“My name is Mikko and I hunt hackers,” said Mikko Hyppönen as he opened his InfoSec 2016 keynote in characteristic fashion.
He's the chief research officer at F-secure, a Finland based cyber-security company, and he's worked there for 25 years, or as he put it, “a quarter of a goddamn century”.
Recently, he started volunteering at the international internet archive, a nonprofit devoted to cataloguing the history of the internet. With that quarter century of experience, he was given the task of being the curator of the malware museum.
But looking over those decades of malware shows up something interestingly singular. Simply, “that everything old is new again”. Things that we thought were long-solved so often come back to bite us.
On that note, Hyppönen produced one such artefact: The Aids information trojan. Back in 1989 when AIDS was perhaps a bigger threat than it is today, an AIDS information disk was released.
You could enter your information, answer a number of questions and the program would tell you your potential risk of contracting HIV.
However, the program required payment. If you didn't pay up within one week, the disk would encrypt the files on your computer and stop it from booting. In fact, all you would see on your computer was a message detailing the above and demanding that you pay the fee before you got your computer back.
This was the first known case of ransomware. Then, Hyppönen produced an example of a ransomware message from just a couple of days ago. The message was almost identical, apart from its references to Bitcoin and TOR. That said, Hyppönen is “27 years of difference”.
Macros are another problem that has hounded security professionals for decades now. Back in the 1990s, the problem of malware within macros was solved with a simple update to Microsoft Office.
Microsoft simply turned macros off by default and for the most part, the problem was fixed. That certainly wasn't the case when the BlackEnergy APT group turned off the power to hundreds of thousands in Ukraine late last year. The group infected a power company with malware embedded in the macros of a word document.
When prompted to ‘turn on macros', the unfortunate recipient of that email clicked the button. It's no longer that much of a problem for cyber-criminals now that people will quite happily turn on macros without a second thought.
We see recurrences not just in the malware but in the behaviours of those who deploy it. There are, said Hyppönen, over 110 different ransomware families, each one tied to a different gang.
“They are kind of like businessmen,” said Hyppönen. They compete, they invest in product development and they look for gaps in the market.
Which might explain KeRanger, the first piece of ransomware for the Apple Mac - a successful malware if only because it is the sole piece of ransomware for Mac.
Some even have dedicated customer service. They run support forums with ticketing systems, helping their victims to pay the ransom and even cutting the price when they say they can't pay.
Make no mistake, these gangs might look legitimate if not for the fact that of their ultimate illegality. They rake in hundreds of millions, “whether you're speaking about dollars or euros or pounds”.
And in business terminology, they might be called a “cyber-crime unicorn”.