How to Identify a Ransomware Email Attack

What is Ransomware

The first recorded example of ransomware was in 1989, when evolutionary biologist Dr. Joseph Popp sent floppy discs containing the PC Cyborg Trojan to hundreds of recipients under the heading "AIDS Information Introductory Diskette". The Trojan encrypted file names on the C drive before displaying a message demanding that money be sent to a P.O. Box in Panama for "license renewal".

The concept of demanding a ransom for data kidnapping expanded during the 1990s, as did the anonymous methods for collecting ransoms. Until the development of Bitcoin, ransom payments were demanded via prepaid cash services, Western Union wire transfers, and Amazon or iTunes gift cards. One ransomware attack demanded that texts be sent to a premium-rate SMS messaging service.

The nature of ransomware also evolved. Whereas the majority of recent ransomware examples below focus on the encryption of data and servers' web directories, there are many examples of non-encrypting ransomware that lock users' systems or that threaten to publish stolen data from victims' systems - rather than deny victims access to the data - if a ransom is not paid.

Ransomware Examples: Mobile Devices and the Cloud

As technology has evolved, the sophistication of ransomware attacks has kept pace. Device-blocking ransomware loaded into applications made available in the Google Store has infected devices on the Android platform, while attackers have exploited iCloud accounts and vulnerabilities in the Find My iPhone system to lock access to devices on the Apple platform.

Although it is believed that developments in machine learning and artificial intelligence in the cloud will be able to detect and correct vulnerabilities and suspicious behaviors in the future, some security experts have warned that attackers will also use these technologies to learn from defensive responses and disrupt detection models, in order to exploit newly discovered vulnerabilities before defenders patch them.

Concerns have also been raised that machine learning technology will be better at generating convincing phishing emails, and be able to do it at scale. Therefore, it is essential businesses implement measures to counter the threat from ransomware - and not just technological measures. In order to be better defended against ransomware, end users must understand the psychology behind ransomware attacks.

The Psychology Behind Ransomware Attacks

When the first phishing emails harboring ransomware circulated, they were very simplistic. "Click on the image to see the cute cat" or "Look what tricks my doggy can do" were typical hooks used to prey on a victim's curiosity and get them to open an attachment or click on a link. As awareness of ransomware increased, so did the sophistication of ransomware attacks and the psychology behind them.

Phishing emails evolved to trigger other emotions - for example, urgency, sympathy, fear and greed. Victims now received phishing emails appearing to be from technical support departments, charitable organizations and law enforcement agencies demanding action, or from bogus lottery companies with "click to win" offers.

Social engineering became the next development in ransomware psychology. Cybercriminals used freely available personal information to make emails look like they came from a legitimate source. In these ransomware examples, victims believed they were replying to an email from their bank or medical provider. Or, in a business environment, somebody from their own company.

Psychology of Ransomware Demands

Ransomware distributors know how to use psychology in their ransom demands as well. In many successful ransomware attacks, there are examples of urgency ("Pay within 72 hours or the ransom doubles") and fear ("Pay within 72 hours or the recovery key will be destroyed and your data will remain encrypted forever"). Other ransomware examples of psychological manipulation include fake FBI warnings and fake accusations that the target has been viewing pornography.

Ransomware examples even extend to sympathy - or purport to. One variant of the CryptoWall4 ransomware distributed in 2016 promised to forward ransoms to a children's charity. Just in case victims debated whether the promise was genuine, they were only given twenty-four hours to make their "donation" before the five Bitcoin ransom was doubled.

The charitable angle has been around for more than twenty years. Indeed, when Dr. Joseph Popp was detained following the PC Cyborg Trojan scam in 1989, he claimed in his defense the purpose of his scam was to support AIDS research. Authorities were not so charitable and charged him with eleven counts of blackmail. He was subsequently declared mentally unfit to stand trial.

What does a ransomware email look like?

Ransomware emails can camouflage themselves as legitimate emails better than many expect. You might see an email that appears to come from your organization's CEO with a hyperlink that claims to be for a gift card purchase, a training course, or even a meeting invitation, but the link is actually malware.

Among the most obvious signs of a ransomware email are:

  • Suspicious or unrecognized sender email
  • Obvious grammar or spelling errors
  • Abrupt and/or unusual requests to purchase gift cards
  • Inconsistent company logo or email signature

Ransomware email examples

Phishing scams

A phishing scam tricks victims into clicking on malicious links and/or revealing confidential information, such as a password. Phishing emails typically disguise themselves as coming from someone within the victim's organization.

Ryuk

Ryuk is a type of ransomware that is usually deployed in phishing scams. Once cyberattackers gain access to the target organization's network, they encrypt important files, demanding a ransom to decrypt the files.

Learn more about Ryuk.

Maze

Maze was one of the first RaaS (Ransomware as a Service) models which even had its own "customer service" page that helped victims of its ransomware attacks figure out how to pay ransom and regain access to their files.

Maze was commonly deployed via phishing attacks, but there were also many instances where Maze preyed on weak passwords and successfully infiltrated organizations using brute-force attacks.

Learn more about Maze.

The evolving threat of email ransomware

Though ransomware variants like Maze and Ryuk are relatively well understood, and Maze allegedly shut down in 2020, plenty of new threats keep emerging suddenly to extort all kinds of organizations. New ransomware threats are often based on previous ransomware models, and are sometimes operated by the same cyber criminal affiliates - often under different names.

Should you pay ransom for ransomware emails?

No, it is generally advisable to never pay ransom, as this will not guarantee access to your files and could encourage cyberattackers to extort your organization again.

Instead, it's better to partner with law enforcement and cybersecurity experts to help recover your data and bring cybercriminals to justice.

How to report ransomware emails

In many cases, reporting ransomware emails to law enforcement is required by law. Gather as much information as you can and submit your report to the FBI (Federal Bureau of Investigation). If you are a victim of a cybersecurity attack, be sure to contact your local FBI field office, or submit a tip online.

Here are ten signs that could help your employees spot Ransomware:

1. It's a strange request. If you've received a request you're not expecting, seems out of the ordinary, or isn't relevant to you directly, chances are it's a typical phishing email, even if it looks like the sender is from within your organisation. If in doubt, call the "sender" to confirm its legitimacy. Delete!

2. Friend, you've not been addressed personally. If a generic salutation has been used, chances are the sender doesn't know who you are. At best, it's just a marketing email, but at worst you're a target of a cyber criminal. Delete!

3. Bad gramar and speling. Most peopl take a sense of pride in there work. bad gramar, typos and speling is a dead cert that their is something phishy. Delete!

4. It's got an attachment. Ransomware payloads are commonly executed by opening an email attachment, or enabling a macro script on a document. Always be cautious of opening an attachment, especially if you're not expecting it or don't know the sender. Delete!

5. Dodgy URL links. The display URL isn't necessarily the destination web page. Hover over links before clicking to see if they direct you where you expect them to. Looks legit? Double check to look for individual characters or minor discrepancies. Still in doubt? Delete!

6. Great news! You've won $500! That's strange - you didn't even enter a competition. This sounds so obvious, yet people still regularly fall for it, or the cyber criminals wouldn't do it. If it's too good to be true, it's a scam. Please don't click on the link to the prize page. Delete!

7. The from: address doesn't add up. It's easy for wannabe attackers to create fake email addresses that are near-identical to the real deal. Customerhelp@amaz0n.com could easily be misread as a legitimate email address. Delete! Note: savvier cyber criminals can spoof email addresses so that they look like they DO actually come from a legitimate source. Don't rely on this sign without cross-referencing.

8. Scaremongering tactics. A common approach used by cyber criminals is to claim something like "your account has been breached!". This creates a sense of urgency and vulnerability, and can prevent people from thinking clearly. If the claims in the email were true, would the sender really tell you in this way? Always check through a different means of communication. Then delete!

9. It's an uncharacteristic request from somebody you know. Maybe you've received an email from somebody you trust (e.g. your CEO, the finance department), but the language used is different from normal. Maybe it's too formal or informal. Maybe the email signature isn't the normal one used. You're probably used to the way these individuals talk to you, so if it's not normal, something weird might be going on. Delete!

10. A big red box has appeared on the screen telling you that your files are encrypted and you have 72 hours to pay 10 bitcoin. If you've got to this stage, there's no doubt that you've received a Ransomware email. Unfortunately, it also means you've actioned something within the email and subsequently been infected. It's too late to delete!
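Several of the signs above (the earlier bullet list and signs 2, 4, 5, 7 and 8 here) can be checked mechanically before a message reaches a person. The script below is an added example written for this page, not code from the original article or from any product it mentions: it parses a raw message with Python's standard email library and reports a lookalike sender domain, a failed SPF/DKIM verdict (the cross-reference sign 7 asks for), a macro-enabled or executable attachment, a generic salutation, urgency language, and a link whose visible URL differs from its real destination. The trusted-domain allowlist, the confusable-character map and both sample messages are assumptions constructed for the demonstration; the amaz0n.com lookalike is the one the page itself uses.

```python
import re
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist: the organisation's own domain plus brands it deals with.
TRUSTED_DOMAINS = {"amazon.com", "example.org"}
# Attachment types that commonly carry a ransomware payload (sign 4).
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".iso", ".docm", ".xlsm", ".pptm")
URGENCY_PATTERNS = (r"\burgent\b", r"within \d+ hours", r"\bbreached\b", r"\bimmediately\b", r"\bsuspended\b")
GENERIC_SALUTATION = re.compile(r"^\s*(dear|hello|hi)\s+(customer|user|friend|member|sir|madam|valued)", re.I | re.M)
# Digit-for-letter swaps seen in lookalike domains such as amaz0n.com (assumed map).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s"})


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs and the plain text of an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self.text = [], []
        self._href, self._anchor = None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._anchor = dict(attrs).get("href"), []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor).strip()))
            self._href = None


def sender_domain(msg):
    hdr = msg["from"]
    addr = hdr.addresses[0].addr_spec if hdr and hdr.addresses else ""
    return addr.rpartition("@")[2].lower()


def analyze(raw):
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []

    dom = sender_domain(msg)  # sign 7: near-identical sender domain
    if dom and dom not in TRUSTED_DOMAINS and dom.translate(CONFUSABLES) in TRUSTED_DOMAINS:
        findings.append(f"lookalike sender domain: {dom}")

    auth = str(msg["authentication-results"] or "")  # spoofing: trust the MTA's SPF/DKIM verdict
    if re.search(r"\b(spf|dkim|dmarc)=(fail|softfail|none)", auth, re.I):
        findings.append("sender authentication did not pass: " + auth.strip())

    for part in msg.iter_attachments():  # sign 4
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            findings.append(f"risky attachment: {name}")

    body = msg.get_body(preferencelist=("html", "plain"))
    text, links = "", []
    if body is not None:
        content = body.get_content()
        if body.get_content_type() == "text/html":
            collector = LinkCollector()
            collector.feed(content)
            text, links = "".join(collector.text), collector.links
        else:
            text = content

    if GENERIC_SALUTATION.search(text):  # sign 2
        findings.append("generic salutation")

    haystack = f"{msg['subject'] or ''}\n{text}"  # sign 8
    if any(re.search(p, haystack, re.I) for p in URGENCY_PATTERNS):
        findings.append("urgency language in subject or body")

    for href, shown in links:  # sign 5: displayed URL vs. real destination
        if re.match(r"https?://", shown, re.I):
            shown_host = urlparse(shown).hostname or ""
            real_host = urlparse(href).hostname or ""
            if shown_host != real_host:
                findings.append(f"link text shows {shown_host} but points to {real_host}")
    return findings


# Constructed sample lure (not a real message): lookalike sender, failed SPF,
# generic greeting, scare wording, mismatched link and a macro-enabled attachment.
SAMPLE_EMAIL = b"""From: Customer Help <customerhelp@amaz0n.com>
To: someone@example.org
Subject: URGENT: your account has been breached!
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=amaz0n.com; dkim=none
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear Customer,</p>
<p>Your account has been breached. Verify within 24 hours:
<a href="http://login-amaz0n.example/verify">https://www.amazon.com/account</a></p>
</body></html>
--b1
Content-Type: application/octet-stream; name="invoice.docm"
Content-Disposition: attachment; filename="invoice.docm"
Content-Transfer-Encoding: base64

UEsDBA==
--b1--
"""

# Constructed benign message for comparison: nothing should be flagged.
CLEAN_EMAIL = b"""From: Alice <alice@example.org>
To: bob@example.org
Subject: Notes from today's meeting
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=example.org; dkim=pass
Content-Type: text/plain; charset="utf-8"

Hi Bob,
Here is the agenda link we discussed: https://wiki.example.org/agenda
"""

if __name__ == "__main__":
    for label, raw in (("sample lure", SAMPLE_EMAIL), ("clean message", CLEAN_EMAIL)):
        print(label, "->", analyze(raw) or ["no findings"])
```

Each finding maps back to one of the signs in the list, so the output can be shown to the recipient as a reason rather than a bare verdict. The lookalike check deliberately stays simple (digit-for-letter swaps only); a production filter would also compare against registered homoglyphs and the organisation's own sending infrastructure, and would treat the Authentication-Results header as trustworthy only when it was added by your own mail gateway.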

Links

https://www.ic3.gov/Home/Ransomware

https://github.com/chartingshow/crypto-firewall/blob/master/docs/pdf/Ransomware_Fact_Sheet.pdf

https://github.com/chartingshow/crypto-firewall/blob/master/docs/pdf/ofac_ransomware_advisory.pdf