Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
SECRET//NOFORN
Pique Analysis Report
20150828-266-Symantec-Evolution of Ransomware
Raytheon Blackbird Technologies, Inc.
28 August 2015
Use or disclosure of data contained on this sheet is subject to the restrictions on the title page of this document.
1.0 (U) Analysis Summary
(S//NF) This report provides a high-level overview of the history of ransomware. There is little
technical content in this report other than to note that the APIs used depend on the platform
targeted (Windows, OSX, Linux, or mobile). No other details are given on how the ransomware
is installed and implemented. The report provides a high-level discussion of the encryption
algorithms used in the various types of ransomware and of the payment systems used by the bad
actors to monetize their attacks.
(S//NF) The report makes the distinction between two families of ransomware:
- Locker ransomware, where the malware denies access to the computer
- Crypto ransomware, where selected files and directories are encrypted
(S//NF) Locker ransomware is generally designed to deny access to the computer interface,
largely leaving the underlying files and system untouched.
(S//NF) Crypto ransomware is designed to locate and encrypt important and valuable data and
files on the system.
(S//NF) The report provides an overview of how ransomware has evolved over the years, noting
that the first ransomware malware dates back to around 1989 with the AIDS malware, which was
distributed via 5-1/4 inch floppy disks. The modern era of ransomware dates to 2005 with
Trojan.GPCoder, which was a crypto variant of ransomware. Some of the early ransomware
samples in the modern era tended to be delivered via misleading applications such as
performance optimization utilities. The delivery mechanism shifted in 2008/2009 to fake anti-
virus utilities. In about 2011/2012 ransomware transitioned from crypto ransomware to locker
ransomware such as Trojan.Ransom.C, which spoofed a Windows Security Center message. In
2013 the ransomware market shifted back to crypto ransomware, and most ransomware variants
today are of this type.
(S//NF) The report briefly discusses ransomware distribution strategies, focusing on the recent
trend toward pay-per-install frameworks, which allow the malware authors to concentrate on the
malware itself and leave the platform exploitation and penetration steps to others.
(S//NF) While this report is very interesting and provides a comprehensive high-level overview
of ransomware and its evolution over the years, there is insufficient technical detail on how the
ransomware is installed, hidden/obfuscated, or executed. Therefore, no PoCs are recommended
from this report.
2.0 (U) Description of the Technique
(S//NF) Not applicable as no PoCs are recommended.
3.0 (U) Identification of Affected Applications
(U) Windows, OSX, and mobile systems.