The CryptoLocker Virus and the Birth of Modern Ransomware

You found the backup wrap up your go-to podcast for all things

backup recovery and cyber recovery.

In this episode, we go back to ransomware school persona.

My co-author Dr. Mike Saylor, and I break down what the CryptoLocker virus

was, why it mattered, and how it changed the ransomware game for everybody.

Good guys and bad guys.

Mike breaks down how encryption actually works, why the bad guys switch to

public private key encryption, and how the crypto likeer CryptoLocker

virus taught criminals what not to do when building a ransomware business.

Well, we also cover botnets, operation Tovar, Bitcoin, and

today's double extortion attacks.

There's a lot of info in this episode, so buckle up.

By the way, if you don't know who I am, I'm w Curtis Preston, AKA, Mr. Backup.

I've been passionate about backup and recovery for over 30 years, ever since.

I had to tell my boss that there were no backups.

Of the production database that we just lost.

I don't want that to happen to you, and that's why I do this.

On this podcast, we turn unappreciated admins into Cyber Recovery Heroes.

This is the backup wrap up.

Welcome to the backup wrap up.

I'm your host, w Curtis Preston, AKA, Mr. Backup, and I have with me the guy

that was completely not helpful for this morning's events Prasanna Malaiyandi.

How's it going?

You were, you weren't there for me.

Uh, uh.

In fairness, I did not know what happened this morning until about 35

seconds ago, actually 36 seconds ago.

So

think that is.

Yeah, whatever.

I was going through some hard stuff, man.

And you weren't there for me.

I'm just saying.

But anyway, so persona, welcome of course to the podcast and we of course have once

again with us, Dr. Mike Saylor, all the way from the Great Republic of Texas.

How's going?

Mike,

well guys.

Thanks for having me again

is that, have I never noticed this?

You've got some kind of game thing be behind you.

Yeah.

have a couple of those mini arcades with the, you know, five to 500

different types of games on them.

Really?

I, uh, a hundred years ago, I, I remember, I, I was never, I, I didn't

last, the last like, arcade game.

I remember playing.

Like, like that was actually, um, what was the one with the, with the knight?

You remember the, the first one that had like Yeah.

Joust.

Yeah.

I remember doing, and I remember being horribly awful at joust.

That the bet the only game.

time ago, I had this game.

That's the first thing that came to mind.

Yeah.

Yeah.

Um, I had joust and then, but the only, the last game I remember being

any good at was, um, like Miss Pacman.

Right.

Like Asteroids and Miss Pacman and that, that era, which is

Mm-hmm.

Gallaga.

Yeah.

Yeah.

Um, yeah.

So we're old is all I'm really saying.

This one has gallica on it.

Yeah.

All right.

Well, at some point I gotta come over there.

Oh, centipede.

Yeah, I remember Centipede.

Um, but, uh, all the people listening, they're like, whatever, man.

Like these old farts.

Uh, just tell me about ransomware.

So we're talking about history though, in this episode.

We're going back, you know, back in the day, you know, as I like to do.

Uh, you know, when, when Mike, when I wrote, when, you know, when

you, when you and I wrote the book.

Like they, they, they sort of like poo-pooed on the history part.

They were like, we don't wanna spend a lot of time on the history.

Right.

You remember that?

stuff.

But I, I think there definitely is value in like, going back a little bit in time

to understand how we got here, right?

That there was a time when, uh, ransomware wasn't what it is.

What there's like three sort of generations of ransomware there.

There's the first one, which, which a lot of it was like either.

Like the, the claim that, you know, when you got the message, it was almost

like, it was like a fake message that you, you wanted them to believe that

the, or the, the, the hacker wanted you to believe that you were actually

attacked by ransomware when in reality nothing had actually happened to you.

Um, and, and this is, we still see this today, at least I still see it

today with messages on like my phone.

Right.

You go to the wrong website and you'll get this thing of

like, your phone has been taken.

Yeah, your phone has been taken over.

We, we know all your things and give us all your money, or we're

gonna, you know, do the thing.

And all you have to do is like close the browser.

Right.

For,

Um, I,

time.

Those were, those were categorized as scareware.

yeah.

Scareware, right?

Yeah.

Yeah.

Um, but I mean, that, that was, so there was that and there was also.

You, you mentioned, you know, in our pre-call you mentioned that there

were, there was some stuff that was kind of easy to like decrypt.

Would that be right?

Yeah, it wasn't, it wasn't, um, you know, asymmetric encryption

that we think of today.

It was more of a, uh, more of a decoder ring type of encryption

Hmm, hmm.

You want, you want to,

was quickest and easiest to implement, I'm guessing.

yeah.

So you th.

overhead, high speed, low drag.

So you, you threw out a couple of terms there.

Let's start with the, the cipher concept.

What are we talking about there?

Well, cipher would be similar to like your de deco, your decoder ring.

Uh, you know, the number one equals the letter A.

Right,

a cipher, you know, it's a

right.

match.

Uh, and that's how a decoder ring works.

You, you, you know, you, you turn your decoder ring until this lines

up with that, and there's your, there's your letter or your number.

I.

Uh, and that's how, uh, initial type, uh, initial ransom type, uh,

encryption happened or, and it wasn't even ransom and just encryption in

general from malware perspective was

Right.

driven.

Right.

And then you, there was the, the second thing that you talked about, well,

actually it was the first thing, but I'm gonna put it as the second thing, which is

you said it wasn't asymmetric encryption, which this gives us an opportunity,

I think, to discuss the difference between symmetric and asymmetric.

Uh, encryption,

So symmetric means that the keys are the same.

Um, so if, if I encrypt something and send it to you.

You already have the, you know, it's, it's your encryption key.

Well, we all share the same key.

It's public

right.

Um, so everybody has the same key.

The only, the only way to maintain integrity and confidentiality is to

make sure nobody else that has that, uh, nobody has the key that shouldn't.

and

Right.

us left the group, uh, and uh, we wanna make confidentiality and integrity, we've

gotta regenerate a key for us to share.

Right.

It's kinda like

And, and.

your, it's kinda like changing the key to your house.

You know, when, when you

Right.

you don't, you, you, you wanna change all the locks.

Right.

you don't know who kept the key, uh, from the, the prior group.

, So if you, when you change the key with symmetric encryption, do you

then have to like re-encrypt the data?

yep.

Okay.

Yeah.

So, um, and the, the real problem, I think with symmetric encryption.

Uh, would be basically communicate like if you want to commu, if I wanna

send you something over email Right.

And, uh, I want to encrypt it, well, how do I get you the key?

Right.

That's, that's a real problem there.

don't send it

email it.

it with the email.

No.

Yeah.

Yeah.

Well, I'll, I'll send it via SMS 'cause that's more secure.

Well, and, and well, it would be better.

Uh, so

Yeah.

that an out-of-band communication.

So you would use a different account or a,

Right,

method, like SMS or

right.

meet in person, or, you know, I would stick it to the bottom of a park

bench or, you know, things like that.

Yeah.

Like I've seen in the spy movies.

Right.

yeah.

Uh, persona, you got anything to jump in there?

I was going to ask about.

Uh, Curtis, I think you kind of touched on it, so symmetric encryption, when

you rotate the key or change the key.

Everything moving forward would be encrypted using the new key, which

means that that previous person, in your example, Mike, who left the group, would

no longer be able to decode the new data because they don't have access to the key.

if they wanted to ensure that the person who left the group also doesn't

have access to the old data, then they would also have to re-encrypt

or decrypt the data first, and then re-encrypt using the new key.

Correct.

Correct.

Yeah.

is, that is a, even though it's, it's a difficult math problem,

it's, it's a lot less difficult than asymmetric encryption math problems.

Gotcha.

Gotcha.

It's because it's a matter of like, you just need to know the key.

Right.

It's easier

and obvi.

one key than it is the combination of two keys.

Oh, right.

Yeah.

Good.

So, all right, so let's talk about what's next.

Uh, the, the asymmetric encryption.

So asymmetric means the, the two different halves are different, right?

So, uh, you know, you've, you've got a, you've got a square on one side and a

circle on the other that's asymmetric.

And, essentially it, so the other, the other term for that

is public private key encryption.

I encrypt something with your public key and, and or your.

Public key and my private key,

Mm-hmm.

you get it, you decrypt it with your, with my public key and your private key.

Right.

long as our private keys are, kept safe, that communication, uh,

uh, can be relied upon as far as integrity and, and confidentiality.

But if I can, if I can steal your private key, I can decrypt

everything that Mike sends to Curtis.

If your private key is compromised, uh, I can decrypt that.

Well, with regards to ransomware, the victim is the public key.

So I've deployed ransomware in your environment.

I put the public key in that environment, or I use, I created a public key and then

the private key is held on the command and control server by the bad guys.

And this goes back to, um, you know, early days of ransomware and why.

Why you had to pay the ransom within a certain period of time that that private

key lived on a server that was being rented a botnet for that period of time.

So after 72 hours is up, the botnet goes away, and so does that private key that

would be needed to decrypt your stuff.

And if you never, or if you lost access to the private key, you

could never decrypt that data.

Right?

That's sort of the strength of.

Asymmetric encryption, correct.

I wouldn't say never, but yeah, it's, it's very difficult to, to crack.

'cause for the most part, being human, uh, we're gonna create, and

it, and it does depend on the, the, the tool you use to create your keys.

A lot of times these days it's, you know, all random stuff.

Like, move your mouse around and do this, that and the

other until light turns green.

And then we've created your key.

But some people create their keys based on.

Uh, kind of their approach to passwords, so birthdays and peoples

and dogs and, uh, college football teams and that kind of thing.

Uh, and so, when, when we go about trying to crack encryption, uh, there

are kind of brute force methods, uh, along with like true math.

Um.

Uh, math hacking approaches to cracking passwords or, or keys.

But

Right.

there's, there's a couple of different things to think about

and, and a lot of those are unknown.

So if you created your key and I don't know what you used to create it,

then yeah, it's a lot more difficult for me as, as far as determining my

approach to cracking your encryption.

But if I did know what you used, uh, then I could focus on

those, those type of tactics.

Right.

Uh, interesting.

'cause I, I, I'll just say for the record, even though I understand

everything you just said, and I, and I probably could have given the exact same

Okay.

or definition that you just gave, I have no idea how that works.

Like, just like that's, uh, in terms of like underneath right.

The, the actual coding part.

Right.

Um, so the, so the, with the why.

Did switching to private public key help make ransomware more, uh, prevalent

Resilient.

or, or resilient?

Yeah.

Oh, is it be, is it be, I, maybe you already answered this, that basically

the, the difficulty of guessing two keys is harder than guessing One.

Well, it's the, it's the value of, of the ransom, right?

So if I'm gonna hold you ransom, there's a high likelihood that you're

not gonna be able to recover from it, then I'm more likely to get paid.

So if

Hmm.

that encryption, uh, foolproof or at

Mm-hmm.

for you to figure out within the period of time that I think it, you

know, before it starts to hurt you as a business or a person, you're

more likely to pay the ransom.

So, by increasing my encryption strength by moving to asymmetric, encryption,

the likelihood of you being able to recover without paying me goes down.

Gotcha.

And even with the asymmetric encryption, I think I had read articles where

some of the ransomware actors might have used the same private key

over multiple different victims.

And so like the FBI or any of these other organizations were able to help

other victims, uh, even though by just, uh, gaining access to that private key.

Is that right?

and, and there's a yes, and, and there's a, there's an enhancement to that in

that there are some bad guys or even some, some good guys that put the effort

into decrypting things on their own.

Uh, and so whether the FBI was able to get the key from a, a prior

victim to help future victims, or it was these bad actors or, um.

You know, uh, good actors, white hats or gray hats, uh, that cracked the

password on their own and then shared it.

Because one of the things that we saw early on in the ransomware game was that,

there was competition, uh, for ransomware.

And so you might have, uh, one ransomware actor.

Uh, you know, attacking the, the victims that another ransomware actor wanted

to attack or feeling like they're intruding on their, their business.

And so one ransomware threat actor may crack the, the keys or, or provide a

decryptor for the other ransomware.

And then, and then, and this actually happened, there was, there was a website

put up that said if you're, if you're encrypted by, you know, X gang, um.

Put your files here and we'll

That's, that's interesting.

That's right.

I, I, I had no idea that basically the, the, the com, the competitors,

uh, trying to hurt their competitors, uh, that's crazy actually,

um, that they would do that.

Um, now,

This is my corner.

yeah, it's my corner.

I get it.

So what, um, what about, um.

So as we move forward in time, what was CryptoLocker, when I

say was it's still around, right?

Uh, but how, in terms of the story, what role did Crypto Locker pay?

Uh, well, I think it was one of those, um.

Uh, somebody had to be first,

mm-hmm.

at trying to formalize the ransomware business.

Uh, so there was a lot that, uh, both victims and bad guys

learned from Crypto Locker.

Mm-hmm.

so Crypto Locker reinforced the need to be more diligent with, uh,

So the Crypto Locker taught us a lot from a victim perspective because it made us

more diligent with the emails that we get.

Uh, a lot of Crypto Locker came in fake FedEx emails

about a package, or a delivery.

so that really started, that really kicked off the start of, uh, fishing training.

Mm-hmm.

and making sure that we're clicking on stuff that we expected and, and

reporting things that looked suspicious.

And then on the threat actor side, it, it really taught the bad guys how

not to build a criminal business, uh,

Hmm.

these guys were not very well organized.

They didn't, they didn't cover their tracks.

Uh, they weren't doing the, you know, three and four layers of

anonymity that, that we see today.

simply just rented a botnet.

Uh, they developed some ransomware that did, even though it had

asymmetric encryption, uh, they did not protect their keys very well,

which is, uh, and, and what I mean by that is, uh, eventually when.

Law enforcement, uh, started going after these guys.

The, the capture of their keys was, was fairly quick.

They didn't, they didn't hide them, you know, they weren't, they

weren't, uh, on a USB, you know, underneath a floorboard or anything.

Hmm.

and so, uh, that their organization fell apart within like a year or so.

Do you know if there were arrests made?

there were a lot of arrests made.

Um, I'm trying to remember the name of the.

The, uh, law enforcement campaign.

I think, you know, Curtis, I think you put it in the notes earlier, but it's

like Tovar or something like that.

Operation Tovar.

Uh, so yeah, they, they, there was an international, uh, task

force that went after these guys.

Uh, and it was, uh, about a year later that, um.

Crypto Locker as an organization went down that the ransomware, uh, became

a kind of a starting point for a lot of, uh, other ransomware campaigns.

You know, bad guys are lazy if I can take what you've built and just modify it as a

Right?

Um, and so that's pretty common.

There's a, there's a couple of good graphics out there that show you the,

how ransomware over time branched off into these different variants.

Mm-hmm.

Crypto Locker was one of those first that branched off into, into several.

So

this,

given

ahead.

given that it was sort of one of the first right, that changed

ransomware and the business,

Much money.

Like what was sort of the amount of ransom that they were able

to steal from their victims,

There's

I'm sure back then it was like a very different magnitude than it is today,

just given how prevalent ransomware is so.

Well, and, and they could have done more, but similar to.

Normal approaches to business, you've gotta look at, you know, the

feasibility, who's your customer?

What's the likelihood of, of payment or success, right?

so funny when you talk about like a criminal organization.

So they had to think about this.

So if, if they, if they ransom your stuff and they ask for a million

dollars, what's the likelihood that they're gonna get paid?

Uh, especially, uh, you know, back in the day a lot of the, uh,

infections were on individual devices.

It wasn't like a whole And so the, the value of an individual device versus

crippling a whole company, right?

So, um, crypto lockers ransom was relatively small.

Uh, a couple hundred bucks maybe, maybe I think up to 500.

Uh, and that correlated well with the value of Bitcoin at the time.

And so one of the

Right.

did think about as far as anonymity goes is how do we get paid without

people knowing who they're paying?

And so that's when, you know, the advent of, of cryptocurrencies

kind of kicked some of this off.

But, um, Bitcoin back in the day, you know, was a couple hundred bucks, uh,

a Bitcoin, uh, maybe close to 300.

And, uh, and, and so a ransom for three or 500 bucks, anybody

could go get one Bitcoin.

or it would be relatively easy to get.

And that's interesting too because over time, as the ransom started to go up,

people had to ask for help because I don't know if you know this, but as

individuals you can only get two Bitcoin like maybe every couple of weeks.

So if you get ran, well now Bitcoin's a lot more valuable today.

But let's say back in the day if, if someone asked you for four Bitcoin.

Regardless of the cost just for Bitcoin, you and I could

not do that within 72 hours.

Hmm.

Hmm.

Like I could go get two and then I'd have to call a friend and say, Hey,

I need, I need you to go get two.

then, all right, where, where do we go?

Well, it's usually not a good part of town.

know, it's a bar somewhere that has a Bitcoin machine on the

counter next to the bathroom.

how they do drug transactions these days.

Uh, but yeah, it, there's, there's a whole logistics behind and, and marketing

and sales strategy behind ransomware.

Fascinating.

Um, so if, if Crypto Locker was, like you said, it was the first, but then

they shut down the, the organization, it sounds like, uh, the main role that it's

played here in, in the history is that.

We, we can look, you know, or the bad guys were able to look at that and

said, okay, there's what not to do.

Let's do, let's do something slightly different than that.

Let's take what we can do.

Let, let's take the, the crypto, you know, part of it, right?

So that we can get paid anonymously, semi, semi anonymously.

And let's do that.

The, the, the asymmetrical asymmetric encryption.

Um, and.

But don't but be better at hiding our secrets as we're part of it.

Does that sound about right?

It is.

And, and then just add to that the, um.

Um, the integration of the botnet.

So the, again, bad guys learn some things here too.

Mm-hmm.

utilizing the botnet, you know, it's, that is a layer in your anonymity and,

and, and definitely a component for your,

the, the management or the command and control of your ransomware.

Uh, but there was some lessons learned there about how best to do

that and who to work with, like Zeus.

Uh, the Zeus botnet is who?

Locker used.

Uh, and they became pretty widely used after this, that they were,

Hmm.

were, they were common, uh, but they kind of made them a name for themselves as

a, as a platform from which you can, you can start to these ransomware attacks.

Uh, and they started to improve their service and their support, uh, for

those types of attacks after this one.

Feature requests.

So, uh, again, for, for those that are, you know, this is

definitely a foundational episode.

Do you want to discuss what a botnet is and you know how that, you know?

Well, there you go.

Sure.

Uh, so, so a botnet is a, is a network of bots and a bot is short for robot.

Uh, and a robot is a computer that you and I use, or, or maybe it's a company

or, uh, an entire school district.

It's somebody else's computer.

That bad guys have compromised added it to their network of

other compromised computers.

It's, it's essentially a peer-to-peer network of if you will, uh, that come

to life whenever, um, uh, bad guys, uh, rent them out, uh, to other threat

Mm-hmm.

And so, you know, I may have

puppet.

uhhuh, I may, I may have, I may have a million compromised

computers around the world.

And Curtis calls and says, Hey, I need, I need 10,000 computers for this thing.

It could be, uh, uh, distributed computing to crack passwords.

Uh, and, and by the way, when I, when I, um.

When I have this bot, uh, botnet developed, I, I inventory all of my

bots so I know the, the type of computer memory processor, all those things.

And so I can actually, um, segment or, or virtualize parts of that botnet

based on my client's requirements.

So if I need, if I need 10,000 machines with, you know, eight cores or more.

As far as processing goes and, and how much memory total across all this, uh,

distributed network, then I can, I can build that and rent it by the hour,

uh, by the day, week, month, um, uh, to whoever needs it for whatever reason.

And so, uh, for a while, especially early on, the term for that

would be a a, a botnet herder.

So I'm a bot herder.

Uh, so kind of a shepherd of, of bots, uh, that's kind of a, and, and people in the

industry do the same thing you just did.

It's kind of, they laugh at it and like nobody says that.

Uh, but the textbooks did, uh, they called them bot herders.

Um, and there's a, there's a fascinating, um, paper and I'm, I'm

trying, it's called The Dark Visitor.

it's out on the internet.

It, it was a, it's a declassified military report on the

Chinese hunk, red Hunker Army.

Um, and that was the kind of the first nation state, uh, white paper written,

uh, written by the military on the, on the Chinese, uh, uh, capabilities for

cyber espionage and that kind of stuff.

And in that paper they, they, they call bots, um, meat

chickens or meatier chickens.

So a compromise.

So that's how it,

Me.

it translates in, in, in

because it was written in Chinese.

Right.

Okay.

how it translate.

It translates into a meteor chicken.

So a compromised computer that's part of a bot is a meteor chicken.

That's pretty funny.

So at the beginning of this episode, I mentioned that there

were sort of three phases.

We've discussed the evolution from that very beginning of sort of like scareware.

Up to asymmetric encryption with, uh, CryptoLocker and other lots of copycats.

Um, you know that, that, uh, since then and we had this giant

proliferation of what I'm gonna now call traditional ransomware.

But what has happened is in the last several years is that as people like

me have helped random people, you know, have better backups and be able

to recover from a, from a ransomware attack via a restore, they're like,

well, we gotta do something else.

And they added this concept of, um.

Exfiltration, right?

And then, uh, double extortion.

So they're stealing your data.

And then they're like, well, if you don't, you know, well, you may be able

to restore your data, but if you don't give us this money, then uh, we're

gonna reveal your secrets, which may be intellectual property, or it may be

information that you don't want out there.

Does that sound about right?

It does.

And, and there's even, alternative extortion.

Uh, so, um.

Even more recently, uh, bad guys are going after the people

whose data they took from you.

that could be a client.

It could be a student, and they're saying, Hey, the, the, the company you,

you did business with or your kid goes to school with isn't paying us, but if

you pay me or maybe you need to tell them to pay us, then we won't release

your, your information to the public.

Oof.

So persona, this is a little reminiscent of what happened with LastPass.

Do you remember what happened there?

Yeah.

So the bad actors broke into LastPass, stole the encrypted vaults, and

then they were starting to crack the vaults because they realized people

Okay.

their cryptocurrency key.

Their passphrase in their vaults.

And so they were then going after them in order to drain people's wallets.

Yeah, it's kind of like that different, different, but kind of, you know,

the, the idea of going after.

after the victim.

Yeah.

Going after the victim.

Yeah.

Um, uh, I, I do want to have a moment of silence for the guy that lost his

hard drive with the crypto key in the dump that he's now officially given up.

I dunno if you saw that in the last week or so.

Uh, that guy has officially given up his search for the hard drive

with his crypto key, you know.

For the lack of, for the want of a backup.

Yeah.

It was a lot of money.

Uh, worst throwaway ever.

He threw it away, right?

Yep.

He

Yeah.

So here's a question.

Since those are now gone and not recoverable, does that mean those

bitcoins just sort of linger forever?

I was

Yeah.

Yeah,

He would have to, he would have to, uh, he would've to relinquish them.

And if I was him, I, I would not.

'cause you

yeah,

Yeah.

yeah.

It's a bit like having gold stored in Mount Doom Right

From, from Lord of the Rinks.

Um.

Yeah, like, like you, you know it's there, but nobody's gonna ever be able to get it.

have you guys ever watched, uh, honest Trailers?

Oh, yes.

I love the honest trailers.

Yeah.

Yeah.

did one, uh, this last week on Lord of the Rings.

Oh, did he?

That's good.

Hmm.

I, I, another series I like is how it should have ended.

I dunno if you've saw, if you've seen that series.

So it's, it's a, it's a whole series where they take the ending of movies

and then they're like, well this is how this should have ended.

Um, and the only one I remember and it was, it was a Star Trek.

It was one of the newer Star Trek movies, and they get sucked into like

a black hole in the, in the movie.

And, and I don't remember how they get out of the black hole, but in

the, how it should have ended this, the first of the New Star Treks,

so the, so they were, they picked on this movie a lot, that there were all

these lens flares everywhere on the ship.

And so the, the way that how it should have ended is instead of getting sucked

into the black hole, somebody said, I know, shut off the lens flare generator.

And they did that and then they were able to escape the black hole.

But, uh, yeah, I've seen the honest trailers.

I like that.

I like that.

Uh.

A bit.

A lot.

All right.

I think we've covered, um, you know, some basics of ransomware

don't do ransomware, kids.

Uh, I dunno what, I dunno what to tell you there.

All right.

Uh, thanks everybody for joining.

Persona.

Thanks for joining.

It was, it was good to understand the history, so,

Yeah, thanks.

the history from old people, so.

Yeah, thanks Mike for being another old people.

Sure.

All right.

That is a wrap.