
Evolution of Ransomware

1989
The first ever ransomware virus: the AIDS Trojan (PC Cyborg).
Created by Harvard-trained evolutionary biologist Joseph L. Popp.
Generation-one ransomware and relatively easy to overcome.

Reference : https://www.knowbe4.com/ransomware#ransomwaretimeline
2006
Archiveus Trojan: used RSA encryption.
It encrypted everything in "My Documents".
Victims needed to purchase a 30-digit password.
June
GPcode: an encryption Trojan.
Spread via an email attachment purporting to be a job application.
Used a 660-bit RSA public key.

2007
WinLock: another type of ransomware.
WinLock did not involve encryption; it simply locked users out and displayed pornographic images.
Users needed to send a $10 premium-rate SMS to receive the unlocking code.

2008
GPcode.AK
Used a 1024-bit RSA key.

2011
First large-scale ransomware outbreak.
Anonymous payment services made it much easier for authors to collect money from their victims.
30,000 new samples detected in each of the first two quarters of 2011.

2012
January
Citadel: a toolkit for distributing malware and managing botnets.
Citadel makes it simple to produce ransomware and infect systems wholesale with pay-per-install programs.
Cyber criminals need to pay only a minimal fee to install their ransomware on computers.

March
Reveton worm: an attempt to extort money in the form of a fraudulent criminal fine.
The alleged offences are "pirated software" or "child pornography".
Locks the infected computer and displays a notice informing the user of their "crime".
Victims must pay the appropriate fine to unlock it.
April
Urausy Police Ransomware Trojans, responsible for police ransomware scams.
November
Another version of Reveton is released in the wild, pretending to be from the FBI's Internet Crime Complaint Center (IC3).

2013
July
A version is released targeting OS X users that runs in Safari.
Opens a large number of iframes (browser windows) that the user would have to close.
Demands a $300 fine.
July
Svpeng: a mobile Trojan targeting Android devices, discovered by Kaspersky.
Steals payment card information from Russian bank customers.
August
A fake security software known as Live Security Professional begins infecting systems.

September
CryptoLocker: the first cryptographic malware.
Spread by downloads from a compromised website or sent to business professionals in the form of email attachments.
Capturing online banking information since 2011.
November
The ransom amount changes.
The going ransom was 2 Bitcoins (about $460).
If victims missed the deadline, they had to pay 10 Bitcoins ($2,300) to use a service that connected to the command and control servers.
December
CryptoLocker 2.0 is released.
It would encrypt image, music and video files.

2014
February
CryptoDefense is released.
It used Tor and Bitcoin for anonymity and 2048-bit encryption.
It used Windows' built-in encryption APIs, and the private key was stored in plain text on the infected computer.
Despite this flaw, the hackers still managed to earn at least $34,000 in the first month.
April
CryptoWall: released by the cyber criminals behind CryptoDefense.
CryptoWall does not store the encryption key where the user can get to it.
Uses a Java vulnerability.

July
Gameover ZeuS/CryptoLocker.
Users need to install Tor or another layered-encryption browser to pay the hackers directly.
Cryptoblocker: a new strain of ransomware.
Does not encrypt files larger than 100 MB.
Skips anything in the C:\Windows, C:\Program Files and C:\Program Files (x86) folders.
Uses AES rather than RSA encryption.
August
SynoLocker
Targeted end-user devices.
Encrypts the files one by one.
Payment: 0.6 Bitcoins.
The user has to go to an address on the Tor network to unlock the files.

Late 2014
TorrentLocker.
Uses components of CryptoLocker and CryptoWall.
Uses the Rijndael algorithm for file encryption rather than RSA-2048.
Payment: purchasing Bitcoins from specific Australian Bitcoin websites.

2015
April
CryptoLocker localized for Asian countries.
Attacks in Korea, Malaysia and Japan.
May
Breaking Bad-themed ransomware.
Grabs a wide range of data files and encrypts them using a random AES key, which is then encrypted using a public key.
June
CryptoWall 3.0
Uses résumés of young women as a social engineering lure: "resume ransomware".

July
A cyber crime gang starts a TorrentLocker campaign.
Whole websites of energy companies, government organizations and large enterprises are being scraped.
Rebuilt from scratch to spread ransomware using Google Drive and Yandex Disk.
September
LockerPin: an aggressive Android ransomware strain spreading in America.
Malware capable of resetting the PIN of your phone.
Permanently locks you out of your own device.
October
LowLevel04: spreads using remote desktop and terminal services attacks.
RSA-2048 encryption.
The ransom is doubled, demanding four Bitcoins.

November
CryptoWall v4.0
Encrypts file names to make it more difficult to determine which files are important.
Delivered with the Nuclear Exploit Kit, which causes drive-by infections.

2016
January
First JavaScript-only Ransomware-as-a-Service discovered.
New strain: Ransom32, fully developed in JavaScript, HTML and CSS.
Potentially allows for multi-platform infections.
7ev3n: encrypts your data and demands 13 Bitcoins to decrypt your files.
February
Ransomware criminals infect thousands with a weird WordPress hack.
Locky: new ransomware hidden in infected Word files.
This is professional-grade malware.

A new strain that does not encrypt files but makes the whole hard disk inaccessible.
Cyber criminals put their ransom notes at system start-up, even before the operating system loads.

February
A new strain called CryptoHost is discovered.
Demands a ransom of 0.33 Bitcoins to get your files back.
Files are not encrypted but copied into a password-protected RAR archive.
April
A new strain called Jigsaw.
Starts deleting files if you do not pay the ransom.
June
The Jigsaw strain morphs into new branding.
Asks for a very high $5,000 ransom.

A new strain called BART locks files by archiving them.
Spreads by email attachments.
The hybrid Satana strain both encrypts files and replaces the Master Boot Record (MBR).