We recently asked renowned ransomware expert Allan Liska about the history of ransomware and how we got “here.” See his response in this video, and in case you’ve missed it, here’s the transcript:
Scott Bekker:
Allan, let’s talk about the history of ransomware. IT pros, especially, have been aware of ransomware for a long time, but it’s really exploded in the last couple of years. What was the first case of ransomware at least documented or known?
Allan Liska:
The first documented case was what we call the AIDS Trojan or PC Cyborg. It was ransomware that was distributed via floppy disk in 1989. It was an AIDS conference sponsored by the World Health Organization. And what happened was the actor behind it put a floppy disk in that had some free software on it, but it turns out it wasn’t quite free. You were allowed to run the software a certain number of times, and it had a countdown clock built in. And after that countdown clock expired, all of the files on your system were encrypted. These were AIDS researchers, and it was data relevant to their research, so the files that were encrypted tended to be related to AIDS research. And in fact, there were some scientists who said that this particular Trojan set back AIDS research by a couple of years because it was so impactful and so purposely targeted.
Allan Liska:
The weird thing is for this, again, because it’s 1989, you had to send a check. So that was how payment was made. You had to send the check to a PO box in Brazil in order to get the key and get your files decrypted. And then they mailed you a decryption key back, if you did that.
Scott Bekker:
It started with something awful. I mean, that’s really a terrible place to start.
Allan Liska:
And the awful thing is, ransomware actors are still targeting healthcare providers and researchers, and so on. We saw a spike, and I know it’s not relevant to this conversation, but we saw a spike in targeted attacks against hospitals during COVID, so that, unfortunately, does continue.
Scott Bekker:
So from 1989, walk us up to sort of the current era, which I’ll define as being this cryptocurrency-based explosion, but what are some of the milestones leading up to that?
Allan Liska:
So there weren’t really a lot of other ransomware attacks after that until we get to about 2004, 2005. That’s when we saw the GP Coder and Artemis Trojans come out. And they were, same thing, they encrypted files on the system. You paid with either e-cash or gift cards or something like that in order to decrypt your files. And those were really where we started to see relatively widespread campaigns, campaign attacks. So it wasn’t targeted to specific researchers. It wasn’t kind of a revenge thing. It was, I’m going to send out spam emails to a whole bunch of people and hope some people click on it and encrypt it. So that’s really, again, where we saw the first kind of cases of that. Then you saw CryptoWall and really an interesting shift in that period where ransomware went from being locker ransomware to blocker ransomware, where rather than encrypt files, it would just block access to the system so you couldn’t gain access to the system. And again, you had to pay the ransom in order to gain access to your system.
Allan Liska:
We see that still today with a lot of mobile phones where you download an app, it turns out to be ransomware, but it doesn’t encrypt files on your phone. Instead, it just keeps you from accessing your phone until you send them whatever, $200 in iTunes gift cards. Then we go back, because IT and malware operate in a circle, we go back to encryption ransomware again, and that’s where you start to see CryptoWall, CryptoLocker ransomware. And CryptoWall is the first that I’m aware of that actually asks for payment in Bitcoin. So it gave you two options: you could pay in e-cash or you could pay in Bitcoin if you wanted to.
Scott Bekker:
I got you. And you were talking about some of those payment methods, obviously the check in 1989, but then in the 2004 to 2012 maybe period, it’s really gift cards and e-cash, that kind of thing. So this step to cryptocurrency really seems significant. What’s been the history since then?
Allan Liska:
Since then it’s pretty much all cryptocurrency. The only exception is on mobile phones, where it’ll still sometimes be gift cards, but those are very low denomination demands. So it’s, again, a couple hundred dollars so you can go in and you can buy gift cards to do that. But what we saw after that was sort of an explosion in ransomware. And it sounds weird to say that because we’re talking about an explosion in ransomware now, but there was an explosion, again, back in say 2015 and ’16 with Locky and server, and these were all single-machine ransomware, primarily delivered via phishing. So at one point Locky-themed phishing emails accounted for 8% of all phishing emails sent. So we’re talking about literally millions of emails sent out a month with Locky ransomware, either as an attachment or something else that pulled down Locky and encrypted that single machine. These again were Bitcoin, but they all tended to be low dollar, so somewhere between $500 to maybe $2,000 demanded for ransom payments. And that was 2015, 2016 and a little bit into 2017 is where we saw these really kind of take off and dominate the landscape.
Allan Liska:
From there we go to nation-state activity. So in 2017, we saw two pretty significant ransomware attacks, probably still the most impactful ransomware attacks overall that we’ve seen. So WannaCry, which was an attack carried out by North Korean actors, state-sponsored North Korean actors, and then NotPetya, which was a wiper attack disguised as a ransomware attack. And what I mean by that is when NotPetya encrypted the files, it also encrypted the master boot record of the machine, so there was no recovery. You could pay the ransom, you could get the decryption key, you weren’t going to be able to recover. And that was carried out by Russian state actors. So both of those were state-sponsored actors, showing how ransomware kind of moved from just the realm of cyber criminals to being nation-state activity.
Scott Bekker:
And that pretty much brings us up to date as far as the history…
Allan Liska:
Yeah.
Scott Bekker:
…of ransomware.
Allan Liska:
Yeah. I mean, we now have ransomware attacks that basically build on the work that was done before. They’re much more expensive. They tend to take over whole networks and encrypt those entire networks, but the techniques, a lot of them are the same as what we saw in some of these earlier ransomware campaigns.
Scott Bekker:
Yeah. Well, thanks for bringing us up to speed, Allan. Appreciate it.
Allan Liska:
Sure. Thank you.