INSIGHT

Ransomware: The year in review

By Gavin Smith, Valeska Bloch
Cyber Data & Privacy Technology & Outsourcing Technology, Media & Telecommunications

In brief

Ransomware is big business, as cyber criminals increasingly transition from a business model focused on the theft of data to one predicated on extortion. Remarkably, however, the use of malicious software to elicit a financial benefit is not new, with the first recorded outbreak of ransomware occurring in 1989. We take a look at some of the more infamous ransomware attacks from 2017, including WannaCry, Petya/NotPetya and Bad Rabbit.

A brief history of ransomware

The first known ransomware attack took place in 1989, and was initiated by biologist and AIDS researcher Joseph Popp. Known as the 'AIDS Trojan', the malicious software targeted the healthcare industry and was distributed to computers via floppy disk. Dr Popp claimed that the disks contained a program designed to analyse an individual's risk of acquiring the AIDS virus. Interestingly, this also makes the attack one of the earliest examples of cyber-related social engineering – eliciting the trust of researchers to deliver the ransomware. Once the malware had infected a user's computer, it would activate after the machine had been powered on 90 times. When this threshold was reached, the malware displayed a message demanding a payment of $189 to a PO Box in Panama owned by PC Cyborg Corporation.

Since then, ransomware has grown increasingly sophisticated and dangerous. The year 2017 saw several global ransomware attacks that deployed complex levels of encryption, causing damage to companies across multiple industries.

WannaCry

In May 2017, the 'WannaCry' ransomware attack infected more than 230,000 computers in more than 150 countries over the course of 24 hours. Victims ranged from hospitals, universities and government agencies, to international corporations and non-government organisations.

The WannaCry outbreak exploited a software vulnerability known as 'EternalBlue' to take advantage of Microsoft Windows operating systems. While the majority of ransomware tends to spread by tricking users into downloading infected files or visiting malicious websites, WannaCry used 'computer worms' to spread through networks of connected computers. In this way, WannaCry could spread to all computers connected to the same network after infecting just one computer. This meant that WannaCry spread widely and rapidly, taking its victims by surprise.

The existence of 'EternalBlue' was first revealed in leaked files of the United States National Security Agency in April 2017. While Microsoft quickly released a security update to patch the exploit, many organisations either hadn't installed the update or used outdated Windows products that Microsoft no longer supports. For those in the former category, only a month's delay in installing the update proved fatal.

Despite the sophistication and dangers of WannaCry, an error in WannaCry's code revealed a 'kill switch' that allowed researchers to neutralise the ransomware and curtail its impact.

Petya/NotPetya

In June 2017, another major cyber attack took place, with attackers using a variant of 'Petya', a form of encrypting ransomware discovered in 2016, to infect computers in a number of countries. Both the new variant of Petya (also dubbed NotPetya, Petna, EternalPetya or Nyetya) and WannaCry took advantage of the EternalBlue vulnerability, making them able to spread rapidly to maximise damage.

However, NotPetya was considerably more dangerous than WannaCry. Despite being a form of ransomware, cyber security researchers say NotPetya was designed to make it impossible to recover or restore systems. This is because NotPetya is able to overwrite and encrypt a computer's master boot record, making it nearly impossible to restore the system even if a ransom is paid.

Additionally, NotPetya is able to search for and steal user credentials on infected computers, providing attackers with control over network management tools. This means that NotPetya can spread both to computers in the network running outdated software and those with the latest security patches and updates.

While NotPetya is more dangerous (particularly as no kill switch has been identified to shut it down), it spread to fewer countries and computers than WannaCry. More than 2000 computers, mostly in Ukraine, were infected by NotPetya.

Bad Rabbit

In October 2017, a new strain of ransomware known as 'Bad Rabbit' emerged, targeting corporate networks in Germany, Russia, Ukraine and Turkey. According to cyber security firm Kaspersky Lab, Bad Rabbit has similarities to WannaCry and Petya but it is unclear how far it will spread.

Kaspersky Lab believes Bad Rabbit infects computers by tricking users into clicking on a malicious installer disguised as Adobe Flash. The malicious installer reportedly appeared when users visited certain websites that were legitimate – but insecure – and therefore vulnerable to exploitation.

To date, Bad Rabbit has affected Russian media organisations and an airport in Ukraine. But analysts do not believe that Bad Rabbit will spread to the same extent as WannaCry and NotPetya.