The History of Ransomware: Where It’s Been and Where It’s Going

Ransomware is nothing new. In fact, it’s been around since 1989. Our 2023 Third Party Breach Report found that ransomware accounted for 27% of all third-party breaches last year. These results mean that ransomware causes more than 1 in 4 third-party breaches. We can combine this with a recent report on Who’s Who in Ransomware that predicted ransomware attacks would occur every two seconds by 2031. With these stats in mind, it should be clear – ransomware is an ongoing threat in the cybersecurity industry.  

The answer could be in the past when thinking about how to get ahead of ransomware attackers. Studying the history and evolution of ransomware can tell us much about how to protect organizations from ransomware now and in the future.

The history of ransomware

Ransomware has been making headlines since 1989. While this isn’t a complete history, here’s what we would consider the significant events in the origin and evolution of ransomware. Buckle up; it’s a wild ride:

• 1989: The first known instance of ransomware occurs.
• • Joseph L. Popp, a Harvard-educated evolutionary biologist, creates the AIDS Trojan/PC Cyborg virus. Popp mails floppy disks to attendees of the World Health Organization’s (WHO) International AIDS conference. The disks contain symmetric cryptography to encrypt file names on the users’ computers.
  • No one knows Popp’s motivation, but some think it is retaliation for being denied a job with the WHO. Victims mail a $189 payment to a P.O. Box in Panama to access their encrypted files and receive a second floppy disk containing the encryption key. 
  • Ransomware at this time targets individuals and follows the rise of the personal computer.
• 2005: Modern ransomware hits the scene. 
• • Ransomware threat actors create GpCoder/GPCode, an early “crypto ransomware” type, in May 2005. For this type of ransomware, attackers encrypt the victim’s files via an email spam attachment. GpCoder/GPCode relies on a custom symmetric encryption technique growing in popularity but easy to defeat due to weak encryption and unsophisticated infection methods.
  • Locker ransomware like Trojan.Winlock also appears during this time. This type of ransomware skips file encryption and instead displays images (risque or otherwise). Removing the images requires a ransom payment via text or premium-rate phone call.
• 2011: Ransomware grows in scale and variety.
• • Around this time, the birth of Bitcoin and anonymous payment services triggers tremendous growth in ransomware attacks. Bitcoin and other cryptocurrencies are easy and untraceable ransom payment forms, which makes ransomware an especially attractive form of attack for budding threat actors.
  • Attackers develop 30,000 new ransomware variants in the first quarter of the year and another 30,000 in the second quarter. By the third quarter of 2011, more than 60,000 new variants exist.
• 2016: Rise of ransomware as a service (RaaS).
• • RaaS is now the most popular business model for ransomware actors. Ransomware actors produce and sell variants in packages that often include support from the ransomware developer. Specialized hacking knowledge is no longer required, just money and a grudge.
• 2021: Ransomware disrupts critical infrastructure.
• • Ransomware group DarkSide targets Colonial Pipeline. The 5,000-mile oil pipeline crosses most of the United States and supplies nearly half of the oil used on the East Coast. DarkSide leverages a single stolen password and legacy VPN without multi-factor authentication to hack into the pipeline’s systems and steal over 100GB of data.
  • The ransomware group demands a cryptocurrency ransom equivalent to over $4 million, and the pipeline shuts down briefly. Though Colonial Pipeline pays the ransom, the company launches a security investigation and, due to the pipeline’s importance, notifies the FBI and other government organizations. As a result, the organization recovers $2.3 million of the ransom, and DarkSide apologizes and disbands. 
  • After this attack, ransomware gangs back away from attacks targeting critical infrastructure unless politically motivated. The Colonial Pipeline attack serves as a lesson to ransomware attackers to avoid targets that draw the attention of law enforcement.
• 2021-Present: Ransomware continues to grow in sophistication.
• • In the past couple of years post-COVID, we’ve seen a decrease in the number of attacks, but the amount of ransom requested in attacks is on the rise. Also, attackers are more organized and have moved from targeting individuals to corporations and government entities.

Recent global game changers in the ransomware story

Outside of the events above, when we ask security experts which recent trends are shaping the ransomware industry, here’s what they say:

Ten years ago: Individuals as ransomware targets

Ransomware in the early 2010s primarily targeted individuals and was triggered by the rise of the personal computer. Since ransoms were low and mainly directed at targeted individuals, ransomware wasn’t considered a large enough problem to warrant the attention of governments and regulatory bodies. 

Ultimately, this focus on individual attacks allowed ransomware to fly under the radar and flourish. Ransomware threat actors had time to learn from the rudimentary attacks of the late 80s and early 90s and iron out those flaws to discover more sophisticated variants. Had these attacks been bolder and more organized in the beginning, they may have attracted the attention of government agencies. These agencies would have had an opportunity to squash ransomware attacks before threat actors and their techniques could evolve.

Five years ago: Global ransomware threats enter the scene

We know that the shift from targeting individuals to corporations came with the rise of Bitcoin and other cryptocurrencies. Two events, however, announced the global change and demonstrated the impact of fast-spreading, more sophisticated ransomware.

WannaCry was a global epidemic in 2017 that spread through Microsoft Windows. In this attack, threat actors encrypted user files and demanded a Bitcoin ransom. The attack, which affected over 230,000 computers globally, thrived on outdated computer system usage and the failure of users to update their software.  

WannaCry demonstrated the importance of updating software and operating systems and brought additional attention to the rising impact of ransomware. 

The NotPetya ransomware attack also occurred in 2017. At the time, NotPetya was considered “The fastest propagating piece of malware.” The virus, released by Russian-based hackers, irreversibly encrypted master boot records on computers and is widely considered an act of cyberwar. The effects of NotPeta were significant: Corporations reported over $10 billion in total damages and experienced widespread business disruption. For example, global conglomerate Maersk disconnected its entire global network for over two hours.

These incidents paved the way for threat agents to shift from targeting individuals to corporations and government entities. WannaCry and NotPetya also demonstrated the capabilities of ransomware and the ability of these attacks to affect global operations for organizations, governments, etc.

The future of ransomware

Nowadays, ransomware evolves quickly. The rise of RaaS continues to fuel the creation of new ransomware variants. Security experts believe that RaaS will dominate the ransomware landscape as long as it remains the most profitable business model for threat actors. Reportedly, REvil developers earned $100 million in a year on their RaaS offerings. 

Additionally, variants are becoming more sophisticated. Experts believe that the large ransoms collected by ransomware groups will give groups the funds to leverage AI and machine learning (ML) technologies to power their ransomware. For example, the now-defunct group Conti collected $182 million in 2021. Large payouts like this are certainly enough to purchase the latest and greatest in these technologies.  

What does AI- and ML-powered ransomware look like? Ransomware defenders already use both technologies to detect and respond to ransomware. But threat actors can also use the same technology to automate the ransomware development process. Automating the development process can accelerate the number of variants produced and dramatically increase the number of victims targeted in each attack.

In the future, security professionals must consider how AI and ML will influence ransomware and developments in the RaaS business model.

Black Kite’s ransomware evolution

For years, Black Kite’s Ransomware Susceptibility Index® (RSI™) has helped organizations gauge their likelihood of experiencing a ransomware attack. RSI™ ratings collect data from various sources and transform it through ML and data analysis. Then, Black Kite assesses a company’s security posture and the likelihood of attack through the lens of technical and non-technical indicators. 

As ransomware evolves, Black Kite updates its RSI™ ratings to reflect changes in ransomware techniques, socio-political events, targeted industries, etc. For example, Black Kite recalibrated its RSI™ indicators when the Russia-Ukraine War began to account for regional risk. This recalibration gave U.S. and European organizations considered targets for Russian threat actors higher-than-average RSI™ ratings. 

Black Kite also began tracking and collecting stealer logs last year. Threat actors use stealer logs to identify, extract, and collect valuable data from victims. The stolen credential data from the logs are sold and distributed to threat actors to gain access to organizations’ networks. By tracking these logs, Black Kite can accurately assess an organization’s chances of being attacked based on the illegal distribution of its credential information. 

Black Kite will continue to develop and refine the RSI™ rating process to keep abreast of ransomware developments.

When it comes to ransomware: know your risk

Since bursting onto the scene in 1989, ransomware has evolved to become one of the leading worries in today’s digital landscape. With higher ransoms, more variants, and an increase in high-profile attacks, organizations are understandably concerned.

From the start, cybersecurity experts evaluated the responses of individuals, security specialists, and organizations when examining ransomware attacks for clues to build stronger security postures in the present and the future. At Black Kite, we believe it’s important to track the evolution of technology in ransomware and your organization’s (and vendors’) susceptibility to attack. After all, ransomware isn’t going anywhere and protecting your organization against production, reputation, and revenue losses has always been the goal.