus used a single 30-character password for all victims; once security researchers analysing the malware discovered it, that rather undermined the whole business model.
"mf2lro8sw03ufvnsq034jfowr18f3cszc20vmw"
“Victims are only told the password if they buy drugs from one of three online pharmacies.”
“Extortion virus code gets cracked” (BBC, 2006)
September 1st, 2010 - Winlock arrests in Moscow
“Police officers carried nearly 20 searches, in which they seized computer equipment and documents, proving their crime. All the ten members of the criminal family, caught, are young; all of them are Muscovites, computer operators.”
“Police Catches Hackers Spreading Viruses In Internet To Earn Money” (SPAMfighter, 2010)
WinLock, as the name suggests, did not encrypt a victim’s files but instead displayed a message, often with associated pornographic imagery, demanding that the victim pay a “fine” to regain the use of their computer.
It appears WinLock initially targeted Russia before going global over the course of about 3 years.
The developers of the Winlock malware allegedly earned one billion rubles in six months. Winlock displayed a message on the victim’s device and demanded a text to a US $10 - $30 premium-rate SMS number to get an unlock code, which was often never actually provided to victims.
2012 - Reveton, the “Police Ransom Virus”
“described as drive-by malware because unlike many viruses—which activate when users open a file or attachment—this one can install itself when users simply click on a compromised website. Once infected, the victim’s computer immediately locks, and the monitor displays a screen stating there has been a violation of federal law.”
“New Internet Scam” (FBI, 2012)
Reveton was a rudimentary, early RaaS (ransomware-as-a-service), with a referral program set up to encourage site owners to help spread the malware to their own visitors.
Reveton relied on insecure browsers, hitting Flash, Java or Adobe Reader vulnerabilities to garner victims, then serving a downloader which grabbed Reveton itself.
Reveton demanded payments at first via MoneyPak pre-paid debit cards and eventually graduated to Bitcoin as Bitcoin’s profile grew. Ransoms demanded were around US $100 in 2012.
4th June, 2014 - SimpleLocker, First Android Encryption Ransomware
“Eset reports that the Trojan - called Simplelocker - targets SD cards slotted into tablets and handsets, electronically scrambling certain types of files on them before demanding cash to decrypt the data.”
“Android Simplelocker ransomware encrypts SD card files” (BBC, 2014)
Simplelocker had a Tor onion-based C2 and AES-encrypted the following file types: jpeg, jpg, png, bmp, gif, pdf, doc, docx, txt, avi, mkv, 3gp, mp4.
Decrypter apps were created by security researchers soon after the release of Simplelocker.
Victims in Ukraine were instructed to pay 260 hryvnias ($22, £13) via the MoneXy cash transfer system or, as the ransom message stated, “in case of no PAYMENT YOU WILL LOSE ALL DATA ON your device”. Victims in Russia were charged about $30 in Rubles.
January, 2016 - SamSam, targeted ransomware arrives
“Friday’s FBI alert was focused on ransomware known as MSIL/Samas.A that the agency said seeks to encrypt data on entire networks, an alarming change because typically, ransomware has sought to encrypt data one computer at a time.”
“FBI wants U.S. businesses to help as cyber extortion gains urgency” (Reuters, 2016)
SamSam TTPs closely resemble what we think of as typical ransomware techniques now: brute-forcing public-facing RDP, then privilege escalation, living off the land (LotL) and lateral movement before encryption.
SamSam favoured targeted attacks against victims seen as being able to pay larger ransoms.
In 2017 the largest ransom paid to SamSam was huge by the measure of the time, US $64,000, via Bitcoin. Research in 2018 pointed to SamSam having taken in nearly US $6 million up to that point.
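Added example (not from the talk or the speaker): a small detection routine for the first SamSam step, brute-forcing public-facing RDP, run over constructed failed-logon records. The whitespace log format, the sample lines, the addresses and the names `SAMPLE_LOG`, `parse_line` and `detect_rdp_bruteforce` are all assumptions made for this example; real Windows Security exports carry many more fields, but the same two facts drive the logic: event 4625 is a failed logon, and logon type 10 is RemoteInteractive (RDP).

```python
"""Toy RDP brute-force detector for the initial-access step the SamSam slide
describes. Added example, not from the talk. Input is constructed Windows
Security log lines in an assumed, simplified whitespace format:
    <timestamp> <EventID> <LogonType> <TargetUser> <SourceIP>
Event 4625 = failed logon, 4624 = successful logon, logon type 10 =
RemoteInteractive (RDP). Real exports carry many more fields."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines; the addresses are documentation ranges.
SAMPLE_LOG = """\
2016-01-11T02:00:01Z 4625 10 administrator 198.51.100.7
2016-01-11T02:00:03Z 4625 10 admin 198.51.100.7
2016-01-11T02:00:04Z 4625 10 backup 198.51.100.7
2016-01-11T02:00:06Z 4625 10 sqlservice 198.51.100.7
2016-01-11T02:00:07Z 4625 10 administrator 198.51.100.7
2016-01-11T02:00:09Z 4624 10 administrator 198.51.100.7
2016-01-11T09:15:00Z 4625 10 jsmith 192.0.2.44
2016-01-11T09:15:30Z 4624 10 jsmith 192.0.2.44
2016-01-11T09:20:00Z 4625 3 svc_print 192.0.2.10
"""

FAILED_LOGON = "4625"
SUCCESS_LOGON = "4624"
RDP_LOGON_TYPE = "10"


def parse_line(line):
    """Split one assumed-format log line into a dict."""
    ts, event_id, logon_type, user, src = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "event_id": event_id,
        "logon_type": logon_type,
        "user": user,
        "src": src,
    }


def detect_rdp_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: finding} for sources with at least `threshold`
    failed RDP logons inside a sliding `window`. A successful RDP logon from
    a flagged source afterwards is marked, since that is the point at which
    a password-guessing burst becomes a foothold."""
    recent = defaultdict(deque)  # src -> (ts, user) of failures in window
    findings = {}
    for raw in log_text.strip().splitlines():
        ev = parse_line(raw)
        if ev["logon_type"] != RDP_LOGON_TYPE:
            continue  # only remote-interactive (RDP) logons matter here
        q = recent[ev["src"]]
        if ev["event_id"] == FAILED_LOGON:
            q.append((ev["ts"], ev["user"]))
            while q and ev["ts"] - q[0][0] > window:
                q.popleft()  # drop failures older than the window
            if len(q) >= threshold:
                f = findings.setdefault(ev["src"], {"failures": 0,
                                                    "distinct_users": 0,
                                                    "success_after": False})
                f["failures"] = max(f["failures"], len(q))
                f["distinct_users"] = max(f["distinct_users"],
                                          len({u for _, u in q}))
        elif ev["event_id"] == SUCCESS_LOGON and ev["src"] in findings:
            findings[ev["src"]]["success_after"] = True
    return findings


if __name__ == "__main__":
    for src, f in detect_rdp_bruteforce(SAMPLE_LOG).items():
        print(src, f)
```

On the sample, only 198.51.100.7 is reported: five failures across four account names in eight seconds, followed by a success, which is the pattern a threat hunter would want to see escalated. The single failure from 192.0.2.44 followed by a success is an ordinary typo, and the non-RDP failure is ignored. The threshold and window are the knobs to tune against your own baseline, and the distinct-user count helps separate password spraying from a user locked out of one account.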
28th November 2016 - San Francisco Municipal Transportation Agency ransomed
“Black Friday was a dark day for San Francisco's Municipal Transportation Agency, as an apparent crypto-ransomware infection spread across the Muni system's networks, taking down ticketing for Muni's train stations and systems used to manage the city's buses.”
“Ransomware locks up San Francisco public transportation ticket machines” (Ars Technica, 2016)
HDDCryptor ransomware infected 2,112 systems belonging to the Municipal Transportation Agency, leaving their screens displaying the message “You Hacked, ALL Data Encrypted. Contact For Key (cryptom27@yandex.com)ID:681, Enter.”
The operators of the ransomware demanded 100 Bitcoin (about $73,000 in November 2016) in exchange for restoration of Muni's data, according to a report from the San Francisco Examiner at the time.
12th May 2017 - Wannacry
“By Friday evening, the ransomware had spread to the United States and South America, though Europe and Russia remained the hardest hit, according to security researchers Malware Hunter Team. The Russian interior ministry says about 1,000 computers have been affected.”
“Massive ransomware cyber-attack hits nearly 100 countries around the world” (Guardian, 2017)
Wannacry spread to an estimated 300,000+ computers before it was stopped; damage estimates vary but hover around hundreds of millions of dollars.
Wannacry was able to spread so prolifically because of a stolen NSA exploit, EternalBlue.
Wannacry demanded a payment of around US $300 in Bitcoin if paid within three days, or US $600 within seven days, warning that "you have not so enough time." Three hardcoded Bitcoin addresses were used to receive the payments of victims.
25th August, 2017 - Bitpaymer ransomware targets NHS Lanarkshire
“All files are encrypted. We accept only bitcoins to share the decryption software for your network. Also, we have gathered all your private sensitive data. So if you decide not to pay anytime soon, we would share it with media's. It may harm your business reputation and the company's capitalization fell sharply.”
“Bit Paymer Ransomware Hits Scottish Hospitals” (BleepingComputer, 2017)
This is one of the events pinned as the origin, and popularization, of the “big game hunting” ransomware tactic: targeting specific organizations, taking time for maximum lateral movement and ransomware spread, with bigger ransom demands tailored to the affected org.
Bitpaymer is believed to have been run by the infamous ransomware group EvilCorp.
The ransom requested was 50 Bitcoins (around £168,155 or US $218,000 in 2017), a massive demand at that time.
21st November, 2019 - Allied Universal Breached by Maze, Stolen Data Leaked
“I uploaded some files from their network as the data breach proofs. If they dont begin sending requested money until next Friday we will begin releasing on public everything that we have downloaded from their network before running Maze”
“Allied Universal Breached by Maze Ransomware, Stolen Data Leaked” (BleepingComputer, 2019)
This is one of the events pinned as the origin, and later popularization, of the “double extortion” ransomware tactic: encrypted data plus the threat of leaking stolen data.
Maze were demanding 300 Bitcoins (approximately US $2.3 million at the time) for decryption of Allied Universal’s network and the deletion of stolen data.
5th December, 2019 - “Treasury Sanctions Evil Corp”
“Treasury is sanctioning EvilCorp as part of a sweeping action against one of the world’s most prolific cybercriminal organizations. This coordinated action is intended to disrupt the massive phishing campaigns orchestrated by this Russian-based hacker group”
“Treasury Sanctions Evil Corp, the Russia-Based Cybercriminal Group Behind Dridex Malware” (US Treasury, 2019)
The Department of Justice charged two of EvilCorp’s members with criminal violations, and the Department of State announced a reward of up to $5 million for information leading to the capture or conviction of EvilCorp’s leader Maksim Yakubets.
According to US government indictments EvilCorp is responsible for stealing more than $100 million from companies across 40 countries over the last decade or so.
7th May, 2021 - Darkside and Colonial Pipeline
“The biggest U.S. gasoline pipeline will not resume full operations for several more days due to a ransomware cyberattack blamed on a shadowy criminal network called DarkSide.
The attack on the Colonial Pipeline, which carries nearly half the fuel consumed along the U.S. East Coast, is one of the most disruptive digital ransom schemes ever reported.”
“Top U.S. fuel pipeline remains days from reopening after cyberattack” (Reuters, 2021)
DarkSide was able to infiltrate the network of Colonial Pipeline and exfiltrate 100 gigabytes of data for double extortion purposes.
While the pipelines were not physically affected, fuel flows were cut off because the company’s customer billing system was taken offline by the attack.
Darkside ransoms were generally in a range of US $200,000 to US $2 million. In the case of Colonial Pipeline it was reported that a US $5 million ransom was paid; Darkside then announced that it was disbanding.
9th May, 2022 - “Costa Rica declares national emergency after Conti ransomware”
“The Costa Rican President Rodrigo Chaves has declared a national emergency following cyber attacks from Conti ransomware group on multiple government bodies.
BleepingComputer also observed Conti published most of the 672 GB dump that appears to contain data belonging to the Costa Rican government agencies.”
“Costa Rica declares national emergency after Conti ransomware” (BleepingComputer, 2022)
Before folding their brand name, Conti had a very public conflict with the President of Costa Rica which escalated to threats to overthrow the government.
Ransomware wrecked Costa Rica’s Finance, Treasury and Customs ministries as well as severely damaging the systems of many other government departments.
Conti initially demanded US $10 million before going on to double the demand to US $20 million, in Bitcoin.
BSides Dundee 2022 - Cian Heasley
The Future? - Pure Exfiltration & Extortion Ransomware
“Karakurt victims have not reported
encryption of compromised machines
or files; rather, Karakurt actors have
claimed to steal data and threatened to
auction it off or release it
to the public unless they receive
payment of the demanded ransom”
“Karakurt Data Extortion Group” (FBI, CISA,
2022)
BSides Dundee 2022 - Cian Heasley
The Future? - Pure Exfiltration & Extortion Ransomware
“Karakurt victims have not reported
encryption of compromised machines
or files; rather, Karakurt actors have
claimed to steal data and threatened to
auction it off or release it
to the public unless they receive
payment of the demanded ransom”
“Karakurt Data Extortion Group” (FBI, CISA,
2022)
Groups like Karakurt are believed to be
offshoots of larger ransomware gangs,
who farm out access to victims that
would have been difficult to hit with
encryption but are still susceptible to
data theft and extortion.
“Known ransom demands have ranged from
$25,000 to $13,000,000 in Bitcoin, with
payment deadlines typically set to
expire within a week of first contact
with the victim”
“Karakurt Data Extortion Group” (FBI, CISA,
2022)
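Added example for the exfiltration-only model above; this is not code from the talk. A crew like Karakurt never encrypts, so there is no ransomware binary, mass file rename or ransom note to alert on, and the bulk outbound transfer itself becomes the event to hunt. The flow-log format, hosts, addresses, byte counts and per-host baselines below are all constructed for illustration; a real deployment would derive the baselines from its own NetFlow or proxy history.

```python
"""Flag hosts whose outbound volume to a single external destination dwarfs
their usual daily egress. Added example, not the talk's code; every input
below is constructed."""
import ipaddress
import re
from collections import defaultdict

# Constructed flow-summary lines, all from one day. Documentation address
# ranges (192.0.2.0/24 etc.) stand in for real internet destinations.
SAMPLE_FLOWS = """\
2022-05-02T09:14:03Z src=10.0.4.21 dst=10.0.9.5:445 bytes_out=18324511
2022-05-02T11:40:51Z src=10.0.4.21 dst=198.51.100.10:443 bytes_out=91222
2022-05-02T23:02:17Z src=10.0.4.21 dst=203.0.113.7:443 bytes_out=6442450944
2022-05-02T23:55:40Z src=10.0.4.21 dst=203.0.113.7:443 bytes_out=4294967296
2022-05-02T08:01:12Z src=10.0.7.14 dst=198.51.100.10:443 bytes_out=204800
2022-05-02T10:17:48Z src=10.0.7.14 dst=192.0.2.33:22 bytes_out=1048576
2022-05-02T13:30:00Z src=10.0.5.3 dst=192.0.2.50:443 bytes_out=734003200
2022-05-02T14:05:09Z src=10.0.12.80 dst=192.0.2.9:443 bytes_out=1500000000
this line is deliberately malformed and must be skipped
"""

# Constructed per-host baseline: typical external egress per day, in bytes.
# In practice this comes from weeks of your own NetFlow or proxy history.
BASELINE_BYTES = {
    "10.0.4.21": 250_000_000,   # ordinary workstation
    "10.0.7.14": 120_000_000,
    "10.0.5.3": 600_000_000,    # offsite-backup host, legitimately chatty
}

# Anything outside these ranges is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

FLOW_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+):(?P<port>\d+) "
    r"bytes_out=(?P<bytes>\d+)$"
)


def parse_flows(text):
    """Parse flow lines into dicts; malformed lines are skipped, not fatal."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            flows.append({"ts": m["ts"], "src": m["src"], "dst": m["dst"],
                          "port": int(m["port"]), "bytes": int(m["bytes"])})
    return flows


def is_external(ip):
    """Internal-to-internal copies are staging, not exfiltration (yet)."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def find_exfil_candidates(flows, baseline, ratio=10.0,
                          unknown_host_floor=1_000_000_000):
    """Return (src, dst, total_bytes, multiple_of_baseline), largest first,
    for every src->external-dst pair whose summed bytes_out exceeds
    ratio x that host's normal daily egress. A host with no baseline is
    judged against a fixed floor instead, so new assets are not invisible."""
    totals = defaultdict(int)
    for f in flows:
        if is_external(f["dst"]):
            totals[(f["src"], f["dst"])] += f["bytes"]
    hits = []
    for (src, dst), total in totals.items():
        reference = baseline.get(src)
        threshold = reference * ratio if reference else unknown_host_floor
        if total > threshold:
            multiple = round(total / (reference or unknown_host_floor), 1)
            hits.append((src, dst, total, multiple))
    return sorted(hits, key=lambda h: h[2], reverse=True)


if __name__ == "__main__":
    for src, dst, total, mult in find_exfil_candidates(
            parse_flows(SAMPLE_FLOWS), BASELINE_BYTES):
        print(f"{src} -> {dst}: {total / 2**30:.1f} GiB, {mult}x daily baseline")
```

On the constructed data the workstation that pushed 10 GiB to one external host overnight is flagged, the backup host is not because its baseline absorbs its normal volume, and the host with no baseline at all is still caught by the fixed floor. The per-host baseline is what keeps this usable: a flat global threshold either drowns the analyst in backup and CDN traffic or is set so high that a slow, week-long exfiltration never trips it.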
Cian Heasley on the History of Ransomware

  • 1. BSides Dundee 2022 - Cian Heasley
  • 2. ❏ Cian Heasley - Threat Hunter by trade ❏ Blogs technical at www.bluetangle.dev ❏ Runs @realhackhistory on YouTube & Twitter ❏ Archery, bowling & detective novels BSides Dundee 2022 - Cian Heasley
  • 3. BSides Dundee 2022 - Cian Heasley History of the event itself Context flare 🔥 Ransom retrieval method
  • 4. BSides Dundee 2022 - Cian Heasley 1st December, 1981 - “America's Cup floppies held to ransom” “A stolen package of floppy disks holding sensitive telemetry data from one of the America's Cup syndicates has been recovered after being held to ransom through a hacker's bulletin board.”
  • 5. BSides Dundee 2022 - Cian Heasley 1st December, 1981 - “America's Cup floppies held to ransom” “A stolen package of floppy disks holding sensitive telemetry data from one of the America's Cup syndicates has been recovered after being held to ransom through a hacker's bulletin board.” This was one of the first instances of data being held for ransom that I could find. The only source I tracked down for this story however was a post on Risks Digest, from 1986, the original 1981 article was from “Computing Australia”.
  • 6. BSides Dundee 2022 - Cian Heasley 1st December, 1981 - “America's Cup floppies held to ransom” “A stolen package of floppy disks holding sensitive telemetry data from one of the America's Cup syndicates has been recovered after being held to ransom through a hacker's bulletin board.” This was one of the first instances of data being held for ransom that I could find. The only source I tracked down for this story however was a post on Risks Digest, from 1986, the original 1981 article was from “Computing Australia”. “Computing Australia” reported that the 17 disks were originally ransomed through a bulletin board called “Inter- State Connect”, with a hacker group called “TechHack” involved in negotiations. In the end the disks were retrieved with no payment made.
  • 7. BSides Dundee 2022 - Cian Heasley 12th February, 1990 - Joseph Louis Popp Jr arrested AIDS, also known as PC Cyborg Trojan, was a Trojan horse that replaced AUTOEXEC.BAT, it would then be used by AIDS to count the number of times the computer has booted. Once a certain boot count was reached, AIDS would hide directories & encrypt the names of files, rendering the system unusable.
  • 8. BSides Dundee 2022 - Cian Heasley 12th February, 1990 - Joseph Louis Popp Jr arrested AIDS, also known as PC Cyborg Trojan, was a Trojan horse that replaced AUTOEXEC.BAT, it would then be used by AIDS to count the number of times the computer has booted. Once a certain boot count was reached, AIDS would hide directories & encrypt the names of files, rendering the system unusable. The “license agreement” displayed to victims included the line “the most serious consequences of your failure to abide by the terms of this license agreement; your conscience may haunt you for the rest of your life”. Joseph Louis Popp Jr was charged in the UK but declared mentally unfit to stand trial and returned to the US.
  • 9. BSides Dundee 2022 - Cian Heasley 12th February, 1990 - Joseph Louis Popp Jr arrested AIDS, also known as PC Cyborg Trojan, was a Trojan horse that replaced AUTOEXEC.BAT, it would then be used by AIDS to count the number of times the computer has booted. Once a certain boot count was reached, AIDS would hide directories & encrypt the names of files, rendering the system unusable. The “license agreement” displayed to victims included the line “the most serious consequences of your failure to abide by the terms of this license agreement; your conscience may haunt you for the rest of your life”. Joseph Louis Popp Jr was charged in the UK but declared mentally unfit to stand trial and returned to the US. When the number of boot times for an infected system reached 90 the user was asked to 'renew the license' and contact ‘PC Cyborg Corporation’ for payment. The method of license payment involved sending US $189 to a post office box in Panama.
  • 10. BSides Dundee 2022 - Cian Heasley 15th September, 1995 - Hackers The 1995 movie “Hackers” includes the “Da Vinci” virus, a computer virus created and unleashed by villain “The Plague” to distract the authorities from his own electronic fraud.
  • 11. BSides Dundee 2022 - Cian Heasley 15th September, 1995 - Hackers The 1995 movie “Hackers” includes the “Da Vinci” virus, a computer virus created and unleashed by villain “The Plague” to distract the authorities from his own electronic fraud. The “Da Vinci” virus in the movie was an early form of fictional ransomware in that it carried a demand for payment in return for the unimpeded function of certain computerised systems, in this case the ballasts of internet guided oil tankers at sea.
  • 12. BSides Dundee 2022 - Cian Heasley 15th September, 1995 - Hackers The 1995 movie “Hackers” includes the “Da Vinci” virus, a computer virus created and unleashed by villain “The Plague” to distract the authorities from his own electronic fraud. The “Da Vinci” virus in the movie was an early form of fictional ransomware in that it carried a demand for payment in return for the unimpeded function of certain computerised systems, in this case the ballasts of internet guided oil tankers at sea. VIRUS Unless five million dollars are transferred to the following numbered account in seven days, I will capsize five tankers in the Ellingson fleet.
  • 13. BSides Dundee 2022 - Cian Heasley 25th May, 2005 - Trojan.Pgpcoder “A unique new kind of malicious threat which locks up files on a PC then demands money in return for unlocking them has been identified.” “Trojan holds PC files for ransom” (BBC, 2005)
  • 14. BSides Dundee 2022 - Cian Heasley 25th May, 2005 - Trojan.Pgpcoder “A unique new kind of malicious threat which locks up files on a PC then demands money in return for unlocking them has been identified.” “Trojan holds PC files for ransom” (BBC, 2005) Pgpcoder searched a victim's hard disk for 15 common file types, including images & Office files. It then encrypted the files with a custom, flawed encryption method, removed the originals & dropped a ransom note. Initial infections were via IE vulnerabilities exploited by malicious websites.
  • 15. BSides Dundee 2022 - Cian Heasley 25th May, 2005 - Trojan.Pgpcoder “A unique new kind of malicious threat which locks up files on a PC then demands money in return for unlocking them has been identified.” “Trojan holds PC files for ransom” (BBC, 2005) Pgpcoder searched a victim's hard disk for 15 common file types, including images & Office files. It then encrypted the files with a custom, flawed encryption method, removed the originals & dropped a ransom note. Initial infections were via IE vulnerabilities exploited by malicious websites. Ransom demands were originally between $20 - $70 (in Rubles), payable to a Yandex account. Later decryptors would cost $100 - $200 and were payable via E-Gold (a favourite payment processor of online criminals at the time, shut in 2009) or Liberty Reserve (another favourite of online criminals, shut down by the US govt in 2013)
  • 16. BSides Dundee 2022 - Cian Heasley 2006 - Archievus Archievus targeted Windows systems and encrypted the contents of the victim’s “My Documents” folder using 1024-bit Rivest-Shamir-Adleman (RSA) asymmetric encryption.
  • 17. BSides Dundee 2022 - Cian Heasley 2006 - Archievus Archievus targeted Windows systems and encrypted the contents of the victim’s “My Documents” folder using 1024-bit Rivest-Shamir-Adleman (RSA) asymmetric encryption. Archievus used a single 30 character password for all victims, once this was discovered by security researchers who analyzed the malware it kind of undermined the whole business model. "mf2lro8sw03ufvnsq034jfowr18f3cszc20vmw"
  • 18. BSides Dundee 2022 - Cian Heasley 2006 - Archievus Archievus targeted Windows systems and encrypted the contents of the victim’s “My Documents” folder using 1024-bit Rivest-Shamir-Adleman (RSA) asymmetric encryption. Archievus used a single 30 character password for all victims, once this was discovered by security researchers who analyzed the malware it kind of undermined the whole business model. "mf2lro8sw03ufvnsq034jfowr18f3cszc20vmw" “Victims are only told the password if they buy drugs from one of three online pharmacies.” “Extortion virus code gets cracked” (BBC, 2006)
  • 19. BSides Dundee 2022 - Cian Heasley September 1st, 2010 - Winlock arrests in Moscow “Police officers carried nearly 20 searches, in which they seized computer equipment and documents, proving their crime. All the ten members of the criminal family, caught, are young; all of them are Muscovites, computer operators.” “Police Catches Hackers Spreading Viruses In Internet To Earn Money” (SPAMfighter, 2010)
  • 20. BSides Dundee 2022 - Cian Heasley September 1st, 2010 - Winlock arrests in Moscow “Police officers carried nearly 20 searches, in which they seized computer equipment and documents, proving their crime. All the ten members of the criminal family, caught, are young; all of them are Muscovites, computer operators.” “Police Catches Hackers Spreading Viruses In Internet To Earn Money” (SPAMfighter, 2010) WinLock, as the name suggest, did not encrypt a victim’s files but instead displayed a message, often with associated pornographic imagery, demanding that the victim pay a “fine” to regain the usage of their computer. It appears WinLock initially targeted Russia before going global over the course of about 3 years.
  • 21. BSides Dundee 2022 - Cian Heasley September 1st, 2010 - Winlock arrests in Moscow “Police officers carried nearly 20 searches, in which they seized computer equipment and documents, proving their crime. All the ten members of the criminal family, caught, are young; all of them are Muscovites, computer operators.” “Police Catches Hackers Spreading Viruses In Internet To Earn Money” (SPAMfighter, 2010) WinLock, as the name suggest, did not encrypt a victim’s files but instead displayed a message, often with associated pornographic imagery, demanding that the victim pay a “fine” to regain the usage of their computer. It appears WinLock initially targeted Russia before going global over the course of about 3 years. The developers of the Winlock malware allegedly earned one billion rubles in six months, Winlock displayed a message on the victim’s device and demanded a text to a US $10 - $30 premium-rate SMS number to get an unlock code, often never actually provided to victims.
  • 22. BSides Dundee 2022 - Cian Heasley 2012 - Reveton, the “Police Ransom Virus” “described as drive-by malware because unlike many viruses—which activate when users open a file or attachment—this one can install itself when users simply click on a compromised website. Once infected, the victim’s computer immediately locks, and the monitor displays a screen stating there has been a violation of federal law.” “New Internet Scam” (FBI, 2012)
  • 23. BSides Dundee 2022 - Cian Heasley 2012 - Reveton, the “Police Ransom Virus” “described as drive-by malware because unlike many viruses—which activate when users open a file or attachment—this one can install itself when users simply click on a compromised website. Once infected, the victim’s computer immediately locks, and the monitor displays a screen stating there has been a violation of federal law.” “New Internet Scam” (FBI, 2012) Reveton was a rudimentary, early RaaS, with a referral program set up to encourage site owners to help spread the malware to their own visitors. Reveton relied on insecure browsers, hitting Flash, Java or Adobe Reader vulnerabilities to garner victims, then serving a downloader which grabbed Reveton itself.
  • 24. BSides Dundee 2022 - Cian Heasley 2012 - Reveton, the “Police Ransom Virus” “described as drive-by malware because unlike many viruses—which activate when users open a file or attachment—this one can install itself when users simply click on a compromised website. Once infected, the victim’s computer immediately locks, and the monitor displays a screen stating there has been a violation of federal law.” “New Internet Scam” (FBI, 2012) Reveton was a rudimentary, early RaaS, with a referral program set up to encourage site owners to help spread the malware to their own visitors. Reveton relied on insecure browsers, hitting Flash, Java or Adobe Reader vulnerabilities to garner victims, then serving a downloader which grabbed Reveton itself. Reveton demanded payments at first via MoneyPak pre-paid debit cards and eventually graduated on to Bitcoin as Bitcoin’s profile grew. Ransoms demanded were around US $100 in 2012.
  • 25. BSides Dundee 2022 - Cian Heasley 4th June, 2014 - SimpleLocker, First Android Encryption Ransomware “Eset reports that the Trojan - called Simplelocker - targets SD cards slotted into tablets and handsets, electronically scrambling certain types of files on them before demanding cash to decrypt the data.“ “Android Simplelocker ransomware encrypts SD card files” (BBC, 2014)
  • 26. BSides Dundee 2022 - Cian Heasley 4th June, 2014 - SimpleLocker, First Android Encryption Ransomware “Eset reports that the Trojan - called Simplelocker - targets SD cards slotted into tablets and handsets, electronically scrambling certain types of files on them before demanding cash to decrypt the data.“ “Android Simplelocker ransomware encrypts SD card files” (BBC, 2014) Simplelocker had a tor onion based C2 and it AES encrypted the following file types: jpeg, jpg, png, bmp, gif, pdf, doc, docx, txt, avi, mkv, 3gp, mp4. Decrypter apps were created by security researchers soon after the release of Simplelocker.
  • 27. BSides Dundee 2022 - Cian Heasley 4th June, 2014 - SimpleLocker, First Android Encryption Ransomware “Eset reports that the Trojan - called Simplelocker - targets SD cards slotted into tablets and handsets, electronically scrambling certain types of files on them before demanding cash to decrypt the data.“ “Android Simplelocker ransomware encrypts SD card files” (BBC, 2014) Simplelocker had a tor onion based C2 and it AES encrypted the following file types: jpeg, jpg, png, bmp, gif, pdf, doc, docx, txt, avi, mkv, 3gp, mp4. Decrypter apps were created by security researchers soon after the release of Simplelocker. Victims in Ukraine were instructed to pay 260 hryvnias ($22, £13) via the MoneXy cash transfer system or, as the ransom message stated, “in case of no PAYMENT YOU WILL LOSE ALL DATA ON your device”. Victims in Russia were charged about $30 in Rubles.
  • 28. BSides Dundee 2022 - Cian Heasley January, 2016 - SamSam, targeted ransomware arrives “Friday’s FBI alert was focused on ransomware known as MSIL/Samas.A that the agency said seeks to encrypt data on entire networks, an alarming change because typically, ransomware has sought to encrypt data one computer at a time.” “FBI wants U.S. businesses to help as cyber extortion gains urgency” (Reuters, 2016)
  • 29. BSides Dundee 2022 - Cian Heasley January, 2016 - SamSam, targeted ransomware arrives “Friday’s FBI alert was focused on ransomware known as MSIL/Samas.A that the agency said seeks to encrypt data on entire networks, an alarming change because typically, ransomware has sought to encrypt data one computer at a time.” “FBI wants U.S. businesses to help as cyber extortion gains urgency” (Reuters, 2016) SamSam TTPs closely resemble what we think of as typical ransomware techniques now. Brute forcing public facing RDP, privilege escalation, LoTL and lateral movement before encryption. SamSam favoured targeted attacks against victims seen as being able to pay larger ransoms.
  • 30. BSides Dundee 2022 - Cian Heasley January, 2016 - SamSam, targeted ransomware arrives “Friday’s FBI alert was focused on ransomware known as MSIL/Samas.A that the agency said seeks to encrypt data on entire networks, an alarming change because typically, ransomware has sought to encrypt data one computer at a time.” “FBI wants U.S. businesses to help as cyber extortion gains urgency” (Reuters, 2016) SamSam TTPs closely resemble what we think of as typical ransomware techniques now. Brute forcing public facing RDP, privilege escalation, LoTL and lateral movement before encryption. SamSam favoured targeted attacks against victims seen as being able to pay larger ransoms. In 2017 the largest ransom paid to SamSam was huge by the measure of the time, US $64,000, via Bitcoin. Research in 2018 pointed to SamSam having taken in nearly US $6 million up to that point.
  • 31–33. 28th November 2016 - San Francisco Municipal Transportation Agency ransomed
    “Black Friday was a dark day for San Francisco's Municipal Transportation Agency, as an apparent crypto-ransomware infection spread across the Muni system's networks, taking down ticketing for Muni's train stations and systems used to manage the city's buses.”
    “Ransomware locks up San Francisco public transportation ticket machines” (Ars Technica, 2016)
    HDDCryptor ransomware infected 2,112 systems belonging to the Municipal Transportation Agency, leaving their screens displaying the message “You Hacked, ALL Data Encrypted. Contact For Key (cryptom27@yandex.com)ID:681, Enter.”
    The operators of the ransomware demanded 100 Bitcoin (about $73,000 in November 2016) in exchange for restoration of Muni's data, according to a report from the San Francisco Examiner at the time.
  • 34–36. 12th May 2017 - WannaCry
    “By Friday evening, the ransomware had spread to the United States and South America, though Europe and Russia remained the hardest hit, according to security researchers Malware Hunter Team. The Russian interior ministry says about 1,000 computers have been affected.”
    “Massive ransomware cyber-attack hits nearly 100 countries around the world” (Guardian, 2017)
    WannaCry spread to an estimated 300,000+ computers before it was stopped; damage estimates vary but hover around hundreds of millions of dollars. WannaCry was able to spread so prolifically because of a stolen NSA exploit, EternalBlue.
    WannaCry demanded a payment of around US $300 in Bitcoin if paid within three days, or US $600 within seven days, warning that "you have not so enough time." Three hardcoded Bitcoin addresses were used to receive victims' payments.
  • 37–39. 25th August, 2017 - BitPaymer ransomware targets NHS Lanarkshire
    “All files are encrypted. We accept only bitcoins to share the decryption software for your network. Also, we have gathered all your private sensitive data.So if you decide not to pay anytime soon, we would share it with media's. It may harm your business reputation and the company's capitalization fell sharply.”
    “Bit Paymer Ransomware Hits Scottish Hospitals” (BleepingComputer, 2017)
    This is one of the events pinned as the origin, and popularization, of the “big game hunting” ransomware tactic: targeting specific organizations, taking time for maximum lateral movement and ransomware spread, and tailoring bigger ransom demands to the affected org. BitPaymer is believed to have been run by the infamous ransomware group EvilCorp.
    The ransom requested was 50 Bitcoins (around £168,155 or US $218,000 in 2017), a massive demand at that time.
  • 40–42. 21st November, 2019 - Allied Universal Breached by Maze, Stolen Data Leaked
    “I uploaded some files from their network as the data breach proofs. If they dont begin sending requested money until next Friday we will begin releasing on public everything that we have downloaded from their network before running Maze”
    “Allied Universal Breached by Maze Ransomware, Stolen Data Leaked” (BleepingComputer, 2019)
    This is one of the events pinned as the origin, and later popularization, of the “double extortion” ransomware tactic: encrypted data plus the threat of leaking stolen data.
    Maze were demanding 300 Bitcoins (approximately US $2.3 million at the time) for decryption of Allied Universal’s network and the deletion of stolen data.
  • 43–45. 5th December, 2019 - “Treasury Sanctions Evil Corp”
    “Treasury is sanctioning EvilCorp as part of a sweeping action against one of the world’s most prolific cybercriminal organizations. This coordinated action is intended to disrupt the massive phishing campaigns orchestrated by this Russian-based hacker group”
    “Treasury Sanctions Evil Corp, the Russia-Based Cybercriminal Group Behind Dridex Malware” (US Treasury, 2019)
    The Department of Justice charged two of EvilCorp’s members with criminal violations, and the Department of State announced a reward of up to $5 million for information leading to the capture or conviction of EvilCorp’s leader Maksim Yakubets.
    According to US government indictments, EvilCorp is responsible for stealing more than $100 million from companies across 40 countries over the last decade or so.
  • 46–48. 7th May, 2021 - DarkSide and Colonial Pipeline
    “The biggest U.S. gasoline pipeline will not resume full operations for several more days due to a ransomware cyberattack blamed on a shadowy criminal network called DarkSide. The attack on the Colonial Pipeline, which carries nearly half the fuel consumed along the U.S. East Coast, is one of the most disruptive digital ransom schemes ever reported.”
    “Top U.S. fuel pipeline remains days from reopening after cyberattack” (Reuters, 2021)
    DarkSide was able to infiltrate the network of Colonial Pipeline and exfiltrate 100 gigabytes of data for double extortion purposes. While the pipelines themselves were not physically affected, fuel flows were cut off because the company’s customer billing system was taken offline by the attack.
    DarkSide ransoms were generally in the range of US $200,000 to US $2 million. In the case of Colonial Pipeline it was reported that a US $5 million ransom was paid; DarkSide then announced that it was disbanding.
  • 49–51. 9th May, 2022 - “Costa Rica declares national emergency after Conti ransomware”
    “The Costa Rican President Rodrigo Chaves has declared a national emergency following cyber attacks from Conti ransomware group on multiple government bodies. BleepingComputer also observed Conti published most of the 672 GB dump that appears to contain data belonging to the Costa Rican government agencies.”
    “Costa Rica declares national emergency after Conti ransomware” (BleepingComputer, 2022)
    Before folding their brand name, Conti had a very public conflict with the President of Costa Rica which escalated to threats to overthrow the government. Ransomware wrecked Costa Rica’s Finance, Treasury and Customs ministries and severely damaged the systems of many other government departments.
    Conti initially demanded US $10 million before going on to double the demand to US $20 million, in Bitcoin.
  • 52–54. The Future? - Pure Exfiltration & Extortion Ransomware
    “Karakurt victims have not reported encryption of compromised machines or files; rather, Karakurt actors have claimed to steal data and threatened to auction it off or release it to the public unless they receive payment of the demanded ransom”
    “Karakurt Data Extortion Group” (FBI, CISA, 2022)
    Groups like Karakurt are believed to be offshoots of larger ransomware gangs, who farm out access to victims that might have been difficult to hit with ransomware encryption but are susceptible to exfiltration.
    “Known ransom demands have ranged from $25,000 to $13,000,000 in Bitcoin, with payment deadlines typically set to expire within a week of first contact with the victim” “Karakurt Data Extortion Group” (FBI, CISA, 2022)
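What the Maze, DarkSide and Karakurt slides have in common is that the leverage comes from data leaving the network before any demand is made, whether or not encryption follows. That makes egress volume the one telemetry source that covers double extortion and pure extortion alike. The detector below is an added example, not code from the talk or from any report it cites; it sums bytes out per internal host per day from constructed egress log lines and flags a day that dwarfs that host's own earlier days. The log format, hosts, addresses and volumes are all made up for the example.

```python
"""
Added example (not code from the talk or from any group named in it): detect
the bulk outbound transfer that precedes a double extortion or pure extortion
demand. Parses constructed egress log lines, totals bytes out per internal host
per day, and flags a day that is far above the host's own baseline or above a
hard limit. Log format, hosts, addresses and volumes are constructed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from statistics import median
from typing import List

# Constructed line format: ISO timestamp, then key=value fields.
LOG_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) bytes_out=(?P<bytes>\d+)$"
)

# Constructed sample: 10.20.1.15 normally sends tens of MiB a day and then
# pushes 100 GiB to one external address overnight; 10.20.1.22 is steady.
SAMPLE_LOG = """\
2021-05-04T09:12:01 src=10.20.1.15 dst=203.0.113.10 dport=443 bytes_out=52428800
2021-05-04T10:40:22 src=10.20.1.15 dst=203.0.113.11 dport=443 bytes_out=31457280
2021-05-05T08:55:41 src=10.20.1.15 dst=203.0.113.10 dport=443 bytes_out=41943040
2021-05-05T13:02:09 src=10.20.1.15 dst=203.0.113.12 dport=443 bytes_out=20971520
2021-05-06T22:41:33 src=10.20.1.15 dst=198.51.100.20 dport=443 bytes_out=42949672960
2021-05-06T23:58:10 src=10.20.1.15 dst=198.51.100.20 dport=443 bytes_out=64424509440
2021-05-04T09:00:00 src=10.20.1.22 dst=203.0.113.10 dport=443 bytes_out=10485760
2021-05-05T09:00:00 src=10.20.1.22 dst=203.0.113.10 dport=443 bytes_out=12582912
2021-05-06T09:00:00 src=10.20.1.22 dst=203.0.113.10 dport=443 bytes_out=9437184
"""

GIB = 1024 ** 3


@dataclass
class Finding:
    host: str
    day: str
    bytes_out: int
    baseline: int         # median of the host's earlier daily totals (0 if none)
    top_destination: str  # external address that received the most bytes that day


def daily_egress(log_text: str):
    """Return ({host: {day: total_bytes}}, {host: {day: {dst: bytes}}})."""
    totals = defaultdict(lambda: defaultdict(int))
    per_dst = defaultdict(lambda: defaultdict(lambda: defaultdict(int)))
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line; a real pipeline would count and alert on these
        n = int(m["bytes"])
        totals[m["src"]][m["day"]] += n
        per_dst[m["src"]][m["day"]][m["dst"]] += n
    return totals, per_dst


def detect_bulk_egress(log_text: str, ratio: float = 10.0,
                       min_bytes: int = GIB, hard_limit: int = 50 * GIB) -> List[Finding]:
    """Flag a host-day when bytes_out >= hard_limit, or when it is at least
    `ratio` times the median of that host's earlier days and also >= min_bytes
    (min_bytes keeps a quiet host's first modest upload from tripping the ratio).
    Thresholds are constructed defaults, not values from any published guidance."""
    totals, per_dst = daily_egress(log_text)
    findings: List[Finding] = []
    for host, days in totals.items():
        history: List[int] = []
        for day in sorted(days):           # chronological, so baseline only uses the past
            total = days[day]
            baseline = int(median(history)) if history else 0
            suspicious = total >= hard_limit or (
                baseline > 0 and total >= min_bytes and total >= ratio * baseline)
            if suspicious:
                dsts = per_dst[host][day]
                findings.append(Finding(host, day, total, baseline,
                                        max(dsts, key=dsts.get)))
            history.append(total)
    return findings


if __name__ == "__main__":
    for finding in detect_bulk_egress(SAMPLE_LOG):
        print(finding)
```

The per-host baseline matters more than the hard limit: a file server that legitimately replicates offsite every night will never trip a ratio rule, while a workstation that suddenly sends a hundred times its usual volume to a single new address will, even if the absolute number is modest. Recording `top_destination` turns the alert into something an analyst can act on immediately (block the address, pull the host) rather than a bare volume figure.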

Editor's Notes

  1. There was a lot of talk at the time of companies in Russia being complicit in the texts and malware transfer.
  2. SamSam was initially released in late 2015, but the version released in 2016 actually worked.