The Evolution of Ransomware and Why It Matters

Jayden Lyons, B.S.

CYBERSECURITY SUPPORT DESK

Introduction

Once upon a time, when a cybercriminal wanted to make a quick bundle of cash, they might have used ransomware to infect a computer and encrypt the data on the user’s hard drive.  The malware would display an alert informing the user that they must pay a ransom or lose all their files permanently.  Security professionals only wish it were that simple today.  Ransomware is a particularly unsavory type of malware that threatens to block access to, leak, or delete a user’s data unless a monetary ransom is paid.

Over the past 15 years, ransomware has evolved from a digital crime of opportunity into an elaborate and organized criminal enterprise, with ad hoc cybercriminal syndicates using sophisticated malware to target and terrorize businesses and vital industries worldwide to the tune of billions of dollars every year.  But how did ransomware become such a formidable cybersecurity threat?  And why does it matter?  Despite advancements in endpoint security technology, ransomware remains a disruptive force, and mitigating this most dangerous cyberthreat requires a thorough analysis of its evolution.

Advancements in Encryption Technology

Historically, there are two types of ransomware: locking ransomware and encrypting ransomware.  The result is the same, however: users are unable to access their important files and data.  Locking ransomware prevents a user from accessing files by locking the operating system and is usually accompanied by a threat to delete all files if the victim fails to pay the ransom.  Locking ransomware variants often rely on malware designed to infect the Master Boot Record of an endpoint, preventing the computer’s operating system from loading.

Modern encrypting ransomware, or crypto-ransomware, uses advanced encryption algorithms to encrypt user data before demanding payment in exchange for the decryption key.  In late 2013, the rise of crypto-ransomware was ushered in by malware including CryptoLocker, which not only encrypted files with a 2048-bit RSA key but also began deleting files if victims refused to pay.  With the success of CryptoLocker and the viability of bitcoin as an untraceable digital currency, crypto-ransomware surged in popularity and has become the dominant type of ransomware used to target organizations.

A crypto-ransomware attack is only as good as the encryption it relies upon to make the victim’s data undecipherable.  Early ransomware often used weak ciphers and purely symmetric encryption, which left it vulnerable to known-plaintext attacks and made decryption possible with due diligence.  In fact, free decryption tools are available that can decrypt files encrypted by specific ransomware variants, including Apocalypse, BadBlock, Crypt888, CryptoMix, Globe, Hidden Tear, Jigsaw, LambdaLocker, Legion, Stampado, and TeslaCrypt, among others.

In 1996, two researchers, Adam Young and Moti Yung, first theorized about using public key cryptography for “data kidnapping” attacks.  They proposed that with public key cryptography, the virus would carry the public encryption key while the attacker held the corresponding private key.  A decade later, around 2006, ransomware operators indeed began using asymmetric RSA encryption in ransomware attacks.  For example, in 2006, Gpcode ransomware used a 660-bit RSA key for encryption.  Years later, Gpcode.AK increased the key size to 1024 bits and targeted more than 35 different file extensions.

Another decade on, in 2016, Cerber ransomware was using polymorphic encryption algorithms and an RSA-2048 master key, and was capable of targeting 294 different file extensions for encryption.  Since 2018, modern variants, notably Ryuk, have used a combination of symmetric AES encryption and asymmetric RSA encryption to encrypt files, which is virtually uncrackable without the private key.

Methods of Delivery

Despite the rapid evolution of malware and ransomware, the primary mechanism for delivering malware to gain initial access on an endpoint has remained largely unchanged.  Phishing emails are still the primary method of delivering malware.  However, a variety of other delivery methods, including specially crafted malicious websites or web pages, watering holes, drive-by downloads, and exploit kits, most notably Angler and Neutrino, are reliable attack vectors as well.  Ransomware operators will also take advantage of known vulnerabilities in networks and zero-day exploits to gain a foothold in a target network.

Email remains the most successful method of transmission because it is cost-efficient and capitalizes on the weakest link: the human opening suspicious email attachments.  Targeted spearphishing has also proved an invaluable technique for initial infection.  Phishing and spearphishing emails continue to use pretexts such as unpaid bills or parking tickets, package deliveries, or special deals and offers to compel users to click on links to sites riddled with malware.

What has changed, however, is the scale of targeted spam and phishing campaigns, with the evolution of botnets and other tools to mass-produce and deliver phishing lures to potential victims.  Currently, large-scale malware campaigns use phishing emails with attachments containing malicious macros, VBScript, or JavaScript files.  Nonetheless, the range of attack vectors has expanded since the mid-2000s, when malicious Microsoft Office attachments were the primary method of delivery.  In 2021, malware is often injected into trusted programs, documents, computer memory, websites, and browsers using carefully obfuscated malicious code.

Evolution of Ransomware Variants

In 1989, the first documented ransomware attack was perpetrated by a biologist named Joseph Popp, who infected disks with a trojan and distributed them.  Interestingly, this first ransomware sample featured a delayed detonation: a ransom demand for $189 appeared after 90 reboots of an infected user’s computer.  Aside from this fledgling implementation of ransomware in 1989, by most accounts ransomware as we know it today first emerged in the mid-2000s in Russia.

The first reported cases of ransomware infection were in Russia between 2005 and 2006, with a variant that compressed and then password-protected certain files on a user’s computer.  It also left a ransom note requesting $300 in exchange for the victim’s files.  During this period, ransomware samples were only capable of locking specific files, but they targeted the most common and potentially valuable file types, including .JPG, .PDF, .ZIP, and .DOC.  This indicates that early ransomware operators were seeking a high return on investment for their efforts.

In 2011, the tactics changed as ransomware operators, until then largely confined to Russia, adopted a more global approach and began using electronic payment methods and including multiple languages in ransom notes, which changed based on the victim’s IP location.  By 2012, ransomware had spread from Russia across Europe and then across the Atlantic to the United States and Canada.

In 2017, WannaCry exploited the EternalBlue vulnerability in Windows and subsequently attacked businesses, health care providers, utility companies, and other organizations across the globe.  WannaCry is noteworthy largely because of its extensive reach and its laundry list of high-profile victims.  WannaCry spread as a worm across networks in numerous countries.  Worms are not necessarily destructive in themselves, but the combination of ransomware with worm-like propagation in search of vulnerable machines made WannaCry one of the most devastating ransomware threats to date.

The latest wave of sophisticated ransomware variants emerged in 2018, including Ryuk, REvil, Dharma, Maze, and a host of others.  Since 2018, ransomware operators have ruthlessly targeted cities, government agencies, hospitals, police departments, schools, universities, and businesses large and small.

The U.S. public sector was hit again by a barrage of ransomware attacks in 2019, at an estimated cost of over $7.5 billion.  Multinational manufacturers and U.S. city and county governments spent more than $176 million responding to ransomware attacks in 2019.

The rise of ransomware-as-a-service in recent years puts dangerous ransomware in the hands of more cybercriminals seeking to turn a profit in the now lucrative ransomware industry.

Encrypting ransomware rose to prominence in 2013 with the success of CryptoLocker, which also leveraged Bitcoin as the preferred payment method.  In previous years, a variety of payment methods were experimented with, including wire transfers, phone cards, Amazon gift cards, pre-paid vouchers, and paysafecards.  However, Bitcoin has remained the primary method of payment since 2013.

The year 2015 was a pivotal point in the evolution of ransomware and represented a clear change in focus, as ransomware operators began targeting businesses instead of individuals.  They realized their tactics were working and that targeting larger businesses would lead to larger ransom payouts.  They were correct, and in the years since, the healthcare industry has become an easy target for skilled ransomware operators.

While 2015 signaled an escalation in ransomware attacks, 2016 saw an explosion in ransomware attacks and ransomware families capable of encrypting numerous file types on computers, mobile devices, servers, and other endpoints.  In total, 247 ransomware variants were identified in 2016, including Petya, Jigsaw, Cerber, and Locky.

Evasion Methods

The primary challenge facing ransomware operators is evading the potentially several layers of defensive security mechanisms protecting network data.  This is perhaps the area where the most creativity and ingenuity are required of ransomware operators.  Due to the rise of ransomware and other malware, the security technology industry has focused on enhancing antivirus analysis and integrating sandboxing techniques to determine whether an unknown executable is safe or malicious.  In response to the evolution of antivirus analysis and sandboxing technology, ransomware operators have devised at least two methods in recent years for evading static and dynamic analysis of unknown binaries.

One evasion method is to detect whether the payload is running in a virtual machine or antivirus sandbox for static and/or dynamic analysis.  Ransomware operators know that organizations increasingly rely on dynamic behavioral analysis of application and process behavior at the endpoint, so they must ensure that malicious behavior is masked and only detonates in the target location.  Thus, sophisticated ransomware is now designed to check the environment it is in and to display only benign behavior if there are indicators of a sandbox or testing environment.

The second method is environmental keying, where a malware sample tries to determine that it is running in the target environment before revealing its malicious nature.  For example, in 2016, a Cerber ransomware sample was discovered running checks to make sure it was not trapped in a virtual machine or sandbox before initiating file encryption or any other malicious behavior.  It also had a built-in payload delay mechanism, likely implemented to further avoid detection within sandbox environments.  Modern ransomware variants typically search for specific modules, filenames and paths, serial numbers, host activity, and other indicators to identify virtual machine or host environments, countering advances in antivirus and endpoint security technology.
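The checks described in these two paragraphs leave traces in the sample itself, which is where a defender can turn them around.  The following is an added example, not code from the article or from any vendor: a static triage routine that extracts ASCII and UTF-16LE strings from a sample and matches them against well-known VirtualBox, VMware, and Sandboxie artifacts and the debugger and timing APIs used for delays.  A high count is a cue to detonate the sample in an environment with those artifacts removed and with a longer runtime.  The sample bytes are constructed, and the indicator list is assumed to be representative, not exhaustive.

```python
import re

# Added example, not code from the article or from any vendor. Static triage
# of a binary for the sandbox and virtual-machine checks described above.
# The sample bytes are constructed; the indicator list is representative,
# not exhaustive, and every entry is a publicly documented artifact.

INDICATORS = {
    # processes, drivers and modules present in VirtualBox / VMware guests
    "vm_process_or_driver": ["vboxservice.exe", "vboxtray.exe", "vmtoolsd.exe",
                             "vmwaretray.exe", "vboxguest", "vmhgfs"],
    # registry paths created by guest additions / tools
    "vm_registry_path": ["software\\vmware, inc.\\vmware tools",
                         "software\\oracle\\virtualbox guest additions",
                         "hardware\\acpi\\dsdt\\vbox__"],
    # hardware identifiers (disk models, serial numbers) that reveal a hypervisor
    "vm_hardware_id": ["vbox harddisk", "vmware virtual"],
    # DLL injected by the Sandboxie sandbox into every sandboxed process
    "sandbox_module": ["sbiedll.dll"],
    # APIs used for debugger detection and for the timing-based delays the article mentions
    "timing_or_debug_check": ["isdebuggerpresent", "checkremotedebuggerpresent", "gettickcount"],
}

ASCII_RUN = re.compile(rb"[\x20-\x7e]{5,}")           # printable ASCII, 5+ chars
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){5,}")    # UTF-16LE, as Windows stores many strings


def extract_strings(blob: bytes) -> list:
    """Pull printable ASCII and UTF-16LE strings out of raw bytes (like the strings tool)."""
    found = [m.group().decode("ascii") for m in ASCII_RUN.finditer(blob)]
    found += [m.group().decode("utf-16le") for m in WIDE_RUN.finditer(blob)]
    return found


def find_evasion_indicators(blob: bytes) -> dict:
    """Map indicator category -> sorted list of indicator strings found in the sample."""
    lowered = [s.lower() for s in extract_strings(blob)]
    hits = {}
    for category, needles in INDICATORS.items():
        matched = sorted({n for n in needles if any(n in s for s in lowered)})
        if matched:
            hits[category] = matched
    return hits


def evasion_score(blob: bytes) -> int:
    """Number of distinct indicators. A high score means the sample is probably
    environment-aware and should be run where these artifacts are absent."""
    return sum(len(v) for v in find_evasion_indicators(blob).values())


# Constructed stand-in for a sample: a PE-like prefix, then a mix of ASCII and
# UTF-16LE strings between runs of non-printable bytes.
SAMPLE = (b"MZ\x90\x00" + b"\x00" * 8
          + b"VBoxService.exe\x00\x00"
          + "SOFTWARE\\VMware, Inc.\\VMware Tools".encode("utf-16le") + b"\x00\x00"
          + b"\x13\x37" + b"SbieDll.dll\x00"
          + b"GetTickCount\x00IsDebuggerPresent\x00kernel32.dll\x00"
          + b"\xde\xad\xbe\xef")

if __name__ == "__main__":
    print(find_evasion_indicators(SAMPLE), evasion_score(SAMPLE))
```

The obvious limit, and the reason this is triage rather than detection, is that a packed or obfuscated sample, as discussed in the next paragraph, exposes none of these strings until it is unpacked; a sample that carries no indicators is therefore not cleared, only unscored.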

Ransomware and malware authors use a variety of other evasion techniques, including a combination of packers, wrappers, and code obfuscation to defeat signature-based antivirus and similar technology.  Ransomware operators can easily make use of trusted programs to run their payload, including MS Office macros, PowerShell, LOLBins, and DLL sideloading.  In fact, in 2016, PowerShell was found to be involved in nearly 40% of endpoint security incidents.  In addition, fileless ransomware, which runs in memory rather than writing its malware to files on disk, is becoming more prevalent as an attack technique that can effectively evade network defenses that scrutinize unknown files.

The evolution of ransomware variants has proven that security controls based on signature analysis alone are ineffective, because minor changes in code and modified indicators are unlikely to be flagged and therefore bypass detection.

Ransom Notes

Ransom notes, or splash screens, are also important indicators of the sophistication level of ransomware operators.  Early ransom notes were somewhat rudimentary, and notes have since evolved in appearance, effectiveness, and the variety of psychological tactics designed to elicit payment.  All forms of intimidation have been used over the years, including timers counting down to file deletion, ransom amounts that increase as time elapses, cryptic messages, impersonation of law enforcement, and so on.  Ransom notes may also include elements of customer service, instructions, humor, and references to pop culture and current events.

Not surprisingly, there has been an escalation in the social engineering and psychological tactics used to influence victims into prompt payment.  Now, with ransomware-as-a-service, cybercriminals can purchase pre-built, ready-to-deploy ransomware code and customize the ransom notes to suit their needs.

In general, ransom notes have become more threatening and time-sensitive, and they demand larger payouts.  In 2012, Reveton was notable for introducing the law enforcement ruse to frighten victims into paying.  Reveton ransom notes displayed a warning from a law enforcement agency claiming that the computer had been used for illegal activities.  These notes appeared legitimate enough that some ransomware victims turned themselves in to law enforcement.

Fast forward to 2016, and multiple social engineering tactics were being employed in combination.  Cerber ransomware attempts to incentivize the victim to pay quickly by offering a discount if the ransom is paid within a certain timeframe, on top of its scare tactics.  In 2017, Doxware was one of the first ransomware variants to threaten victims with data exposure if they did not pay the ransom.  Since then, ransomware operators have backed up threats of data exposure by creating leak sites where stolen data is marketed.  There are several ransomware leak sites on the dark web, including those of the Conti, DoppelPaymer, Ranzy, Clop, Avaddon, Cuba, DarkSide, Maze, Nemty, and Netwalker operators.  Ransomware operators may even specifically target organizations in possession of protected information to elicit higher ransom payments, by threatening to leak data whose exposure would violate HIPAA and other federal regulations.

Though the psychological ploys have escalated, the function of the ransom note to effectively communicate the cybercriminal’s demands remains the same. 

Technical Analysis
2016 Cerber Sample vs 2020 Ryuk Sample

2016 Cerber Sample

First, it is highly likely that the perpetrators were based in Russia or the surrounding region, given the evidence of selective targeting once the network was infected: this Cerber sample first checked the public IP address and country code of the host machine to ensure that it was not located in Russia or the surrounding area.

Here is the chain of events in a Cerber attack, based on a FireEye investigative report:

  1. Target receives and opens a Word document.

  2. Macro in document is invoked to run PowerShell in hidden mode.

  3. Control is passed to PowerShell, which connects to a malicious site to download the ransomware.

  4. On successful connection, the ransomware is written to the victim’s disk, and the malware creates a copy of itself in the victim's %APPDATA% folder.

  5. PowerShell executes the ransomware.

  6. The malware configures multiple concurrent persistence mechanisms by creating command processor, screensaver, startup, Run, and RunOnce registry entries.

  7. The executable uses native Windows utilities such as WMIC, VSSAdmin, and BCDEdit to delete backups and shadow copies and disable recovery with these commands:
     Vssadmin.exe "delete shadows /all /quiet"
     WMIC.exe "shadowcopy delete"
     Bcdedit.exe "/set {default} recoveryenabled no"
     Bcdedit.exe "/set {default} bootstatuspolicy ignoreallfailures"

  8. Files are encrypted and messages are presented to the user requesting payment.

(Source:  FireEye)
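The following added example, which is not the article's, FireEye's, or any vendor's code, applies the Cerber chain above from the defender's side as a detection pass over process-creation telemetry.  The events are constructed to resemble Sysmon Event ID 1 fields (Image, ParentImage, CommandLine); the RecordId field and the rule names are this example's own, and the PowerShell command body is omitted.  It flags a hidden PowerShell launched by an Office application (steps 2 and 3) and the four backup-tampering commands (step 7), and leaves a benign administrative query and an interactive shell alone.

```python
import re

# Added example, not code from the article, FireEye, or any vendor. Detection
# logic over Windows process-creation telemetry; the events below are
# constructed to resemble Sysmon Event ID 1 fields and are not real telemetry.

# Office applications whose child processes deserve scrutiny (step 2 of the chain).
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# (rule name, process image basename, pattern over the normalized command line)
# These are the step 7 commands from the article.
BACKUP_TAMPER_RULES = [
    ("shadow_copies_deleted_vssadmin", "vssadmin.exe", re.compile(r"delete\s+shadows")),
    ("shadow_copies_deleted_wmic", "wmic.exe", re.compile(r"shadowcopy\s+delete")),
    ("recovery_disabled_bcdedit", "bcdedit.exe", re.compile(r"recoveryenabled\s+no")),
    ("boot_failures_ignored_bcdedit", "bcdedit.exe", re.compile(r"bootstatuspolicy\s+ignoreallfailures")),
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, so rules are path-independent."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def has_hidden_window(tokens) -> bool:
    """True if the command line asks PowerShell for a hidden window. PowerShell
    accepts any unambiguous prefix of -WindowStyle (-w, -win, ...), so the
    parameter is matched by prefix rather than by one fixed spelling."""
    for i in range(len(tokens) - 1):
        tok = tokens[i]
        if tok[:1] in ("-", "/") and len(tok) > 1:
            if "windowstyle".startswith(tok[1:]) and tokens[i + 1] == "hidden":
                return True
    return False


def evaluate(event: dict) -> list:
    """Return the names of every rule the event matches."""
    image = basename(event["Image"])
    parent = basename(event.get("ParentImage", ""))
    cmd = " ".join(event.get("CommandLine", "").lower().split())  # normalize case and spacing
    hits = [name for name, proc, pat in BACKUP_TAMPER_RULES if image == proc and pat.search(cmd)]
    if image == "powershell.exe" and parent in OFFICE_APPS and has_hidden_window(cmd.split()):
        hits.append("hidden_powershell_from_office")
    return hits


def triage(events) -> dict:
    """Map RecordId -> matched rule names, keeping only events that matched."""
    findings = {}
    for event in events:
        hits = evaluate(event)
        if hits:
            findings[event["RecordId"]] = hits
    return findings


SAMPLE_EVENTS = [  # constructed events; RecordId is this example's own field name
    {"RecordId": 1, "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n "C:\Users\alice\Downloads\invoice.docx"'},
    {"RecordId": 2, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": 'powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Command "<omitted>"'},
    {"RecordId": 3, "Image": r"C:\Windows\System32\vssadmin.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"RecordId": 4, "Image": r"C:\Windows\System32\wbem\WMIC.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "WMIC.exe shadowcopy delete"},
    {"RecordId": 5, "Image": r"C:\Windows\System32\bcdedit.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "bcdedit.exe /set {default} recoveryenabled no"},
    {"RecordId": 6, "Image": r"C:\Windows\System32\bcdedit.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"},
    {"RecordId": 7, "Image": r"C:\Windows\System32\vssadmin.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "vssadmin.exe list shadows"},  # benign administrative query, must not fire
    {"RecordId": 8, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "powershell.exe"},  # interactive shell
]

if __name__ == "__main__":
    for record_id, rules in triage(SAMPLE_EVENTS).items():
        print(record_id, rules)
```

Matching on command-line text is a signature-style control of the kind the article says is insufficient on its own: it is cheap and catches the unmodified commands, and the parent-child rule is harder for an operator to evade than a string match, but these rules belong alongside the behavioral analysis and threat hunting the article recommends rather than in place of them.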

2020 Ryuk Sample

First appearing in August 2018, Ryuk is a modified version of Hermes ransomware with a few upgrades specifically designed to target large organizations.  Ryuk creates a unique key for each executable and ensures the target system cannot access the unencrypted RSA key pair parameters without paying the ransom.  Ryuk has been so successful at targeting large organizations in the last couple of years that it is currently the most pervasive ransomware variant in the wild.  Ryuk can also be customized by each operator to the unique configuration of the targeted organization.  There are known groups and several uncategorized threats using Ryuk, including UNC1878, which has thus far used Ryuk in 100% of the attacks attributed to it.

Here is the chain of events in a Ryuk attack, based on a Fortinet investigative report:

  1. Injection into legitimate processes (local encryption only)

  2. Process and service termination: attempts to terminate processes and services that may interfere with its operation

  3. Delete shadow copies and modify system configuration

  4. Establish persistence on the machine

  5. Wake up network devices (network encryption only)

  6. File encryption (mapped drives are not encrypted by the network encryption instance)

(Source:  Fortinet)

According to Fortinet, the Ryuk sample uses API manipulation for injection into legitimate processes, including executing the payload via the CreateRemoteThread API.  According to the MITRE ATT&CK matrix, Ryuk makes extensive use of native Windows APIs, including ShellExecuteW to run executables, GetWindowsDirectoryW to create folders, VirtualAlloc, WriteProcessMemory, and CreateRemoteThread for process injection, GetAdaptersAddresses for host discovery, and GetIpNetTable to extract hosts from the ARP table.

Not surprisingly, API abuse is gaining popularity as a technique for injecting into trusted applications.

Ryuk will typically stop any services related to antivirus at this stage and use a kill.bat script to disable services and kill processes.  Note that one step featured in both the Cerber and Ryuk samples is deleting shadow copies with the vssadmin.exe delete shadows /all /quiet command, which of course deletes all local backups and snapshots of the computer’s files.

Both samples also use the Windows command line to create registry keys to establish persistence, a common persistence technique that continues to work well.

Perhaps the biggest difference between Ryuk and Cerber is that Ryuk makes far more of a concerted effort to encrypt everything of potential value, including both local and network drives and “waking up” any dormant network machines before initiating the encryption process.  Ryuk will enumerate drives from A to Z and then encrypt drives based on their types retrieved from the GetDriveTypeA API.  The Ryuk sample was also noted to constantly scan the network in search of new hosts to encrypt.  This step is executed continuously as the sample simply waits for new potential victims to appear on the network.
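The API usage described above is also what a defender can watch for.  The following is an added example, not code from the article, Fortinet, or MITRE: two behavior-based checks over a constructed API-call trace of the kind an API monitor or sandbox produces.  The first ties VirtualAlloc or VirtualAllocEx, WriteProcessMemory, and CreateRemoteThread together through the process handle returned by OpenProcess, so that only the complete remote-thread injection sequence is flagged; the second flags a process that probes the drive letters A through Z via GetDriveType.  The trace format (pid, api, args, ret) and all values in it are assumptions of this example.

```python
import string

# Added example, not code from the article, Fortinet, or MITRE. Two behaviour
# checks over a constructed API-call trace (field names pid/api/args/ret are
# this example's own): the remote-thread injection sequence the article
# attributes to Ryuk, and the A:..Z: drive sweep through GetDriveType.

INJECTION_STEPS = ("VirtualAlloc", "WriteProcessMemory", "CreateRemoteThread")


def detect_remote_injection(trace) -> list:
    """Flag a process that completes alloc -> write -> thread, in that order, on a
    handle it obtained from OpenProcess. Tracking the handle ties the steps to one
    target and ignores allocations in the caller's own address space."""
    targets = {}    # (pid, handle) -> target pid
    progress = {}   # (pid, handle) -> steps completed so far, in order
    findings = []
    for ev in trace:
        pid, api, args = ev["pid"], ev["api"], ev["args"]
        if api == "OpenProcess":
            targets[(pid, ev["ret"])] = args["dwProcessId"]
            continue
        key = (pid, args.get("hProcess"))
        if key not in targets:
            continue
        step = next((s for s in INJECTION_STEPS if api.startswith(s)), None)  # VirtualAlloc / VirtualAllocEx
        if step is None:
            continue
        done = progress.setdefault(key, [])
        if step == INJECTION_STEPS[len(done)]:
            done.append(step)
        if len(done) == len(INJECTION_STEPS):
            findings.append({"pid": pid, "target_pid": targets[key], "technique": "remote_thread_injection"})
            progress[key] = []
    return findings


def detect_drive_sweep(trace, min_letters: int = 20) -> list:
    """Flag a process that probes (almost) every drive letter with GetDriveTypeA/W."""
    seen = {}
    for ev in trace:
        if ev["api"] in ("GetDriveTypeA", "GetDriveTypeW"):
            seen.setdefault(ev["pid"], set()).add(ev["args"]["lpRootPathName"][:1].upper())
    return [{"pid": p, "technique": "drive_enumeration_a_to_z", "letters": len(s)}
            for p, s in seen.items() if len(s) >= min_letters]


def _sweep(pid: int) -> list:
    """Constructed GetDriveTypeA calls for A:\\ through Z:\\ by one process."""
    return [{"pid": pid, "api": "GetDriveTypeA", "args": {"lpRootPathName": f"{c}:\\"},
             "ret": "DRIVE_FIXED" if c == "C" else "DRIVE_NO_ROOT_DIR"} for c in string.ascii_uppercase]


TRACE = [  # constructed trace, not real telemetry
    {"pid": 4120, "api": "OpenProcess", "args": {"dwProcessId": 3004, "dwDesiredAccess": "PROCESS_ALL_ACCESS"}, "ret": "0x2a8"},
    {"pid": 4120, "api": "VirtualAllocEx", "args": {"hProcess": "0x2a8", "flProtect": "PAGE_EXECUTE_READWRITE"}, "ret": "0x1f0000"},
    {"pid": 4120, "api": "WriteProcessMemory", "args": {"hProcess": "0x2a8", "lpBaseAddress": "0x1f0000"}, "ret": 1},
    {"pid": 4120, "api": "CreateRemoteThread", "args": {"hProcess": "0x2a8", "lpStartAddress": "0x1f0000"}, "ret": "0x2b0"},
    *_sweep(4120),
    # A benign tool that opens another process only to read its memory: never flagged.
    {"pid": 5001, "api": "OpenProcess", "args": {"dwProcessId": 3004, "dwDesiredAccess": "PROCESS_VM_READ"}, "ret": "0x1c4"},
    {"pid": 5001, "api": "ReadProcessMemory", "args": {"hProcess": "0x1c4", "lpBaseAddress": "0x400000"}, "ret": 1},
    {"pid": 5001, "api": "GetDriveTypeA", "args": {"lpRootPathName": "C:\\"}, "ret": "DRIVE_FIXED"},
]

if __name__ == "__main__":
    print(detect_remote_injection(TRACE))
    print(detect_drive_sweep(TRACE))
```

On production hosts the same signal comes from Sysmon Event ID 8 (CreateRemoteThread) or an EDR's API hooks; the handle tracking matters because VirtualAlloc and WriteProcessMemory on their own occur in plenty of legitimate software, and it is the complete sequence against a foreign process that is the indicator.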

Although these ransomware samples from 2016 and 2020 exhibited many different techniques, five techniques were present in both: use of email, PowerShell, registry keys, and vssadmin, and execution of an asymmetric encryption payload.  The current trend is heavy use of native Windows APIs, scripts, and command-line tools to execute steps in the kill chain.

Why It Matters

The predominant pattern in the evolution of ransomware is rapidly changing artifacts and TTPs, speed of advancement, escalation in extortion tactics and payment demands, and a growing range of targets.  History demonstrates that as attacker techniques are discovered by defenders, they become indicators of compromise for the latest endpoint security products to alert on.  This adaptation of security technologies inevitably forces ransomware operators to find new evasion techniques and obfuscation methods to avoid detection and successfully act on their objectives.  Defenders adjust to offensive tactics, which compels cybercriminals to change tactics and find new techniques.  This cycle is inherently dangerous, inevitably leads to an escalation in malicious behavior and malware, and makes the world less safe.

Another disturbing trend observed throughout the evolution of ransomware is an increasingly destructive nature of the attacks.  Turning a profit is not enough for ransomware operators, who are often looking to inflict maximum damage to targeted organizations.  Although in a majority of ransomware attacks the cybercriminals do provide the decryption key upon payment, this is not a guarantee.  Nor is it guaranteed that all files can be fully restored with the key.  The evolution of ransomware suggests that ransomware operators will continue employing tactics, techniques, and procedures that work and will continue to target poorly secured networks.   

Therefore, security defenders must be more responsive when reacting to threats as well as more proactive in detecting new threats as early in the kill chain as possible.  Technology corporations are investing heavily in the development and integration of behavior-based machine learning, automation, and artificial intelligence as a proactive solution.  However, only time will tell whether AI-enhanced security technology is indeed a game changer for security defenders, or whether it evolves into another attack vector or, worse, an effective tool for cybercriminals.

Another concerning trend developing in the evolution of ransomware is the ever-widening range of potential targets.  Ransomware operators have demonstrated a brazenness in their target selection, progressing from individuals to businesses to large corporations and city governments.  It seems reasonable then that ransomware may evolve into malware capable of disabling entire infrastructures, critical not only to a business’s operation, but also a city or an entire nation until a ransom is paid.  Cybercriminals may soon target industrial control systems and other critical infrastructure to paralyze not only networks, but ecosystems. Payment systems and public kiosks may also become a bigger target for ransomware, and ransomware is growing rapidly in the IoT space as well.

Despite the focus on government, schools, and healthcare, ransomware began as a crime of opportunity and in essence, remains an opportunistic attack targeting insecure businesses.  Therefore, small and medium-size businesses are not immune to ransomware attacks either.  Ransomware attacks are a serious cyberthreat for any organization, large or small, public or private. 

The evolution of ransomware has led to the emergence of ransomware-as-a-service in underground marketplaces.  Malware authors sell custom-built ransomware to cybercriminals in exchange for a percentage of the profit, or they sell the ransomware source code outright and the buyer customizes it themselves.  The buyer of the service has oftentimes already compromised a target network but lacks the ransomware or delivery methods.  This division of labor is leading to increasingly targeted malware, innovation in delivery methods, and ultimately a higher frequency of ransomware attacks.  Cybercriminals are networking underground, sharing and selling their unique skill sets, and collaborating to carry out organized cyberattacks by pooling resources, tools, and targets.  This is the definition of organized crime, and perhaps an evolving underground digital mafia spawned by the anonymity of the dark web.

These patterns in the evolution of ransomware make it vital for organizations to invest in securing endpoints, hardening networks, and training employees to spot phishing emails.  Even the most sophisticated ransomware attacks begin with an email.  Therefore, it is imperative for organizations to help employees recognize malicious emails.  Cyber awareness training is crucial to preventing malware from infecting endpoints in the first place.

Ransomware operators are becoming more malicious, aggressive, destructive, and efficient in their attacks.  Ransomware attacks are here to stay because they work, they are highly lucrative, and people are still taking the bait in phishing emails.  Therefore, mitigating ransomware threats must be a high priority for every organization, especially as signature-based security technologies have proven insufficient.  A proactive threat hunting approach should be integrated alongside behavioral analysis and prioritized employee training on security awareness and social engineering tactics to protect businesses, cities, and nations at large from the threat of ransomware.