20 years ago this month, a student in the Philippines unleashed a computer virus that not only brought millions of computers to a halt, but became a catalyst for the multi-billion dollar ransomware crime industry that we know today. On this anniversary, Mark Nutt, EVP EMEA at Veritas, takes a look back at the incident, and the ripples it sent forward in time, creating the minefield that CIOs are navigating in 2020.
“LoveBug” was a simple piece of malware, but 20 years ago it changed the world of cybersecurity. Originally intended to simply harvest the passwords of a few local internet providers, LoveBug spread around the world, infecting over 45 million devices to become the first piece of malware to really take businesses offline in a significant way.
Whilst it was the first malware to have this impact, it would be far from the last. LoveBug proved to be a turning point in malware, paving the way for the emergence of the global ransomware challenge that we’re all fighting today.
Eleven years before anyone had heard of LoveBug, the IT industry witnessed the first real case of ransomware, in the form of AIDS Trojan. AIDS Trojan was spread through infected floppy disks sent to HIV researchers as part of a knowledge-sharing exercise. It worked by encrypting file names and then demanding that victims post a cheque to a PO Box in Panama to regain access to them.
AIDS Trojan was limited though – victims needed to receive and install the file by disk, and they needed to pay by cheque. The hacker, Dr Joseph Popp, was quickly apprehended and no one got rich as a result of the virus. It was not an example that many people wanted to follow. It did, however, birth the anti-ransomware movement. Since AIDS Trojan used symmetric encryption, good actors were able to help restore files without victims needing to pay. This started a giant game of cat and mouse, with the data protection industry always trying to stay one step ahead of the hackers.
What was critical with LoveBug was the shift of malware from limited exposure to mass destruction. 45 million compromised devices a day could equal 45 million daily payments. The ‘love child’ of LoveBug and AIDS Trojan was the ransomware that followed, with GPCoder and Archievus hitting businesses around the world. Hackers also harnessed ecommerce sites to find better ways to receive payments.
The protection industry reacted again, with good actors working together to crack the encryption code on which Archievus relied, and sharing it widely to help victims avoid paying any ransoms. Since then, the cat-and-mouse game has continued with viruses like CryptoLocker, CryptoDefense and CryptoLocker 2.0 building new attack strategies, and the protection industry implementing new defences. By the time that WannaCry launched, it was able to infect 230,000 devices in over 150 countries, demanding ransoms in 20 different languages and receiving payments in cryptocurrencies.
So, what have we learned?
Ransomware has become more sophisticated and more prevalent. Targets today are less likely to be individuals, since big businesses can pay big sums of money. According to Coveware, an average ransom is now around $110k. Travelex is reported to have paid hackers $2.3m in an attempt to recover from an attack in January. The actual costs of the ransoms are also a small fraction of the impact of the attacks. It’s reported that it cost Norsk Hydro $75m to recover from a ransomware attack in 2019, when you account for downtime, loss of business and lost production.
At the same time, data protection has become more sophisticated too, with four areas that should now be part of every business’s ransomware strategy: protect, detect, respond and recover.
- Protect: Educating end users and deploying anti-malware are key. But more important still is having a backup copy of business data that is complete, stored offsite, air-gapped and immutable.
- Detect: The faster you can respond to a ransomware attack, the faster you can recover from it, so intrusion detection, anti-malware and file-anomaly detection can keep a business safe.
- Respond: Once you know that you’re being hit, you need to be able to rapidly shut down systems to prevent further infection and quickly identify when the infection occurred on each impacted system.
- Recover: Businesses need to be able to recover large numbers of servers quickly and roll back to a known good point in time.
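As an added illustration of the file-anomaly detection named under Detect (example code written for this article, not a Veritas product or anything from the original), the script below scores bursts of file writes by three ransomware-style signals: many distinct files rewritten in one window, encrypted-looking (high-entropy) content, and changed extensions. The window size, thresholds and sample events are constructed assumptions.

```python
import math
import os
from collections import Counter

# Illustrative thresholds (assumptions, not product defaults).
WINDOW_SECONDS = 60   # group write events per minute
MIN_FILES = 20        # fewer distinct files rewritten per window is treated as normal
ENTROPY_BITS = 7.0    # content near 8 bits/byte looks encrypted or compressed

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def score_window(events):
    """events: (timestamp, path, content_written, renamed_to_or_None) tuples.
    Alerts only when mass rewrites, encrypted-looking content and extension
    changes co-occur, so a normal burst of document edits stays quiet."""
    n = len(events)
    files = {path for _, path, _, _ in events}
    high_entropy = sum(shannon_entropy(c) >= ENTROPY_BITS for _, _, c, _ in events)
    ext_changed = sum(bool(new) and os.path.splitext(new)[1] != os.path.splitext(path)[1]
                      for _, path, _, new in events)
    signals = {
        "files": len(files),
        "high_entropy_ratio": high_entropy / n if n else 0.0,
        "ext_change_ratio": ext_changed / n if n else 0.0,
    }
    signals["alert"] = (signals["files"] >= MIN_FILES
                        and signals["high_entropy_ratio"] >= 0.8
                        and signals["ext_change_ratio"] >= 0.8)
    return signals

def detect(events):
    """Return the start time of every fixed window whose signals alert."""
    buckets = {}
    for ev in events:
        buckets.setdefault(ev[0] // WINDOW_SECONDS, []).append(ev)
    return [w * WINDOW_SECONDS for w, evs in sorted(buckets.items())
            if score_window(evs)["alert"]]

# Constructed sample events: a minute of ordinary edits, then an encryption burst
# that rewrites 40 files with uniformly distributed bytes and appends ".locked".
NORMAL = [(t, f"docs/report{t}.txt", b"quarterly figures " * 4, None) for t in range(30)]
BURST = [(120 + i, f"docs/file{i}.docx", bytes((i * 37 + k * 101) % 256 for k in range(256)),
          f"docs/file{i}.docx.locked") for i in range(40)]
```

Requiring all three signals together is what keeps the ordinary edit burst (30 files, low entropy, no renames) from alerting while the encryption burst does; in production the same logic would be fed by file-system audit events rather than an inline list.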
What can we expect next?
AIDS Trojan targeted the healthcare sector and ransomware will continue to focus on these organisations due to their heavy reliance on mission-critical information for their day-to-day activities. To stay one step ahead, these organisations need to improve their data visibility and further automate their backups.
We’ll also see more diverse threats. Increasingly, hackers are expanding their threats to data exfiltration or public exposure if they feel that leaking data might be more ‘motivational’ for their targets. In order to respond, it’s essential to have backup copies of data, and to understand the nature and value of the information that might have been compromised.
Finally, social engineering and phishing are becoming increasingly central to the success of a ransomware attack. The LoveBug was successful in a scattergun fashion, but still relied on social engineering. Had people been less inclined to open an email with the subject line ‘I love you’, the spread of the malware would have been far more limited. If you know hackers might get past your line of defence, prevention can’t be your only option.
In the ever-evolving game of cat and mouse between hackers and businesses, we’ll continue to see innovation on both sides. What’s clear is that, throughout the history of ransomware, it has never been more important to have backup copies of your data that you can rely on.
Mark Nutt, SVP EMEA, Veritas