Home Features The Wild Evolution of Ransomware

The Wild Evolution of Ransomware

Ransomware operators today are using the COVID-19 pandemic to social engineer users to open infected malware through email.

Ransomware attacks, LockBit Ransomware

This past year, I have spent much time researching and writing about ransomware attacks as well as conducting ransomware simulation exercises. I’ve come across many fascinating and even bizarre facts that I wanted to share with the CISO community.

By Tari Schreider, C|CISO, CRISC, MCRP, ITILF, Senior Analyst at Aite Group

Doctor Ransomware, I Presume

It was 32 years ago this past December that the first acknowledged ransomware attack occurred. In 1989, a ransomware operator using the alias of “The PC Cyborg Corporation” mailed 20,000 attendees at the World Health Organization (WHO) AIDS conference a ransomware-laden floppy disk. The computer attack used social engineering by packaging the disk as AIDS education materials. Although the code (Trojan) used in this first ransomware was relatively primitive, the result was the same, pay a ransom to decrypt your data or else. To receive decryption instructions, users had to send $189 to a Panamanian post office box. The brain behind this first ransomware attack was Dr. Joseph L. Popp, a Harvard Ph.D., an Evolutionary Biologist. His master plan was to send two million infected floppy disks using various hijacked mailing lists of medical professionals and institutions. It did not end well for the good doctor. He was arrested at Amsterdam airport in 1990, deported to the U.S., and detained by the FBI. Under a warrant by Scotland Yard, he was extradited to the U.K. to stand trial for blackmail. However, he was found mentally unfit for trial.

Eerily similar to the tactics used by Dr. Popp, ransomware operators today are using the COVID-19 pandemic to social engineer users to open infected malware through email. An email with a tagline referencing pandemic, stimulus, or vaccine proves too alluring for users not to click open. Ransomware operators feel that attacking companies in the vaccine supply chain would lead to quick and unfettered ransom payments. Just as we did not heed the lessons from an earlier pandemic, the Spanish Flu, we equally ignored the first ransomware lesson. As you will read, ransomware is evolving, but unfortunately, we are not. This example is a what was once old is now new again moral.

Jurassic Park

Leave it to science, they say. Just as in Jurassic Park, where scientists genetically created dinosaurs — mad scientists created the architecture for ransomware. Well, not really, but that was fun to say. One could say that ransomware is a Non-GMO (non-genetically modified organism). Ok, that was fun too. But in reality, ransomware was born from scientific curiosity when a former hacker met with an academic cryptographer at Columbia University in 1995. Here the pair pondered if they could accomplish a data kidnapping. They referred to it as cryptoviral extortion, the basis for ransomware today. The following is the attack scenario they presented at the 1996 IEEE Security and Privacy Conference:

“In cryptoviral extortion, the attacker generates a key pair for a public key cryptosystem and places the “public encryption key” in the cryptovirus. The corresponding “private decryption key” is kept private. The cryptovirus spreads and infects many host systems. It attacks the host system by hybrid encrypting the victim’s files: encrypting the files with a locally generated random symmetric key and encrypting that key with the public key. It zeroizes the symmetric key and plain-text and then puts up a ransom note containing the asymmetric ciphertext and a means to contact the attacker. The victim sends the payment and the asymmetric ciphertext to the attacker. The attacker receives the payment, decrypts the asymmetric ciphertext with his private key, and sends the recovered symmetric key to the victim. The victim deciphers his files with the symmetric key.

At no point is the private key revealed to the victims. Only the attacker can decrypt the asymmetric ciphertext. Furthermore, the symmetric key that a victim receives is of no use to other victims since it was randomly generated. (Young & Yung, 2017, p. 24).

Wow, right? Yes, this is essentially the same framework that ransomware operators worldwide use to this very day…To read the full story, subscribe to CISO MAG.

This story first appeared in the February 2021 issue of CISO MAG.

About the Author

Tari SchreiderTari Schreider is a distinguished technologist and nationally known expert in the fields of cybersecurity, risk management, and disaster recovery. He is currently a Senior Analyst with Aite Group covering cybersecurity technologies and practices for Aite Group, LLC. He was formerly Chief Security Architect at Hewlett-Packard Enterprise and National Practice Director for Security and Disaster Recovery at Sprint E|Solutions. Schreider is an instructor for EC-Council where he teaches advanced CISO certification and risk management courses.


Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.