Birth of Ransomware

Ransomware has evolved over time into a significant threat to organizations of all sizes in every industry, with the goal of capturing company assets and files. Wherever there is data, there is an opening for criminals to hold that sensitive information to ransom and then demand payment to release it.

That makes it imperative for every organization to have a plan for preventing and responding to ransomware attacks. To prepare well, however, you also need to understand how ransomware has evolved.

The First Ransomware Attack (1989)

Ransomware is thought to have first emerged with the “AIDS Trojan” attack. It was named after the WHO (World Health Organization) AIDS conference in 1989, where Joseph Popp, a biologist, handed event participants 20,000 infected floppy disks. Once a user had booted up around 90 times, all the names of the user's files became encrypted, and a message would appear asking victims to transfer $189 to a PO Box in Panama. You could use online decryptor tools to remove the ransomware easily.

The First Generation of Ransomware (2005-2009)

There were no prominent developments in ransomware after that first event until 2005, the year ransomware reemerged, this time using secure asymmetric encryption. These early ransomware attacks had two notable contenders: the “GPcode” and “Archiveus” Trojans.

GPcode attacked Windows operating systems with symmetric encryption in the beginning, but after 2010 it started using RSA-1024 to encrypt documents with specific file extensions. The Archiveus Trojan used RSA, making it the first ransomware to do so, and would encrypt all files in the folder titled “My Documents”. You could decrypt them with a thirty-digit password that the threat actor would provide after the ransom payment.

Even though these encryption algorithms were effective, early ransomware used relatively simple code, which meant that antivirus companies could analyze and identify it. In May 2006, the Archiveus password was cracked, as it was found in the virus’s source code. It was the same with GPcode until it turned to RSA, as you could recover files without needing a password, which led cyber-criminals to prefer phishing, hacking, and other threats.

Cryptography Embraced Ransomware (2009-2013)

The “Vundo” virus came into the limelight in 2009; it would encrypt computers and sell decryptors. The virus exploited vulnerabilities in browser plugins written in Java, and would download itself if a user clicked on malicious email attachments. After installation, Vundo would suppress or attack antimalware programs like Malwarebytes and Windows Defender.

A short time after that, in 2010, a new Trojan named “WinLock” emerged. The software was used by 10 hackers in Moscow to lock victims' computers and display porn on them until the victims paid $10 in rubles. The group didn’t last long, as they were arrested in August of that same year, although they had managed to accumulate $16 million from the scheme.

The software was upgraded in 2011 and pretended to be a Windows Product Activation system. The malware demanded a reinstallation of the software, citing fraudulent usage, and would then extort data from the victims.

In 2012, the “Reveton” ransomware emerged as a type of scareware that displayed messages to victims claiming that US law enforcement had detected the user watching illegal pornography. In some instances, it would turn on the user's camera, implying that the user had been recorded in the act, and would demand that victims pay money if they wished to avoid prosecution.

This ransomware had another variant for Mac users, which wasn’t cryptographic. It consisted of nearly 150 identical iframes, every one of which had to be closed, which made it appear that the browser had been locked. As more variants of the ransomware emerged, the recorded number of ransomware attacks also increased around fourfold from 2011 to 2012.

The Prominence of Ransomware (2013-2016)

Towards the end of 2013, a new ransomware known as “CryptoLocker” came into the picture. CryptoLocker was a leader in numerous ways: it became the first ransomware to spread via botnet, but it also used traditional tactics like phishing. It should also be noted that CryptoLocker used 2048-bit RSA public and private key encryption, which made it extremely difficult to crack. CryptoLocker couldn’t be stopped until its associated botnet, “Gameover Zeus”, was taken down in 2014.

Mac’s first major ransomware was discovered in 2014 under the name “FileCoder”, but it was later found to have existed since 2012. The good news is that the malware was unfinished, and even though it would demand payment after encrypting files, it only managed to encrypt its own files.

The year 2014 also saw several non-cryptographic attacks launched on Mac infrastructure, and it was also the year the “Oleg Pliss” attacks emerged, in which threat actors would steal the credentials to your Apple account, log in, and remotely lock iPhones from the account using the “find my phone” feature. They would then demand a ransom to unlock the phone.

Similar to the way Oleg Pliss targeted iPhones, 2014 was also the year mobile devices fell victim to cryptographic attacks, with “Svpeng” targeting Android devices. Svpeng would also send messages containing the ransomware’s download link to everyone in the victim’s contact list.

In 2016, the first successful cryptographic ransomware attack also occurred, called “KeRanger”. It was tied to version 2.90 of the Transmission torrent client, and the ransomware would lock the victim’s computer and demand 1 bitcoin as ransom.

February 2017 saw yet another Mac ransomware called “Patcher” or “Filezip”. It also infected users through torrents, and would pretend to be a crack file for popular software programs like Adobe Premiere CC 2017 or Office 2016. Patcher had a flawed design, which meant files couldn’t be decrypted whether or not you paid the ransom.

CryptoLocker’s success cleared the way for numerous varieties of ransomware. The successor to CryptoLocker was CryptoWall, which emerged in 2014, although it had been in circulation since November 2013. It was spread mainly by spam phishing emails, and by March 2014, CryptoWall was the leading ransomware threat. CryptoWall was extremely tenacious, and various reports suggest that it had caused damages worth $325 million by 2018.

The Beginning of RaaS (2016-2018)

Towards 2016, ransomware variants became more frequent, and the first ransomware-as-a-service (RaaS) variants started emerging: partnerships in which one group writes the ransomware code and collaborates with cyber-criminals who find vulnerabilities in systems. The best known are “Ransom32”, “Shark”, and “Stampado”.

The year 2016 was also notorious for the famous ransomware known as “Petya”. In the beginning, the ransomware wasn’t as successful as CryptoWall, but a newer variant arrived on June 17, 2017, called “NotPetya” to differentiate it from the original versions. The ransomware started in Ukraine and spread throughout the world using the Windows vulnerability “EternalBlue”, which the NSA discovered. The White House estimates that NotPetya caused damages worth $10 billion, and the governments of Australia, the United States, and the United Kingdom have blamed Russia for this malware.

2017 also saw the emergence of a mobile ransomware designed for Android named “LeakerLocker”, which, unlike standard ransomware, didn’t encrypt files. LeakerLocker was embedded in malicious applications on the Play Store and would request elevated permissions. It would display sample data from the user’s phone and claim that it would send the phone’s contents to every person in the contact list if the user didn’t pay the ransom.

One of the most well-known crypto-ransomware strains, “WannaCry”, also started in 2017 and spread through the EternalBlue exploit. It went on to infect around 230,000 computers in over 150 countries and caused damages worth $4 billion. Even though Microsoft had already released a patch for the exploit a couple of months before WannaCry emerged, most users hadn’t updated their systems, which helped the ransomware spread.

The ransomware could have caused more damage if it had not been stopped a couple of days after the attacks started, mainly due to the efforts of Marcus Hutchins. He found that there was a “kill-switch” built into the ransomware, which could be activated. Even though Hutchins played an instrumental role in stopping WannaCry globally, he was arrested and imprisoned by the FBI on other hacking charges. Numerous major governments have blamed North Korea for the WannaCry ransomware.

Ransomware Currently (2020-Present)

Ransomware has continued to threaten businesses worldwide and caused more than $50 million in losses, according to the 2021 Internet Crime Report by the FBI. Apart from the headlines, it’s something organizations of all sizes and in every sector should be wary of. Well-researched, dedicated protocols for what to do in the event of an attack have become part of every company’s security and defense arsenal.

The rise in ransomware has been gradual over the past thirty years, and its popularity has been influenced by the technologies that support it, like malware integration and encryption methodologies. The technologies surrounding it, like the Tor network and Bitcoin, have enabled it to grow from a single tool used by a lone hacker or group into one that is run collectively.


Even though ransomware hasn’t replaced other forms of malware, it has become the popular choice among threat actors, especially due to the lower barrier to entry. In the past, ransomware attacks needed years of penetration testing, development, and cryptography work before execution and would only result in a moderate profit, but RaaS programs today have begun proliferating on underground and illicit web forums, which enable threat actors to partner with ransomware authors cheaply and easily. Apart from that, the RaaS programs are well developed, with technical support, user dashboards, and guides.

In the end, the payoff is also getting bigger, mainly because tools like Metasploit and Cobalt Strike automate advanced penetration testing and illegal communities like Genesis Market provide unfiltered access to corporate networks, making access to corporations easier and ransom demands bigger and more profitable. Integrating data exfiltration with ransomware has also enabled higher ransoms, with the threat of legal action against the victim businesses. All these reasons mean that ransomware will continue growing in both its destructive capacity and its influence.