One of the key reasons that organisations of all sizes can’t take their cybersecurity for granted is that nothing stays still for long. The methods that cybercriminals use to breach organisations’ defences and steal or compromise their sensitive data constantly evolve and grow increasingly sophisticated, and this is especially true of malware. To understand how to protect yourself from cyber threats, you need to understand their history: the evolution of malware.
In this post, we’ll explore how malware has evolved over time, looking at how viruses evolved and how ransomware has evolved as well.
How viruses evolved
1971: The Creeper
The Advanced Research Projects Agency Network (ARPANET), a predecessor to the internet, was launched in 1967 to connect remote computers. Shortly afterwards, in 1971, came the world’s first computer virus: The Creeper. It spread between computers connected to ARPANET, displaying the message “I’m the creeper, catch me if you can!”
However, it wasn’t created with malicious intent; it was more of a proof of concept to see whether the message would spread via ARPANET. The Creeper revealed a key lesson about malware: it is implicitly tied to the network on which it propagates. Consequently, how malware has evolved over time correlates directly with the evolution of computer networks.
Most consider ANIMAL the first example of a Trojan horse. While it presented itself as a game similar to twenty questions, it also copied itself into shared directories. Fortunately, it was only intended as a prank.
1982: The First Mac Virus: Elk Cloner
Elk Cloner was written by a 15-year-old programmer and targeted Apple II computers. The virus spread whenever a computer was booted from an infected disk: it would store itself in memory and wait to copy itself onto a clean floppy disk. On the fiftieth boot, it would display a poem; fortunately, much like The Creeper and ANIMAL, it wasn’t designed to inflict any harm.
1986: The first PC viruses: Brain and PC-Write
The Brain virus was developed by two brothers from Pakistan as an anti-piracy measure against those stealing their proprietary medical software. Despite the lack of internet, it spread through copied floppy disks and quickly reached North America and Europe. Brain was also the first “stealth” malware (malware that could conceal its existence).
The same year also saw the emergence of PC-Write: a Trojan horse virus disguised as word processing shareware. Upon installation, it would erase all of the user’s files.
1988: The Morris Worm
The Morris worm was the world’s first computer worm and the first to receive considerable media attention. It was a notable example of how malware has evolved over time because it both checked for the presence of an existing infection and was programmed for persistence. The Morris worm went on to take down approximately 10% of the 60,000 computers connected to the internet at the time.
Although it was intended as an academic experiment to see whether a program could replicate by itself, the worm’s creator, Robert Morris, became the first person convicted under the US Computer Fraud and Abuse Act.
The first ransomware
1989: The AIDS Trojan
The AIDS Trojan is widely considered the first example of ransomware. It was distributed on infected floppy disks mailed to AIDS researchers. The disk appeared to contain a questionnaire about AIDS but went on to alter and hide the user’s files on the ninetieth reboot. It would then display a ransom demand ($189 for a year or $385 for a lifetime) that victims were instructed to send to a PO Box in Panama.
Who invented malware?
1990: First Use of the Term Malware
Professor and security researcher Yisrael Radai coined the term “malware” for the first time.
How malware has evolved over time
1994 – 95: First phishing attacks
The internet rapidly gained popularity in the 1990s, with America Online (AOL) as the premier internet service provider. Unfortunately, a fledgling generation of cybercriminals used AOL’s chatrooms to create communities to share pirated software and advice on carrying out various scams. Such online communities gave birth to the first phishing attacks.
These initial phishing attacks used algorithms and special programs like AOHell to generate randomised credit card numbers. Cybercriminals used these random card numbers to open AOL accounts, from which they would impersonate AOL employees and send messages to users requesting their account credentials. If the user complied, the scammer would steal their account details, selling them for profit or using them to send further spam.
1999 – 2000: First Botnets
The dawn of the millennium saw the introduction of botnets: groups of compromised computers controlled by a single operator. The first botnet was GTbot in 1999, which used a network of infected computers, called zombies, to launch distributed denial-of-service (DDoS) attacks. The EarthLink botnet, launched in 2000, was more significant, as it sent out 1.25 billion messages: 25% of all email spam that year.
The emergence of botnets marks an important milestone in how malware has evolved over time, as they enabled cybercriminals to control infected devices remotely. They also allowed a group of machines to cooperate as a single, distributed malware application. Worse still, the malware’s logic could now be dynamic instead of fixed: an attacker could continually modify the malware based on their ongoing needs.
2000: The I Love You Virus
One of the most famous examples of malware of all time, the I LOVE YOU virus spread quickly, infecting millions of computers globally within 15 minutes of its release. It was so successful because, once it had infected a device, it would scan the user’s Outlook address book and email copies of itself as an attachment to their contacts. Because recipients received the email from a trusted contact, they too would open the attachment and infect their own computers.
2005: CoolWebSearch and BayRob
Spyware became increasingly prevalent at this time, with CoolWebSearch (CWS) a prime example. Hackers used CWS to hijack Google search results and replace them with their own, which contained malicious links. CWS was also so notoriously hard to remove that ethical hackers and coders volunteered their time to develop free applications that cleared CWS from infected devices.
A few years later, malware called BayRob did something similar: hijacking a user’s search results from eBay and replacing them with fake listings.
2008: The Conficker Worm
The Conficker worm was notable for two reasons. Firstly, for how quickly and widely it spread, infecting devices in over 190 countries: a Conficker variant propagated to almost 20 million machines in January 2009 alone, infecting the UK Ministry of Defence, the French Navy and other institutions along the way. Secondly, and more importantly, some speculated that it was a state-sponsored experiment to test the capabilities of new, secret malware.
2010 – 12: State-Sponsored Cyberattacks
While it was only theorised that Conficker was state-sponsored malware, the same can’t be said for Stuxnet, which was confirmed to have been developed by the US and Israeli governments. Stuxnet was designed to target the Industrial Control System (ICS) devices that controlled industrial (namely nuclear) centrifuges in Iran, causing them to malfunction and resulting in a meltdown.
Other state-sponsored malware that appeared around this time includes Regin, Duqu and Flame.
How has ransomware evolved?
2012: The Evolution of Ransomware
Reveton, also referred to as the FBI Virus, started as a password-stealing program before being redesigned as ransomware. It is a potent example of how malware has evolved over time, as its look and feel are archetypal of modern ransomware: its lock screen informed the user that their machine had been hijacked, stated the ransom amount and gave payment instructions.
2013: CryptoLocker – Cryptocurrency as a Payment Option
Staying on the subject of ransomware, CryptoLocker was the first malware to demand payment in cryptocurrency, in this case Bitcoin. This was an important development for cybercriminals: they no longer had to rely on conventional payment methods, which made it easier to evade detection and capture.
The problem with this approach was that cryptocurrency was still largely unknown in the mainstream, so victims found it difficult to comply with payment instructions.
2016-17: The Shadow Brokers, WannaCry, and Petya/NotPetya
In 2016, a cybercriminal group called The Shadow Brokers breached the US National Security Agency’s (NSA) servers and released secret malware tools the agency had been developing. The most important of these was EternalBlue: an exploit that targeted vulnerabilities in several versions of Microsoft Windows.
Once released, EternalBlue was used by other cybercriminals to develop WannaCry, described as the first “ransomworm”, and its variants Petya and NotPetya. In the UK, for instance, WannaCry devastated the National Health Service (NHS), causing almost 20,000 cancelled appointments, leaving 600 GP surgeries without functioning computers and forcing five hospitals to divert ambulances elsewhere.
2019: GandCrab – Ransomware as a Service
The cybercriminal organisation GandCrab ushered in a new era of malware by providing ransomware to aspiring hackers for a fee. This established the model now known as Ransomware-as-a-Service (RaaS), which allowed GandCrab to distance itself from the actual cyberattacks and, more importantly, generate more revenue. Other notable examples of RaaS inspired by GandCrab include BlackCat, BlackMatter, Conti and LockBit.