Guest blog: TotalAV uncovers the world’s first ransomware

Posted on Sep 12, 2019

In a guest blog post by VB2019 Silver partner TotalAV, Matthew Curd, the software’s Technical Expert, considers the changes in the cybersecurity landscape.

Rediscovered in an old storage box amongst a collection of old magazines, a five-and-a-quarter-inch floppy disk dated 1989 was brought into the office in late June. The disk, older than some of the staff, contains one of the first trojan horses and pieces of ransomware ever documented. Back in its day, the disk was distributed as a giveaway on the front of a computer magazine, with the design leading the reader to believe the contents related to the AIDS virus, including information on scientific research. In fact, the program on the disk would count the number of times the computer was booted and, once it reached 90, it would hide directories and encrypt files – holding the user to ransom for their release.


Potentially thousands of people received the disk around the world, and witnessed what is believed to be the first ever case of ransomware. Today, the AIDS disk is a sought-after piece of security memorabilia and has been framed for display in our office.

Fifteen years ago, instant messaging platforms burst onto the market and brought with them new cybersecurity challenges. Previously, users could not immediately share files with one another. Today, with multiple platforms outside of email such as Facebook Messenger, WhatsApp and Instagram, the volume of file sharing, and with it the potential for breaches, has increased enormously. As well as this large target audience for cybercriminals, financial information will soon be included within the platforms, as Facebook pushes forward with the development of its own cryptocurrency.

With web usage on mobile devices overtaking that of desktop and laptop use, cybersecurity threats have started to shift to mobile and tablet devices. We expect to see 20 billion Internet-connected devices by 2020, a figure that is rapidly increasing due to the Internet of Things (IoT). The scale of opportunity for hackers here is not yet fully understood, but the shift in cybercriminal activity in the last 5-10 years from data theft to data manipulation is a concern when the level of user reliance on these devices is considered. The fact that the data is often in the hands of many private enterprises, device manufacturers, cloud providers and third parties accessing it via an API creates more target points for cybercriminals.

In the years to come, the ongoing debate and cultural changes will likely lead to changes in requirements within the industry. Subjects like the use of personal data by marketing, freedom of speech and the experience of net neutrality will bring users to look for digital solutions.

With the landscape changing, and users slowly moving away from Microsoft Windows, threats will inevitably change. The blocking at source of dangerous websites and the spotting of phishing attempts will only become more important in the industry.

At TotalAV we believe that blocking the first point of contact with online threats will continue to be the best way forward. Users are getting used to seeing false positives and unnecessary PUA (potentially unwanted application) definitions, and the security of their digital life is reduced as users become complacent about real-time and scheduled anti-virus scans. This is why we are developing a dynamic URL blacklist, for which we aim to crowd-source data initially, while also investigating machine learning to accompany our efficient WebShield blocks.

Through this structure, our goal is to provide education to help keep users secure. The emphasis on real-time blocking and PUAs has created a minefield where all kinds of programs are blocked, varying from one AV provider to another, and user machines are impeded by the huge overheads of real-time protection. Encouraging users to understand the threats out there, and the consequences of accessing things for free (at the cost of security or privacy), is the next logical step in a world where user data grows larger and increases in value day by day.
