The History and Evolution of Ransomware
Ransomware has seen a rapid rise over the last few years to become one of the most dangerous cyber threats any business faces today. But this is not a new issue.
Indeed, ever since the first ransomware was delivered via floppy disk in the late 80s, authors of these attacks have sought to constantly evolve their tactics to evade detection and increase the chances of their victims paying out.
This may include developing more destructive strains of ransomware, adding double or triple extortion threats or targeting their attacks at organizations likely to suffer the biggest impact. It’s therefore vital that enterprises ensure they’re up to date with the latest trends and techniques.
However, companies can learn a lot from previous incidents about how ransomware attacks are carried out, the type of businesses they target, and the damage they can cause.
We’ve been keeping track of key trends in the sector in our annual State of Ransomware report, with detailed breakdowns for 2020, 2021, 2022 and 2023.
In 2024, the threat is greater than ever. Indeed, our latest data shows that both the prevalence and cost of this type of attack continue to grow, with the average payout reaching over $391,000 as of July – a 2.4 percent increase from the start of the year.
So how did we get to this situation? Here’s how ransomware has evolved over the years and some of the key moments that have made it one of the world’s biggest cyberthreats.
The Birth of Ransomware
Ransomware has been around longer than many people may think. The first recorded attack that we’d now call ransomware took place in 1989 and was distributed via mail – not email attachments, but physically posted materials. It occurred when Joseph Popp – an evolutionary biologist by training, not a computing professional – sent 20,000 floppy disks to attendees of a World Health Organization conference in Stockholm using a mailing list he’d acquired.
Anyone who inserted the disks into their drive activated a virus that hid file directories and locked file names, with victims told they could only regain access by sending $189 to a PO Box in Panama.
It’s unknown how many people paid the ransom, but the proof of concept showed how damaging ransomware could be. Some victims were reported to have lost years’ worth of work, though others were able to reverse the encryption without data loss, as the virus used in the attack was relatively unsophisticated.
The time-consuming and expensive nature of the attack – the mailing costs alone would likely have been more than any ransom received – meant it was more symbolic than a serious attempt to make money. However, the seeds had been planted.
Evolution of Ransomware
With the internet making it simpler to deliver ransomware without the need to rely on the postal service, it has become much easier over the years for ransomware to spread. However, it was still almost 20 years after Joseph Popp’s floppy disks before ransomware started to attract attention again.
The first real advancement in ransomware was the introduction of ‘locker’ attacks around 2007. Unlike earlier attacks that sought to encrypt documents, these variants targeted essential system files, which had the effect of locking victims’ entire machines – in some cases even making the use of the keyboard and mouse impossible.
In 2013, one of these attacks, called CryptoLocker, marked the first large-scale, modern ransomware. Using innovations such as tougher encryption and Bitcoin for untraceable payments, it quickly became one of the most prevalent variants. By the end of 2015, the FBI estimated it had earned its operators $27 million in payments.
Other developments in this period included the emergence of ransomware-as-a-service (RaaS), which allowed anyone to launch an attack even if they lacked technical knowledge, simply by buying the tools from ransomware creators. This made it much easier for hackers to get started, with the result that payments increased quickly. By 2020, the global cost of ransomware had reached $20 billion, a 57-fold increase from 2015.
The Current State of Ransomware
The malware continues to evolve, and today the biggest threat comes in the form of double extortion ransomware. This was pioneered by the Maze group in 2020, but quickly became the most popular type of ransomware due to how effective it proved to be in getting victims to pay.
In addition to encrypting information, it works by exfiltrating data back to ransomware command and control servers. Once it is in the hands of cybercriminals, they typically threaten to release it publicly unless the ransom is paid. This is often much more dangerous to businesses than traditional forms of ransomware, which can often be countered with an effective backup and recovery process. However, the prospect of having sensitive and confidential data exposed is often enough to persuade firms to pay.
Indeed, this has become the primary tactic for most ransomware in 2024. BlackFog’s data shows that more than nine out of ten ransomware attacks (93 percent) now include a data exfiltration element. What’s more, this appears to be having an impact, as in the second quarter of 2024, 43 percent of exfiltration victims paid a ransom, up from 36 percent the previous quarter.
Significant Ransomware Attacks
The vast majority of ransomware attacks today go unreported. In fact, BlackFog’s figures suggest undisclosed attacks outnumber acknowledged incidents by as much as five times. However, there have been a number of high-profile attacks over the years that have brought the risk of ransomware to wider public attention and resulted in hard lessons for cybersecurity professionals.
Some of the biggest and most consequential incidents include the following.
WannaCry
The 2017 WannaCry attack was characterized by the speed and scale at which it spread and has been described as the costliest single ransomware attack in history. It reached over 150 countries, affecting organizations such as telecommunications companies and healthcare providers. Among the most notable victims was the UK’s National Health Service, which was forced to cancel appointments and operations and spend around $100 million to recover from the disruption.
WannaCry took advantage of a vulnerability within Windows, which illustrates the importance of keeping up to date with essential cybersecurity best practices such as regularly patching equipment. Overall, the attack is estimated to have cost the global economy more than $4 billion to fix.
NotPetya
A variant of the earlier Petya ransomware, NotPetya was thought to be the work of hackers backed by Russia when it emerged in 2018. The ransomware was able to spread by itself without users opening infected files and proved highly difficult to remove. Danish shipping group Maersk, for example, had to reinstall 4,000 servers and 45,000 PCs due to the incident, and reported total losses of up to $300 million.
NotPetya was also significant as one of the largest state-sponsored attacks, being primarily aimed at organizations in Ukraine – though as Maersk showed, the effect ended up being far more widespread. Its main purpose was to cause disruption rather than extract payment and it therefore marked a new phase of ransomware, with the techniques being used as a weapon of cyberwarfare and not just a way for criminals to make money.
Colonial Pipeline
The impact that ransomware can have outside of IT was clearly demonstrated in 2021 by the attack on US-based energy company Colonial Pipeline. This shut down its operations for five days and impacted delivery of fuel throughout the east coast of the US, resulting in shortages and panic buying, before the firm paid a $4 million ransom to restore operations.
What this shows is how vulnerable critical infrastructure can be to ransomware attack and the major knock-on effects this may have. The fact Colonial Pipeline felt it had no choice but to pay up also illustrates how effective these attacks are at pressuring victims into paying.
Change Healthcare
The 2024 ransomware attack on US company Change Healthcare – one of the country’s largest payment processing providers for the industry – has been described as the most significant and consequential cyberattack against the US healthcare system in history.
It was estimated that more than 100 million patients had sensitive healthcare information compromised. What’s more, the $22 million Change Healthcare paid in order to prevent this data from being disclosed is one of the largest ransoms so far – though this is set to be dwarfed by the total estimated cost to the firm of $1.5 billion.
This incident highlights how targeting particularly sensitive data such as medical records and then threatening to publicly expose it has become one of the most lucrative and disruptive forms of attack for ransomware groups today.
Notable Ransomware Groups
While developments like RaaS allow almost anyone to launch a ransomware attack, the majority of incidents can be traced back to a few large-scale ransomware groups and variants. These highly organized gangs, which may even be backed by hostile nation-states, can target thousands of enterprises every year and bring in tens of millions of dollars’ worth of payments, not to mention the destruction they leave behind.
Some of the most notable families of ransomware and the groups that run them include the following.
REvil
REvil was one of the first large-scale, well-organized groups to hit the headlines and its double extortion tactics have since been copied by many other groups. At one point before being taken down by Russian authorities, it was estimated to have been responsible for a third of all ransomware attacks. One of its more noteworthy targets was managed service provider Kaseya, which in turn led to over 1,500 other businesses that used its products being infected.
LockBit
Among today’s most notorious ransomware gangs, LockBit rose to prominence in 2019 as one of the largest RaaS providers, focusing on double extortion tactics. The group was thought to have been taken down by law enforcement in early 2024, but has since resurfaced, illustrating just how difficult it can be to stop these groups.
BlackCat
Another of 2023’s most prominent groups, BlackCat, also known as ALPHV or Noberus, adds the threat of DDoS attacks to its demands, meaning victims that don’t pay up can expect further disruption. Notable targets included aviation services provider Swissport, which had 1.6TB of data exfiltrated by the group, including internal documents and personal information.
Clop
Clop (or Cl0p) is one of the more recent gangs to come to attention, with the FBI placing a $10 million bounty for information on the group. It has used previously unknown SQL injection vulnerabilities to infiltrate victims and was behind the MOVEit exploit in 2023, which impacted hundreds of organizations, from British Airways and the BBC to multiple US government agencies.
Future of Ransomware
The continued increase in ransomware attacks – and the associated costs of dealing with these incidents – shows no sign of slowing down any time soon. Indeed, as long as victims are prepared to pay out in order to restore operations, end disruption and prevent the disclosure of sensitive information, cybercriminals will keep targeting them.
However, the techniques used are set to keep evolving as new technology emerges. For example, the UK’s National Cyber Security Centre has warned that one of the biggest ransomware threats in the coming years is set to come from artificial intelligence (AI).
It noted that this will have an impact in various ways. For instance, AI will enable attackers to more effectively conduct reconnaissance on targets to spot weaknesses, while generative AI can be used to make social engineering tactics such as phishing more convincing. Threat actors will also be able to analyze exfiltrated data faster and more effectively, while it will also lower the barrier of entry for hackers.
Elsewhere, criminals are also set to respond to changes in working patterns to target remote and hybrid employees using mobile devices. The World Economic Forum has stated that these items often have less stringent security measures or access networks via unsecure public Wi-Fi, making mobile ransomware a promising target for hackers, especially as the rollout of 5G makes it easier to exfiltrate large quantities of data.
Defense and Protection Strategies
In order to counter ransomware today and in the future, a comprehensive defense strategy is required. This should include layers of technology, as well as education to tackle the human factors that frequently lead to data breaches.
Among the essential best practices and technologies that will need to be deployed in order to stop ransomware are:
- Strong perimeter defenses
- Comprehensive, ongoing employee training
- Tough data encryption
- Advanced backup and recovery programs
- Anti data exfiltration (ADX) solutions
None of these can function alone – they each have their own distinct role to play as part of a comprehensive ransomware protection strategy. For example, regular training is vital in guarding against phishing and other social engineering tactics, while ADX is crucial for preventing the most dangerous double extortion ransomware variants.
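As an added illustration (not code from the original post or from any BlackFog product) of the kind of check an anti data exfiltration control relies on: double extortion, as described above, needs data to leave the network before any encryption starts, so a host whose outbound volume suddenly jumps far above its own baseline, especially to a destination it has never contacted, is the signal worth alerting on. The flow records, host names and destinations below are constructed sample data.

```python
"""Flag hosts whose outbound volume jumps far above their own baseline."""
from collections import defaultdict
from statistics import median

# Constructed flow records: (day, host, destination, bytes_out).
FLOWS = [
    ("2024-07-01", "ws-17", "saas.example.net", 120_000),
    ("2024-07-02", "ws-17", "saas.example.net", 95_000),
    ("2024-07-03", "ws-17", "saas.example.net", 130_000),
    ("2024-07-04", "ws-17", "saas.example.net", 110_000),
    ("2024-07-04", "ws-17", "203.0.113.45", 4_800_000_000),  # large upload to a new host
    ("2024-07-01", "ws-22", "saas.example.net", 80_000),
    ("2024-07-02", "ws-22", "saas.example.net", 90_000),
    ("2024-07-03", "ws-22", "saas.example.net", 85_000),
    ("2024-07-04", "ws-22", "saas.example.net", 88_000),
]


def detect_exfiltration(flows, day, ratio=10, min_bytes=100_000_000):
    """Return alerts for `day`: hosts whose outbound bytes exceed `ratio` times
    their median daily volume on earlier days AND at least `min_bytes`.
    Each alert lists destinations the host had not contacted before `day`,
    since a previously unseen upload target is what an analyst checks first.
    A host with no history gets a baseline of 0, so only `min_bytes` applies."""
    history = defaultdict(lambda: defaultdict(int))  # host -> prior day -> bytes
    known_dests = defaultdict(set)                    # host -> destinations seen before `day`
    today = defaultdict(int)
    today_dests = defaultdict(set)
    for d, host, dest, nbytes in flows:               # ISO dates compare correctly as strings
        if d < day:
            history[host][d] += nbytes
            known_dests[host].add(dest)
        elif d == day:
            today[host] += nbytes
            today_dests[host].add(dest)
    alerts = []
    for host, sent in today.items():
        baseline = median(history[host].values()) if history[host] else 0
        if sent >= min_bytes and sent > ratio * baseline:
            alerts.append({
                "host": host,
                "bytes": sent,
                "baseline": baseline,
                "new_destinations": sorted(today_dests[host] - known_dests[host]),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_exfiltration(FLOWS, "2024-07-04"):
        print(alert)
```

On the constructed data only ws-17 is flagged: its 4.8 GB day is far above its 120 KB median and goes to a destination it had never used, while ws-22 stays within its normal range and below the absolute floor.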