
All right, we are almost there. Just one quick reminder: please pick up after yourself as you leave the room, for the janitors. The other thing is, if you still haven't registered for tonight's happy hour, please do so. Happy hour has free food, what else can I say? Up next we're going to be talking about the ransomware evolution. Stephanie currently serves as a lead CTI analyst at EY. She has been part of the intelligence community since 2009 and previously worked with the Air Force nuclear weapons center supporting the B61 Life Extension Program. I don't know what that is, it sounds really cool. And she's been running around for the past two days, so please welcome
So thanks for that introduction. Good afternoon everyone, I hope you're all hanging in there on this last stretch of the conference. I really appreciate everybody who stayed and attended all these workshops and even made badges. I promise to keep this talk light so we can all wrap up and head to the after party. So today we're going to be taking a journey through the world of ransomware, from its humble beginnings to its current impact on, sorry, I have to connect it.
Okay, here we go. Okay, so today we're going to be taking a journey through the world of ransomware, from its humble beginnings to its current impact on cyber security. I know as fellow cyber security professionals we've all had our fair share of encounters with ransomware. Consider this a laid-back exploration of how this has evolved and where we find ourselves today. We won't be diving into the weeds; instead we'll be focusing on a high-level overview of the ransomware landscape. This is our agenda for today. I'll start with a brief introduction about myself and my role in the cyber security field. Next we'll define ransomware. We all have encountered it
in some form, but it's always good to start with a definition just to get on the same page. We'll then move on to the mechanics of ransomware; we'll go through the typical life cycle of an intrusion. To put things into perspective, we'll take a step back and look at the origins of ransomware. We'll cover some of the earliest known attacks and how they paved the way for where we are today. Then we'll spend some time going through trends from 2010 to present. Finally, we'll look to the future. All right, let's dive in. But before we get into the nitty-gritty of ransomware, let me take a moment to introduce myself and give you a bit of
my background. I'm sorry, Chris gave me a laser pointer but, okay. So my name is Stephanie Roberts and I'm currently a lead CTI analyst at Ernst & Young, so it's a Big Four accounting firm. We provide managed services to different clients, so that's my current role. Prior to working at EY I spent some time at a small startup company in Colorado Springs called root9B. It was actually purchased by Deloitte, and so I still have some friends that work for Deloitte, so there's that bit of competitive rivalry between the Big Four accounting firms. I'm pretty sure Deloitte's number one and EY three, but you know, that's okay. And before I got into
CTI I worked at the Air Force Nuclear Weapons Center supporting the B61 Life Extension Program on Kirtland Air Force Base. It's some really interesting stuff. I really missed my time there; it was a good job. I proudly am representing Albuquerque, New Mexico. I'm born and raised, I graduated from Sandia High School and briefly attended the University of New Mexico before taking a detour into the Army. A fun fact about me: I once serenaded Albuquerque with my violin when I was in the Albuquerque Symphony program. For those of you who don't know, it's just an orchestra program for high school, middle school and elementary school
students. And when I'm not reading up on the cyber threat landscape I'm wrangling my son, who you can see there, and our four dogs and our four cats. But now that you know a bit about my New Mexico roots and my squad at home, let's dive into ransomware. So what exactly is ransomware? Ransomware is a type of malicious software. Think about it as a digital kidnapper, but instead of taking your dog it takes your files hostage and locks you out of your house. Once it infiltrates a device it doesn't just stop there; it spreads its reach, not only looking for files on the initial device but also checking and seeing if there's any additional
connected devices that it can access. The goal of ransomware is to render your system unusable by encrypting your files. You can't access your data, and the only way you can get it back is to pay a ransom. It's like waking up to find out that your car has been booted and you need to pay a fine to get it removed. Ransomware isn't the work of just one type of criminal. It's deployed by a range of threat actors with different motives and levels of expertise, from highly skilled cyber criminals to less sophisticated script kiddies; the spectrum is pretty broad. Some of the main culprits behind ransomware intrusions are cyber criminals looking for financial gain
or nation states aiming for strategic advantages. We also hear about activists, insiders and script kiddies, but that's kind of like comparing the mafia to the occasional shoplifter. So now that we've defined what ransomware is and its role in the cyber threat landscape, let's take a closer look at how it actually works. This is just a general intrusion cycle; it will differ, but generally speaking, ransomware attacks typically start with an intrusion. This is like the burglar picking the locks on your front door, or perhaps you've left that door unlocked. The attacker gains unauthorized access to your system through various
means, so these are going to be those phishing emails, malicious attachments, or exploiting software vulnerabilities. So imagine receiving an email that looks completely legit from your friend, but once you click on the link you unwittingly invite the burglar into your house. Once inside, the ransomware gets to work encrypting your files. It's like the burglar's not just stealing your valuables but also changing all the locks in your house so you can't get back in. The malware scans your system and encrypts important and sensitive files, making them inaccessible to you. It's basically locking you out of your own digital house. Sorry, we're on ransom demand. After locking up your files, the attackers present their ransom demand.
This is the part where the burglar leaves a note saying pay up or you'll never see your stuff again. They typically demand payment in cryptocurrencies like Bitcoin to maintain their anonymity, and they don't take credit cards or checks, only cold hard digital cash. So moving to decryption: if you choose to pay the ransom, the attackers may provide you with the decryption key, or you may not ever get a decryption key. There's no guarantee that paying the ransom will actually get your files back, so it's like trusting that same burglar who broke into your house and changed the locks to leave the new keys under the doormat. You hope for the best but you're never quite sure
what's going to happen. And now we're on post-ransom activities. So even after a ransom is paid and files are decrypted, the nightmare isn't necessarily over. Attackers might leave back doors in your system for future exploitation, or sell your compromised data on the dark web. It's like finally getting back into your house only to realize that they left a window open for future visits. So now that we've explored how ransomware operates, let's take a step back and look at where it all began. I firmly believe in understanding the origins of these types of things, just because it helps you plan better in the future. Okay, so this is the AIDS
Trojan. So let's take a trip back to 1989. This is when Joseph Popp, who was an evolutionary biologist, decided to channel his frustration creatively after being denied a position at the World Health Organization. He didn't grumble about it; he created the AIDS Trojan, because the next logical step when your job application gets rejected is to create ransomware. To spread this creation, Popp mailed 20,000 floppy discs to attendees at the WHO AIDS conference. For those who remember, floppy discs were the vintage storage devices of the pre-USB era. These discs were distributed with a leaflet that warned recipients about potential harm from the disc's code. The recipients didn't have anything
to worry about though, because they could pay the PC Cyborg Corporation to fix the issue caused by inserting the floppy disc. Once the disc was inserted the system would become encrypted or locked, and to regain access victims had to send $189 to a PO box in Panama. Yes, Panama, because nothing says trustworthy like mailing a ransom payment to an anonymous address in a foreign country. So now that we've covered the origin of ransomware with the AIDS Trojan, let's dive a little deeper into the specifics of what made this early form of ransomware tick and where it fell short. So the first feature: anonymity. This was intended to be a key feature, with payments sent
to a PO box in Panama to hide Popp's identity. This didn't last long though, and we'll get into that when we discuss the limitations. Next up we have delivery via mail. Popp used the US Postal Service to distribute the floppy discs. Using the US Postal Service for this might have been a crime called mail fraud, so that was another limitation but also a feature. And next up we have encryption, and while this was a feature of the AIDS Trojan, there were also limitations to this as well, because the same key was used as the encryption and decryption key. As previously stated, Popp required the money to be sent to a Panamanian
account, and this was to maintain anonymity but also to obscure the money trail. There is no record though of a significant payout, and this isn't really considered to be successful from a financial perspective. Next up we have the ransom notes. This would be the leaflet that came with the discs; it outlined the steps the victim needed to take to regain access to their files. It's like saying pay up or you'll never see your awkward prom photos again. And the last feature we'll discuss is social engineering. This was actually relied upon heavily, because Popp exploited the trust in the conference materials and the recipients' willingness to insert
the discs into their computers. Okay, so now we'll move to limitations. First off, one of the significant limitations of the AIDS Trojan was its use of symmetric encryption: the same key was used for both encrypting and decrypting the data. This means that once investigators had the key they could easily unlock the encrypted files. Additionally, the operation wasn't cheap. Popp spent around $100,000 on floppy discs alone, not to mention the international postage fees. If you adjust for inflation, that's about $260,000 in today's money. I don't know about you, but I don't have $260,000 laying around to take out a grievance on a company that rejected a job application. Next,
despite his efforts to maintain anonymity, Popp was quickly identified and arrested within a year. Those 20,000 floppy discs that he sent out, he left his return address on those, and so they were able to, you know, take that back to him as evidence and say, hey, this is you. There are other aspects of the investigation as well. So having explored the features and limitations of the early AIDS Trojan, let's fast forward and take a look at how ransomware evolved from 1990 to 2000. We're just going to start with these pink boxes and then we'll go back to these yellow ones. So in 1996 there are these two researchers, Adam Young and Moti Yung,
they're spelled differently than I have it on the slide. They introduced the concept of applying asymmetric cryptography to malware. This was initially a warning, and it was a bit of a self-fulfilling prophecy because they gave that tool to cyber criminals developing ransomware. But this marked a significant step forward, because asymmetric cryptography uses two different keys, one for encryption and one for decryption, making it harder for victims to unlock their files without the private key. And so we'll move to 1999. This is the Melissa virus. This was a macro virus that targeted Microsoft Word and Outlook based systems and spread through phishing emails. The virus used social engineering techniques,
tricking recipients into opening a document that claimed to be a list of passwords to adult websites. Once opened, the virus would email itself to the first 50 contacts in the victim's address book. It was one of the first instances where social engineering was effectively used to distribute malware on a large scale. And now we'll move to 2000. So in 2000, 24-year-old Onel de Guzman decided to create a virus that stole credentials for internet access. De Guzman lacked the funds to pay for access for himself and decided to take it from others. It was believed that he had access to the internet through shared resources or public access points, and this allowed him to initially launch the
virus. So this attack was prominent for several reasons, but notably because he used phishing emails for delivery. The email played on the universal fascination with romantic love, with the subject line "I love you" and an attached VBS file named "love letter for you". It promised happiness and thrills that were hard to say no to. The ILOVEYOU virus spread rapidly, originating from the Philippines, which, shout out to my people; for those of you who don't know, I'm half Filipino. And it reached the US within just 5 hours. It eventually impacted 45 million users. On its way across the world it hit notable institutions like the British Parliament, the Pentagon and Ford Motor
Company. The global damages were estimated to be 8.7 billion, with another 15 billion spent on remediation efforts. Email-transmitted malware wasn't new; we discussed the Melissa virus previously, but none had reached the success rate of ILOVEYOU. And now we're going to go back a bit to 1983. This was when the development of digital cash, or eCash, began, enabling user anonymity. This is crucial for ransomware, as anonymous transactions made it harder for law enforcement to trace money back to the attackers. It's the cyber equivalent of using an unmarked briefcase full of cash. So think of it like the Zune of digital currency, way ahead of its time and paving the way
for future innovations. For those of you who might have forgotten, the Zune was Microsoft's digital media player, a competitor to the iPod with some advanced features that never quite took off. I really liked it. And then in 1998 DigiCash, an early digital cash company, went out of business. However, the concept of eCash didn't die with it. It laid the groundwork for the emergence of Bitcoin in 2018, which later became the preferred cryptocurrency for ransomware payments due to its anonymity. So it's like how the Zune walked so Spotify could run; DigiCash's early ideas set the stage for Bitcoin's success. So now that we've seen how ransomware began to take shape in the '90s, let's move to the
next decade and see how global digitization and increased connectivity facilitated the rapid spread of ransomware from 2000 to 2010. This is just a graph of the number of internet users. You can see that it's grown, and it's still growing; it just cuts off in 2010. So with the turn of the millennium the world was getting more connected than ever. Global digitization and increased internet connectivity meant that ransomware could spread faster and farther. It was like watching the internet go from dial-up to hyperspeed. So some of the key highlights during this era: ransom demands were surprisingly low. Some threat actors asked for $20 for code decryptors.
It's like the threat actors are just testing the waters and seeing if they could make a quick buck without scaring off the victim. Additionally, cyber criminals during this time favored a quantity over quality approach. Instead of meticulously crafting a few high-quality attacks, they sent out as many as possible hoping some would stick. So it's like throwing darts in the dark: plenty of misses, but every so often they hit a bullseye. And then in 2006 ransomware took a significant leap forward with the addition of AES and RSA encryption. This was like upgrading from that dollar store lock to a high-tech biometric system. Cyber criminals are getting more sophisticated
and their attacks are becoming harder to crack. One particularly interesting method of payment during this time was asking victims to purchase goods from an online pharmacy to get their decryption keys. Imagine having to buy pills to unlock your files. So having navigated through the early days and evolution of ransomware up to 2010, let's move to the present era. The last decade has seen ransomware evolve, becoming more sophisticated and widespread, driven by new technology and global events. I do want to caveat that there are some major events that are not listed up here. I'm just trying to highlight some of the ones that I found more notable. You can disagree with this,
and you know, everyone has their perspective on things, but I'll go ahead and jump into this. So in 2013 CryptoLocker introduced us to the joy of paying ransom payments in Bitcoin. It's like the cyber criminals said, why not just use the currency of the future? Bitcoin provided a secure, untraceable way to receive money, making it the perfect match for ransomware payments. And then in 2015 ransomware went corporate with the emergence of the ransomware-as-a-service model. On that note, some of these ransomware operations and some of these threat actors that you see, they might come from the same family. Wizard Spider is one that
Conti used to belong to, and they used to be divided up into different teams. They have their own customer support system and operate like a legitimate business, except they're not. But groups started offering free kits to budding cyber criminals, so it was like a DIY home improvement kit: want to start your own ransomware empire? Here's everything you need, no experience required. Okay, and then in 2019 Maze threat actors decided that just locking up your data wasn't enough. They began pioneering the double extortion method, where they exfiltrated data before encrypting systems. The purpose of exfiltrating data was to pressure victims into paying the ransom; otherwise they would publish it on their leak
sites. Then we're moving to the Dark Ages. During the COVID-19 pandemic in 2020, ransomware attacks surged, particularly targeting healthcare organizations. Cyber criminals exploited healthcare's critical role during the crisis. I should note that there are a few threat actors out there with a code of conduct who won't target, say, children's hospitals, but unfortunately not everyone operates on the same, or any, principles. Then moving along to 2021, KY ransomware took things up a notch with triple extortion tactics. They not only encrypted data and threatened to release it, but they began targeting victims' clients and partners. In other instances threat actors threatened to conduct distributed denial of service attacks against victims who did not pay the ransom
demands. By 2023 ransomware attacks had become so relentless that some victims were hit by dual intrusions within a short time frame. I remember the FBI released a notification, I think in September, about the increase in these, and then I began seeing them as I was collecting data for some of my briefs to some of my clients. So thanks to ransomware-as-a-service groups and the ability to purchase these with little to no technical expertise, individuals could purchase these subscriptions across multiple variants and then conduct repeated intrusions on the same victim. So this would be like getting mugged twice on the same street: just when you think you've recovered, another attack comes
along. So now that we've explored notable trends up to the present day, let's look ahead and discuss what the future holds for ransomware. There are six different items on the slide. We won't cover all of them, but I'll call out that most of these are already happening to some degree. I know that AI is a hot topic right now, and it's something that threat actors will continue to use to enhance their campaigns. During one of the panel discussions it was mentioned that phishing emails are becoming more convincing; the language is improving. They're looking much less obvious, they're looking much less like those scams from the past. It's no longer about
spotting the glaring errors; it's like they've hired a professional copywriter. The recommendation in the past would have been to look for those grammatical errors, but now it might be to look for emails, or to, you know, scrutinize emails a little more, that seem a little too proper. And again on the AI point, we had a speaker earlier talk about using ChatGPT to conduct research on their victims. You know, that is another thing that is just going to happen. Another point that I'll cover is the expansion of ransomware as a service. It enables less technical threat actors to conduct these attacks. So, you know, it's possible,
during some of my research I saw this to a lesser extent, I'm not sure if it was coordinated, but maybe ransomware as a service expands to not dual intrusions but, you know, maybe triple intrusions. And then lastly we'll focus on government and regulatory responses. New laws and regulations will aim to enhance cyber security standards and impose stricter penalties on cyber criminals. In February there was a joint effort that disrupted LockBit. I know that that doesn't really seem to be going too well because LockBit is still very much active, but this is really a partnership throughout the world, just because
these groups are pretty bad, and what they're able to do could really bring down a lot of companies. But with that, that is my presentation. Thank you.
I don't know if anybody has any questions.
Thank you for the talk. My impression is that ransomware started off kind of small and that it kind of hit smaller, less well defended organizations, but that over the years it's getting bigger. As they get more money they can invest in new technology, and it's actually, like, you know, hitting larger and better known companies. Do you see that continuing? Do you have any ideas?
Right, so what I've kind of seen from ransomware intrusions and what threat actors are doing, so with ransomware as a service, you know, you have your affiliates distributing the ransomware. They're getting creative with what they do. They're kind of throwing things at the wall, seeing if they'll stick, and once something sticks then a bunch of other groups start adopting that same type of tactic. I can't think of any of those right now, but I know that, you know, ransomware affiliates and threat actors, they're also watching what they're doing because they want that same success, and you know, if they're able to adopt it then they'll adopt it. Does that answer it?
I was wondering if you know of, or if you think of, any specific preventative measures specifically for ransomware, not so much about, you know, generally preventing malware to begin with, but specifically. Thank you.
So I mean a lot of, so a lot of the mitigations are going to overlap with, you know, general malware mitigations. So, you know, keeping your systems up to date, having multi-factor authentication enabled, user education, network segmentation. A lot of the best practices that are pushed in the industry, that's not going to cover you from just one type of threat; that's going to be beneficial for a bunch of different types of threats.
And if there's no more questions I'll pass this back to, thank you Stephanie.