Anatomy of Microsoft Windows Vulnerabilities

Let’s take a look at a few well-known Windows attacks and the vulnerabilities that make such attacks possible. It is instructive to examine how real vulnerabilities have been exploited by attackers, because such analysis helps to understand the nature of vulnerabilities and the methods of protecting systems against them. All of the following attacks are ransomware. Ransomware is a fairly recent type of malicious software that renders files or volumes inaccessible and demands a ransom payment in exchange for restored access to the captured resources. Most ransomware encrypts data and demands a payment in cryptocurrency in exchange for the decryption key. But ransomware alone isn’t destructive to computers: all malware needs an opening, or a vulnerability, to succeed. In many cases it is the users themselves who provide the common vulnerabilities that malware exploits. In two of the attacks below, users give the malware the opening it needs by opening a document or following a link.

CryptoLocker

Although ransomware had been around since about 1989, most attacks were small and targeted. CryptoLocker signaled a change in tactics when it was released to the world in late 2013. This ransomware attack infected over 250,000 Microsoft Windows computers. The attackers were paid an estimated $3 million by victims before an international effort took down the botnet and servers. CryptoLocker used a combination of operating system filename obfuscation and social engineering to take over a victim’s computer. Here is how the CryptoLocker attack unfolded:

  • The victim received a legitimate-looking email message with an attached ZIP file that contained the disguised executable file payload.

  • Since Windows hides file extensions by default, the malicious executable file appeared to be a PDF file, and many users opened the file, executing the payload.

  • The payload added a key to the Windows Registry that caused it to run at boot time and then attempted to connect to the ransomware server.

  • Once a connection was established with the server, the ransomware created a public and private key pair and sent the private key to the ransomware server.

  • Then, CryptoLocker found all files with common extensions and encrypted them with the generated public key.

  • Finally, CryptoLocker displayed a message to the victim and demanded a payment in bitcoin within a short window of time, generally 72 hours.

CryptoLocker’s success depended on authorized users executing the malicious payload. The ransomware only had to convince victims to click on the attachment and the encryption process began. As soon as victim reports surfaced, anti-malware software signature databases were updated to better detect CryptoLocker’s attachments before users ever saw them. But by that time, many victims had already been successfully attacked.

Locky

Locky was another form of ransomware, released in 2016. Like CryptoLocker, Locky was delivered as an email attachment. In Locky’s case, the attached file was a Microsoft Word document that contained the ransomware code as a macro. Because Word does not run macros automatically, the attacker still had to trick the victim into launching the macro after opening the document. The contents of the document appeared to be meaningless garbage, and a pop-up message instructed the victim to enable macros if the data encoding was incorrect. Many users simply enabled macros without considering the impact of that action. Once macros were enabled, the attack sequence started.

The Locky macro itself was only a downloader: it fetched and executed the real ransomware. Like CryptoLocker, Locky generated a different encryption/decryption key pair for each computer it attacked. After creating the key pair, it sent the decryption (private) key, which is required to decrypt the victim’s files, back to the attacker’s ransomware server. With the private key stored on the attacker’s server, Locky then encrypted the victim’s files using the public key. The rest of the attack is similar to its predecessor.
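Both attacks above depended on a workstation setting or a user decision: hidden file extensions and a Run-key autostart entry (CryptoLocker), and a one-click macro prompt (Locky). The following PowerShell audit script is an added example, not code from the book; the `$Folder` path and the Office `16.0` registry path are assumptions to adjust for your environment.

```powershell
# Added example, not from the book: audit the openings described above, hidden file extensions
# and Run-key persistence (CryptoLocker) and the Word macro policy (Locky).
# $Folder and the Office "16.0" registry path are assumptions; adjust for your environment.
$Folder = "$env:USERPROFILE\Downloads"

# 1. Is Explorer hiding extensions? HideFileExt = 1 shows "invoice.pdf.exe" as "invoice.pdf".
$advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$hide = (Get-ItemProperty -Path $advanced -Name HideFileExt -ErrorAction SilentlyContinue).HideFileExt
if ($hide -eq 1) {
    Write-Output 'WEAK: file extensions are hidden (HideFileExt=1); set it to 0.'
} else {
    Write-Output 'OK: file extensions are shown.'
}

# 2. Files whose visible name ends in a document extension but whose real extension is executable.
$docLike = '\.(pdf|doc|docx|xls|xlsx|txt|jpg)\.(exe|scr|com|pif|bat|cmd|js|vbs)$'
Get-ChildItem -Path $Folder -File -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match $docLike } |
    ForEach-Object { Write-Output "SUSPECT: $($_.FullName)" }

# 3. Run/RunOnce autostart entries, the boot-time persistence CryptoLocker used.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    # Skip the PSPath/PSParentPath/... metadata properties that Get-ItemProperty adds.
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -notmatch '^PS' } |
        ForEach-Object { Write-Output "AUTORUN [$key] $($_.Name) = $($_.Value)" }
}

# 4. Word macro policy. VBAWarnings: 1 = all macros run, 2 = disabled with the "Enable Content"
# prompt Locky relied on, 3 = only signed macros run, 4 = all macros blocked.
$word = 'HKCU:\Software\Microsoft\Office\16.0\Word\Security'
$vba = (Get-ItemProperty -Path $word -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
if ($null -eq $vba) { $vba = 2 }   # value absent means Office's default, notify-and-allow
if ($vba -le 2) {
    Write-Output "WEAK: the user can enable macros with one click (VBAWarnings=$vba)."
} else {
    Write-Output "OK: unsigned macros cannot run (VBAWarnings=$vba)."
}
```

Group Policy can enforce the same Word setting machine-wide, which is preferable to relying on the per-user value this script reads.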

WannaCry

WannaCry is the most recent of the three ransomware attacks presented in this section. This ransomware attack was launched in May 2017 in a global attack on computers running the Microsoft Windows operating system. Deployed as a worm, WannaCry was able to replicate itself and not rely on unsuspecting victims to launch the payload. Worms are standalone malicious software programs that actively transmit themselves without relying on an unsuspecting victim’s actions, generally over networks, to infect other computers.

WannaCry used a known exploit called EternalBlue, which targets a vulnerability in the Windows implementation of the Server Message Block (SMB) protocol. EternalBlue was originally developed by the National Security Agency (NSA) and was kept secret until it was leaked in April 2017. The SMB protocol defines how resources, such as printers and disk drives, are accessed by other computers on a network. WannaCry exploited this weakness in SMB and automatically infected other computers on the same network that did not have the updated security patches installed. Microsoft released emergency patches that directly addressed the WannaCry ransomware and stopped it from replicating. However, WannaCry was still able to infect over 200,000 computers worldwide. In spite of the quick response, WannaCry demonstrated that even current operating systems can be vulnerable to sophisticated ransomware attacks.
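WannaCry needed three things on each next host: the SMBv1 implementation EternalBlue targets, an SMB service listening on the network, and a host firewall that lets inbound SMB traffic through. The following PowerShell function is an added example, not code from the book; it assumes a Windows 8 / Server 2012 or later host with the SmbShare, Dism and NetSecurity modules and an elevated session.

```powershell
# Added example, not from the book: report whether this host still offers the SMBv1 protocol
# that EternalBlue targeted and whether that service is reachable from the network.
# Assumes Windows 8 / Server 2012+ (SmbShare, Dism, NetSecurity modules) and an elevated session.
function Get-Smb1Exposure {
    $result = [ordered]@{}

    # Server side: EnableSMB1Protocol is $true on hosts that still speak the legacy dialect.
    $server = Get-SmbServerConfiguration
    $result.Smb1ServerEnabled = [bool]$server.EnableSMB1Protocol

    # Component view: on Windows 10 / Server 2016+ the SMB1 feature can be removed entirely.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    $result.Smb1FeatureState = if ($feature) { "$($feature.State)" } else { 'Unknown' }

    # Is SMB offered to the network at all? The service listens on TCP 445.
    $listener = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
    $result.Port445Listening = [bool]$listener

    # Worm-style spread needs inbound 445 allowed through the host firewall. Simplification: this
    # looks only for rules naming port 445 or "Any" and ignores port ranges and profile scoping.
    $rules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow -ErrorAction SilentlyContinue |
        Get-NetFirewallPortFilter -ErrorAction SilentlyContinue |
        Where-Object { $_.Protocol -eq 'TCP' -and
                       ($_.LocalPort -contains 'Any' -or $_.LocalPort -contains '445') }
    $result.Inbound445Allowed = [bool]$rules

    # Exposed only when all three conditions hold; fixing any one of them breaks the chain.
    $result.Exposed = $result.Smb1ServerEnabled -and $result.Port445Listening -and $result.Inbound445Allowed
    [pscustomobject]$result
}

$exposure = Get-Smb1Exposure
$exposure | Format-List
if ($exposure.Smb1ServerEnabled) {
    Write-Output 'Remediation: Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force'
    Write-Output 'Or remove the component: Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol'
}
```

Disabling SMBv1 closes the protocol-level opening regardless of patch state, while keeping the security patches installed remains necessary for the SMBv2/3 code paths.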
