How has ransomware evolved over the years?

Learn about ransomware’s evolution from basic attacks to sophisticated threats and discover the essential defences against it.

Soham Bakore, Cyber Security Analyst at Cognisys

7th November 2024

What is ransomware?

Ransomware is malicious software that restricts system access or encrypts data until a ransom is paid. It has undergone significant changes since its emergence in 1989. It has grown more sophisticated over the years, with its methods and objectives adapting to the expanding digital environment.

Early beginnings: The AIDS Trojan (1989)

The first recorded ransomware attack, known as the AIDS Trojan or P.C. Cyborg, was introduced by Joseph Popp in 1989. Popp sent approximately 20,000 floppy disks to attendees of the World Health Organisation’s AIDS conference, claiming the disks contained research information. However, after the infected system was rebooted 90 times, the malware would hide files and demand $189 in ransom, payable to a P.O. box in Panama. This attack was crude and relatively easy to overcome because it used symmetric cryptography, eventually allowing security experts to develop tools to decrypt the files without paying the ransom.

Despite this early appearance, ransomware did not become a widespread threat for years. Its slow adoption in the 1990s can be attributed to limited internet access and connectivity. However, the stage was set for ransomware to evolve in the coming decades as the digital landscape grew.

The rise of modern ransomware: The CryptoLocker era (2013)

Ransomware took off in the early 2010s, with the emergence of CryptoLocker in 2013 marking a pivotal moment in ransomware history. This malware represented a significant evolution, using more robust encryption that made decryption without paying the ransom nearly impossible. CryptoLocker’s success can be attributed to two key factors: the widespread availability of Bitcoin for anonymous payments and the use of the Gameover Zeus botnet to distribute the malware.

Unlike earlier ransomware, CryptoLocker demonstrated the financial potential of encrypting files and demanding ransoms, kicking off what many called the “Gold Rush” of ransomware. Although the original CryptoLocker was shut down in 2014 through a coordinated effort between law enforcement and cyber security companies, its success spurred the development of numerous copycats, accelerating the spread of ransomware.

Ransomware-as-a-service (RaaS): 2016 onward

As ransomware operators became more organised, the Ransomware-as-a-Service (RaaS) concept emerged. Similar to legitimate software services, RaaS allowed attackers with little technical knowledge to “rent” ransomware from more experienced cyber criminals. This significantly lowered the barrier to entry for ransomware attacks and fuelled an explosion of incidents from 2016 onwards.

The WannaCry outbreak in 2017 showcased the scale of damage that could be caused. Using an exploit known as EternalBlue (developed by the NSA and leaked), WannaCry spread rapidly across the globe, affecting hundreds of thousands of computers in over 150 countries. The malware encrypted files and demanded ransom payments in Bitcoin. Despite its destructive nature, WannaCry was poorly executed, and many victims could not recover their data even after paying the ransom.

Big game hunting: Targeting high-value organisations

By 2020, cyber criminals had transitioned from indiscriminate attacks to more focused efforts, a tactic called big game hunting (BGH). Rather than hitting large numbers of small victims, cyber criminals concentrated their efforts on high-value organisations such as hospitals, corporations, and government agencies, where the potential for a substantial ransom was significantly greater. This approach frequently required weeks or months of careful planning and preparation before the ransomware itself was deployed.

In addition to encrypting data, attackers started employing a double extortion strategy: stealing sensitive information before encryption and threatening to publish it if the ransom was not paid. This added a further layer of pressure on organisations to meet the demands.

One notorious example of this evolution was the DarkSide ransomware attack on Colonial Pipeline in 2021, which caused widespread fuel shortages across the Eastern U.S. The attack highlighted how critical infrastructure could be crippled by ransomware, pushing the threat into the mainstream media.

The future: evolving tactics and increased collaboration

Today, ransomware is continuing to evolve. Ransomware gangs have become more sophisticated, often operating like businesses, with customer support for victims and collaborations with other criminal groups. Some ransomware groups now employ Distributed Denial of Service (DDoS) attacks or personally harass employees of targeted companies to escalate the pressure.

Additionally, leak sites have become another tool for extortion. Criminals now post exfiltrated data online in stages, starting with less sensitive information and escalating to critical data to coerce payment from victims. This adds pressure on the victims to pay for their data to be removed from the site.

Defending against the ransomware threat

The rise of Ransomware-as-a-Service and the increasing frequency of targeted attacks have forced businesses and governments to strengthen their defences.

Simulated attack exercises give employees a safe training ground that mirrors real-world cyber threats; by gradually increasing the complexity of these simulations, organisations can teach staff to recognise more sophisticated attacks and improve overall resilience. Effective approaches to combating ransomware include:

Regular backups

Frequent backups allow organisations to restore data without paying a ransom.

Multi-factor authentication (MFA)

Adding layers of security to prevent unauthorised access.

Zero trust architectures

Limiting access to systems and data to only those who need it.

Employee training

Educating employees about phishing attacks and social engineering, the primary delivery method for ransomware.

Organisations and individuals must stay vigilant as ransomware evolves, adopt essential security practices, and prepare for the ongoing ransomware threat.

If the worst were to happen, are you prepared? Try out our ransomware readiness assessment and evaluate your preparedness, including reviewing policies, procedures, and governance, so you can respond effectively and prevent future attacks. Contact us to find out more.
