
Digital Shakedown: A Brief History Of Ransomware by Cian Heasley

BSides Dundee · 29:19 · 40 views · Published 2022-08
Category: War Stories
Style: Talk

About this talk
Around 40 years of history delivered in a brisk 25 minutes: you are guaranteed to leave this talk knowing things you were previously unaware of. If you've ever read the news of a high-profile ransomware attack that has impacted a hospital, school, business or even national government and thought to yourself "how the hell did we get here?", then this talk is for you. We'll be going on a whistle-stop journey through the history of ransomware, starting back in the early days of the 1980s, straight through to the present day, with a little dash of speculation as to where ransomware is headed as a fully fledged industry in the future.
Transcript [en]

Good morning, everyone. So, I am sort of a history buff, but sort of a hacking history buff, and not necessarily in terms of throwing out dates and rattling off facts in that way, but I'm very curious about how things started and how things progressed. Part of my job is doing threat modelling and threat hunting, and I think to be able to understand threats you need to understand what's come before, and then you can try to extrapolate from that what's coming in the future. So this is a half hour of the entire history of ransomware, from 1981 through till now. This is me: I work for Adarma, behind me here. I have a technical blog at bluetangle,

where I post detections and stuff that I'm working on. I run Real Hack History, which I have not been working on recently; I produce little YouTube videos on events in hacking history. And you also have to have your other hobbies, non-computer hobbies, to appear like a normal person, at the bottom, so I like bowling, archery and reading detective novels. I had to give this whole thing sort of a format, otherwise I would just put entire encyclopedia entries on everything. So we have the history of the event itself, we have the context of the history, and finally, how did they do the ransom and how did they get the money? And this is

always a very interesting part, because you can see this develop, and then eventually it's just Bitcoin, that's it. So, as I said, we start in 1981. I'm starting on something that I know nothing about: the America's Cup, yacht racing, apparently. In 1981 a package of floppy disks was stolen with telemetry from one of the yacht racing teams, and this was very important proprietary information that the yacht racing team did not want to get out, because I guess it would give you maybe an advantage over their team, or gambling, or... I don't really understand that. I did some research; I still don't understand it. So essentially somebody got hold of these floppy disks with the telemetry

data on them, and they were trying to ransom it on an Australian bulletin board. I was able to find this out through looking at RISKS Digest, which then had a reprint of a 1981 article. So a lot of this older digital history, hacking history, is kind of lost; you have to hope that someone mentioned it on Usenet or, in this case, in the RISKS mailing list. And so this is the ransom part here: Computing Australia reported that the 17 disks were originally ransomed through a bulletin board called Interstate Connect, which is an Australian bulletin board, apparently, with a hacker group called Tech Hack, which I think was involved in running that BBS, trying to

make sure that they weren't blamed for this, the stolen disks. And there was a request for... looking now, oh, did I not put the money on? Hmm. I think it was at seven thousand, eight thousand dollars. The ransom was never paid, and the disks, I think, were returned in the end. So that was 1981. This is one of the oldest cases of ransomed data that I was able to find that wasn't stolen physical, like hard copy. So, moving on: this is Joseph Lewis Popp Jr., and this is the AIDS or PC Cyborg trojan. Essentially what this guy did: he was a World Health Organization... or he wanted to work for the World Health

Organization. He was an evolutionary biologist, and he created a floppy disk that he labelled as a sort of digital questionnaire that someone could fill in, and it would try to extrapolate from that how likely they were to get AIDS, I believe. So he went on a mailing list for people who were AIDS researchers at the time, and, in 1989 this happened, he sent out disks to, I think, about 2,000 people, and anyone who ran the disk infected themselves with the PC Cyborg trojan. Essentially what it did is it waited for the person who installed it to reboot their computer, originally 90 times, but he sent out other iterations of this to people;

he kept on sending these disks out. And it would essentially encrypt parts of your... like the actual file table itself, and would bring you up with a message that would basically say: "the most serious consequences of your failure to abide by the terms of this license agreement: your conscience may haunt you for the rest of your life." So you get a flair for the melodramatic. He was arrested in the UK, and it turned out that he was severely mentally ill, so he was kind of tinfoil hat, worried about people doing mind control on him. The UK authorities declined to basically prosecute him, and he was sent back to the US.

The things that he did using the PC Cyborg trojan were actually able to be reversed, so, luckily, because honestly he could have destroyed a lot of AIDS research in 1989; that could have wiped out a lot of people's computers if it was irreversible. And this is just... so he wanted people to send $189 to a post office box in Panama. After he was arrested, he said that he was going to put that money into AIDS research, which was a very strange sort of justification for this whole weird scheme of his, and this was all essentially because he was passed over for a job at the World Health Organization. The movie Hackers: we weren't going to

get through this without the movie Hackers, so I thought about it. The whole plot of the movie Hackers revolves around The Plague trying to basically get away with electronic fraud in the company that he is the CISO at. So he creates this computer virus, which is represented on the screen by this sort of, I don't know what, digital avatar, and what this virus essentially does is, if you don't send a payment, it impedes the function of internet-connected oil tankers. So, I mean, none of this... at the time this was all obviously a movie, but this was in my mind a sort of fictional representation of ransomware, insofar as, if they didn't pay the

ransom, the ships were going to capsize. And this is actually from the script: "unless five million dollars are transferred to the following numbered account in seven days, I will capsize five tankers in the Ellingson fleet." So that was the method of basically getting hold of the money in that case. 2005: trojan PGPCoder. So this was the first sort of in-the-wild... after the PC Cyborg trojan this was one of the first in-the-wild encryption ransomwares, because obviously there's locker ransomware; this is encryption. So in this case this is the BBC at the time, breathlessly: "a unique new kind of malicious threat which locks up files on

a PC and demands money in return." And the date that I'm giving here is the fifth of May, so when it actually made the news. So PGPCoder looked for 15 common file types, and this is something you'll see in a lot of ransomware: text files, documents, whatever at the time, 2005, and then encrypts them. A lot of this was drive-by, sort of Internet Explorer vulnerabilities, and then malicious sites would basically cause a downloader to download this PGPCoder ransomware, and then it would encrypt your system. And yeah, so this shows you the ransom demands were originally twenty dollars to seventy dollars in roubles, payable to a Yandex account,

which is like sort of Russian PayPal, I guess, in a way. Later decrypters would cost 100 to 200, so we're already seeing an increase in ransoms, and they were payable through e-gold or Liberty Reserve, which were both shut down by the US government because they were massively involved in fraud like this. Archiveus used 1024-bit RSA asymmetric encryption, so this was an increase in the actual encryption of the ransomware itself. Earlier versions of ransomware, it was quite easy to... they used custom encryption schemes or weak encryption schemes, so it was easy for people to sort of reverse engineer. Although in this case they made a mistake: they used a single 30-character password for everything, and that's it

there, which undermined their business model, because once that came out nobody was willing to pay. And the other fascinating thing for me about this is that the ransom was paid via purchasing drugs from online pharmacies, so I'm assuming they got some kind of kickback for that, but that's to me the most unique method of payment, other than maybe mailing cheques to Panama. This is the strangest one to me; I looked for more details of this, what pharmacies, what drugs, I couldn't find any more, but I did look. 2010: WinLock arrests in Moscow. So this was a locker ransomware, and essentially it was tests run in Russia by Russians, and this is before, I guess,

the official ruling of like, don't do ransomware in Russia if you're from Russia, or, I guess, don't commit crimes in the country where you are, essentially. So these guys were all caught, they were all put in prison, and yeah, WinLock would encrypt... would not encrypt a victim's files but would lock the entire computer itself and ask for a fine. So 2010 is when they sort of made the news, but it was running since 2007; it was just in Russia, so it didn't really make the Western press that much. And this is a screenshot of very, very grainy Russian TV footage of... if you've ever looked at ransomware sort of arrest footage, this

is money and various documents and USB drives and stuff being sorted through. Developers of WinLock were said to have earned one billion roubles, although the estimates by the Russian authorities went up; it was initially something like twenty-five thousand dollars and then it went up and up and up. And this demanded a text to a premium-rate SMS number, so you can see again the method of actually getting money from people is changing over time, and obviously that would then be traceable back to people if you were trying to withdraw the money from whatever sort of kickback scheme there. Reveton, the police ransom virus: so this basically was sent out, drive-by malware again. This

was looking for various security flaws in browsers, could be email attachments, could be a few different things, and it would give you this fake message from whatever your local law enforcement were. So there were different versions of this released: there was a Canadian version, a US version, a UK version, I think there was a Europol version, there was probably a Russian version as well. And it was basically threatening you and saying, you know, you've been caught doing bad things online, you need to send money to this account in this way. So this was also an early ransomware-as-a-service, insofar as the people who ran Reveton were also farming it out, so

I think there was a Russian gang, there were English people involved who were eventually arrested, there were people in Spain doing this, and there were various websites that were basically taking money to put the actual downloader onto their website so that then they could infect their own customers, essentially, but, you know, have plausible deniability that they weren't involved. And Reveton took money via MoneyPak, so prepaid credit cards, so they got around some of the earlier problems with people, you know, not wanting to call a number or maybe not having their own credit card. I think this was also harder to trace as well, because it was basically a prepaid credit card sent to an account,

so it was more difficult, and that was around 100, so we're still quite low in terms of ransoms. SimpleLocker, the first Android encryption ransomware. This is just interesting because it was the first one that actually targeted Android, and it's essentially the same thing: it targeted your SD card and it basically tried to encrypt all of your files on there, your pictures, whatever documents you had. And this is a little section from... this is, once again, released in Russia, targeting Russian people, probably by Russian people, so this is a little bit of the ransom; they're just basically probably saying, you know, you need to get your files back, we've got them encrypted.

It had a Tor onion-based C2, so it basically got error reports there, so if it failed to encrypt files, or there was some sort of, basically, quality assurance that it sent back data. That was it, though. And it targeted these file types, so once again looking for file types that people would be willing to pay to get back. Victims in Ukraine were instructed to pay 22.13 pounds via MoneXy, and "in case of no payment you will lose all data on your device". Victims in Russia were charged about 30 dollars in roubles, so still quite low in terms of ransom. SamSam: this is where we start to see more targeted ransom, so instead of just

randomly infecting anyone who goes to a website or opens their email or whatever, SamSam actually targeted businesses specifically, and actually operated within those businesses' networks to try and spread the ransomware as far as they possibly could. So this was an FBI alert: "FBI wants US businesses to help as cyber extortion gains urgency", and this is basically an alert from the FBI saying, like, you know, this is targeting businesses specifically; this isn't like a random thing anymore. SamSam's TTPs closely resemble what we think of as typical ransomware techniques now: so brute-forcing RDP, looking for privilege escalation, looking for lateral movement within a network, targeting parts of the network that are seen as important or

more valuable to the people who might then pay a ransom. And in 2017 the largest ransom paid to SamSam was huge by the measure of the time: it was 64,000 via Bitcoin. And in 2018 it was thought that SamSam may have taken in as much as six million dollars at that point, so we can see a massive difference between the 20-dollar ransoms at the beginning and where we are at this point. San Francisco Municipal Transportation Agency: so that was interesting, because this was one of those that broke through to the media in such a way that it affected people in the real world in a very clear way. It

wasn't a matter of some computers in a data centre somewhere being encrypted; this was people could not get home via the San Francisco, like, metro or whatever else. In the end they just said free entry, and they just basically said you didn't have to buy a ticket, but for a while they just completely paralysed their entire infrastructure. And yeah, so HDDCryptor managed to infect 2,112 systems belonging to the Municipal Transportation Agency, and the message was "you hacked, all data encrypted", which is not what you want to see. The operators of the ransomware demanded 100 bitcoins, which at the time was 73,000, and once again you can see that increase in ransoms, you can see the targeted

nature of this, that they figured these are people who would be willing to pay a ransom. WannaCry, had to include it. It's probably something that we're all aware of, we've all heard of, we're all familiar with. So this is a report from the time: "by Friday evening the ransomware spread to the United States and South America, through Europe and Russia, though Europe and Russia remained the hardest hit, according to security researchers MalwareHunterTeam. The Russian Interior Ministry said about 1,000 computers have been affected." And this is just a shot of the ransom message you will get up on your screen. So WannaCry spread to an estimated three hundred thousand computers, so this, in

the time it took before the kill switch was put on, basically by Marcus Hutchins registering a domain, it managed to infect a massive amount of computers. And it used the stolen NSA exploit EternalBlue, which enabled it to spread basically like a worm. WannaCry demanded a payment of about 300 in Bitcoin, and this goes back to the earlier payments we saw that were basically predicated on random people being infected, so the ransoms are lower; they're not expecting to necessarily get companies, it could be just random people, or people who wouldn't have the funds to pay otherwise. And the message was "you have not so enough time". There were three hard-coded

Bitcoin addresses which were used to receive the payments from victims. BitPaymer: this is interesting because this is what I see as kind of the big-game-hunting ransomware starting. So BitPaymer are basically an offshoot of Evil Corp, or part of Evil Corp, and they started taking sort of SamSam's approach to specifically targeting businesses, but in their case they started targeting bigger businesses, bigger organisations. And so this is part of their ransom message here: "it may harm your business reputation" and "the company's capitalization fell sharply", so the implicit threat there, and also that they're targeting businesses; they're not targeting, like, random, just normal people on the internet.

So BitPaymer actually hit Scottish hospitals, NHS Lanarkshire, very badly, and they'd been hit with WannaCry, I think, a month before that. And that was the largest sort of health department area, catchment area, in Scotland at the time, so that really affected how they were able to operate. And the ransom requested of NHS Lanarkshire was 50 bitcoins, so that's 168,000 pounds, or 20 218 000. So once again we're seeing a massive increase in the ransoms that are demanded. Allied Universal breached by Maze in November 2019: so this is a message from the Maze operators to BleepingComputer: "I uploaded some files from the networks as the data breach proofs. If they don't

begin sending requested money until next Friday, we will begin releasing on public everything that we have downloaded from their network." So this is, to put some context on that, not necessarily the full origin but one of the origins of the double extortion of ransomware. So you're not just encrypting files, and not just taking files that you need to prove that you've accessed the network; you're actually taking files and then you're doing double extortion, so you're threatening to release confidential files, whether it's credit card details or people's personal bank card details or company secrets. And so this is kind of the origin of that, through Maze. Maze were demanding 300 bitcoins from Allied Universal, which is about 2.3

million dollars at the time, and yeah, I think they were paid at least some of that, if I remember correctly. Treasury sanctions Evil Corp: this is, oh, Maksim Yakubets here with his weird sort of sports car that looks like it's out of Fortnite or something, looks like a Fortnite skin. But Treasury sanctioned Evil Corp in December of 2019, and this is another one of those sort of big events in terms of ransomware, because after this it was very difficult for Evil Corp to continue to do business in the way that it was there. The companies that they would interact with to basically negotiate ransoms were told not to deal with them

anymore once these sanctions came into play. Companies were told by the US government, like, do not deal with these people, do not pay ransoms, do not transfer them any money. So once these charges against the various members, and especially the leader of Evil Corp, went into effect, it made their business model a lot more complicated, a lot more difficult. According to US government indictments, Evil Corp is responsible for stealing about 100 million dollars from companies over the last decade or so. So they've had various iterations: there's Dridex, there's BitPaymer, which we were just talking about, and they're all sort of under that umbrella of Evil Corp. DarkSide and the Colonial Pipeline is

another one of those events that people talk about or think about. This shut down the biggest US gas pipeline, and it was unable to resume operations for, I think, weeks afterwards, and this was nearly half of the fuel consumed across the US East Coast. What's interesting about that is they didn't actually damage any of the software that was running the pipeline itself; it was because the payment billing systems were offline, so basically Colonial Pipeline was unwilling to give out gasoline for free. But it's interesting, at the time it was sold as, like, they've shut down the actual pipeline itself. It was more complicated than that; it was business reasons. They exfiltrated 100 gigabytes of data, and that was also used

for double extortion. And this is where the US government then put up a 10 million dollar reward for DarkSide. So DarkSide ransoms were in the range of 200,000 to 2 million, so once again, you know, this is big game hunting, this is larger ransoms. In the case of Colonial Pipeline it was reported that a 5 million dollar ransom was paid, but then DarkSide announced that they were disbanding, and this is probably because the exact same thing that happened to Evil Corp would happen to them: there would be some sort of situation where they would be under sanctions. So there's obviously a reward for their arrest, and it just becomes difficult for them to do

business. Costa Rica declares a national emergency after Conti: so Conti went through an awful lot of issues in the last two years. They had various leaks of their internal documentation by one operator who was upset, then someone else earlier this year leaked a whole bunch more of their internal communications, their internal documents, and so I think they kind of wanted to go out with a bang, so they sort of declared war on Costa Rica. So this was the Costa Rican president, Rodrigo Chaves, had just been sworn in and had to declare a national emergency basically straight away. Conti were dumping gigabytes and gigabytes of data from Costa Rican government agencies;

they were asking for a massive ransom and then they upped that; we'll get to that in a moment. So Costa Rica's finance ministry, treasury, customs ministry: for a while they couldn't collect taxes properly, they couldn't pay government employees, they were having trouble with imports and exports because the systems that handled that were basically gone, so they had to switch to pen and paper to try and get around that, and it really made life difficult for them. After they were hit with Conti they were hit with Hive ransomware, which hit their national health service, so basically people weren't able to get prescriptions, they weren't able to go in for medical appointments for a while as well. So

Costa Rica really got it hard, and I think they're still recovering now. Conti initially demanded 10 million, and then when Costa Rica didn't pay they doubled it to 20 million. To my knowledge none of that was ever paid. So if we think about the future of ransomware, I think the future of ransomware is pure exfiltration and extortion. If you've ever installed, like, a macOS update and found that something's broken on your computer, or updated something on your phone and found that something doesn't quite work properly afterwards: encrypting one system and expecting to decrypt it is difficult. Encrypting an entire network of computers and expecting to be able to decrypt them in a time that would actually be useful

to the people whose files those are is kind of crazy. It's amazing that anyone ever gets any files back, to be honest with you. There's times when people have paid ransoms and they've been given the decryption keys or the decrypter and they just don't work, and they've had to hire third parties to come in and basically take the decrypter that they were given and actually make a version of it that works properly. The Irish government, the Irish health service, was hit with ransomware, and they spent months trying to get the decrypters that they were given for the ransom... well, they claimed not to pay the ransom, but they spent months trying to get those to work, and they just

couldn't. So this is Karakurt. Karakurt is an offshoot of Conti, and essentially all Karakurt does is they go into Conti victims where maybe it was difficult to encrypt the whole network for whatever reason, or it was difficult to get the ransomware onto a system that they would need to. Karakurt go in, they target the file servers, or wherever you're keeping valuable documents or data, and they simply steal that, and that's it; that's what they do. They don't ransom your actual files, encryption-wise; they just take these, they put them on their leak site, and they say, hey, we've got a lot of your sensitive documents, sensitive documentation. So the way I see this

going is there's going to be a lot more sort of an arms race around exfiltration, around ways of getting data off of networks quietly, depending on how closely network data is actually monitored, because a lot of people aren't great at doing that. We've basically covered this already, and ransom demands range from 25,000 to 13 million in Bitcoin, with payments typically set to expire within a week of first contact. So Karakurt, like Conti, are not very into negotiating gently with people; this is very much an extortion operation: if you don't give them the money then your files are going to start being

released. So that's my talk. If anyone has any questions, we have some time; I think we have five minutes.


So I've worked IR on a couple of ransomware cases. There was one where we were able to see that they used some PowerShell, like red team tools, to basically get the names of file shares and the names of the files within those file shares, and then they presented those to the client and said, we have your files. But we weren't actually able to find any evidence that they'd taken those files, and afterwards no files were actually released. It really depends; some of this, I think, is bluffing on their part. There is some really interesting research that RNG Cyber Defense did around the types of data that different ransomware groups release, so some go after

payroll data, payment data, stuff like that; others go after, like, more industrial secrets. You'll see groups on networks looking for, say... I've seen them looking for subdomains with "confidential" in them, or, you know, certain hostnames, certain file share names; they look for that, like, you know, "proprietary" or "secret", certain keywords that they look for. It's difficult to say, really. The one advantage they have in this case is a lot of people don't watch their network logs very carefully. Like, you can do DNS exfiltration, you can do HTTPS exfiltration; there's certain data streams that have to be allowed in and out of a company. It's just a matter of noticing that, you know,

there's gigabytes of data being shot at, you know, some random IP address that has never been seen before. Any other questions? I think we've got time for a couple more. Yes.
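The answer above names the two things a defender has to notice: gigabytes leaving for a destination the host has never spoken to, and exfiltration tunnelled through a protocol like DNS that has to be allowed out anyway. The following is an added example, not code from the talk or from the speaker: it runs a baseline-versus-review check over constructed flow records and a label-entropy check over constructed DNS query lines. The log formats, the thresholds, and the "zone is the last two labels" shortcut are all assumptions chosen for the illustration.

```python
"""Egress anomaly checks over constructed logs (added example, not from the talk).

Two heuristics the Q&A answer points at:
  1. bulk outbound volume to a destination the source never talked to
     during the baseline window;
  2. DNS queries whose leftmost label is long, high-entropy and unique,
     the shape data takes when it is tunnelled out over DNS.
Log format, thresholds and the "zone = last two labels" rule are assumptions.
"""
import hashlib
import math
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int         # epoch seconds (constructed)
    src: str        # internal host
    dst: str        # external peer
    dport: int
    bytes_out: int  # bytes sent by src in this flow


# Constructed baseline: seven days of routine traffic from one host to two peers.
BASELINE = [
    Flow(86400 * d + 3600 * h, "10.0.0.5", "203.0.113.10", 443, 200_000)
    for d in range(7) for h in (9, 13, 17)
] + [
    Flow(86400 * d + 3600 * 12, "10.0.0.5", "198.51.100.20", 443, 50_000)
    for d in range(7)
]

# Constructed day under review: usual traffic, one 4 GB upload to a new peer,
# and one small connection to another new peer that should not be flagged.
REVIEW = [
    Flow(86400 * 7 + 3600 * 9, "10.0.0.5", "203.0.113.10", 443, 210_000),
    Flow(86400 * 7 + 3600 * 2, "10.0.0.5", "192.0.2.77", 443, 4_000_000_000),
    Flow(86400 * 7 + 3600 * 3, "10.0.0.5", "192.0.2.78", 22, 30_000),
]

# Constructed DNS query log, "ts src qtype qname": routine lookups plus forty
# TXT queries whose leftmost label carries 50 hex characters each.
DNS_LOG = [
    "1657100000 10.0.0.5 A www.example.com",
    "1657100001 10.0.0.5 A mail.example.com",
    "1657100002 10.0.0.5 AAAA cdn.example.org",
] + [
    f"1657100{100 + i:03d} 10.0.0.5 TXT "
    f"{hashlib.sha256(f'chunk{i}'.encode()).hexdigest()[:50]}.exfil.example.net"
    for i in range(40)
]


def build_baseline(flows):
    """Return {src: set of destinations seen} over the baseline window."""
    known = defaultdict(set)
    for f in flows:
        known[f.src].add(f.dst)
    return known


def flag_new_dest_bulk(flows, known, threshold_bytes=1_000_000_000):
    """Flag (src, dst, total_bytes) where dst is new for src and the summed
    outbound volume exceeds threshold_bytes. Small first contacts stay quiet."""
    totals = defaultdict(int)
    for f in flows:
        if f.dst not in known.get(f.src, set()):
            totals[(f.src, f.dst)] += f.bytes_out
    return sorted((s, d, b) for (s, d), b in totals.items() if b > threshold_bytes)


def shannon_entropy(s):
    """Bits per character of s; encoded payload labels sit well above 'www'."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def flag_dns_tunnelling(lines, min_unique=20, min_label_len=30, min_entropy=2.5):
    """Flag (src, zone, unique_label_count) where one source sent many distinct,
    long, high-entropy leftmost labels under one zone. Zone is taken as the last
    two labels, a simplification (no public-suffix handling)."""
    labels = defaultdict(set)
    for line in lines:
        _ts, src, _qtype, qname = line.split()
        parts = qname.rstrip(".").split(".")
        if len(parts) < 3:
            continue
        zone = ".".join(parts[-2:])
        leftmost = parts[0]
        if len(leftmost) >= min_label_len and shannon_entropy(leftmost) >= min_entropy:
            labels[(src, zone)].add(leftmost)
    return sorted((s, z, len(v)) for (s, z), v in labels.items() if len(v) >= min_unique)


if __name__ == "__main__":
    known = build_baseline(BASELINE)
    for src, dst, total in flag_new_dest_bulk(REVIEW, known):
        print(f"bulk egress to new destination: {src} -> {dst}, {total / 1e9:.1f} GB")
    for src, zone, n in flag_dns_tunnelling(DNS_LOG):
        print(f"possible DNS tunnelling: {src} sent {n} unique long labels under {zone}")
```

Both checks deliberately key on what the speaker says attackers rely on not being watched: the first needs nothing more than per-host destination history and byte counts from flow records, and the second works on resolver logs alone, without inspecting payloads. The 30 KB connection to the second new peer is not flagged, which is the point of combining "new destination" with a volume threshold rather than alerting on every first contact.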

So that's another interesting thing: I was just reading about DarkSide having started using LockBit, which is more of, like... it's a group but also a brand of ransomware. So I think, and this is just me thinking about it, if there are more brands of the actual ransomware software but fewer groups that have a specific identity, but they're all using similar generic toolsets, it's better for them in terms of avoiding DarkSide's fate of being hit with sanctions or hit with rewards, or massive, you know, 10 million rewards for the person who's running it. So I think we could see a move to more like... LockBit might just become a brand of

ransomware, and then different groups use it for their own purposes and make sure the payments go to them, but there'll be less of the actual brand name, you know, DarkSide uses DarkSide ransomware, Evil Corp uses ebook ransomware. They may just start pooling resources and just start buying sort of off-the-shelf tooling, because it's better for them, it's more sort of plausible deniability. The other flip side of that, though, is that if you're giving these people 10 million dollars you kind of want to know who you're dealing with, and you want to know that you can trust them, because they're telling you that they're going to delete your data. They're relying on that sort of brand recognition and the

fact that you go, oh well, I've heard of these guys, like, you know, hopefully they'll actually do what they say they're going to do. So it's kind of a flip side. I think the Grugq put it really well: he said you can be famous or you can be a criminal, but you can't be a famous criminal. And even in Russia, where they're fairly isolated, if they leave Russian airspace... there was a guy who went to an island that had no extradition with the US; the US said to the island nation, I can't remember the name off the top of my head, we don't want an extradition treaty, we just want

this one guy, and the island essentially said, okay, we'll give him to you. The guy thought he was safe flying there from, like, the Black Sea or whatever. So there is that real tension for them, insofar as they want to be recognised, they want people to be afraid of them or to respect them, whatever, but also it brings a lot of attention. I think Conti learned that this year as well: a lot of their members have been doxxed. I don't know how reliable those doxes are, but, because of the data that was leaked, people have been able to sort of put things together, make connections within the organisation, connect them to TrickBot,

connect them to other things, so that there's a lot of sort of information that can get out there. Are we done?

As far as, like, with the likewise attack, the FBI, I think, was able to essentially pop back and trace different wallets, yeah; how much of that do you think is...

I wonder about that. I also wonder about the crypto crash, because a lot of these groups are sitting on what was billions of dollars, is now probably still a lot of money, but more millions of dollars, and if the crypto crash continues they may not be able to shift that, so liquidity is going to be an issue for them as well. To be honest, the whole cryptocurrency angle, things change so fast that it's difficult; you know, you could say this exchange might get seized by the authorities, or this money might get seized, it might not either, so it's difficult to say, but it's definitely an angle that I'm interested in in my own mind,

whether they're going to ask for bigger ransoms or whether they're going to take more risks because they need to replace the money that might have been lost. So it's definitely something to think about.