Evolution of Ransomware


1989
AIDS Trojan (PC Cyborg) - the first ever ransomware virus.
Created by Harvard-trained evolutionary biologist Joseph L. Popp.
Generation-one ransomware malware, and relatively easy to overcome.

2006
Archiveus Trojan - used RSA encryption.
It encrypted everything in the "My Documents" folder.
Victims needed to purchase a 30-digit password.

June 2006
GPcode - an encryption Trojan.
Spread via an email attachment purporting to be a job application.
Used a 660-bit RSA public key.

2007
WinLock - another type of ransomware.
WinLock did not involve encryption; it simply locked users out and
displayed pornographic images.
Users needed to send a $10 premium-rate SMS to receive the unlocking

2008
GPcode.AK - used a 1024-bit RSA key.

2011
First large-scale ransomware outbreak.
Anonymous payment services made it much easier for authors to
collect money from their victims.
30,000 new samples were detected in each of the first two quarters
of 2011.

January 2012
Citadel - a toolkit for distributing malware and managing botnets.
Citadel makes it simple to produce ransomware and infect systems
wholesale with pay-per-install programs.
Cyber criminals need to pay only a minimal fee to install their ransomware
on computers.

2012
Reveton worm - an attempt to extort money in the form of a fraudulent
criminal fine.
The alleged offences are "pirated software" or "child pornography".
Locks the infected computer and displays a notice informing the user
of their "crime".
The user must pay the appropriate fine to unlock it.

Urausy - the police ransomware Trojans responsible for police ransomware.
Another version of Reveton was released in the wild pretending to be
from the FBI's Internet Crime Complaint Center (IC3).

2013
A version is released targeting OS X users that runs in Safari.
It opens a large number of iframes (browser windows) that the user
would have to close.
Demands a $300 fine.
Svpeng - a mobile Trojan targeting Android devices, discovered by Kaspersky.
Steals payment card information from Russian bank customers.
A fake security software known as Live Security Professional begins
infecting systems.

2013
CryptoLocker - the first cryptographic malware.
Spread by downloads from a compromised website or sent to business
professionals in the form of email attachments.
Capturing online banking information since 2011.
The ransom amount changes.
The going ransom was 2 Bitcoins (about $460).
If victims missed the deadline, they had to pay 10 Bitcoins ($2,300) to use a
service that connected to the command and control servers.
CryptoLocker 2.0 is released.
It encrypts image, music and video files.

2014
CryptoDefense is released.
It used Tor and Bitcoin for anonymity and 2048-bit encryption.
It used Windows' built-in encryption APIs, and the private key was stored in
plain text on the infected computer.
Despite this flaw, the hackers still managed to earn at least $34,000 in
the first month.
CryptoWall - released by the cyber criminals behind CryptoDefense.
CryptoWall doesn't store the encryption key where the user can get to it.
Uses a Java vulnerability.

2014
Gameover ZeuS / CryptoLocker.
Users need to install Tor or another layered-encryption browser to pay the
hackers directly.
Cryptoblocker - a new strain of ransomware.
Doesn't encrypt files larger than 100 MB.
Skips anything in the C:\Windows, C:\Program Files and C:\Program Files
(x86) folders.
Uses AES rather than RSA encryption.
Targets end-user devices.
Encrypts the files one by one.
Payment - 0.6 Bitcoins.
The user has to go to an address on the Tor network to unlock the files.

Late 2014
Uses components of CryptoLocker and CryptoWall.
Uses the Rijndael algorithm for file encryption rather than RSA-2048.
Payment - purchasing Bitcoins from specific Australian Bitcoin websites.

2015
CryptoLocker - localized for Asian countries.
Attacks in Korea, Malaysia and Japan.
Breaking Bad-themed ransomware.
Grabs a wide range of data files and encrypts them using a random AES key,
which is then encrypted using a public key.
CryptoWall 3.0
Uses resumes of young women as a social engineering lure: "resume

2015
A cyber crime gang has started a TorrentLocker campaign.
Whole websites of energy companies, government organizations and
large enterprises are being scraped.
Rebuilt from scratch to spread ransomware using Google Drive and
Yandex Disk.
LockerPin - an aggressive Android ransomware strain is spreading in
Malware that is capable of resetting the PIN of your phone.
Permanently locks you out of your own device.
LowLevel04 - spreads using remote desktop and terminal services attacks.
RSA-2048 encryption.
The ransom is double, demanding four Bitcoins.

2015
CryptoWall v4.0
Encrypts file names to make it more difficult to determine which files are
important.
Delivered with the Nuclear Exploit Kit, which causes drive-by infections.

2016
First JavaScript-only Ransomware-as-a-Service discovered.
New strain - Ransom32 - fully developed in JavaScript, HTML and CSS.
Potentially allows multi-platform infections.
7ev3n - encrypts your data and demands 13 Bitcoins to decrypt your files.
Ransomware criminals infect thousands with a weird WordPress hack.
Locky - new ransomware hidden in infected Word files.
This is professional-grade malware.

New strain that does not encrypt files but makes the whole hard disk
Cyber criminals put their ransom notes at system start-up, even before
the operating system loads.

New strain called CryptoHost was discovered.
Demands a ransom of 0.33 Bitcoins to get your files back.
Files are not encrypted but copied into a password-protected RAR archive.
New strain called Jigsaw.
Starts deleting files if you do not pay the ransom.

June 2016
The Jigsaw strain morphs into new branding.
Asks for a very high $5,000 ransom.

A new strain called BART locks files by archiving them.
Spread by email attachments.
The hybrid Satana strain both encrypts files and replaces the Master Boot
Record (MBR).

