Most first encountered ransomware after an outbreak shut down hospital computers and diverted ambulances this year. Is it here to bide?

For thousands of people, the first time they heard of “ransomware” was as they were turned away from hospitals in May 2017.

The WannaCry outbreak had shut down computers in more than 80 NHS organisations in England alone, resulting in almost 20,000 cancelled appointments, 600 GP surgeries having to return to pen and paper, and five hospitals simply diverting ambulances, unable to handle any more emergency cases.

But the outbreak wasn't the birth of ransomware, a type of computer crime which insures computers or data hijacked and a fee demanded to give them back to their owners.

Some of the earliest ransomware claimed to be a advising from the FBI demanding a “fine”, simply tricking users into paying up, or blackmailing them with accusations of trafficking in child abuse imagery.

Their tactics didn't work for long. Bank transfers were easily tracked, cash pays were difficult to pull off, and if any variant got successful, people would trade tips-off on how to defeat it rather than paying off bill.

The modern ransomware attack was bear from two inventions in the early part of this decade: encryption and bitcoin.

The modern ransomware attack was bear from encryption and bitcoin. Photo: Justin Tallis/ AFP/ Getty Images

Ransomware such as Cryptolocker, which first appeared in the wild in 2013, didn't just lock up the screen- it encrypted all the data on the computer. The only route to get it back was to pay the toll in exchange for the unlock key. Even if you managed to uninstall the ransomware itself, the data was still locked up.

Bitcoin suddenly entailed ransomware authors could take pay without involving the trappings of the conventional banking system such as pre-paid credit cards.

For nearly five years, so-called ” cryptoransomware” bubbled below the surface, struggling to spread. Generally it was centrally controlled, assaulting new victims through direct mail campaigns, tricking users into downloading it, or through botnets of computers infected with other malware- going in through the front door, so to speak, rather than use weakness in computer systems to spread.

WannaCry changed that.


May's ransomware outbreak was notable for a number of reasons: the scale of the damage; the unusual style in which it came to an objective, with the discovery of a poorly hidden” kill switch “; and the growing faith that its architects were not cybercriminals, but state-sponsored actors, most likely working for or with the Northern korean government.

But the most important aspect is why it managed to go from unknown to taking out a significant chunk of the NHS in a matter of days. WannaCry was the first “ransomworm” the world had ever seen.

A ” worm”, in calculating parlance, is a piece of malware able to spread itself to be far more damaging than your typical computer virus. They self-replicate, ricochetting from host to host, and obeying all the epidemiological rules that real diseases do, growing exponentially and taking off when they infect well-connected nodes.

As computer security techniques have improved, worldwide worm outbreaks have become rare. It is hard to engineer a piece of malware that will automatically execute on a remote machine without any user participation. Before WannaCry, the last major worm to reach the wild was Conficker. One variant spread to almost 20 m machines in one month in January 2009, infecting the French Navy, the UK Ministry of Defence and Greater Manchester Police. But since Conficker, major worms had been rare other than the Mirai worm and botnet infecting badly-designed Internet of Things devices such as webcams.

WannaCry had a helping hand to break through. In April 2017, a mysterious hacking group called The Shadow Brokers released details of a weakness in Microsoft's Windows operating systems that could be used to automatically run programs on other computers on the same network.

That weakness, it is believed, had been stolen in turn from the NSA, which had detected it an unknown period of time before, code-naming it EternalBlue. EternalBlue was part of the NSA's toolbox of hacking techniques, used to attack the machines of US foes- before one of them turned the tables. The true identity of the Shadow Brokers is still unknown, although every piece of evidence points strongly to them being affiliated with the Russian state.

The Shadow Brokers first constructed themselves known in public in August 2016, auctioning a job-lot of cyber weapons which it said were stolen from the “Equation Group”- code-name for the NSA's hacking operation. Four more leaks followed including EternalBlue in April.

Microsoft fixed the EternalBlue weakness in March, before it was released by the Shadow Brokers, tipped off by the NSA that it was likely to be made public. But two months later, many organisations had yet to install the patch.


A message demanding fund on a computer hacked by a virus known as Petya in June 2017. Photograph: Donat Sorokin/ TASS

Ultimately, WannaCry was too successful for its own good, spreading so fast that safety researchers were tearing it apart within hours of it appearing in the wild. One of them, a young Briton called Marcus Hutchins, discovered that affected computers tried to access a particular web address after infection. Curiously, the address wasn't registered to anyone, so he bought the domain- and just like that, the malware stopped spreading.

It's still unclear why WannaCry included this kill switch. Some researchers think it was because the authors had watched the progression of Conficker, which attracted undue attention. Others speculate the version of WannaCry ” accidentally” escaped the network it was being tested on.

Even with the kill switch active, the outbreak caused enormous injury. A report released in October focusing only on the effects on the NHS concluded that” the WannaCry cyber-attack had potentially serious implications for the NHS and its ability to provide care to patients “.

It said that WannaCry” was a relatively unsophisticated assault and could have been prevented by the NHS following basic IT security best practise” such as installing the fixings that had been released in March.

” There are more sophisticated cyber-threats out there than WannaCry so the Department and the NHS need to get their act together to ensure the NHS is better protected against future assaults .”

A month later, one of those attacks arrived dubbed NotPetya, due to an initial, erroneous, belief that it was an earlier variant of ransomware called Petyna. The malware was clearly built on the lessons of WannaCry, using the same EternalBlue weakness to spread within corporate networks, but without being able to leap from one network to another.

Instead, NotPetya was seeded to victims through a hacked version of a major accounting program widely used in Ukraine. It still took out companies far and wide, from shipping firm Maersk to pharmaceutical company Merck- multinationals whose internal networks were large enough that the infection could travel quite far from Ukraine.

NotPetya had another oddity: it didn't actually seem established in order to make money. The “ransomware” was coded in such a way that, even if users did pay up, their data could never be recovered.” I'm willing to say with at the least moderate confidence that this was a deliberate, malicious, destructive assault or perhaps a test disguised as ransomware ,” UC Berkley academic Nicholas Weaver told the infosec blog Krebs on Security.

That realisation meant the focus on Ukraine took on a new lighting. The country has long been at the vanguard of cyberwarfare, constantly trading digital blows with its neighbour Russia even while the two countries trade actual blows over the Crimea. If a nation nation were to write malware with the aim of crippling the economy of its target, it might seem a lot like NotPetya.

More to come

With Eternalblue slowly being patched, the age of the ransomworm might be over until a new, equally damaging vulnerability is observed. Instead, it looks like old-school ransomware will start to take back the spotlight- with a spin.

” People have become desensitised to common ransomware, where it merely encrypts your files ,” says Marcin Kleczynski, the chief executive of information security firm Malwarebytes.

Widespread backing up of data entails fewer are willing to pay up. So instead of merely locking data away, attackers are threatening the exact opposite: publish it for all the world to watch. Such attacks, known as “doxware”, have already been seen in the wild, but currently merely at a small scale or carried out manually, as when a Lithuanian plastic surgery clinic saw its files published for ransoms of up to EUR2, 000( PS1762 ).

To stay safe in 2018, though, the advice remains much the same as it always has been. Don't click on unknown attachments, always use strong and unique passwords, and maintain an up-to-date backup. Even if ransomware's no longer cool, it's still around, and it looks like it's here to stay.

Read more: