
The Untold Origins and Evolution of Ransomware


Introduction

Everyone knows what ransomware is and what it does, but only a few are aware of its origins and history. Over the next few blogs, we'll dive deep into the journey of ransomware, its transformation over the years, and the RaaS (Ransomware-as-a-Service) model.


The Real Definition of Ransomware

Many people still use the term "ransomware" to refer to what we should rather describe as an "encryptor payload." The ransomware payload is the portable executable (PE) file, typically a Windows executable (.exe) or a dynamic-link library (.dll), that performs the actual encryption. The distinction matters in practice: an .exe can be launched directly, while a DLL payload needs a loader (rundll32.exe, regsvr32.exe, or injection into another process), so the process that shows up in telemetry is often not the payload itself. A ransomware attack, by contrast, spans an entire campaign (initial access, privilege escalation, lateral movement, data theft, and only then payload deployment) and has become its own segment of the cybercrime ecosystem.
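The EXE-versus-DLL distinction is recorded in the PE header itself, in the COFF Characteristics field (the IMAGE_FILE_DLL bit). The following is an added example, not code from the original post: a minimal PE header walker that reports whether a sample is an EXE or a DLL, its bitness, and its subsystem (GUI lockers are normally WINDOWS_GUI). The sample input is a constructed, header-only x64 image built by build_minimal_pe(); it is not a real payload and will not load, it exists only so the parser can be exercised offline. The function names and the dictionary layout are this example's own choices.

```python
import struct

# COFF Characteristics flags, from the PE/COFF specification
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000

# Optional-header magic values and a few Subsystem codes
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
SUBSYSTEMS = {1: "NATIVE", 2: "WINDOWS_GUI", 3: "WINDOWS_CUI"}


def classify_pe(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> optional header and
    report whether the image is an EXE or a DLL, its bitness and subsystem."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE\\0\\0 signature")

    coff = e_lfanew + 4
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes)
    machine, _nsec, _ts, _symtab, _nsyms, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, coff
    )
    if not chars & IMAGE_FILE_EXECUTABLE_IMAGE:
        raise ValueError("COFF object file, not a linked image")

    opt = coff + 20
    if opt_size < 70:
        raise ValueError("optional header too short to carry a Subsystem field")
    magic = struct.unpack_from("<H", data, opt)[0]
    # Subsystem sits at offset 68 in both IMAGE_OPTIONAL_HEADER32 and 64
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]

    return {
        "kind": "DLL" if chars & IMAGE_FILE_DLL else "EXE",
        "bits": 64 if magic == PE32PLUS_MAGIC else 32,
        "machine": hex(machine),
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
    }


def build_minimal_pe(is_dll: bool, subsystem: int = 2) -> bytes:
    """Constructed sample: a header-only x64 PE with no sections. It is not
    loadable; it only exercises the parsing path above without a real binary."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    chars = IMAGE_FILE_EXECUTABLE_IMAGE | (IMAGE_FILE_DLL if is_dll else 0)
    opt_size = 240  # sizeof(IMAGE_OPTIONAL_HEADER64)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, chars)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<H", opt, 68, subsystem)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    for sample in (build_minimal_pe(False, 3), build_minimal_pe(True, 2)):
        print(classify_pe(sample))
```

On a real sample, read the file bytes and pass them to classify_pe(). A result of "DLL" tells the responder to look for the loader process (rundll32, regsvr32, or an injecting parent) in process telemetry rather than for the payload's own file name.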


The Evolution of Ransomware Payloads

Ransomware payloads have gone through various format changes over time:

  1. Lockers: Initially, we had "lockers," which essentially locked the machine from being used. Some of them were simple and bypassable, relying merely on Microsoft's BlockInput API function, which blocks keyboard and mouse input for as long as the calling process lives but cannot block the secure attention sequence (Ctrl+Alt+Del), so the lock disappears once the locker's process is killed.

  2. Disk Encryptors: Next came the "disk encryptors," which encrypt the whole disk or the structures the operating system needs to boot from it, so the disk can no longer be mounted and the machine will not start.

  3. File Encryptors: Eventually the move was made to file encryptors, often referred to as "cryptor payloads" today, which encrypt individual files and leave the operating system running so the victim can read the ransom note. On darknet forums, especially those frequented by Russian-speaking actors, cryptor payloads are still often referred to by the old term "lockers."


The Payment Evolution

The first phase of lockers typically relied on prepaid vouchers and gift cards (Ukash, Paysafecard, and MoneyPak were the common ones) for payment. The cards could be bought for cash, and the voucher codes printed on them could be typed into the locker's screen or emailed to the threat actors easily. Eventually, ransomware operators moved to requesting cryptocurrency, which is the norm today.


The First Known Ransomware: The AIDS Trojan

The first known ransomware was the "AIDS Trojan," also referred to as the "PC Cyborg Trojan." Authored by Joseph Popp, it was distributed in 1989 on floppy disks labeled "AIDS Information - Introductory Diskettes," mailed to roughly 20,000 recipients, including attendees of the World Health Organization's AIDS conference. Once installed, the software counted computer boots and, after the 90th, hid directories and encrypted the file names on the C: drive with a simple symmetric scheme, rendering the system unusable and demanding that a $189 "license fee" be mailed to PC Cyborg Corporation at a post office box in Panama.


Fully Automated Ransomware (FAR)

Following the AIDS Trojan, ransomware families became what we now call fully automated ransomware (FAR). These families did not require human intervention to carry out their attacks: infection, locking, and the payment demand were all scripted into the payload. "FakeAV" lockers became commonplace. These payloads resembled antivirus solutions, yet when a user interacted with them, they would lock down the computer and demand payment for a fake "license," with later variants instructing the victim to call a "support" number to fix the issue.


The Rise of Crypto-* Payloads

Eventually, the Crypto-* named payloads became commonplace. CryptoLocker, which first hit the scene in September 2013, and CryptoWall, which followed in 2014, were historically spread via email attachments (and, in CryptoLocker's case, also via an existing botnet). When users opened the attachments, the payloads did not lock the computer; they encrypted the victim's files with a key the victim could not recover and demanded payment for the decryptor. This phase also marked the shift in payment: CryptoLocker still accepted prepaid vouchers, but it pushed Bitcoin hard, and cryptocurrency has been the standard demand ever since.


Human-Operated Ransomware (HumOR)

In March 2020, Microsoft coined the term "human-operated ransomware" (HumOR). Unlike automated ransomware, HumOR attacks are driven by humans rather than auto-propagation methods. Human actors with "hands on keyboards" carry out the intrusion, often resembling advanced persistent threat (APT) campaigns: they gain a foothold, escalate privileges, move laterally, steal data, and disable backups and security tooling before deploying the ransomware payload. These attacks adapt to what the operator finds in the environment and can inflict significant damage before the payload ever runs, which is why detection has to focus on the intrusion stages rather than on the encryptor alone.


Conclusion

Ransomware has evolved significantly from its origins with the AIDS Trojan to the sophisticated human-operated campaigns we see today. Understanding its history and evolution helps us better prepare for and defend against these threats. Stay tuned for our next blog, where we'll explore the RaaS model and its impact on the cybersecurity landscape.

Akash Patel
