History and evolution of ransomware attacks

29.03.2023

Don’t neglect the permanent cyber threat called ransomware. Ransomware attacks have been around for a while and have evolved to become even more dangerous. That’s not all: their frequency is staggering!

Just to give you an idea, in 2021, 623.3 million ransomware attacks were executed worldwide (official number). In the first six months of 2022, there were 236.1 million ransomware attacks around the world. In 2023, in the US alone, 33 ransomware attacks had already been publicly disclosed in January. Education institutions suffered 11 attacks, followed by the healthcare and government sectors. In February, the number of publicly reported ransomware attacks increased to 40. This time, government institutions were the most hit. But honestly, everybody can be a target.

According to Dark Web research by Marcelo Rivero, a ransomware specialist at malwarebytes.com, the “dark” statistics (figures published by the criminals themselves on the Dark Web) are higher. Most ransomware attacks (RaaS) perpetrated in February 2023 came from LockBit (126 ransomware attacks executed), ALPHV (32), Medusa (19), Royal (16), BianLian (13), and PLAY (11). And the list of enemies is sadly longer.

Considering the numbers from previous years and the fact that 2023 is still very young, we can assume that the worst is yet to come! Undoubtedly, knowing the enemy is critical to keeping your organization or business safe. Let’s dive deeper into the history and evolution of ransomware attacks!

To know more about ransomware, you can read “What is ransomware and how can we protect?”.

When was the first ransomware attack?

The first ransomware attack was the AIDS trojan (1989). Its name comes from the 1989 AIDS conference of the World Health Organization. During this event, Joseph Popp (a biologist) distributed 20,000 infected floppy disks among the attendees. Once a user had booted the computer 90 times, the names of all their files would be encrypted. Then, a ransom message would be displayed asking for 189 USD to be sent to a PO box in Panama. In this case, the tone of the message was not threatening or aggressive. It looked like a reminder to pay the lease for the software, which could seem convincing to users. Experts said this ransomware was removable through easily accessible online decryption tools.

Ransomware’s next move: modern encryption

In 2005, ransomware attacks surprised new victims through the use of asymmetric encryption, which made the situation much harder for users to solve. The “Archiveus” trojan was the first ransomware to use the Rivest-Shamir-Adleman (RSA) public-key cryptosystem to encrypt all of a user’s files in the specific folder named My Documents. To decrypt them, the user required a 30-digit password that would be delivered by the scammer once the ransom was paid. The “Archiveus” password was cracked in 2006.

“Gpcode” was another early threat to Windows operating systems. At first it used symmetric encryption, but in 2010 it moved to a more complex choice (RSA-1024) to encrypt documents with specific file extensions.

A new headache appeared in 2009: “Vundo”, a virus used to encrypt computers and make money by selling the decryptors to victims. When users clicked on malicious email attachments, “Vundo” downloaded itself. It also exploited vulnerabilities in browser plugins (Java). Once installed on users’ computers, it attacked anti-malware software.

In 2010, the “WinLock” trojan took the stage. A Russian ransomware gang of ten criminals made 16 million USD using “WinLock”. Once they had locked victims’ computers, pornography was displayed on them as an extra way to push victims to pay the ransom (the equivalent in rubles of 10 USD). The criminals were caught, but from a technical standpoint their scam truly worked.

“WinLock” was “enhanced” in 2011 so that scamming victims became even easier. It deceived them by impersonating Microsoft Product Activation for Windows. It asked for a “necessary” reinstallation, and once that was done, the extortion took place.

In 2012, a new villain appeared: “Reveton”. The tone of the threat escalated. Aggressive messages claimed to come from US law enforcement and informed the user that he or she had been caught consuming illegal pornography, so only payment of the ransom could spare them prosecution.

Cryptocurrencies as the catalysts of the ransomware attacks

A parallel event boosted ransomware attacks: the creation of cryptocurrencies, like Bitcoin (2010). This gave ransomware criminals an attractive payment method (instant and anonymous) that leaves no trace behind. The increase in ransomware attacks was clear, even though the method still had a disadvantage: many victims had no familiarity with such virtual currencies or the way they worked. But it was only a matter of time before cryptocurrencies became more popular and criminals turned this malicious business into a very lucrative one.

In this context, “CryptoLocker” attacked (2013). It took advantage of crypto transactions, and “CryptoLocker” was also the first ransomware spread by a botnet. It implemented more advanced encryption: a 2048-bit RSA key pair (public and private). The pair was generated by a server, and the key sent to the victims’ computers was used to encrypt their files. To obtain the decryption key, users were asked for 300 USD.
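Because the private half of a server-generated key pair never touches the victim’s disk, a defender cannot decrypt the files afterwards; the realistic goals are to notice mass encryption early and to keep backups. The following is an added example, not code from the original article, showing the classic detection heuristic: plaintext documents score roughly 4 to 5 bits of Shannon entropy per byte, while ciphertext scores close to 8. Compressed formats also score high, so the example allow-lists known compressed and container signatures to limit false positives. The sample files, the 7.5 threshold and the magic-byte list are assumptions constructed for this example.

```python
# Added example (not from the original article): a simple detector for the
# kind of file change ransomware such as CryptoLocker produces. The private
# key stays on the criminals' server, so recovery is impossible; what a
# defender can do is spot mass encryption early (and restore from backup).
# High Shannon entropy is the classic heuristic. Compressed formats are also
# high-entropy, so known magic bytes are allow-listed to reduce false
# positives. All sample files below are constructed in memory.
import gzip
import math
import random
from collections import Counter

ENTROPY_THRESHOLD = 7.5   # bits per byte; assumption chosen for this example

# Magic bytes of formats that are legitimately high-entropy (compressed).
COMPRESSED_MAGIC = (
    b"\x1f\x8b",            # gzip
    b"PK\x03\x04",          # zip (also docx/xlsx/pptx containers)
    b"\x89PNG",             # PNG
    b"\xff\xd8\xff",        # JPEG
    b"7z\xbc\xaf\x27\x1c",  # 7-Zip
)


def shannon_entropy(data: bytes) -> float:
    """Return the Shannon entropy of `data` in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def has_compressed_magic(data: bytes) -> bool:
    """True if the file starts with a known compressed/container signature."""
    return any(data.startswith(m) for m in COMPRESSED_MAGIC)


def looks_encrypted(data: bytes, threshold: float = ENTROPY_THRESHOLD) -> bool:
    """Heuristic: high entropy and no recognised compressed-format header."""
    return not has_compressed_magic(data) and shannon_entropy(data) >= threshold


def flag_suspicious(files: dict) -> list:
    """Return the names of files whose contents look encrypted, sorted."""
    return sorted(name for name, data in files.items() if looks_encrypted(data))


def build_sample_files() -> dict:
    """Constructed sample corpus: a text note, a gzip archive (high entropy
    but legitimate) and a blob of random bytes standing in for a file that
    ransomware has encrypted in place."""
    rng = random.Random(20230329)          # fixed seed: deterministic sample
    random_blob = bytes(rng.getrandbits(8) for _ in range(4096))
    note = ("Quarterly review notes: revenue grew, costs were stable, "
            "and the backup restore drill succeeded.\n") * 40
    return {
        "notes.txt": note.encode(),
        "archive.gz": gzip.compress(random_blob, mtime=0),
        "quarterly.xlsx": random_blob,     # stands in for an encrypted file
    }


SAMPLE_FILES = build_sample_files()

if __name__ == "__main__":
    for name, data in SAMPLE_FILES.items():
        print(f"{name:15s} entropy={shannon_entropy(data):.3f} "
              f"flagged={looks_encrypted(data)}")
    print("suspicious:", flag_suspicious(SAMPLE_FILES))
```

Note that a genuine .xlsx is itself a zip container and would be allow-listed by its PK header; in practice this heuristic is combined with rate-based signals (many files rewritten in a short window, new extensions, ransom notes dropped in every folder) rather than used on its own.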

The inglorious success of “CryptoLocker” inspired similar variants to emerge very soon, like “CryptoWall” (2014). Phishing emails were the way to spread it, and numbers showed that four years later, in 2018, the damage caused by its use was estimated at 325 million USD.

The lucrative success of ransomware attacks led to the rise of RaaS, or ransomware-as-a-service (2016-2018). Hackers looked for vulnerabilities and wrote code so that the ransomware worked efficiently. They even included a user dashboard, guides, and technical support for its use. Unfortunately, the profits made by criminals pushed their nasty business to the next, more organized level. “Shark” and “Ransom32” were popular examples of early RaaS.

“Petya” came in 2016, and its stronger variant “NotPetya” (2017) spread globally through a Windows vulnerability exploited by EternalBlue. The White House blamed “NotPetya” for damage of 10 billion USD. In the same year, “WannaCry” emerged using this vulnerability too. Soon, it had infected around 230,000 computers in 150 different countries, with a damage cost of 4 billion USD.

A catastrophic merge occurred

Ransomware attacks were already costing billions when, in 2018, ransomware merged with data-stealing malware. This was the origin of threats like “GandCrab,” a combination of malware to steal information and ransomware to lock the files. It became the most-used RaaS from 2018 to 2019.

Team Snatch, a malicious gang, partnered with “GandCrab” and added to the extortion the threat of publishing the victim’s stolen data if he or she refused to pay the ransom. Before, having a proper backup could be enough to avoid paying the ransom. But this new threat meant publicly exposing the victims’ sensitive data. Ransomware attacks gained more leverage to extort.

This laid the foundations for the “Maze” ransomware and leak websites. “Maze” was created by one group, but soon different attackers used it to extort. It copied and encrypted data. Variants and leak sites sprang up like mushrooms. In 2020, the “NetWalker” ransomware group alone obtained approximately 25 million USD.

From then on, the creation of ransomware and the attacks themselves were run by organizations, not only by random individuals.

The “REvil” ransomware gang was created in 2019. It extorted thousands of individuals and organizations of all types and sizes worldwide, including Donald Trump, who was president of the US at that time (2020). He was asked for 42 million USD as ransom. Besides, the “REvil” software was offered to other criminals on a subscription basis. This says a lot about how far criminals have gone in running this fraudulent business. They even diversified their income sources to ensure profit.

“REvil” accounted for 37% of the ransomware attacks perpetrated during 2021, and the official number pointed to 623.3 million attacks in total. “REvil” also attacked Apple (2021) and demanded 50 million USD as ransom. Not paying meant the “REvil” group would publish data and schematics of upcoming Apple products. Malicious links attached to emails were the main method used to spread “REvil” ransomware. When victims clicked on them, they were tricked into enabling QakBot, a banking trojan with backdoor capabilities that steals keystrokes, browser information, credentials, and financial data. Once QakBot was enabled, the criminals could take over.

Another dangerous group, which seems to have disbanded recently (2022), was “Conti”, a Russia-based ransomware gang allegedly connected to Russian security institutions and law enforcement. In May 2022, the US government offered a 15 million USD bounty for the “Conti” leaders.

Still, there are traces of “Conti” activity. When these groups stop working together, other criminals can still use their malicious software. Remember, the use of the software by others is also a source of income for criminals. Perhaps members of the former “Conti” organization are still active somewhere. They could reappear under a different brand. And that means we cannot lower our guard in terms of security!

This history and evolution of ransomware attacks shows you the key moments and technologies that boosted this crime. The more than three decades since the first ransomware attack have been enough for it to evolve into a constant and harmful threat. Macs (read about viruses on Mac) and mobiles have also been targets for a long time already.

Now government and security institutions are more vigilant, but criminals are not stopping. It’s clear that everybody must have a strong and permanent security strategy against ransomware attacks. There is too much at stake: lots of sensitive data (intellectual property, financial and personal information), your infrastructure, your reputation, etc.

Now that you know the enemy and the tricks behind its criminal operation, strengthen your business’ defenses! How can you protect it? Well, you should read “What is ransomware and how can we protect?”.

And be sure to include this Backup-as-a-Service in your security strategy.
