The history and evolution of ransomware

Ransomware has evolved from a malicious floppy disk demanding $189 in ransom to a multibillion-dollar criminal industry with ransomware for rent, sophisticated techniques and big-name victims.

Headlines today are filled with news of the latest ransomware attacks. Individuals and companies continue to fall victim to this crime -- and it's far from a new phenomenon.

A problem that began with floppy disks distributed via snail mail changed with the tide as the internet and then blockchain technologies and cryptocurrencies took the world by storm.

Cybercriminals' methods have changed over the years, yet the premise remains the same: Attackers target vulnerable victims, block access to something the victims need and demand a ransom to reinstate access.

Let's look at the history and evolution of ransomware to fully understand how it became the ubiquitous threat it is today.

1989: The beginning of ransomware

Believe it or not, ransomware has been making its mark for more than 30 years.

Following the World Health Organization's AIDS conference in 1989, Joseph L. Popp, a Harvard-educated biologist, mailed 20,000 floppy disks to event attendees. The packaging suggested the disk contained a questionnaire that could be used to determine the likelihood of someone contracting HIV.

At the time, there was little reason to believe the disks were sent in bad faith. After all, the package came from an accredited researcher. And who had ever heard of ransomware before?

AIDS Trojan ransom demand (screenshot)

After making its way onto victims' systems, the malware, dubbed the AIDS Trojan, used simple symmetric cryptography to scramble file names on the hard drive and hide directories, leaving users unable to find or open their files. A message appeared on users' screens demanding they mail $189 to a P.O. box in Panama in exchange for a "license" that would restore access. Because the scheme was so simple and the key was embedded in the malware itself, IT specialists quickly produced a recovery tool, which enabled victims to regain access without paying the ransom.

Popp probably made little money -- just consider the cost of shipping 20,000 disks across the globe, along with the hassle of mailing payment to Panama. But his idea would eventually develop into a multibillion-dollar industry and cause him to be named the "father of ransomware."

Ransomware returns as the internet booms

Ransomware took a nearly 15-year hiatus after Popp's AIDS Trojan. It reemerged in the early 2000s, as the internet became a household commodity and email became a way of life.

Two of the most notable ransomware attacks at the start of the internet era were GPCode and Archievus. Unlike much of today's ransomware, threat actors then focused on quantity over quality, attacking multiple targets and requesting low ransom fees.

2004's GPCode infected systems via malicious website links and phishing emails. It used a custom encryption algorithm to encrypt files on Windows systems. The attackers requested as little as $20 for a decryption key. Fortunately for victims, the custom encryption was weak enough that researchers could recover files without paying.

By 2006's Archievus, ransomware authors understood the importance of strong encryption. It was the first strain to use 1,024-bit Rivest-Shamir-Adleman (RSA) encryption, which could not be broken directly. The authors blundered elsewhere, however: every infection used the same unlock password. Once victims discovered and shared it, Archievus was neutralized and fell out of favor.

While GPCode and Archievus were revolutionary for their time, they were rudimentary by today's standards.

Ransomware goes mainstream

The early 2010s saw the emergence of locker ransomware, stronger encryption algorithms and the newly created concept of cryptocurrencies. This period in the evolution of ransomware was shaped by several variants, including Trojan WinLock, Reveton and CryptoLocker.

Around 2010, WinLock emerged as one of the first locker ransomware strains, a variant that does not encrypt anything but instead locks victims out of their devices entirely. The malware infected users through malicious websites and demanded payment by premium-rate SMS to unlock the screen.

2012's Reveton is widely credited as the first ransomware as a service (RaaS) -- a model in which affiliates with limited technical skills rent ready-made ransomware from its developers, typically through underground forums. Starting with Reveton, the ability to infect victims with ransomware was brought to the masses. Reveton displayed fraudulent law enforcement messages that accused victims of committing a crime, and the attackers threatened victims with jail time if they didn't pay the "fine."

Reveton originally collected payment through prepaid voucher services such as Ukash and Paysafecard, and later variants were among the first ransomware to demand bitcoin. Cryptocurrencies, which began with bitcoin in 2009, transformed the ransomware game, enabling threat actors to collect ransom payments easily and pseudonymously, without a bank or payment processor that could freeze the funds.

In 2013, CryptoLocker appeared, using 2,048-bit RSA keys generated per victim on attacker-controlled servers, which made recovery without the private key infeasible. The most sophisticated ransomware example yet, CryptoLocker was crypto ransomware rather than a locker: it encrypted documents and other files but left the system itself usable, the better to display its ransom note. It propagated as attachments to seemingly innocuous emails and through the Gameover ZeuS botnet. Also one of the biggest moneymaking variants of its day, CryptoLocker reportedly earned its operators $27 million in payments within its first two months -- clearly a different league from GPCode's $20 ransom demands.

Ransomware targets grow

Until the mid-2010s, ransomware predominantly targeted Windows PCs because of Windows' large user base. This changed as threat actors began to set their sights on mobile, Mac and Linux devices.

In 2014, SimpleLocker became the first ransomware to encrypt files on Android devices. The strain encrypted images, documents and videos on devices' SD cards. This marked a significant shift in the evolution of ransomware because it opened the door to a new set of victims and attacks.

In 2015, LockerPin, which also targeted Android devices, was released. Rather than encrypt files, LockerPin locked users out by changing the device's screen-lock PIN to a value only the attackers knew. Months later, threat actors released Linux.Encoder.1, the first ransomware to target Linux systems; it went after web servers rather than desktops.

This evolutionary shift culminated in a variant built to run on Windows, Linux and Mac without separate code for each. Ransom32, a RaaS that appeared in 2016, was the first ransomware written entirely in JavaScript, packaged with a bundled runtime so it could execute outside a browser. In principle this let threat actors cast a wider net across all three OSes, although the samples seen in the wild targeted Windows.

Ransomware goes global as techniques evolve

The next phase of ransomware saw continued sophistication in attack techniques, as well as ransomware attacks expanding to a global level.

In 2016, Petya was the first variant to skip encrypting individual files. Instead, it overwrote the master boot record with its own boot code, forced a reboot and then encrypted the master file table. Because the MFT is the index the file system uses to locate every file, this locked victims out of the entire drive in a fraction of the time file-by-file encryption takes.

Three months later, the world was exposed to ZCryptor, which combined ransomware with worm behavior, creating a threat called a cryptoworm or ransomworm. The combination is especially damaging because the malware copies itself to removable drives and network shares, so a single infection can spread to other machines without any further user interaction.

The infamous May 2017 WannaCry ransomware attack hit hundreds of thousands of machines across more than 150 countries in industries ranging from banks to healthcare institutions to law enforcement agencies. It is often referred to as the biggest ransomware attack in history. WannaCry -- also a ransomworm strain -- spread using EternalBlue, an exploit developed by the National Security Agency and leaked by the Shadow Brokers group. EternalBlue targets a flaw in legacy Server Message Block version 1 (SMBv1), CVE-2017-0144, for which Microsoft had released a patch (security bulletin MS17-010) in March 2017, two months before the initial WannaCry attack. WannaCry continues to circulate, and any machine still running unpatched SMBv1 remains exposed to it.

The initial WannaCry attack affected more than 150 countries (map).
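Because WannaCry still circulates, the practical takeaway from the paragraph above is to confirm that SMBv1 is off and MS17-010 is installed on every Windows host you manage. The following PowerShell audit is an added example written for this page, not code from the article or from any vendor. It assumes an elevated session on Windows 8.1 / Server 2012 R2 or later (where the `SmbShare` cmdlets exist), and it takes the MS17-010 KB number as a parameter because the KB differs per OS build; the default value is a placeholder, not a real identifier.

```powershell
# Added example (not from the article): audit a Windows host for the SMBv1 exposure
# that WannaCry abused. Run in an elevated PowerShell session on Windows 8.1 /
# Server 2012 R2 or later. The MS17-010 KB differs per OS build; look up the one
# for this host in the MS17-010 bulletin and pass it in. The default is a placeholder.
param(
    [string]$Ms17010Kb = 'KB0000000'   # placeholder only; replace with the KB for this build
)

$findings = [ordered]@{}

# 1. Is the SMBv1 server protocol enabled at all?
$smbCfg = Get-SmbServerConfiguration
$findings['SMB1 server enabled'] = $smbCfg.EnableSMB1Protocol

# 2. Is the SMB1 optional feature (client and server binaries) still installed?
#    Removing the feature is stronger than disabling the server-side protocol alone.
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
$findings['SMB1 feature state'] = if ($feature) { $feature.State } else { 'not present' }

# 3. Registry override that disables SMB1 on the server side (0 = disabled).
#    Older builds default to enabled when the value is absent.
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$smb1Reg = (Get-ItemProperty -Path $regPath -Name SMB1 -ErrorAction SilentlyContinue).SMB1
$findings['LanmanServer SMB1 value'] = if ($null -eq $smb1Reg) { 'not set' } else { $smb1Reg }

# 4. Is the MS17-010 hotfix for this build installed?
$hotfix = Get-HotFix -Id $Ms17010Kb -ErrorAction SilentlyContinue
$findings["$Ms17010Kb installed"] = [bool]$hotfix

# Print the findings as a two-column report.
$findings.GetEnumerator() | ForEach-Object { '{0,-28} : {1}' -f $_.Key, $_.Value }

# Flag the condition that actually matters for EternalBlue: SMBv1 still listening.
if ($smbCfg.EnableSMB1Protocol) {
    Write-Warning 'SMBv1 is enabled. Disable it unless a documented legacy dependency requires it:'
    Write-Warning '  Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force'
    Write-Warning 'Then remove the feature: Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol'
}
```

Two caveats when reading the output. Recent Windows 10 and Windows 11 builds ship without SMBv1 installed, so "not present" for the feature is the healthy result there; on older builds, a missing `SMB1` registry value means the protocol is still on. And a hotfix check only confirms that one KB is present; a host that has since been reimaged from old media, or that runs an out-of-support OS with no MS17-010 package, still needs SMBv1 disabled outright.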

Beyond bringing new ransomware tactics, such as ransomworms, this period in the evolution of ransomware also notably ushered in the trend of improving existing ransomware with new variants rather than creating new strains.

Goldeneye, a Petya variant that surfaced at the end of 2016, epitomized this. Earlier Petya releases had weaknesses in their key handling that let researchers build free decryption tools; Goldeneye's authors fixed those faults to produce a stronger, more dangerous strain.

Goldeneye's ransom demand (screenshot)

In June 2017, the Petya variant NotPetya emerged. It encrypted the master file table and overwrote the boot record like its forerunner, and it spread across networks using the same EternalBlue exploit as WannaCry together with stolen Windows credentials. Unlike Petya, however, NotPetya's encryption could not be reversed even if a victim paid: the "installation key" it displayed was random and useless for decryption. In effect it was a wiper dressed as ransomware, built to destroy data rather than ransom it.

Ransomware comes of age

The past five years have brought ransomware to its most damaging and destructive stage so far. Two factors have shaped this phase: double extortion and big-game hunting.

Throughout the evolution of ransomware, threat actors have remained motivated by money but have always run the risk of victims refusing to pay. With double extortion ransomware attacks, threat actors both encrypt and steal victims' data. If victims refuse to pay the ransom to decrypt their files -- often because they have backups from which they can restore their systems -- the threat actors can still threaten to publish the data or sell it on the dark web. Backups defeat the first lever but not the second, which gives the attacker leverage either way.

One example of double extortion ransomware is the Maze RaaS, which appeared in 2019 and popularized the tactic by exfiltrating files to an attacker-controlled server before encrypting, and then publishing samples on a leak site when victims balked. As Maze wound down in late 2020, the Egregor RaaS double extortion variant took its place. Interestingly, if victims paid the ransom, the Egregor operators offered advice on how to better protect their systems from future ransomware attacks.

The past five years have also seen the emergence of big-game hunting, a term describing the increase in attacks on larger corporations and public bodies. In earlier ransomware phases, attackers focused on infecting many individual victims. While these smaller attacks still occur today, many attackers now spend weeks or months inside a specific, well-resourced target's network before deploying ransomware, to maximize both the damage and the ransom. Notable recent victims include the city of Atlanta, the city of Baltimore, Colonial Pipeline and JBS USA.

The global COVID-19 pandemic also propelled the spread of double extortion variants, as well as RaaS. In July 2021, the REvil RaaS variant was used in one of the biggest ransomware attacks in history, against the remote-management software of managed service provider Kaseya, which pushed the ransomware downstream to Kaseya's customers and their clients. The REvil gang demanded $70 million for a universal decryptor and claimed to have encrypted more than 1 million systems, though Kaseya and independent estimates put the number of affected businesses at roughly 1,500.

What's next in ransomware?

The questions to ask now include the following

The future may be unknown, but what is known is that malicious actors will continue to refine their methods to become more sophisticated, efficient and effective. Attackers' tactics and techniques will mature, and victims will continue to face locked systems, encrypted files and ransom demands. And, as long as attackers continue to make money, attacks will continue to occur.


This was last published in October 2021
