The History of Ransomware

The History of Ransomware

Brief overview of ransomware – Ransomware Early 2000s cybercriminal gangs appeared to be reaping vast rewards as internet use expanded globally, leaving security researchers feeling helpless against these criminal networks.

This article will examine why ransomware – malware which locks computers and requires payments in exchange for accessing decryption keys – has proven so lucrative for attackers.

Brief history of ransomware

Joseph L. Popp, an evolutionary biologist trained at Harvard, first launched ransomware attacks in 1989 with 20,000 infected diskettes distributed at an international AIDS conference held by WHO. These infected diskettes contained malicious code which concealed file directories on computers while encrypting file names and demanding payment; victims were instructed to send $189 via postal service mail directly to PC Cyborg Corp’s Panama post office box address in Panama.

Crypto ransomware attacks usually encrypt files, while some types also disable system restore and delete or encrypt backups to increase pressure for payment. Non-encrypting ransomware attacks often lock a device screen or flood it with popup ads requiring payment – usually cryptocurrency or another anonymous form – in order to regain access to its victim’s data.

Ransomware’s surge has been driven by virtual currencies’ increased adoption and RaaS kits that enable attackers to deploy attacks without requiring extensive technical knowledge – evidenced by an increase in double and triple extortion ransomware incidents observed by IBM Security X-Force Incident Response teams since 2022.

How Ransomware Attacks Work?

Attackers gain entry to networks through email phishing campaigns with malicious attachments or social engineering techniques. Once in, malware will encrypt data across the system making it inaccessible, then display an on-screen alert demanding payment in order to unlock devices or regain data access.

Encryption ransomware (commonly referred to as crypto-ransomware) is the most frequently encountered type of ransomware. When this kind of ransomware attacks a computer system, an attacker encrypts files so they cannot be read or used without first entering an encryption key into their computer system. They usually demand payment within a specified deadline or the key will be destroyed/revoked altogether.

Scareware and leakware are two other forms of ransomware. Scareware falsely reports a virus infection on the computer and demands payment to remove it; leakware threatens to publish sensitive data online without payment; while cryptocurrency mining malware allows attackers to gain entry and extract money by secretly using computing power to generate bitcoins.

Brief history of ransomware

1989-2014: The beginning of ransomware

The AIDS Trojan, released shortly after the pandemic began, marked one of the early ransomware attacks. Distributed via floppy disc, victims were instructed to mail $189 in order to gain access to their systems again. While this attack didn’t generate many copies itself, it served as an important blueprint for subsequent ransomware campaigns.

Maze and Egregor were an innovative new evolution of ransomware, combining file encryption with threat communication to persuade victims into paying demanded sums. Their attackers threatened to sell or publicize victim data to add an extra sense of urgency and fear into these attacks.

In 2008, hackers created Bitcoin cryptocurrency and quickly employed it in attacks. One type of ransomware known as CryptoLocker (detected by Trend Micro as TROJ_CRYPTRBIT) quickly gained popularity; it encrypted database, web, office files, images, video and text files and demanded payment in Bitcoin; additionally it deleted backup files leaving victims no recourse other than paying their demanded ransom amount in order to recover encrypted files.

2014-2017: Big attacks on ransomware

Attackers use ransomware attacks against businesses to cause both financial and business loss. Attackers threaten data breach reports unless the victims pay a ransom payment; such attacks disrupt productivity, can damage brand equity and lead to litigation; furthermore they require time-consuming root-cause analysis that decreases productivity; restore backup costs can be steep.

GpCode ransomware first emerged in 2004, targeting Windows XP users and demanding payment in Bitcoin as ransom. This malware would remain dormant until powering on 90 times or more; at that point it would activate and encrypt.doc,.xls,.jpg,.java and CAD files before leaving its host computer unattended for up to one week after that event.

Reveton malware emerged in 2011, offering attackers more flexibility and helping ransomware attacks spread rapidly. DarkSide ransomware gangs like REvil and those behind 2021 Colonial Pipeline took full advantage of this model by prioritizing high-profile targets while using sophisticated obfuscation techniques to avoid detection.

2017-2020: Game changer in ransomware

One of the key advances in ransomware during this period was Ransomware-as-a-Service (RaaS). This allowed attackers to rent out their malware for others to use, increasing attacks. Furthermore, RaaS led to cryptocurrency’s rise as decentralized currencies used for paying ransoms.

Ransomware first emerged in 1989 when Harvard-educated evolutionary biologist Joseph L. Popp sent infected floppy diskettes to attendees of the World Health Organization’s AIDS conference. Dubbed PC Cyborg, this Trojan would hide directories on victim hard drives after 90 reboots and demand users send $189 to PC Cyborg Corp’s post box in Panama in order to regain access. However, reverse encryption could easily be accomplished.

Early ransomware variants included Maze and GPCode, which attacked multiple systems while offering low ransom amounts. By 2004, however, cryptoransomware emerged: an attack that encrypted files instead of locking down systems; such variants as Yair, Petya, and CryptoLocker proved highly effective due to their spread via worms, RDP/VPN connections, or email spam campaigns.

2020-2022: Triple extortion of Ransomware

Mid-2021 saw an unfortunate change to the ransomware game: attackers started using triple extortion techniques to add additional pressure points that go beyond merely paralyzing systems and data of businesses.

First, malware encrypts all available information and demands a ransom payment from its victim. If they refuse, malicious actors typically threaten to expose stolen information online if payment isn’t received in time – often by listing individuals or businesses connected to their victim organization within their threat and initiating DDoS attacks against these targets.

Attackers know the value of sensitive data is far higher than its cash flow. To take advantage of this fact, they exploit organizations’ reliance on online services for employee remote connections, student classes, patient appointments and customer orders – services which they rely heavily on for operations.

As such, they have the capability of inflicting significant harm upon businesses through disruption to operations and brand and reputation damage. Even though victims can eventually restore their data from backups, their daily business remains impaired as services cease operations due to disruptions.

2022: Commodity ransomware attack

Once installed, malware begins encrypting files by adding extensions that prevent access. A message then appears stating that access can be restored by paying a ransom – often in bitcoin form – in return.

Attackers target institutions for various reasons. Sometimes it’s an issue of opportunity; universities often feature smaller security teams and have diverse user populations who share files openly. At other times, it may come down to finances: law firms and medical offices may pay money in order to keep news of a breach quiet, while financial institutions often contain large quantities of sensitive data which could be exploited by criminals.

Security controls have advanced significantly, and ransomware variants have evolved from standalone attacks into components of larger extortion campaigns. Attackers increasingly employ RaaS models – creating their own ransomware and selling it to affiliates who in turn independently distribute it – in 2022 LockBit led the pack with successful ransomware attacks, followed by BlackCat and Hive as well as Conti, DarkSide and Rook being active variants.


Encryption tools are powerful security tools, but when misused they can become destructive. Cybercriminals frequently employ ransomware as a weapon against their victims by seizing data hostage and demanding payment in return for decryption keys to restore access to systems or files that were once secure.

As threats increase, organizations must adopt multilayered defense measures to defend themselves and ward off attacks or contain incidents.

Attackers typically spread ransomware through emails with malicious attachments or links, exploiting software vulnerabilities, or through social engineering techniques. Early identification can reduce both impact and cost associated with recovery; existing organizational detection and prevention systems and logs should be checked for signs of precursor “dropper” malware or variants; behavioral detection can detect unusual activity like large file encryptions and network connections to suspicious domains and provide more accurate depictions of damage than just using malware signatures alone.

Sam is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.