
The History of Ransomware: From Floppies to Droppers, and Beyond

BSidesSF · 2023 · 24:23 · Published 2023-05
Category: War Stories
Style: Talk
About this talk
The History of Ransomware: From Floppies to Droppers, and Beyond
Eliad Kimhy
Modern ransomware has become synonymous with some of the most devastating cyber attacks of our time. 30 years ago, however, ransomware was born as a wild scheme, devised by a man armed with 10,000 floppy disks and a virus. How has ransomware evolved since, and what can this strange history teach us?
https://bsidessf2023.sched.com/event/1HztA/the-history-of-ransomware-from-floppies-to-droppers-and-beyond
Transcript [en]

Thank you all for joining. My name is Eliad. I do a talk about the history of ransomware. Currently I work at a company called Akamai; I am one of the people who lead the publication of security research there. I also produce a podcast called Malicious Life about the history of cyber security. That's where I got my passion for this stuff, and that's where you can find a lot more information about this. I'm also from Berlin, so I flew in yesterday; I might be a little jet-lagged. I actually had a weird dream that I missed the talk and had all these emails, and then I woke up, it was 10 p.m. yesterday, and I was like, you idiot, you went to sleep at eight, how are you going to miss a talk at 3 p.m.? But here we are.

So, the history of ransomware, from floppies to droppers, this is my beautiful pun that I created. Today we're going to talk a little bit about some stories from the history of cyber security. We're going to talk about how ransomware evolved, some of the elements like the encryption, the business model, the delivery. This is a talk I usually give in 35 to 40 minutes, so I've made it a little bit shorter and we're going to run through it, but I hope you enjoy and learn something. It's a difficult talk to follow the one that was before me, because it was really, really interesting, but I hope I can do it justice.

Before we start, does anybody know what was the first ransomware, when did it happen? Does anybody know? Anybody want to scream? '89? That's right, 1989, which is weird, because some of the people here in this room weren't born before 1989, which is pretty weird when one of the biggest problems that we're dealing with right now is older than some people who are actually here, or some people's children. But it is a very old problem, and the story of the first ransomware is actually a bizarre story, and we'll talk about it.

So this is the first ransomware. It was spread by floppy disks. It was called the AIDS Information software, or security people call it the AIDS Trojan, and that's a terrible name, right, with a terrible connotation, but already we're getting some connections to how malware works today and the type of social engineering that is being done in the modern age. This was a Trojan that was written by a man called Joseph L. Popp in 1989, and he had this brilliant idea where he figured, if I can just create this software that encrypts people's computers, and I can send them a floppy disk and get them to put that in, their computer will get encrypted and then I can make some money. And that's what he actually did. It was a brilliant idea, and so bizarre. So this man, Joseph L. Popp, decided he's going to send all these floppy disks out by mail, individually, and when a person puts that into their computer it asks them to turn on their printer, it prints out a ransom note and encrypts their device. And what a brilliant plan to get all the money, all this sweet, sweet cash. I think you can see here, this is the ransom note: it was 378 dollars, you send it to a PO box in Panama, which was just the brilliant idea of taking a vacation as you collect the proceeds. So this guy was crazy and brilliant, but that's what he did.

We can look in a little more detail at what were some of the elements that brought this whole thing together, and then compare them and maybe talk about the evolution. It was composed of three different little details. First, the delivery, which nowadays we call the sneakernet, the idea that things don't really ... he had to send it by snail mail. We didn't have an internet then; it wasn't anything that anybody used at that point, or maybe we had some precursors to that, but in those days you couldn't just send a file over to somebody, you had to actually physically get that to them. And here I think we have a little bit ... we talked about this topic of the AIDS Trojan, the AIDS virus. Part of why this was successful, part of why this bizarre idea actually ended up working, is two things. One, this man Joseph L. Popp had the actual physical addresses of AIDS researchers around the world, and he sent them software about the thing that they were researching, so that was some incentive to open that. And this type of social engineering is something that we see today. I think we saw three years ago, four years ago, sorry, it's hard to keep track, with the COVID-19 virus, we saw a lot of social engineering about this type of epidemic. This is something that a lot of people were thinking about at the time, and in the late 80s this was an important topic to a lot of people, not the least of which are the people who were researching this. So this man, they found in his parents' house I think between ten thousand and fifteen thousand floppy disks, which was an immense financial investment, and he actually did send all of them by mail, which was a ridiculous amount of investment of time, but that's how he got it there.

We'll look at what happened with this encryption. His encryption was very basic, it was symmetric encryption. It wasn't sophisticated, it wasn't the encryption that we know of today. He actually did a couple of things in there: he kind of hid the files, he changed the names, but it wasn't anything fancy, and actually if you were a software engineer you could reverse it pretty easily. The problem was that not a lot of people back then understood what was going on inside their computers, and that's actually a really sad part of the story. Some researchers lost a lot of their research because they were just clicking, pushing all the buttons, trying to fix the problem, and they ended up deleting some of the files and losing years and years of research, which was pretty sad. Sorry about that, I don't know what's happening with the screen right now, I'm being hacked live, maybe this is somebody else's demo.

So we'll look at the encryption and how that evolved, and then the business model: the brilliant PO box in Panama idea, which is kind of like something you'd think a child would come up with, you know, get the money, go on a vacation, but that's how he figured he'll make the money. And eventually that's one of the things that got him arrested, because his name was on the PO box, and you can't do that. So the PO box, his name was there, they figured out who it was. People losing years and years of research, and the fact that he was targeting these people in the first place, researchers, was already something that brought it to public attention. And the delivery, the tens of thousands of floppy disks, was a lot of evidence that they could use, and all of these different components ended up bringing him down. So part of our journey will be to discover how do you do all these things without getting caught, which is unfortunate, but that's what enables this technology to work today. He was actually caught in Amsterdam, at the airport. He was kind of walking around aimlessly, somebody alerted the authorities, they took him in, they realized this is the guy, the Panama guy, and they took him to court. The guy showed up with curlers in his beard and all sorts of weird things were happening, and so the judge made the decision that this guy's insane and we're going to let him go. So in 1989, if you wrote ransomware, they'd think you're crazy and they'd let you go. And honestly, at the time this probably did look a little crazy.

Let's talk a little bit about encryption. I want to do a detour. This is kind of trying to lay a path through the history, but I want to do a little detour, because encryption wasn't easy, even in the later points where you sort of wrote encryption into software, but certainly in the earlier days. And also, when we talk about Joseph L. Popp, the fact that people had lost their data was a factor that made his case a lot worse, because he's actually causing damage. So what did hackers do somewhere in the 2010s? What's easier than writing encryption? Not writing encryption, and just telling you that you're encrypted, or telling you that you're locked. And this was a fad back in the day, these screen lockers, which I find very interesting, because somebody locks your screen and tells you that the DoD and the Department of Homeland Security and the FBI and everybody's just on your case because of all the dangerous materials you have, and if you just send us 30 bucks in gift cards, good to go. So that was the whole concept, and some people fell for it, and there was even a case of somebody who turned himself in for having actually illicit materials on their computer because of one of these scams. I think that was the only person ever that that happened to, but I think that's pretty funny.

In terms of encryption, I think encryption is not an old thing. I mentioned symmetric encryption; there's asymmetric encryption. I'm not an expert, so if you're not an expert, that's good, we can talk on the same level. But asymmetric encryption, the idea that you have a private key and a public key to encrypt and decrypt things, has existed, the mathematical formula for it or the mathematical idea, since, I think, the 70s, if I remember correctly, and I should remember correctly, I'm giving this talk. These three gentlemen, Rivest, Shamir and Adleman, RSA, actually the conference that's happening in a couple of days, so very timely, they created this algorithm a long, long time ago. There were some people in the 90s hypothesizing about the possibility of something like ransomware, what would happen, but it wasn't until 2006 that we actually saw the first RSA-encrypted ransomware. That was GPCode, and GPCode would arrive at your machine in a document like a job offer or something like that, something that would be really compelling for you to open, especially if you're jobless. You could talk about preying on the weak, that's a very dirty move, but you would open it up and it would infect your computer and lock your files with this RSA encryption. In the beginning it was very easy, it was a very low bit rate, so people were actually working on trying to decrypt it, and it worked for a while, until the bit rates went up and the encryption became more and more sophisticated, and at some point it just didn't work anymore: you couldn't decrypt it no matter how much computing power you had. You could still go and find these pages online, people trying to pull together machines just to try and decrypt this one ransomware. At this point in time, I think we're all aware, it's very, very difficult to unencrypt ransomware. There had been incidents, for example in some cases you would get source code released or things like that. The one on the left there is actually from an issue of Virus Bulletin from 1989. This is how, if you got infected with the AIDS Trojan, you could send them a letter and then by mail they'll send you the code or the floppy to actually unencrypt your computer. But that's not a very good solution. In the history of ransomware I would say 2006 is when we saw encryption come into its own and just quickly outpace our ability to solve the problem. So that was encryption. That's one of those things where I feel like at this point we have not much to do about the encryption.

Business model. So let's talk about the money. PO box in Panama was just kind of a wild dream, but there are and have been a lot of different ways where people were trying to monetize these scams. In the earliest days it was gift cards and prepaid debit cards, and sometimes text messages and things like that. This is still a method that, I don't know, works; this is still something that people do in scams, it's just not really effective, and so we've moved on from that. These are some of the screen lockers; this is something that was done in the 2010s, a little bit earlier, a little bit later. Then there were electronic currencies. This is something that people had tried to use. There was a problem with that. This was kind of a service online: you would put money in there, you would get a code, and this was an idea of how to try and monetize cyber crime. The problem was you would give these organizations your name and details, and as we mentioned earlier, that's not a good idea, so people would get caught. So this didn't work. And the spoiler of the year: Bitcoin. So Bitcoin in 2013 is when things sort of clicked into place. I don't think anybody's shocked. The first ransomware I found that uses Bitcoin was CryptoLocker. Back in the day two Bitcoins was around three hundred dollars. So that's one of the first examples of ransomware using Bitcoin, and ever since then, I think cryptocurrency has become a big, big thing in writing ransomware. This is one of the most effective ways to monetize and remain relatively unknown. And so that was a step in the evolution.

CryptoLocker was a very interesting ransomware because it was one of the first ones to be distributed through this idea of a banking Trojan combined with a botnet, or delivered inside of a botnet, and we'll get to that a little bit later. This was a botnet called the GameOver Zeus botnet, led by ... I'll show you in a little bit, we'll talk about the delivery. Suffice to say it was both delivered very effectively at the time and was very effective at getting people's money. In the early days it was mostly people's computers that were getting hacked and delivered this; it wasn't like what we know today, big organizations.

So a little bit about the delivery. We started with the idea of floppy disks, and the sneakernet was sort of in the 1980s, 1990s. This is how people got software over to each other, by walking over to their computer and jamming something in there. And I think the interesting thing that we'll find is that whereas with the encryption and the business model there's kind of a linear path, with the delivery models you'll find a path throughout history that is a little bit more parallel, and I'll show you in a second, which is a little frustrating as well in some ways. Nowadays people don't really use the sneakernet as it were, but you can still walk up to somebody's computer and jam something in there, so you might as well, you could try that to great effect. So it's not like it's gone completely. But this was the main way people would transfer malware, to the point where, when you look at some magazines from the late 80s, early 90s, before the introduction of the internet, some people didn't even believe viruses existed; they'd just never seen one in action. And most of the viruses back then were just kind of for fun, like they'd make a little grandpa walk on your screen, or all sorts of things. Of course there were some very interesting viruses that would totally destroy your whole day, but this talk is not about them. My next talk will be about that.

So here's a couple of things that were happening, ways to deliver malware in the late 90s. '95 was a beautiful era for bugs in software. The first thing is you've got the internet sort of coming up, you've got spam mail. Spam mail was not a new thing, but spam mail delivered via email was a bit new, and this is something that we still see today. But in the 90s there was something interesting: Windows 95 came out, Office, all these softwares are just full of bugs and vulnerabilities and interesting ways to exploit them. And one of those interesting ways, and I think it's interesting to note, over here there's the Melissa virus. It was a macro virus. In the 90s, if you look at Virus Bulletin, all the big ones, all of the viruses are macro viruses; it was all the rage. What is a macro? A macro is sort of an automated function that you create in a Word document or an Excel document, and if that sounds familiar, it's because that's basically how phishing is done today as well. You have an attachment and you have a macro, and all that's different nowadays is you just ask the user to enable macros, and back then it was just automatic. Maybe I'm simplifying a little bit, but from '95 till today we're still seeing a lot of abuse of macros. For example, vulnerabilities in Windows, vulnerabilities in Flash; we don't have Flash today, but there are still vulnerabilities online. So in the 90s that was all the rage, and how you would sort of exploit and get into people's machines. We're going to make this a little short so we have some extra time for questions.

One of the ways that I saw a lot in the early 2000s that was a problem, or something that I read a lot about, is downloading things. The 2000s were sort of this boom of peer-to-peer downloads, and you might download your favorite Britney Spears song, and as you play it you realize this isn't Britney Spears, this is ransomware. Actually, no, not ransomware, maybe a banking Trojan. But that's obviously something that's still going on today, and it was one of the things that I've read about a lot. So downloading things was a big problem in the early 2000s.

Here's another thing, and I said I'll talk about this when I talked about CryptoLocker: Trojans and botnets. Around the 2010s, or sort of through the history of ransomware, these were a great way of delivering ransomware. Banking Trojans were used to create the infection, and then either the machine would join a botnet and then deliver the ransomware, or they would use another payload to then spread through the network, or spread through a corporate network or whatever network, and then deliver the ransomware. So this was really around the time, 2013, where ransomware became a really big problem and sort of started growing. Two prominent examples from around that time were GameOver Zeus, which was a botnet that was used to deliver CryptoLocker, and Emotet, which was the famous Emotet, TrickBot, Ryuk, or Emotet, insert another payload here, insert another ransomware here. These two pipelines were kind of the two big ones at the time, and the way they operated was pretty simple, and why they worked this way was pretty simple, because it's kind of layering all these things together from all these vulnerabilities from the 90s. When you think about getting people infected via phishing email or spam email, then using maybe a document that had a macro on it and some social engineering to get something to run on a machine, you use that macro to download a payload, let's say Emotet, and Emotet then establishes persistence or something like that and then downloads another payload, in this case, in this specific graphic, that would be TrickBot, and then TrickBot, another type of Trojan, would then spread through the network, and then you can eventually get yourself a lot of different