Ransomware: The Malware Increasingly Likely to Bring Down Your Mobile Device

Dr. Joseph Popp was declared unfit for trial after he began wearing a cardboard box over his head. Apparently, his Harvard education was no match for the pressure of being put on trial for producing the first ransomware, the “AIDS” Trojan, a.k.a. PC Cyborg. Popp, it seems, suffered a nervous breakdown after being denied a job at the World Health Organization. Subsequently, Popp, who had done work on AIDS, got revenge by sending diskettes to all attendees of the WHO’s international AIDS conference. The diskette, labeled “AIDS Information – Introductory Diskettes”, included the first ransomware Trojan. After a certain number of uses, the malware renamed all of the files on the victim’s computer and denied access to them. The victims would then get a message saying that their license had expired and that they needed to send $189 to a bank in Panama to get their files restored. To his credit, Popp sent a surprisingly frank licensing agreement to everyone who got the diskette, telling them that “you are hereby advised of the most serious consequences of your failure to abide by the terms of this license agreement: your conscience may haunt you for the rest of your life; you will owe compensation and possible damages to PC Cyborg Corporation; and your microcomputer will stop functioning normally.” No fine print here.

Ransomware has come a long way from this first 1989 attack, but it still has the same attack structure. Basically, the victim’s files are encrypted, the computer is rendered inoperable, or a browser freezes up. In the end, users are told they must pay some money to get things back to normal. Payment is made through some difficult-to-trace money transfer service.

Though the basic idea is the same, the newer types of ransomware need to be better designed to fool the more sophisticated user. They are often designed to take advantage of a user’s guilt. The malware flashes a message to the user, purportedly from some policing agency, that they were found downloading something illegal or visiting questionable sites and that their device will be locked until they pay some fine. This is an example of how the 2012 Reveton Trojan operates.


Although this warning features a UK law enforcement agency, the Trojan will match such notices to the country in which the victim lives.

This 2012 version of Reveton can easily be seen to be a fake because of the bad English usage and the use of somewhat obscure payment methods. The 2014 version is more sophisticated. It comes with a password stealer program and can emulate the login page for a number of banks. It can also be used to steal data.

For the most part, ransomware has historically been more of a nuisance than a serious threat. This, however, changed with the discovery of Cryptolocker in September of 2013, which accounted for a 500-fold increase in ransomware attacks by the end of that year.


Propagated through botnets and email attachments, Cryptolocker was far more dangerous than any ransomware that ever came before. Not only were the files highly encrypted on malware-controlled servers, but payment was, for the first time, demanded in bitcoins, which are very difficult to trace. If the victim did not pay by the appointed time, the price for decryption continued to increase.

The risk of damage from Cryptolocker and its tie-in with the Gameover ZeuS trojan, which is used in bank fraud, led to one of the greatest anti-cybercrime operations in history. Government crime agencies from around the world, private software security firms, research universities, and other cyber experts launched a huge attack on the operators of Gameover ZeuS called Operation Tovar. On June 14th of this year, the U.S. Department of Justice announced that it had control over part of the Gameover ZeuS network and named Russian national Evgeniy Bogachev as the leader behind the attacks.

You might be led to believe that, after this takedown, ransomware attacks would have diminished. Unfortunately, just the opposite occurred. In April of this year, a new ransomware program, unconnected to Cryptolocker, appeared. This one, called Cryptowall, was just as malicious as Cryptolocker and demanded much more money.


Although the decryption keys to Cryptolocker are now available, those to Cryptowall are not. Outside of paying money ($750 in bitcoins) to get your files back (yes, you will get them back), there is not much you can do.

This is why the Counter Threat Unit at Dell SecureWorks called it “the largest and most destructive ransomware threat on the internet”. As if that’s not bad news enough, attackers now seem to be turning most of their attacks towards Android phones. On August 22nd, Nicole Perlroth reported in the New York Times that 900,000 people had had their phones infected with ransomware in the previous 30 days. This was a remarkable rate of infection, equal to a quarter of all types of malware attacks for the previous year. Shortly after, two more varieties of ransomware appeared targeting these phones. One of them was able to use the camera, answer and cancel calls, and intercept banking transactions. Infections often occur by, you guessed it, downloading apps, though compromised websites are also used. Just as in regular ransomware attacks, the user gets some notice that a crime agency is shutting off their phone and that they must pay a fine to get it back.

If you manage to get caught in one of these attacks, you are not completely powerless. PC World gives some suggestions on what you can do to get your files back, but there are no guarantees. And the future doesn’t look good. The 2014 Sophos Security Threats Report says that “it’s hard to predict what form future attacks will take—but we can imagine ransomware taking hostage not just your local documents, but any type of cloud-hosted data. These attacks may not require data encryption and could take the form of blackmail—threats of going public with your confidential data.” Not only that, but Gameover ZeuS may be coming back. Apparently, the malware net was disrupted but not completely taken down. And what happened to Evgeniy Bogachev, the designer of this malware? He’s apparently openly using the millions he extorted from hard-working Americans and Brits. He has a house on the Black Sea where he enjoys sailing his yacht. According to the U.K.’s Telegraph, most Russians consider him a hero for having disrupted banking in the US. As one Russian policeman purportedly said when asked if he would arrest Bogachev, “I’d pin a medal on the guy.” With such attitudes, it is unlikely that he will be arrested any time in the near future.


Ransomware pays. Those behind it have made millions. The more money you paid for your smartphone or tablet, the more likely you will pay the ransom to get it back. Should you pay? Most experts say you shouldn’t, because you may simply be targeted again. However, if you need your data and your phone, you may have little choice. It is increasingly likely that you will be a ransomware victim. If you are a victim of Cryptolocker, you can get your files back for free: FireEye, one of the firms responsible for taking down Gameover ZeuS, has a web page where you can get the key to unlock your files. When it comes to the newer ransomware programs, you’re basically on your own. The standard advice still applies. Be careful what apps you download and be sure to check the permissions that go with them. Open any email attachments with caution. As the old adage goes: When in doubt, throw it out.


Don’t let ransomware hold your company hostage. InZero’s architecture can be used to turn your single Android device into two. It does this by creating two separate operating systems at the hardware level, so that one part of your device is used exclusively for personal activities and the other only for work-related use. Careless user behavior on the personal side of the device cannot cross over to contaminate the work side. Even if the personal side is attacked with ransomware, the work side will continue operating as usual.
