Updated: Dec 28, 2022
Welcome back, my aspiring cyberwarriors!
Recent events have once again emphasized the importance of SCADA security! On May 7, 2021, Colonial Pipeline was attacked with ransomware and was forced to shut down a pipeline carrying 45% of the gasoline to major US East Coast cities (NYC, Philadelphia, Washington DC, etc.). This set off gasoline shortages and hoarding in some metropolitan areas as consumers panicked. Eventually, Colonial Pipeline paid the attackers $5 million for access to their data.
Imagine what would happen if an adversary were able to do the same to the electrical grid or power plants! To learn more about the most important SCADA hacks in history, click here.
Although ransomware is presently running rampant across our digital landscape, it is far from new. In this post, we will examine the most important ransomware attacks in history to better understand the development of this increasingly important digital attack mode. There is every indication that this method of attacking systems and getting paid ransom will only increase into the future.
How Ransomware Works
The first step is for the malware to gain access to the network/system. This can happen by various means, such as:
1. Email attachments
2. Messages on social media
3. Well-known vulnerabilities (EternalBlue)
The ransomware then must encrypt the data. Early ransomware attacks used their own encryption algorithms, making them rather easy to decrypt (cryptanalysis can easily break most homegrown encryption). Modern ransomware uses off-the-shelf encryption libraries such as AES, making it nearly impossible to decrypt without the key.
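To make the point about homegrown encryption concrete, here is an added example (not code from the original post) in which a toy repeating-key XOR cipher stands in for an early ransomware's homegrown scheme. A responder who knows only the standard header of the victim's PDF files recovers the key and the whole document; the cipher, the key and the "invoice" are all constructed for the illustration.

```python
# Added example (not from the original post). A toy repeating-key XOR cipher
# stands in for the "homegrown" encryption of early ransomware; the known file
# header of the victim's documents is the plaintext a responder already has.

PDF_HEADER = b"%PDF-1.4\n"   # every PDF begins like this: a ready known plaintext

def xor_cipher(data: bytes, key: bytes) -> bytes:
    """Toy homegrown cipher (constructed): XOR each byte with a repeating key.
    Encryption and decryption are the same operation."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def recover_key(ciphertext: bytes, known_prefix: bytes):
    """Known-plaintext attack: ciphertext XOR plaintext yields the key stream,
    and the shortest period of that stream is the key itself. Returns None
    when the known prefix is too short to confirm any period."""
    stream = bytes(c ^ p for c, p in zip(ciphertext, known_prefix))
    for period in range(1, len(stream) // 2 + 1):
        if all(stream[i] == stream[i + period] for i in range(len(stream) - period)):
            return stream[:period]
    return None

def recover_document(ciphertext: bytes, known_prefix: bytes = PDF_HEADER):
    """Decrypt a victim file without ever being given the key."""
    key = recover_key(ciphertext, known_prefix)
    if key is None:
        return None
    plain = xor_cipher(ciphertext, key)
    return plain if plain.startswith(known_prefix) else None

# Constructed sample: an "invoice" PDF as the ransomware would have left it.
SECRET_KEY = b"k3y!"          # the attacker's key; the recovery code never sees it
INVOICE = PDF_HEADER + b"%invoice 4471, amount due 1200.00 USD\n%%EOF\n"
ENCRYPTED_INVOICE = xor_cipher(INVOICE, SECRET_KEY)

if __name__ == "__main__":
    print("recovered key:", recover_key(ENCRYPTED_INVOICE, PDF_HEADER))
    print(recover_document(ENCRYPTED_INVOICE).decode())
    # With AES, as modern ransomware uses, the same known header gives no
    # information about the key, so this recovery approach does not apply.
```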
The latest development is ransomware as a service (RAAS). Such ransomware attacks as Cryptowall, Locky and Tesla Crypt were ransomware as a service.
First Ransomware (1989)
The first known ransomware attack occurred in 1989. This ransomware was distributed on disk to people in the AIDS research community.
Cryptolocker appeared in 2013 and became one of the most profitable ransomware of its era. It infected 250,000 systems worldwide and usually infected the host through email attachments. Over its lifetime, it earned over $3 million. Eventually, it was taken down by an international law enforcement effort. We now have a tool for decrypting the Cryptolocker encryption, in effect defusing the threat of this malware.
Cryptowall appeared in 2014 and targeted hundreds of thousands of systems. It used malicious ads on common domains to direct people to CryptoWall infected sites where the malware would be downloaded to their systems. It exploited a Java vulnerability.
Over its life, it infected over 600,000 systems and garnered over $18 million in ransoms.
CryptoWall is also facilitated via emails with ZIP attachments in which the virus is hidden as PDF files. The PDF files often disguise themselves as bills, purchase orders, invoices, etc.
When victims open the malicious PDF files, they infect the computer with the CryptoWall virus and install malware files either in the %AppData% or %Temp% folders.
CryptoWall scans every drive letter present on the computer for data files.
Part of what made CryptoWall different is that it was coded to run on both 32-bit and 64-bit systems, increasing the chances of the virus running on whatever computer it happened to infect.
CryptoWall 2.0 (January 2015)
Cryptowall 2.0 appeared in 2015 and was delivered via email attachments, PDF files and various exploit kits. Cryptowall 2.0 had more advanced techniques than Cryptowall 1.0, especially in the areas of obfuscation and anti-emulation. It used Tor to obfuscate the Command and Control (C&C) channel and also included anti-virtual-machine and anti-emulation checks (to frustrate attempts to disassemble or study it). In addition, as need required, it could switch between 32-bit and 64-bit mode.
Hollywood Presbyterian (2016)
The Hollywood Presbyterian Medical Center was hit by ransomware in 2016.
The administration paid $17,000 for the return of its files.
San Francisco MTA (2016)
On November 25, 2016, the San Francisco MTA fell victim to ransomware.
It disrupted ticketing and bus management systems for 2 days before the administration paid 100 bitcoin ($5 million at current rates of exchange).
The WannaCry ransomware first appeared in May 2017 and infected over 300,000 computers in over 150 countries. Unlike most of the earlier malware, WannaCry did not require any user interaction. Instead, it used the just released EternalBlue exploit to infect unpatched Windows 7 systems (EternalBlue released by the Shadowbrokers in March 2017). Investigators and malware analysts suspect the North Korean state-sponsored hacker group, Lazarus.
Once WannaCry infects the host, the ransom begins at $300 if you pay within 6 hours and doubles to $600 if you delay. WannaCry threatens to permanently delete your files if the ransom is not paid in 7 days.
MalwareTech (Marcus Hutchins) found the kill switch by identifying the command and control URL within the code and registering the domain (apparently, in their haste, the authors had failed to register the domain name). Unfortunately, when Marcus Hutchins traveled to the US he was arrested. His quick defusing of this ticking time bomb made him a suspect as the developer of WannaCry. Instead, the FBI found that years earlier Hutchins had developed some modules that may have been used in other hacks. Eventually, he pleaded guilty and was given no sentence. He now works in the US for a major information security firm.
You can read more about WannaCry and our disassembly of it here.
Petya first appeared in 2016 and was considered advanced ransomware. It encrypted the MFT (master file table, which tracks and manages all files in an NTFS file system). By encrypting the MFT, all of the files in the file system were made unavailable. Petya then replaced the MFT with a ransom note. It was among the very first widely distributed Ransom As A Service (RAAS) exploits.
NotPetya first appeared in 2017 and also used the EternalBlue exploit to access unpatched Windows 7 systems. NotPetya was designed to be mistaken for Petya, hence its name, NotPetya.
NotPetya encrypted the Master Boot Record and other files so that the system could not boot. It then displayed a message telling the user to reboot, after which the system was unusable.
NotPetya may be the most destructive cyber attack in history and was likely developed by Russian intelligence and state-sponsored hacking groups to target Ukraine. It cost Ukraine over $10 billion but, like nearly all malware, it could not be confined to Ukraine. It spread around the world and damaged such companies as:
Maersk (the world's largest shipping company)
Rosneft (Russian petrochemical company)
Unlike other ransomware, NotPetya did not have the capability to decrypt the files it affected.
BadRabbit first appeared in 2017 in Russia, Ukraine and the US. It was a new and improved version of NotPetya. It first appeared on Russian websites pretending to be an Adobe Flash installer (see image below).
It probably was developed by Sandworm, the same Russian state-sponsored hacking group responsible for BlackEnergy3.
It shared much of its code with NotPetya, implying the same authors, but it could also have been opportunistic recycling of existing code. It first encrypted the files and then encrypted the Master Boot Record, using two different keys. Unlike NotPetya, it did decrypt the files if the ransom was paid.
BadRabbit demanded payment of 0.05 BTC (about $2500 at current exchange rates) and gave the users 40 hours to pay.
GandCrab first appeared in January 2018 and quickly became the most successful ransomware of 2018. Begun as a ransomware as a service (RAAS), it went through multiple iterations to keep it up to date.
GandCrab was the first ransomware to demand payment in DASH cryptocurrency. In addition, it utilized a .bit TLD that is not sanctioned by ICANN. This made it even more difficult to trace the C&C server.
GandCrab was distributed to victims via multiple methods. The most popular was spam email, where users were tricked into opening a ZIP archive that included a script that downloaded GandCrab.
Phobos first appeared in early 2019 and is still active. This ransomware tends to attack smaller organizations with weak RDP security.
Sodinokibi (April 2019)
Sodinokibi first appeared in April 2019 and is still active. It is very hard to detect and re-installs itself even after the company pays the ransom.
Snake ransomware first appeared in January 2020 and is still active. It is the first ransomware explicitly developed to attack SCADA/ICS sites.
Unlike other ransomware, Snake specifically chooses its targets rather than using the shotgun approach common in most ransomware (this is largely a result of the wide variety of systems and protocols found in the SCADA/ICS sector).
Snake has successfully attacked and ransomed:
the largest private hospital operator in Europe, Fresenius
the Italian energy company, Enel
the Japanese auto manufacturer, Honda
and several other major companies who do not want their names published.
To learn more about this unique ransomware, read here.
Ransomware is probably the leading malware threat in our digital landscape. It infects systems and then encrypts key files until the victim pays a ransom. Over time, these ransoms have increased dramatically, from the typical $200-300 of early attacks to as much as $50 million today. By understanding the mechanisms and evolution of this malware, we can better protect our systems and anticipate the next wave of ransomware.