Cryptolocker
More than 250,000 systems were infected with cryptolocker between September and December 2013. It is alleged that around $3,000,000 were extorted using the software in that short time – making it one of the most profitable ransomware types of the pre-wannacry era. Cryptolocker was spread through infected attachments shared in emails. After cryptolocker was taken down in an international operation, its makeup was analyzed, and a ransomware protection protocol was developed so that files encrypted by the malicious software could be decrypted without the payment of a ransom.
The success of the cryptolocker model led to the development of more complex extortion software and ultimately to the dissemination of ransomware around the more shadowy areas of computing and international crime.
Cryptowall
Cryptowall was a much more stubborn and dangerous form of ransomware that shared some key features with cryptolocker. Cryptowall was far more effective at hiding in an operating system as it encrypted files. By hiding effectively, cryptowall could avoid countermeasures designed to scan for and eliminate malware threats before they can do any damage.
Most of the time, victims of cryptowall only figured out that their systems were infected when they tried to open a file that had been encrypted. Infected files would still open most of the time, but they would be garbled and altered. Upon closer inspection of file directories, users would be confronted with text documents that detailed how their files had been encrypted and presented a step-by-step guide to paying a ransom if they wanted to get their files back.
Locky
The locky malware encrypted files before instructing victims to download the TOR browser, purchase bitcoin and then transfer between 0.5 and 1 bitcoin over to a criminal organization. This ransom is not insignificant: victims could find themselves being instructed to pay over $9000 to get their sensitive files back due to the extreme fluctuations in bitcoin prices.
One hospital in California ended up paying $17,000 in bitcoin to criminals operating using locky in 2017. According to the Las Angeles Times, hospital administrators decided that the quickest and safest method of returning their highly sensitive files was to simply give the hackers exactly what they wanted. Ransomware criminals regularly target healthcare systems. This is thought to be because of the extreme sensitivity of their information in their data centers.
Wannacry
Wannacry is much more than a criminal operation – it marks the entry of state-sponsored actors into the ransomware game. Wannacry is highly sophisticated and – until recently – extremely widespread. Wannacry infected a number of extremely important computer networks, including those belonging to healthcare providers and law enforcement officials. It was developed and spread by the Lazarus Group. This shadowy hacking organization was not just a criminal group: it had ties to the secretive government of the Democratic People’s Republic of Korea.
But why would the DPRK be involved in cybercrime? The answer is simple: money. North Korea is a cash-strapped nation that suffers under international sanctions and a corrupt government that siphons money to senior figures. In the past, the DPRK has sought to earn extra cash through drug smuggling, under-the-table weapon sales, cash counterfeiting, and human trafficking. Cybercrime offered the hermit state a new revenue stream. Employing the Lazarus group to create wannacry was the perfect way for North Korea to earn much-needed money from a highly networked world.
The wannacry ransomware debacle illustrated a worrying new trend in cybercrime: the worst cybercrimes are often committed by nation-states that see the control of the internet as a tool of power and governance. This means that internet and computer security is of national importance and will be in the future.