Episode 49| Ransomware 2.0, with Mikko Hypponen

Melissa Michael

19.01.21 26 min. read


We thought locking up data and demanding a ransom to decrypt it was bad. But ransomware criminals have stooped even lower, and now threats of public data exposure on top of multimillion-dollar ransoms are routine. What’s next? Where’s ransomware going in 2021? For episode 49 of Cyber Security Sauna, F-Secure’s chief research officer and CISO MAG’s Cybersecurity Person of the Year 2020, Mikko Hypponen, joins us to give his take. Also in this episode: ransomware’s evolution, why it’s mainly a Windows problem, the impact of remote work, how ransomware’s industrialization affects the threat landscape, and more.

Listen, or read on for the transcript. And don’t forget to subscribe, rate and review!


Janne: Welcome, Mikko. 

Mikko: Well, thank you very much, and thanks for having me.

Absolutely. Now, ransomware has gotten worse over the past year, but the problem is a lot older than people think, isn’t it?

That’s true. It actually is surprisingly old. Because believe it or not, the first documented ransomware case is from the 1980s. It’s from 1989. Can you believe that?

No, I can’t. What happened?

Well, this was the AIDS information Trojan, which was distributed before the time of mainstream internet. So this was being mailed on floppies to people’s homes. This was an MS-DOS-based software, which actually was a real useful software diagnosing your likelihood to get infected by this new HIV virus which was spreading around the world at the time.

However, the license terms of this software, which you got in the mail unrequested, actually said that you have to pay for the software once you’ve installed it. And if you didn’t, after, I believe, like 20 or 40 boots of your computer, it would encrypt your hard drive and ask you to pay for the software by sending a money order to Panama.


So that’s like a different take on the whole shareware thing that was happening during that time.

Right, yeah. It was like forced shareware. But for all practical purposes, this was ransomware. It actually locked up your system, it showed a full screen ransom note, just like the things we see today, but this was in 1989, and this was done by a guy who was caught, a guy called Joseph Popp, who eventually was taken into court and was acquitted because he was declared insane.

Wow…Okay. So what happened next?

Well, then it was really quiet for a really long time. We have to understand that in the 1980s and even in the 1990s, malware wasn’t making money. So this AIDS information Trojan was an outlier in all possible ways. It was the first ransomware Trojan. It was also probably the first Trojan trying to make money.

And moneymaking with malware in general didn’t start until the early 2000s. And the ransomware problem restarted then with a piece of ransomware we know as GpCode, which was from June 2005.

Why didn’t they make money off the stuff before? Was it the arrival of cryptocurrencies, or what changed the game?

Well, malware in general wasn’t making money, because malware writers didn’t really understand you could do that. Moneymaking really started in the early 2000s when spammers, like email spammers, realized they could use infected computers infected by malware to send the spam for them. And then a couple years later this GpCode came around, and that was fairly quickly then followed by other early ransomware attacks.

And the thing that defined the ransomware that we saw between 2005 and 2010 was that very often, they didn’t tell you that they were ransomware. They had different kinds of cover stories trying to fool you into paying the ransom without even realizing that it is ransomware.

So how does that work?

Well, for example, FileFixer, which we found in 2009. This claimed to be a program which would fix corruptions on your file system. So you would get infected by a ransomware Trojan, it would start corrupting your files, and then it would show you an error message which looks like it’s coming from Windows itself, recommending this great tool called FileFixer, which you can buy for $29.99, which will fix your files. And if you buy it for $29.99 it actually will fix your files.

And it all looks like you had a real file corruption and you downloaded this tool. But actually it is a ransomware Trojan just like the ones we see today. It just doesn’t tell you it’s a ransomware Trojan, it has a cover story.

Huh. So how do we get from those days to today?

The next step was all these police Trojans. So a whole series of Trojans, like the Reveton series and the ICPP Trojans, which claimed to be either the cops or the copyright agencies, and your system is locked because illegal content is on your hard drive, and you have to pay a copyright fee or a fine to get your systems back working.

But all of that is before Bitcoin. And the real shift then happens when we find the first ransomware Trojan which is using Bitcoin.

And that changed the game.

Indeed. And this is Cryptowall. This is 2013, and that totally changed everything. And now we’ve been fighting these modern Bitcoin-enabled Trojans for seven or eight years with hundreds of ransom Trojan gangs making all of their profits with ransomware.

And now in the recent year we’ve seen people not only locking up your data, but also threatening to expose it.

This is right, and this is what I’m now calling ransomware version 2. Ransomware 2.0 means ransomware which first will encrypt your files and demand a Bitcoin payment, but if you don’t pay the ransom, then they will let you know that they also have copies of your files, and they will make them public if you don’t pay.

We saw isolated examples of this happening around 2019. For example, the Johannesburg city case in South Africa, where they stole a lot of data and were demanding payment in order not to leak the data.

But this really started in large scale in January 2020 with Maze, one of these Russian ransom Trojan gangs. Maze introduced a leak site in the public web, not in the Tor hidden service, but in the public web, so it gets indexed by Google and all of that. And the idea in this leak site is that they can make public the names of the victim companies, and if the victim companies don’t pay, then they can start leaking information which they’ve stolen from these companies.

Are there any other gangs other than Maze using this tactic?

Well, this turned out to be such a good tactic that it was pretty much immediately copied by almost ten different gangs. DoppelPaymer does this, Netwalker does this, Conti, Egregor, Ragnar Locker, Clop, many of these gangs copied the idea.

And this all came about because companies were getting better and better at taking backups of their data. The very same gangs which were locking files and getting paid were no longer getting paid, because companies now finally learned to take good backups of everything, make it frequent enough, store the backups in offline systems so they can’t be corrupted, which means they don’t have to pay a ransom.

Which then led to ransomware version 2, because backups don’t help you at all if the risk is that these gangs are going to leak your confidential information.

So why should companies be worried about their information leaking, if they haven’t been up to shady business?

Oh, that’s a great question. Companies don’t have to have any skeletons in their closet in order not to want their information to leak. No company wants to see their emails posted on the public web full of discussions about their clients or maybe their customers’ problems or issues or personal details, or just the fact that your employees are emailing the corporate health system with health information.

So it’s a GDPR nightmare if your company’s confidential information is leaked on the public web, even if your company hasn’t done anything shady or anything bad. No company wants this to happen, and this is why we see more and more companies paying the ransom. Their backups won’t help, and they can’t have their private information posted on the public web.

So are there any other high profile recent examples of ransomware cases that you want to talk about? 

The year 2020 will stay in history books for ransomware in many ways. Not just for the fact that this ransomware version 2 was innovated and became such a huge deal that in fact, the innovator, Maze, the gang that invented the whole idea, they actually retired in November 2020. That’s how profitable this business is.

Was that a real retirement, or just going away for a minute, changing names and coming back?

That is a good question. We have seen gangs come and go and change their names. And there’s an interesting leak within the underground which might indicate that Maze actually is a side name for another gang we’ve known for a long while, which is Evil Corp.

Evil Corp, yes, another Russian gang run by a guy called “Aqua” in the underground, his real name is Maksim Yakubets, who’s been linked to the Zeus banking Trojan problems before, and Bugat and a series of ransom Trojans, including Locky and WastedLocker.

So yeah, Maze has announced on their official site that they’ve retired and they’re off to the Bahamas; who knows what’s really going to happen. But I think it might be a deeper problem, the fact that the general perception is that you can easily become a millionaire and you can get away with your money if you’re in the business of ransom Trojans.

We don’t like this kind of thing to hit the news. We don’t want crime to pay, and most importantly, we don’t want young potential future online criminals to see this and take it as an advice that you know, this is what you want to do. We want ransom Trojan gangs to be caught, not retire in the Bahamas.

Evil Corp. Isn’t that the gang that was indicted by the FBI?

Yes, same gang. They got indicted at the end of 2019, and the FBI together with Europol and officials from the United Kingdom put out a public indictment complete with photos of Maksim Yakubets and his gang, and their cars and everything else.

So law enforcement is following ransomware gangs very closely, and there’s great research being done both in the public sector and in the private sector. But this is a big problem, and the fact is that most of the gangs are still operating without anybody knowing any more details about who are the actual culprits behind it. It is a big problem, and we need more work being done both by law enforcement and the private sector.

Do you think law enforcement has enough means at their disposal to be able to do anything effectively against this?

I think law enforcement is getting better every year. It really is a question of international cooperation, and international cooperation is pretty good nowadays. We have law enforcement agencies working cross-border, exchanging information and working together.

A problem like ransomware is very easily understood by everybody. Everybody understands how bad it is, and everybody wants to fight it. So there’s really no political games to be played around this problem. I think it’s going to get better also from the point of view of law enforcement.

But some of these gangs are operating from territories where the authorities are not likely to cooperate with anybody. So –

So basically you’re saying that there are also a couple of ransom Trojan gangs which are NOT Russian. Is that what you’re saying, Janne?

Pretty much, pretty much. So was it this ransomware 2.0 that brought about all these big payments in 2020? 

That’s what it seemed to be. 2020 had plenty of big companies, publicly listed well-known brand companies, getting hit by ransomware, and many of them ended up paying the ransom.

When you look at just public reports, we have companies like Garmin, and Campari, and Brown-Forman, which is best known here in Finland for owning Finlandia Vodka, and the Foxconn incident, which had the biggest ransomware payment demand I know of, which was 1,804 Bitcoins, at the time $34 million US dollars. So this is just becoming huge.

So we’re talking about Bitcoin, but is it always about Bitcoin? Are there other cryptocurrencies involved?

There are. Bitcoin is clearly the king of the hill. But like we mentioned, before Bitcoin, they used alternative mechanisms, mostly Paysafe cards and Ucash to move the money around. But clearly the problem there is that it’s fairly easy to follow these virtual credit cards and their movements.

Bitcoin solves that problem, but it doesn’t solve it as well as other cryptocurrencies, most notably Monero and Zcash. And we have seen both Monero and Zcash being used as the payment mechanism. But I think the problem from the point of view of criminals is that it’s so much harder for an average citizen to get their hands on other cryptocurrencies than Bitcoin, that it seems to always come back to Bitcoin.

But it’s also getting easier for people to get into this business, with ransomware gangs launching affiliate programs and ransomware-as-a-service business pipelines, things like that. How is this industrialization affecting the threat landscape?

Where there’s opportunity there are more players coming onto the playing field. And if you wanted to be a ransomware player, you needed some kind of a gang or a group of developers and system administrators and spammers.

But, like in any business, if it’s big enough, you can outsource these things. And that’s what we’ve started seeing with gangs like Dharma. Dharma is the original RaaS operator, that’s Ransomware-as-a-Service operator, meaning you don’t need to know how to develop your own ransomware. You don’t need to even understand how to move the Bitcoins around. You can outsource all of this to gangs like Dharma, or Satan, or Darkweb and some others.

So this is a good example of how opportunity creates new business.

We’ve sometimes seen the ransom amounts to be tied into the scale of the company you’ve hit. Is that a part of the advisory these groups provide, or is that something the ransomware actors decide on their own?

It used to be just mathematical. When we started seeing dynamic pricing in ransomware payments for the first time, it was just the ransomware Trojan hitting targets blindly and then scaling the Bitcoin demand based on things like how many file shares it could see from an infected workstation. If it sees like one or two file shares, it’s a home office, or a home user who only has Dropbox mounted with one file share visible. If it sees 28 file shares, it’s an enterprise. So you could just use that to ask for a payment of $1,000 or $10,000.

This is now a thing of the past, because a very big part of the big infections, the enterprise-level infections, are targeted cases from the beginning. It might not be a case where the attackers first pick the victim and then find a way in, but it’s sort of like that they scan millions of IP addresses for known vulnerabilities, but then when they have a list of targets, then they go through that list and try to find organizations that they know would be good targets for demanding payment. Basically, companies which have a lot to lose if their operations stop. So for example, online stores. If your online shop isn’t selling anything, you might be losing millions every day.

Okay. Well, another feature of 2020 was that everybody switched to working from home. Did that impact the ransomware game at all? 

Yes, it did. There’s a couple of things that it changed. The first thing about the pandemic year 2020 was that people were scared. We were all scared. I mean, this deathly thing is spreading around our neighborhoods. And scared people are easier people to fool.

So this is the explanation why we saw so many ransom Trojan spam runs, where they were sending out links or attachments which were claiming to tell you about an outbreak at your workplace or in your neighborhood, please open this Excel sheet to see the name of infected persons at your workplace, things like that. And it’s easy to see why people fall for that. They get an email which speaks something about Covid in the subject line, and the content speaks something about infections, and there’s an attachment and before you even think about it you’re opening the attachment. And that might be enough to get you infected.

The other thing we saw happening because of this remote work revolution of 2020 was that some companies were forced to move some of their servers from their internal networks to the public internet.

So we, for example, right now see more file servers on the internet than before the pandemic, and this is because they had to move all employees to work from home, including the employees who never did this before, who didn’t have a laptop, who had desktop computers with no VPNs and no remote working functionality, and they still needed access to corporate files. And as a stopgap solution you just move the file server to a public network and rely on your authentication and passwords, and we know how strong passwords are.

And there are cases where such file servers have been taken over by outsiders, and the real reason is that these servers were now in the public web and they were easy targets for ransomware operators.

Yeah, absolutely. Never seen so many people RDP-ing into services than during this year. So is that like, weaknesses in things like RDP and malicious email attachments, is that still how ransomware spreads or did we see any new attack vectors in 2020? 

That’s mostly how it works. It’s still either email, or scanning for vulnerable services. And when scanning for things like RDP, remote desktop systems, it’s not just scanning for systems which have weak authentication or weak passwords or known passwords. It’s also the fact that there’s a lot of technical vulnerabilities in RDP servers or VPN servers.

And RDP and VPN servers are targets because they are always in the public web. You can always find them just by scanning the IPv4 address space, which isn’t that large to scan. You can scan it in a couple of hours. And if there’s a new vulnerability for something like this, ransomware operators are scanning for that vulnerability within hours. 

Yeah. 2020 was also a mixed bag in targets. We saw at least one group stop their attack after they found out that their target was a hospital. But then we heard talk about other groups that were specifically going after medical facilities, hospitals and companies doing medical research. What was that all about?

Yeah, around March 2020 we saw multiple gangs publicly announce that during the pandemic they’d try to stay away from hospitals. Netwalker said this, Nefilim said this, a couple of others said it as well, and they did.

The famous case of the Dusseldorf hospital incident in Germany, which involved a loss of life, was one of those gangs which, then when they realized that they had hit a hospital, they gave away the decryption key for free.

But I think it’s a really concerning idea, not just during pandemics, but in general, when hospitals or medical research institutions are getting targeted by ransomware. And gangs that are doing this on purpose, like Ryuk, they realize that organizations that need to continue working the most are critical organizations like this, which makes it more likely that they will pay the ransom. And it just takes an unusually cruel attacker to do this, but if you’re cruel enough I’m sure there’s money in it.

Yeah, I mean, what’s a hospital going to do? They’re not going to stop business for weeks, so they sort of have to pay. So do you think we’re going to be seeing more places like that, critical infrastructure being hit by ransomware?

Well, I think we all hope we won’t see more of this, but I think we will. And if we think back to 2017, when WannaCry was going around the world, that was the first time we saw a massively large ransomware infection inside hospital systems. That was in NHS, the National Health Service in the UK.

And in 2017 we were actually in touch with the statistics center of Great Britain to get the death stats for the WannaCry week, and for the same week a year earlier, because we wanted to see if there was any kind of peak for deaths. And I’m happy to report that we didn’t. There was a slight increase in the number of deaths, but that’s within statistical boundaries.

But I think it’s not going to get better, I think it’s going to get worse.

Yeah, it’s a tough call for hospitals. Like, you know, do I spend all this money on new computers and cyber security measures, or do I spend it on actual care of patients? So it’s a tough nut to crack for them.

It’s a question of budgets. Clearly we need to be able to have the kind of systems which don’t run the risk of getting infected by run-of-the-mill attacks. Legacy systems are easy systems to infect, and the WannaCry incident was a great example of how saving in IT budgets will come back to bite you.

Okay. Well, so far ransomware has been mostly the problem of Windows systems. Do you see that expanding beyond that, like to other operating systems or mobile?

This is something we’ve been thinking about for a long while. We have seen the odd Mac OS Trojan trying to do the same kind of moneymaking mechanisms, but then they’ve never become a big problem.

And that is a bit surprising, because many people would argue that Mac owners would probably have more money to pay for ransoms than PC owners. However, I guess it’s a question that most of these gangs make enough money with their existing attacks, which only focus on Windows, that they don’t need to start branching out to different systems.

And then when we go beyond computers and start to think about mobile phones or PlayStations or smart TVs or smart cars or factories, all that could be targeted, but it’s a pretty big jump for the existing gangs.

And especially, hitting smartphones or smart tablets like iOS and Android systems, it’s actually really hard. On your Windows system, an application can see all the other applications and the data of all the other applications. On iOS and Android, every app is sandboxed. They can only see their own stuff. They can’t do anything to the files you have elsewhere.

You could try to bypass this by, for example, encrypting files on Android memory cards, or accessing files in the cloud and trying to encrypt that, but it’s not likely to happen in the near future. I think we’ll continue seeing the majority of this problem on the Windows platform.

Yeah, and hopefully IoT designers will take this into account, that maybe my dishwasher won’t stop working entirely just because the web server it’s running isn’t accessible anymore.

Right. Pay now if you want to clean your dishes.

Yeah. I would pay that in a heartbeat. So, okay. Traditionally the advice we’ve given companies is to create backups of their data so they don’t have to pay. But now that ransomware actors are not only encrypting that data, but they’re exposing it publicly, backups are no longer the end of the story. So what do we tell companies now? What should they focus on in 2021?

The advice is easy to give and hard to follow, because the advice is: Don’t get infected. That’s really easy to say, really hard to do.

And the reason why it’s so hard to do is that it gets harder the bigger you are. The bigger your network, the bigger your company, the more workstations you have, the more data centers you have, the more problems you have defending everything at the same time. This means that every single enterprise-level company in the world must assume that sooner or later they will have at least small fragments of their network hit by ransom Trojans.

So then it becomes a question of being able to detect this quickly enough. If you’re able to detect a breach, you can stop the breach before it gets out of hand. Most ransom Trojan operations don’t happen within an hour or two. Many of them actually stay in the network for days or weeks trying to gain access laterally to everything so they can encrypt all the stuff, including your backups. And that would of course be the dream scenario for ransom gang operators.

That gives some time for defenders to detect and stop the attacks. And when you think about detecting ransomware version 2 in particular, then it becomes a question of detecting anomalies in your network. In this case, the attackers will want to copy, for example, your email archives. That’s gigabytes of data from your networks.

So if you are running sensors in your network, if you have visibility into what’s happening in your endpoints, if you have visibility into what’s normal, then you can start detecting abnormal things. Abnormal things, like a single workstation copying your whole Exchange server and sending it out to an IP address in Siberia. That is detectable, if you are looking for it.

Yeah, I mean, there’s even like data loss protection software and solutions out there to help you do that. It seems to me like there are these things you can do at different parts and various stages of a ransomware infection, but clearly they don’t form an effective whole, or we wouldn’t have this problem. Is the problem just that to stop ransomware, you just need to be better at cyber in general?

Yeah. You need to understand what’s the problem. What exactly are you trying to fight? What are you trying to defend? How are you going to detect when there is a breach? And how are you going to react? And it goes back to not just planning, but also testing. Testing your defenses in practice.

And you can now order security companies to do trial runs of ransomware lookalike hits, so you will be able to tell if your sensors would be able to detect a breach, or detect someone copying gigabytes of data and sending it out, or detect sudden changes in file status on your file shares, which would be similar to what happens when ransomware starts encrypting your files.

So we’ve talked about mitigation and detection. What would need to happen for ransomware to go away entirely, like just disappear from the world? 

Well, most likely that would require bad people to go away, and that’s not likely to happen anytime soon, and that’s more of a joke than reality.

If we really want to think about what’s changing around us in the way we compute, I just told you that we don’t really have this problem on our phones or our tablets. And that’s a pretty big deal, actually. Especially when we think about a device like a new iPad Pro. Which actually is a very fast computer for every single purpose you could imagine. I mean, it comes with a keyboard, it has a great screen, it’s faster than almost all computers.

But it’s not really a computer, because it is a restricted device where applications have much fewer rights than on a real computer. And most importantly, the end user can’t program his own device, which really kills a whole category of problems. Same thing if you look at your Xbox or PlayStation. That’s a really powerful computer which really doesn’t have a malware problem at all. Much less a ransomware problem.

So it might be that more and more of the devices we use to do computing will not be programmable by the end user. And that will solve many of the problems we have. Not all of them, but many categories of the problems we have might be going away in the long run.

That’s interesting. That’s almost like the discussion from a couple of years ago, when people were talking about how computers are going to go away and be replaced by terminals that run cloud services. That hasn’t happened to any meaningful degree, do you think that the future you just outlined there is likelier to happen?

I think it will be that we will have powerful endpoints, but they won’t be generally programmable. And this is already happening. The most common computing system you most likely use is your smartphone. And the power in your smartphone is basically ten times faster than a computer you had ten years ago.

Do you think cyber insurance will have a role in making the problem go away?

Yeah, it might, although probably in the short run it might increase the problem. This is because when companies, especially large companies, have cyber insurance, it might actually mean that they are just more likely to immediately pay the ransom, and then cover the ransom payment with the insurance. And the more companies and the more individuals pay the ransom, the bigger this problem will become.

There’s this one case from 2019 where a US-based insurance company actually listed a list of reference customers that they’ve issued cyber insurance to, and that sort of became like a hit list for ransomware operators.

So cyber insurance is a good idea, and we recommend companies consider them carefully. But they also have the ugly dark side that it might actually increase the payments for ransom Trojan operators.

Yeah. Wow, if that starts happening on a big scale, then that’s not something that insurance companies are going to be happy about. But maybe the future of cyber insurance is a different episode entirely. 

Whatever you do, if you get cyber insurance, make sure you are not a reference customer.

There you go. Good advice. Thanks for being with us, Mikko.

Thank you very much. Bye-bye.

That was our show for today. I hope you enjoyed it. Make sure you subscribe to the podcast, and you can reach us with questions and comments on Twitter @CyberSauna. Thanks for listening. 
