The History of Ransomware

Share :

While often considered a newer threat, and rightly so given its fast-rising dominance among the cybercrime landscape, ransomware is not a recent innovation in the ongoing cyber war. It stretches back decades to the early days of the internet, email, and even floppy discs.

And while those early attacks may not have made the same impact as their contemporary counterparts, their shockwaves helped cybercriminals refine and evolve the tactic to where it is today — a global scourge that accounts for almost half of all incidents and costs organisations millions.

To better understand how ransomware continues to dominate the conversation, it’s important to look at its origins and how it evolved to where it is today.

Take a deep dive into the world of ransomware.

The History of Ransomware

1989-2010: The Development Years

The early days of ransomware were sparse and primitive.

Pre-2010: Ransomware has existed since the 1980’s, with the first recorded attack occurring in 1989. This inaugural attack was known as the AIDS Trojan virus and was released via floppy disk at the World Health Organisation’s AIDS Conference, also making it one of the first instances of major hacktivism. Once the user popped in the disc, they were greeted with a lock screen. If the user tried to re-boot their computer, the disk would count that reboot and once 90 reboots occurred, the malware would encrypt files, demanding payment for the key.

While this attack was notable, it was also an isolated incident. Ransomware in the 1980’s and 1990’s lacked widespread execution or success for several reasons, including lack of interconnected technology in business and an inability for threat actors to easily extract payment.

2006: The first strain to use advanced RSA encryption — Archievus — appears. It was delivered through malware on websites and through spam email, allowing for mass distribution. Additionally, it used asymmetric encryption, which is more difficult to break, meaning users needed an RSA key to unlock their data. The group behind the attack made a mistake causing the strain to have a short lifespan — every user was given a decryption code with the same exact password.

2010 – 2016: Ransomware Enters the Mainstream

Two innovations spurred on ransomware: email and cryptocurrency.

2010: Bitcoin, along with other cryptocurrencies, gain popularity, giving threat actors an avenue for collecting often untraceable digital payments. Because cryptocurrency is distributed and decentralized, threat actors can obfuscate the payments and make them difficult to track while helping them evade law enforcement. Additionally, cryptocurrency, which is almost always Bitcoin in the case of ransomware, can be transferred almost instantly, no matter the amount.

2012: The first instance of ransomware-as-a-service (RaaS) occurs with Reveton ransomware. This malware would impersonate local law enforcement, threatening victims with arrest or criminal charges if they did not pay a ransom. The Reveton operators would sell the malware to third parties as a service, not only innovating the RaaS model seen frequently today, but allowing the ransomware to spread exponentially.

2013: CryptoLocker, the first ransomware to be spread by botnet and social engineering, shows both threat actors and the cybersecurity world how easily ransomware could spread and take over a system. The virus propagated through email attachments that were then spread via the botnet, allowing it to rapidly spread across the internet. In December 2013, it was reported that the group behind CryptoLocker had made over $20 million USD in bitcoin.

2013 –2016: Ransomware explodes in popularity as variants multiply and new targets — such as Mac and Linux systems, as well as mobile devices — appear.

2016 – 2023: Ransomware Grows Sophisticated

The rise of the dark web, cybercriminal networks, and the digitisation of organisations around the globe ushered in a new age where ransomware rose exponentially.

2016: Petya becomes the first variant to overwrite the master boot record and encrypt the master file table within a system, locking victims out of the entire hard drive, faster.

2017: A variant of Petya, NotPetya, made headlines as it was used to target Ukraine, as well as Ukraine-allied countries France, the United Kingdom, and the U.S., during an ongoing conflict between Russia and Ukraine. The NotPetya attacks have been blamed on Russia by experts.

2017: The WannaCry ransomware attack hits hundreds of thousands of devices across more than 150 countries, making it one of the biggest ransomware attacks in history. While the original infection occurred in Asia and happened via phishing, it only took hours for the attack to spread around the globe. This attack is also notable as it exploited a Microsoft vulnerability, called EternalBlue. This is one of the first times threat actors would use vulnerability exploits, an avenue of attack that is now commonplace.

2018: Ransomware starts to utilise data exfiltration, first executed with the GrandCrab RaaS strain, which was integrated with a file-stealing malware to exfiltrate data. The malware was capable of detecting and stealing credentials, files, screenshots, and more.

2019: Leak sites begin to pop up on the dark web, exposing victims to further financial and reputation losses, as well as allowing for stolen credentials and personally identifying identifiable information (PII) to be used in future attacks. While leak sites expose stolen data to others, perpetuating further attacks, they also allow cybersecurity researchers to see which ransomware groups are active and which organisations they are targeting. This threat intelligence has become crucial for developing new defences.

Learn more about different kinds of ransomware and RaaS groups.

2020: Big Game Hunting starts to appear, where cybercriminals specifically target high-earning organisations, such as the tech sector. This trend has become a go-to for threat actors, who now strategically target organisations that have little tolerance for downtime — such as manufacturing — or have been more likely to pay a ransom in the past, like healthcare.

2020: Triple extortion expands as a tactic. This involves ransomware actors, after holding data hostage and exfiltrating it (with the promise to leak it if the ransom isn’t paid), reaching out to an individual’s whose data has been exfiltrated, or threatening the ransomed organisation with a second attack, such as a distributed denial of service (DDoS) attack.

2021-2022: Initial access brokers appear more frequently and start to play a crucial role in the ransomware ecosystem by selling access to networks. Initial access brokers (IAB), who gain access to corporate networks and then sell that access to cybercriminals, help RaaS initiatives expand, as well as help more amateur cybercriminals gain access. For ransomware threat actors looking for access, using an IAB can be more efficient in terms of cost and time.

2023 – Future: Ransomware Operators Continue to Shift Strategies

As cybersecurity evolves alongside the increased involvement of international law enforcement in stopping cybercrime, ransomware operators have had to out-maneuver tools and people, as well as change their tried-and-true tactics.

2023: Several notable instances occurred highlighting how ransomware tactics continue to evolve, particularly in the face of energized law enforcement and new, advanced cybersecurity measures.

Those instances include:

  • In August 2023, the Snatch group claimed they will release details of their attacks against organisations that refused to pay the ransom to demonstrate that the victim’s insurer should not cover the associated costs.
  • In October 2023, LockBit’s leaders overhauled their negotiation model in response to dwindling payments and inconsistent ransom demands among their affiliates.
  • In October and November 2023, Arctic Wolf Labs investigated several cases in which victims of Royal and Akira ransomware were contacted after the original compromise for additional extortion attempts.
  • In November 2023, AlphV representatives claimed to have filed a complaint with the SEC outing a victim that hadn’t filed a disclosure in response to becoming one of the group’s latest victims.
  • In December 2023, AlphV announced plans to “go direct” to the clients of firms it successfully victimises — a tactic that will both increase pressure on the original victim and allow the group to extort additional organisations whose data was indirectly accessed.

2024 hasn’t slowed down the evolution of ransomware. In the beginning of the year, Arctic Wolf predicted that not only will ransomware and RaaS continue to thrive, but data exfiltration will become the norm.

“Based on the success of CL0P, the ransomware group behind the exploit of a zero-day SQL injection vulnerability within MOVEit Transfer, a widely used Managed File Transfer (MFT) application, we will likely see additional threat actors attempt to exploit Managed File Transfer systems and file servers.” – Arctic Wolf Labs 2024 Predictions

We’ve already seen the tactic take sinister turns this year. Scattered Spider, a ransomware group adept at compromising identities to launch massive attacks — as they did during the MGM breach of 2023 — has already targeted dozens of finance and insurance companies this year, even as the FBI works overtime to stop them.

Additionally, previously off-limit sectors like healthcare are now fair game for threat actors. Ascension Healthcare was targeted by ransomware in May of 2024, disrupting operations for the healthcare organisation and their business partners, leaving patients, doctors, and more in a lurch.

Explore ransomware, and other threats, in-depth with the Arctic Wolf Labs 2024 Threat Report.
See how Arctic Wolf can help stop a ransomware threat before it becomes a breach.

Picture of Arctic Wolf

Arctic Wolf

Arctic Wolf provides your team with 24x7 coverage, security operations expertise, and strategically tailored security recommendations to continuously improve your overall posture.
Share :
Table of Contents