Threat Research

Ransomware – From Fins to Wings

By David Maciejak | June 24, 2016

The FBI recently published a report claiming that ransomware victims paid out over US$209 million just in the first quarter of 2016, compared to US$24 million for all of 2015. Ransomware has very quickly become the most fashionable malware on the market, flooding the threat landscape in ways never seen before. We are seeing new strains of ransomware almost every single day.

What is Ransomware?

Ransomware is malware that locks access or functionality on your computer and then demands payment in exchange for restoring normal operations to your PC. Right now, there are two different varieties of ransomware: crypto ransomware that encrypts data so it can’t be accessed, and blocking ransomware that prevents normal PC operations.

A Brief History

Ransomware is not a new threat. Experts often cite the first instance of ransomware dating back to the 1989 “AIDS” Trojan. However, the first example of ransomware leveraging asymmetric encryption didn’t emerge until 2005. Since then, we have seen massive adoption from cybercriminals. Bitcoin became a catalyst in 2013 when the technology became widely available, giving criminals the ability to received cash in an untraceable way. 

Coupled with the ubiquitous use of Tor and other easily accessible decentralized networks, it has become extremely easy for cybercriminals to set up systems for massive infection, such as ransomware-as-a-service (RaaS), to turn quick profits when victims pay up (even when 20% or more is given up to affiliates in RaaS campaigns).

Figure 1: Malware is becoming more and more sophisticated (from IKARUS)

There is a lot more history in the rise and current prevalence of ransomware than we can cover in a single post. So, we encourage you to check out a more comprehensive look here

The goal of this post is not to talk about the history and evolution of ransomware, but to focus instead on what might be in store for the future. 

Evolution, Living the History

As previously mentioned, there are two varieties of ransomware that have been identified in the wild. However, the distinction between them is beginning to blur. For example, recently discovered crypto ransomware prevents an infected computer from accessing certain websites until a payment is made.

This fading distinction can also be seen as ransomware begins to move cross-platform, beyond PCs and onto mobile devices. Even beyond ransomware targeting AndroidOS, we have see variants (such as FLocker) targeting IoT devices like Smart TVs. The FLocker ransomware demanded a $200 iTunes gift card in order to let you watch the Stanley Cup Finals. 

According to Gartner, there will be 6.4 Billion connected “things” in use by the end of 2016, and an estimated 21 Billion by the end of 2020. For attackers, that only means one thing: more potential victims.

Ransomware is like a disease, evolving and constantly finding new vectors of attack. 

In fact, Our FortiGuard counterparts in Europe investigated the degree to which biology has inspired cybercriminals’ malware designs over history. Take a look at the BlackHat Europe paper here, entitled “An Attacker’s Day into Human Virology” 

If you extend the metaphor to include survival of the fittest, we can see an evolutionary trajectory in how malware learns new tricks. 

The problem is that evolution doesn’t stop to take a breather. 

For the SamSam and ZCryptor family samples, for example, we have recently observed ransomware moving laterally within networks. Which means that some strains of ransomware are starting to exhibit worm-like behaviors in order to spread themselves across networks. 

Staying with the Darwin analogy,  watching ransomware expand beyond a single machine is like a watching a primordial arthropod emerge from the sea for the first time. This evolutionary milestone happened in just the last few months. When we first noticed it we had to ask, “How can ransomware be evolving so quickly?”

Firstly, it doesn’t help that victims are generally paying the demanded ransoms. Not all of them are, but enough victims have opened their wallets to make ransomware a lucrative business for criminals. Without getting into the “to pay, or not to pay” debate, it is my personal belief that critical data is sometimes worth the tradeoff. But again, let the buyer beware, because paying a ransom will not ensure that you get your data back. 

As the value of bitcoin is quite volatile, reports now indicate that some companies have begun stockpiling digital currency just to be prepared for a possible ransomware infection. Interestingly, the demand for bitcoin is growing, driving the value to almost double in the last three months (Figure 2), reaching as high as $768 today.

Figure 2: bitcoin price index

We can assume that ransomware authors are managing their business the same as a legitimate business and reinvesting a non-trivial percentage of their ransom dollars into their own R&D. Like a software development company, we imagine they have project managers working on roadmaps, and engineering teams fixing bugs and adding new features to their ransomware.

Evolution Predictions

Ransomware cases have already reached plague level, so you may think “What could be worse?” Let me give you an idea.


There is still one kingdom that has been spared the ransomware scourge: Industrial Control Systems. Found in industrial production facilities like chemical manufacturing plants, nuclear power plants, electric power generators, etc., SCADA systems are ripe for the taking.

At the moment, these systems have not reported (publicly) any ransomware infections. However, we have seen that an air gapped strategy is not as bulletproof as we once thought. See our “SCADA security report 2016”.

These systems are notoriously underprotected and fragile. Currently known variants of ransomware in the wild wouldn’t need to do anything more than just knock on the right door. Which means the risk of having this growing threat spread into Operational Technology environments in the coming months is a very real and probable threat. We have seen how ransomware targets certain types of victims, such as healthcare organizations, which are often asked to pay more on average because of their willingness to just pay a ransom without much protest. So the next logical question is, “How much would a government be willing to pay to prevent issues in a nuclear power plant?”

To help address such challenges, Fortinet has delivered the Internal Segmentation Firewall (ISFW) architecture to hobble attackers from moving laterally within ICS or enterprise networks.


After exerting its dominion over land and sea, what could possibly come next? 

Continuing the evolutionary analogy, it only makes sense for ransomware to take flight. For ransomware to survive, it needs to follow the data. So it should come as no surprise, then, that we predict ransomware to move to the cloud.

To look at one relevant example, Apple just announced that they are upgrading their free iCloud service from 20Gb to 150Gb. This means that in the coming months or years we can expect the storage of highly sensitive personal data in the cloud to become a fully accepted cultural norm. It might be possible by, for example, exploiting an API, for cybercriminals to find a way to encrypt our data stored online. After all, the cloud is really just someone else’s computer.

Figure 3: popular sticker

Let’s just take a moment here to stress how crucially important it is that you regularly back up your data beyond whatever cloud storage you are using. See our recent blog on ways to mitigate ransomware disaster. 

To better help organizations, Fortinet is committed to continually researching ransomware threats and bringing new approaches to combat emerging vectors and variants. We are always improving our ability to detect and respond to these threats, but also in developing advanced countermeasures by working on entirely new prevention models.


Without venturing into the realm of science fiction, the risks associated with IoT make it a very real possibility that ransomware will one day jump the digital divide into our biological systems. 

Figure 4: Tabloid headline about computer virus infecting humans

What if ransomware prevented you from using your prosthetic arm or any of your implanted robotic devices (such as a pacemaker)? We have written about the risks of the Internet of Medial Things before.

Luckily, this threat is still largely speculative, but are we so far from such a reality? Science fiction has inspired many of our modern inventions, and it is not farfetched to consider the risks of convergence. 

Given that evolution is a continual process, we can expect innovative vectors and interesting new infections to continue to emerge. Maybe ransomware will add software governors on your self-driving car, prevent a robotics-assisted surgery from progressing, or even try to steam you out of your smart house. And once infected devices start building and maintaining other devices, is the “rise of machines” really so far-fetched? 

While we are excited to see what the future holds, we are even more excited to help protect it!

-= FortiGuard Lion Team =-