
Good morning everyone. So I am sort of a history buff, but specifically a hacking history buff, and not necessarily in terms of throwing out dates and rattling off facts in that way, but I'm very curious about how things started and how things progressed. Part of my job is doing threat modelling and threat hunting, and I think to be able to understand threats you need to understand what's come before, and then you can try to extrapolate from that what's coming in the future. So this is a half hour of the entire history of ransomware from 1981 through till now.

This is me. I work for Adarma, behind me here. I have a technical blog at bluetangle where I post detections and stuff that I'm working on. I run Real Hack History, which I have not been working on recently; I produce little YouTube videos on events in hacking history. And you also have to have your other, non-computer hobbies to appear like a normal person, at the bottom, so I like bowling, archery and reading detective novels.

I had to give this whole thing a sort of format, otherwise I would just put entire encyclopedia entries on everything. So we have the history of the event itself, we have the context of the history, and finally how did they do the ransom and how did they get the money. This is always a very interesting part, because you can see this develop and then eventually it's just bitcoin, that's it.

So I said we started in 1981. I'm starting on something that I know nothing about: the America's Cup, yacht racing apparently. In 1981 a package of floppy disks was stolen with telemetry from one of the yacht racing teams, and this was very important proprietary information that the yacht racing team did not want to get out, because I guess it would give you maybe an advantage over their team, or gambling, or I don't really understand that. I did some research, I still don't understand it. So essentially somebody got hold of these floppy disks with the telemetry data on them and they were trying to ransom them on an Australian bulletin board. I was able to find this out through looking at RISKS Digest, which had a reprint of a 1981 article. A lot of this older digital history, hacking history, is kind of lost; you have to hope that someone mentioned it on Usenet or, in this case, on the RISKS mailing list.

So this is the ransom part here. Computing Australia reported that the 17 disks were originally ransomed through a bulletin board called Interstate Connect, which is an Australian bulletin board, apparently with a hacker group called Tech Hack, which I think was involved in running that BBS, trying to make sure that they weren't blamed for the stolen disks. And there was a request for... looking now, oh, did I not put the money on? Hmm. I think it was seven or eight thousand dollars. The ransom was never paid and the disks, I think, were returned in the end. So that was 1981. This is one of the oldest cases of ransomed data that I was able to find that wasn't stolen physical hard copy.

So, moving on. This is Joseph Lewis Popp Jr., and this is the AIDS or PC Cyborg trojan. Essentially what this guy did: he was a World Health Organization... or he wanted to work for the World Health Organization. He was an evolutionary biologist and he created a floppy disk that he labelled as a sort of digital questionnaire that someone could fill in, and it would try to extrapolate from that how likely they were to get AIDS, I believe. So he went on a mailing list for people who were AIDS researchers at the time, and in 1989 he sent out disks to, I think, about 2,000 people, and anyone who ran the disk infected themselves with the PC Cyborg trojan. Essentially what it did is it waited for the person who installed it to reboot their computer, originally 90 times, but he sent out other iterations of this to people, he kept on sending these disks out, and it would essentially encrypt parts of the actual file table itself and would bring you up a message that would basically say: "the most serious consequences of your failure to abide by the terms of this license agreement: your conscience may haunt you for the rest of your life". So you get a flair for the melodramatic.

He was arrested in the UK and it turned out that he was severely mentally ill, so he was kind of tinfoil hat, worried about people doing mind control on him. The UK authorities declined to prosecute him and he was sent back to the US. The things that he did using the PC Cyborg trojan were actually able to be reversed, luckily, because honestly he could have destroyed a lot of AIDS research in 1989; that could have wiped out a lot of people's computers if it was irreversible. And this is just... so he wanted people to send $189 to a post office box in Panama. After he was arrested he said that he was going to put that money into AIDS research, which was a very strange sort of justification for this whole weird scheme of his, and this was all essentially because he was passed over for a job at the World Health Organization.

The movie Hackers. We weren't going to get through this without the movie Hackers. So I thought about... the whole plot of the movie Hackers revolves around The Plague trying to basically get away with electronic fraud in the company that he is the CISO at. So he creates this computer virus, which is represented on the screen by this, I don't know what, digital avatar, and what this virus essentially does is, if you don't send a payment, it impedes the function of internet-connected oil tankers. None of this at the time... this was all obviously a movie, but this was in my mind a sort of fictional representation of ransomware, insofar as if they didn't pay the ransom the ships were going to capsize. And this is actually from the script: "unless five million dollars are transferred to the following numbered account in seven days, I will capsize five tankers in the Ellingson fleet". So that was the method of basically getting hold of the money in that case.

2005, Trojan PGPCoder. So this was the first, sort of, in the wild, after the PC Cyborg trojan, this was one of the first in-the-wild encryption ransomwares, because obviously there are locker ransomwares; this is encryption. So in this case this is the BBC at the time, breathlessly: "a unique new kind of malicious threat which locks up files on a PC and demands money in return", and the date that I'm giving here is the fifth of May, when it actually made the news. So PGPCoder looked for 15 common file types, and this is something you'll see in a lot of ransomware: text files, documents, whatever, at the time, 2005, and then encrypts them. A lot of this was drive-by, sort of Internet Explorer vulnerabilities, and then malicious sites would basically cause a downloader to download this PGPCoder ransomware, and then it would encrypt your system. And yeah, so this shows you the ransom demands were originally twenty to seventy dollars in rubles, payable to a Yandex account, which is like sort of Russian PayPal, I guess, in a way. Later decrypters would cost $100 to $200, so we're already seeing an increase in ransoms, and were payable through e-gold or Liberty Reserve, which were both shut down by the US government because they were massively involved in fraud like this.

Archiveus used 1024-bit RSA asymmetric encryption, so this was an increase in the actual encryption of the ransomware itself. Earlier versions of ransomware used custom encryption schemes or weak encryption schemes, so it was quite easy for people to sort of reverse engineer, although in this case they made a mistake: they used a single 30-character password for everything, and that's it there, which undermined their business model, because once that came out nobody was willing to pay. And the other fascinating thing for me about this is that the ransom was paid via purchasing drugs from online pharmacies, so I'm assuming they got some kind of kickback for that. But that's to me the most unique method of payment, other than maybe mailing cheques to Panama. This is the strangest one to me. I looked for more details of this, what pharmacies, what drugs, I couldn't find any more, but I did look.

2010, WinLock arrests in Moscow. So this was a locker ransomware, and essentially it was run in Russia by Russians, and this is before, I guess, the official ruling of, like, don't do ransomware in Russia if you're from Russia, or I guess don't commit crimes in the country where you are, essentially. So these guys were all caught, they were all put in prison, and yeah, WinLock would not encrypt a victim's files but would lock the entire computer itself and ask for a fine. So 2010 is when they sort of made the news, but it was running since 2007; it was just in Russia, so it didn't really make the Western press that much. And this is a screenshot of very, very grainy Russian TV footage of... if you've ever looked at ransomware arrest footage, this is money and various documents and USB drives and stuff being sorted through. Developers of WinLock were said to have earned one billion rubles, although the estimates by the Russian authorities went up: it was initially something like twenty-five thousand dollars and then it went up and up and up. And this demanded a text to a premium-rate SMS number, so you can see again the method of actually getting money from people is changing over time, and obviously that would then be traceable back to people if you were trying to withdraw the money from whatever sort of kickback scheme there.

Reveton, the police ransom virus. So this was basically sent out by drive-by malware again; this was looking for various security flaws in browsers, could be email attachments, could be a few different things, and it would give you this fake message from whatever your local law enforcement were. So there were different versions of this released: there was a Canadian version, a US version, a UK version, I think there was a Europol version, there was probably a Russian version as well, and it was basically threatening you and saying, you know, you've been caught doing bad things online, you need to send money to this account in this way. So this was also an early ransomware-as-a-service, insofar as the people who ran Reveton were also farming it out. I think there was a Russian gang, there were English people involved who were eventually arrested, there were people in Spain doing this, and there were various websites that were basically taking money to put the actual downloader onto their website so that they could infect their own customers, essentially, but, you know, have plausible deniability that they weren't involved. And Reveton took money via MoneyPak, so prepaid credit cards, so they got around some of the earlier problems with people, you know, not wanting to call a number, or maybe not having their own credit card. I think this was also harder to trace as well, because it was basically a prepaid credit card sent to an account, so it was more difficult, and that was around $100, so we're still quite low in terms of ransoms.

SimpleLocker, the first Android encryption ransomware. This is just interesting because it was the first one that actually targeted Android, and it's essentially the same thing: it targeted your SD card and it basically tried to encrypt all of your files on there, your pictures, whatever documents you had. And this is a little section from... this was once again released in Russia, targeting Russian people, probably by Russian people. So this is a little bit of the ransom; they're just basically probably saying, you know, you need to get your files back, we've got them encrypted. It had a Tor onion-based C2, so it basically got error reports there: if it failed to encrypt files, or there was some sort of basically quality assurance that it sent back data. That was it, though. And it targeted these file types, so once again looking for file types that people would be willing to pay to get back. Victims in Ukraine were instructed to pay 22.13 pounds via MoneXy, and "in case of no payment you will lose all data on your device". Victims in Russia were charged about 30 dollars in rubles, so still quite low in terms of ransom.

SamSam. This is where we start to see more targeted ransoms, so instead of just randomly infecting anyone who goes to a website or opens their email or whatever, SamSam actually targeted businesses specifically, and actually operated within those businesses' networks to try and spread the ransomware as far as they possibly could. So this was an FBI alert, "FBI wants US businesses to help as cyber extortion gains urgency", and this is basically an alert from the FBI saying, like, you know, this is targeting businesses specifically, this isn't a random thing anymore. SamSam's TTPs closely resemble what we think of as typical ransomware techniques now: brute forcing RDP, looking for privilege escalation, looking for lateral movement within a network, targeting parts of the network that are seen as important or more valuable to the people who might then pay a ransom. And in 2017 the largest ransom paid to SamSam was huge by the measure of the time: it was $64,000 via bitcoin. And in 2018 it was thought that SamSam may have taken in as much as six million dollars at that point, so we can see a massive difference between the $20 ransoms at the beginning and where we are at this point.

San Francisco Municipal Transportation Agency. So that was interesting because this was one of those that broke through to the media in such a way that it affected people in the real world in a very clear way. It wasn't a matter of some computers in a data center somewhere being encrypted; this was people could not get home via the San Francisco metro or whatever else. In the end they just said free entry, and they just basically said you didn't have to buy a ticket, but for a while they had completely paralyzed their entire infrastructure. And yeah, so HDDCryptor managed to infect 2,112 systems belonging to the Municipal Transportation Agency, and the message was "You hacked, all data encrypted", which is not what you want to see. The operators of the ransomware demanded 100 bitcoins, which at the time was $73,000, and once again you can see that increase in ransoms; you can see the targeted nature of this, that they figured these are people who would be willing to pay a ransom.

WannaCry. Had to include it. It's probably something that we're all aware of, we've all heard of, we're all familiar with. So this is a report from the time: "by Friday evening the ransomware spread to the United States and South America, through Europe and Russia, though Europe and Russia remained the hardest hit, according to security researchers MalwareHunterTeam. The Russian interior ministry said about 1,000 computers have been affected." And this is just a shot of the ransom message you would get up on your screen. So WannaCry spread to an estimated three hundred thousand computers, so in the time it took before the kill switch was put on, basically by Marcus Hutchins registering a domain, it managed to infect a massive amount of computers, and it used the stolen NSA exploit EternalBlue, which enabled it to spread basically like a worm. WannaCry demanded a payment of about $300 in bitcoin, and this goes back to the earlier payments we saw that were basically predicated on random people being infected, so the ransoms are lower; they're not expecting to necessarily get companies, it could be just random people, or people who wouldn't have the funds to pay otherwise. And the message was "You have not so enough time". There were three hard-coded bitcoin addresses which were used to receive the payments from victims.

BitPaymer. This is interesting because this is what I see as kind of the big game hunting ransomware starting. So BitPaymer are basically an offshoot of Evil Corp, or part of Evil Corp, and they started taking sort of SamSam's approach to specifically targeting businesses, but in their case they started targeting bigger businesses, bigger organizations. And so this is part of their ransom message here: "it may harm your business reputation and the company's capitalization fell sharply", so the implicit threat there, and also that they're targeting businesses; they're not targeting random normal people on the internet. So BitPaymer actually hit Scottish hospitals, NHS Lanarkshire, very badly, and they'd been hit with WannaCry, I think, a month before that, and that was the largest sort of health department catchment area in Scotland at the time, so that really affected how they were able to operate. And the ransom requested of NHS Lanarkshire was 50 bitcoins, so that's £168,000, or 218,000 dollars, so once again we're seeing a massive increase in the ransoms that are demanded.

Allied Universal, breached by Maze in November 2019. So this is a message from the Maze operators to BleepingComputer: "I uploaded some files from the networks as the data breach proofs. If they don't begin sending requested money until next Friday we will begin releasing on public everything that we have downloaded from their network." So, to put some context on that, this is not necessarily the full origin but one of the origins of the double extortion of ransomware. So you're not just encrypting files, and not just taking files that you need to prove that you've accessed the network; you're actually taking files and then you're doing double extortion, so you're threatening to release confidential files, whether it's credit card details, or people's personal bank card details, or company secrets. And so this is kind of the origin of that, through Maze. Maze were demanding 300 bitcoins from Allied Universal, which is about 2.3 million dollars at the time, and yeah, I think they were paid at least some of that, if I remember correctly.

Treasury sanctions Evil Corp. This is, oh, Maxim Yakubets here with his weird sort of sports car that looks like it's out of Fortnite or something, looks like a Fortnite skin. But Treasury sanctioned Evil Corp in December of 2019, and this is another one of those big events in terms of ransomware, because after this it was very difficult for Evil Corp to continue to do business in the way that it was. The companies that they would interact with to basically negotiate ransoms were told not to deal with them anymore once these sanctions came into play; companies were told by the US government, like, do not deal with these people, do not pay ransoms, do not transfer them any money. So once these charges against the various members, and especially the leader, of Evil Corp went into effect, it made their business model a lot more complicated, a lot more difficult. According to US government indictments, Evil Corp is responsible for stealing about 100 million dollars from companies over the last decade or so. They've had various iterations: Dridex, BitPaymer, which we were just talking about, and they're all sort of under that umbrella of Evil Corp.

DarkSide and the Colonial Pipeline is another one of those events that people talk about or think about. This shut down the biggest US gas pipeline, and it was unable to resume operations for, I think, weeks afterwards, and this was nearly half of the fuel consumed across the US East Coast. What's interesting about that is they didn't actually damage any of the software that was running the pipeline itself; it was because the payment and billing systems were offline, so basically Colonial Pipeline was unwilling to give out gasoline for free. But it's interesting, at the time it was sold as, like, they've shut down the actual pipeline itself; it was more complica