The history and evolution of ransomware
Ransomware has evolved from a malicious floppy disk demanding $189 in ransom to a multibillion-dollar industry with ransom for rent, sophisticated techniques and big-name victims.
Today's headlines are filled with news of the latest ransomware attacks. Individuals and companies continue to fall victim to the crime -- and it's far from a new phenomenon. A threat that began with floppy disks distributed via snail mail changed with the tide as the internet and then blockchain technologies and cryptocurrencies took the world by storm.
Cybercriminals' methods have changed over the years, but the premise remains the same: Attackers target vulnerable victims, block access to something the victims need and demand a ransom to reinstate access.
Let's look at the history and evolution of ransomware to fully understand how it became the ubiquitous threat it is today.
1989: The beginning of ransomware
Believe it or not, ransomware has been making its mark for more than 30 years.
Following the World Health Organization's AIDS conference in 1989, Joseph L. Popp, a Harvard-educated biologist, mailed 20,000 floppy disks to event attendees. The packaging suggested the disk contained a questionnaire that could be used to determine the likelihood of someone contracting HIV.
At the time, there was little reason to believe the disks were sent in bad faith. After all, the package came from an accredited researcher -- and no one had ever heard of ransomware before.
After making its way onto victims' systems, the malware, dubbed the AIDS Trojan, used a simple symmetric encryptor to block users from accessing their files. A message appeared on users' screens demanding they mail $189 to a P.O. box in Panama in exchange for access to their files. Due to the simplicity of the virus, IT specialists quickly discovered a decryption key, which enabled victims to regain access without paying the ransom.
Popp probably made little money off the scam -- just consider the cost of shipping 20,000 disks across the globe, along with the hassle of mailing payment to Panama. But his idea would eventually develop into a multibillion-dollar industry and cause him to be named the "father of ransomware."
2000s: Ransomware returns as the internet booms
Ransomware took a nearly 15-year hiatus after Popp's AIDS Trojan. It reemerged in the early 2000s, as the internet became a household commodity and email became a way of life.
Two of the most notable ransomware attacks at the start of the internet era were GPCode and Archievus. Unlike much of today's ransomware, threat actors then focused on quantity over quality, attacking multiple targets and requesting low ransom fees.
2004's GPCode infected systems via malicious website links and phishing emails. It used a custom encryption algorithm to encrypt files on Windows systems. The attackers requested as little as $20 for a decryption key. Fortunately for victims, the custom encryption key was fairly straightforward to crack.
By 2006's Archievus, ransomware authors understood the importance of strong encryption. It was the first strain to use an advanced 1,024-bit RSA encryption code. The ransomware authors failed to use different passwords to unlock systems, however. Victims discovered the blunder, and Archievus fell out of favor.
While GPCode and Archievus were revolutionary for their time, they are rudimentary by today's standards.
Early 2010s: Ransomware goes mainstream
The early 2010s saw the emergence of locker ransomware, stronger encryption algorithms and the newly created concept of cryptocurrencies. This period in the evolution of ransomware was shaped by several variants, including WinLock, Reveton and CryptoLocker.
In 2011, WinLock emerged as the first locker ransomware, a variant that completely locks victims out of their devices. The nonencrypting malware infected users through malicious websites.
2012's Reveton was the first ransomware as a service (RaaS) -- a rental service that gave cybercriminals with limited technical skills the ability to purchase ransomware on the dark web. Reveton displayed fraudulent law enforcement messages that accused victims of committing a crime. The attackers threatened victims with jail time if they didn't pay the ransom. Starting with Reveton, the ability to infect victims with ransomware was brought to the masses.
Reveton was also notably one of the first ransomware attacks to demand payment in bitcoin. Cryptocurrencies, which began in 2009, transformed the ransomware game, enabling threat actors and victims to transfer ransom payments easily and anonymously.
In 2013, a ransomware strain using an advanced 2,048-bit RSA key was discovered. The most sophisticated ransomware yet, CryptoLocker was both a locker and crypto variant. It propagated as attachments to seemingly innocuous emails. Also one of the biggest moneymaking variants of its day, the cybercriminals behind CryptoLocker pocketed $27 million in payments within its first two months -- clearly a different league from GPCode's $20 ransom demands.
Mid-2010s: Ransomware sets its sights on new targets
Until the mid-2010s, ransomware predominantly targeted PCs due to Microsoft's popularity and large user base. This changed as threat actors began to set their sights on mobile, Mac and Linux devices.
In 2014, Simplelocker became the first ransomware to encrypt files on Android devices. The strain encrypted images, documents and videos on devices' SD cards. This marked a massive shift in the evolution of ransomware because it opened the doors to a new set of victims and attacks.
In 2015, Lockerpin, which also targeted Android devices, was released. Rather than encrypt files, Lockerpin completely locked users out by changing the device's PIN. Months later, threat actors released Linux.Encoder.1, the first ransomware to target Linux devices.
This evolutionary shift culminated in a new variant capable of attacking Windows, Linux and Mac devices without separate code for each. Ransom32, a RaaS that appeared in 2016, was the first variant based entirely on JavaScript. This enabled threat actors to cast a wider net due to the code's ability to function across all OSes.
In 2016, some of the first proof-of-concept ransomware attacks on IoT devices were presented by security researchers at DEF CON.
Late 2010s: Ransomware goes global as techniques evolve
The next phase of ransomware brought continued sophistication in attack techniques, as well as ransomware attacks expanding to a global level.
In 2016, Petya was the first variant to not encrypt individual files, but rather overwrite the master boot record and encrypt the master file table. This locked victims out of their entire hard drive more quickly than other ransomware techniques.
Three months later, the world was exposed to Zcryptor, which combined features of ransomware with worms, creating a threat called a cryptoworm or ransomworm. This combination is especially damaging due to its ability to discretely duplicate itself across an entire system and any networked devices.
The infamous 2017 WannaCry ransomware attack hit hundreds of thousands of machines across more than 150 countries in organizations ranging from banks to healthcare institutions to law enforcement agencies. It is often referred to as the biggest ransomware attack in history. WannaCry -- also a ransomworm strain -- spread via the EternalBlue vulnerability, an exploit leaked from the National Security Agency. To this day, it targets computers using legacy versions of the Server Message Block protocol -- for which Microsoft released a patch in March 2017, two months before the initial WannaCry attack.
Beyond bringing new ransomware tactics, such as ransomworms, this period in the evolution of ransomware notably ushered in the trend of improving existing ransomware with new variants rather than creating new strains. 2017's Goldeneye, a variant of Petya and sibling of WannaCry, epitomized this. The authors fixed decryption faults in the ransomware's predecessors to build a stronger, more dangerous ransomware strain.
The same year, Petya variant NotPetya emerged. It encrypted victims' hard drives, like its forerunner, but it also incorporated new wiper features that could delete and destroy users' files.
Late 2010s, early 2020s: Ransomware comes of age
By the late 2010s and into the early 2020s, ransomware reached its most damaging and destructive stage so far. Two factors have shaped this phase: extortionware and big-game hunting.
Throughout the evolution of ransomware, threat actors remained motivated by money but often ran the risk of victims refusing to pay the ransom. Extortionware came onto the scene, with attackers not encrypting data but stealing it to blackmail victims. Newly created double extortion ransomware attacks enabled threat actors to both encrypt and steal victims' data. If victims refused to pay the ransom to unencrypt their files -- for example, because they have backups from which they can restore their systems -- threat actors could threaten to make the data public to ensure payment or sell the victim's data on the dark web, a win-win for the attacker.
One example of double extortion ransomware is 2017's Maze RaaS. It performed both a ransomware attack and data breach by extracting files to an external server. Shortly after Maze disbanded in 2020, the Egregor RaaS double extortion variant appeared. Interestingly, if victims paid the ransom, the threat actors offered victims advice on how to better protect their systems from future ransomware attacks.
Big-game hunting, a term describing the increase in attacks on larger corporations, also became more popular. In earlier ransomware phases, attackers focused on infecting many individual victims. While these smaller attacks still occur today, many attackers spend months researching larger, specific or well-known targets to maximize profits. Some notable recent ransomware attack victims include the city of Atlanta, the city of Baltimore, Colonial Pipeline and JBS USA.
In 2020, triple extortion ransomware emerged. In addition to encrypting files and exporting data to try to get a victim organization to pay a ransom, attackers added a third extortion factor -- for example, DDoS attacks against the victim organization; media shaming; or intimidation of the victim organization's clients, employees, customers and/or suppliers into paying ransoms. One example of triple extortion ransomware in October 2020 involved ransomware attackers of Finnish psychotherapy provider Vastaamo sending blackmail requests to the victims of the company's data breach.
The global COVID-19 pandemic also propelled the spread of double and triple extorsion variants, as well as RaaS. In May 2021, the REvil RaaS variant was used to perform one of the biggest ransomware attacks in history. The REvil gang demanded $70 million in ransom to unlock the more than 1 million devices affected in an attack against managed service provider Kaseya.
Between 2021 and 2022, initial access brokers (IABs) started becoming key players in ransomware attacks. IABs are nefarious actors who sell access to networks. Ransomware attackers use IABs and RaaS groups to improve the speed, efficiency and effectiveness of their attacks.
What's next in ransomware?
The evolution and history of ransomware lead us to ask the following questions:
- What will the future of ransomware bring?
- Has it reached its tipping point?
- What will the next big attack vector be?
- Who will the next victim be?
The future may be unknown, but what is known is that malicious actors will continue to refine their methods to become more sophisticated, efficient and effective. Attackers' tactics and techniques will mature, and victims will continue to face locked systems, encrypted files and ransom demands. And, as long as attackers continue to make money, attacks will continue to occur.
