The Ransomware Plague of 2016

Cryptography and ransom have roots deep in human history. However, only in the past few decades has the world seen what can happen when someone combines them. It started in

Cryptography and ransom have roots deep in human history. However, only in the past few decades has the world seen what can happen when someone combines them. It started in 1989, when Dr. Joseph L. Popp kicked off the pandemic we know today as ransomware.



Known as the grandfather of computer-based extortion schemes, Popp distributed his malicious payload at the World Health Organization’s AIDS conference. The disks, labeled “AIDS Information — Introductory Diskettes,” actually came with a warning, printed separately, that the software on them would harm computers.

But who reads documentation, anyway? Some of the 20,000 or so diskettes that Popp has crafted were inserted, causing victims’ computers to lock up and display a ransom demand ($189 sent by snail mail to a post-office box in Panama) that will look familiar to regular readers of this blog.

Today’s ransomware

Little has changed from the original ransomware concept. Perhaps the most notable difference is that rather than collecting payments from a PO box, criminals can now rely on anonymous networks such as TOR and I2P in conjunction with bitcoin to help them evade law enforcement. What is it about this scheme that has made it stand the test of time?

Direct monetization helps. With an average ransom of approximately $300, discussions of million-dollar ransomware campaigns seem far-fetched, but even small increments add up over time — and these extortion schemes have proven both their effectiveness and their staying power.

The average user will eventually face the difficult question of whether to pay ransom or lose their files. Unfortunately, many choose to pay, although we strongly recommend not paying and finding another way if possible, such as finding a decryptor on the No More Ransom site.

The Ransomware Plague of 2016

The number of new ransomware samples detected every day may look daunting, but quantity is actually a smaller problem than quality. A comparatively small number of malware families are coded well enough and gain enough traction to be worrisome, but the few families that are ready for prime time cause serious harm (I’m looking at you, Locky and Cerber). And that is more than enough to keep security researchers busy.

Although even a single actor could launch a ransomware campaign, cybercriminals specialize, and they benefit from teamwork. They take care of technical support, helping their victims navigate the process of buying bitcoins to pay the ransom, all the while improving their malicious code and attempting to fool security researchers and law enforcement agencies. Extortion takes work!

As a business model, ransomware has bloomed in recent years, partly because of new offerings of ransomware-as-a-service turnkey solutions. Although creating most types of malware requires only limited technical skills, crafting well-made ransomware from scratch is a more challenging task. The trick is to get the encryption right (get the encryption wrong and good guys can develop a decryption tool quickly — and we do).

The easiest path for amateurs is a referral business model: dealing with distribution and paying a portion of their loot to the original developers. This sort of deal is unfortunately thriving.

Types of ransomware

The evolution of different types of ransomware — from simple, proof-of-concept brews that relied on third-party tools (such as WinRAR, GPG) to malware implementing code from the Microsoft Developer Network — demonstrates the willingness of cybercriminals to up the ante.

Moreover, nowadays it’s not uncommon to find upscale ransomware capable of deleting shadow copy backups, encrypting external attached or network drives, and even getting to your cloud-synced files. The bar has been raised, and while amateur hour is on, a handful of key players keeps us working late into the night.


Some newer ransomware variants spotted in Brazil shows that ransomware continues to grow, but more by rebranding than with innovation. Why bother creating your own ransomware code? Even kids without any special knowledge can buy ransomware kits with everything they need to start a campaign, and choose a theme for it. If the branding is interesting enough, it gets media attention and coverage, thus bringing them not only money but also infamy.

The Ransomware Plague of 2016

We have seen more than enough low-quality ransomware making headlines because it used the logo of a popular TV show, an image of a movie character, or even jokes about politicians. However, the flip side of the branding coin, is ease of detection. Many criminals now opt out of choosing a name for their creations, leaving victims stranded with only an e-mail for contacting the crooks and a bitcoin address for payment.

As far as payment methods go, the most popular ransomware families still favor bitcoin for demanding and collecting ransom. Even so, it’s not unusual to find the odd sample that requests payment through one of the widely available voucher methods, such as PaySafeCard. Regional and hand-crafted operations more typically go for a local payment option. However, doing so means forgoing some of the obscurity that comes with blending in with the rest of the ransomware noise that is generated every day.

Working hard and looking ahead

We are slowly shifting from a paradigm of ransomware remediation to one of ransomware intelligence, but we still have a long road ahead. Only by gathering hard evidence and concrete statistics on the problem can we gauge our options appropriately. Unfortunately not everyone affected by ransomware reports the incident, and even those who do, report it to different institutions, making it difficult to collect a complete set of data.

Joining the efforts of enforcement agencies and IT security companies to disrupt cybercriminal businesses with ransomware connections has proven effective. For example, the No More Ransom initiative was born out of a desire to help victims of ransomware retrieve their encrypted data without having to pay criminals.

With more parties supporting the project, our chances of providing a much-needed framework for dealing with this type of incident improve every day. Each party has only a partial view of the ransomware ecosystem, and so working together is only path to success.

As for users (aka potential victims), knowledge is power. We’ve put together a guide to avoiding ransomware that we highly recommend for everyone who goes online — in other words, everyone.