A Brief History of Ransomware

A Brief History of Ransomware | White Blue Ocean

What is Ransomware? Ransomware is a form of malicious software or ‘malware’ which is used by cyber criminals known as bad actors to gain access to individual computers or computer networks to encrypt and/or steal files. The targets generally range from small local businesses to large corporations, the latter of which is known as Big Game Hunting in the world of cyber crime. These bad actors will attack computers/networks with their ransomware and leave a digital ransom note for the victim requesting a sum of money for the file decryption key, and in some cases will threaten to delete the files or make them available for everyone with access to the internet. Simply put, a bad actor will find a vulnerability within a computer or computer network of a business, render the files unusable and request money to allow them to be accessed and used again. This can have a significantly detrimental effect for business’s and can potentially cost them millions before the ransom amount is even considered.

Ransomware is continuously developing and becoming more and more sophisticated. It isn’t going anywhere anytime soon, but where did it come from? Where did it go? And how has it evolved? 

The Birth of Ransomware

It might sound surprising, but Ransomware was born way back in 1989 and it wasn’t created by an IT specialist. The man known as the father of ransomware was none other than a Dr. Joseph L. Popp who was a Harvard educated biologist. Following the completion of the World Health Organisations AIDS conference, Dr. Popp created what is now known as the AIDS Trojan on 20,000 floppy disks. These disks where sent out in the post to attendees of the conference in packaging which made it look like a questionnaire to determine the likelihood of someone contracting HIV which, back in those days especially, there was no reason to reasonably question its legitimacy.

Once the floppy disk was inserted into a computer a symmetric encryptor blocked the user from accessing their files. A symmetric encryption is a key created by someone, which is essentially a string of numbers or letters. The key is used to encrypt files meaning that no one can gain access to them unless they hold the original key. Anyone who holds the original key can use it to decrypt the files and once again gain access. When the files had been encrypted a note from Dr. Popp would be revealed on the computer monitor demanding $189 plus another $378 for software release to be sent to a P.O. Box in Panama. When the victim had paid the ransom, they would be given access back to all of their files.

As this was the first application of ransomware in history it was fairly unsophisticated. IT specialists quickly worked out what the decryption key was and distributed it to the known victims so that they could access their files without having to pay the ransom. Following this, ransomware wasn’t really seen again for about another 15 years which, unsurprisingly, is when the internet started to become the normal in households and businesses all over the world.

The Early 2000’s

These were the early years of Ransomware and it was primarily facilitated by the fact that the internet had become a way of life for so many people around the world. During these early days the bad actors would write their own encryption code, target multiple victims and would request low ransom amounts often around the $20 mark. The ransomware strain known as GPcode was one of 2 revolutionary stains of ransomware back in the early days. It was transmitted to victims via a malicious website and through phishing emails targeting windows software because of its wide use. Once GPCode had gained access to the victims’ computer it would encrypt the data and request $20 to decrypt it. Unfortunately for the distributors of GPCode the victims managed to work out the encryption key fairly easily.

A malicious website is a fraudulent website which when accessed, or when a certain item is clicked on the website, transfers the ransomware to the victim’s computer. A phishing email is an email which is made to look professional and legitimate to hide its true intent from the victim. It can have links or attachments which, when clicked on, will transfer the ransomware to the victim’s computer. Phishing can also be used to obtain personal information or data from the victim who will unknowingly and willingly provide any information requested in the email as they believe it to be a legitimate request.

The Archievus ransomware was the first to use a 1204-bit RSA encryption code. An RSA encryption code is like the symmetric encryption with the difference being that the key to encrypt and decrypt the data is different. There is a public key and a private key one of which can be used to encrypt the data with the other being the only key that can decrypt the data. The 1204-bit refers to the length of the key.

Here’s a brief explanation of how RSA encryption would work in the real world for legitimate reasons.

Person A would create a 1204-bit RSA encryption code giving them a public key and a private key.

Person A would send the public key to Person B

Person B would encrypt the data with the public key and then send the encrypted data to Person A

As Person A is the only person with access to the private key they are able to decrypt the data

This was revolutionary in the world of Ransomware.

The Early/Mid 2010’s

The early 2010’s saw Ransomware evolve even further with the introduction of locker ransomware which provided even stronger encryption. This was also the beginning of the cryptocurrency phenomenon which allowed money to be transferred easily and, most importantly to the bad actors, anonymously. By this point ransomware was really finding its way and continued to keep evolving.  Up until this now it had been mostly used to target PC’s due to the large use of Microsoft Software but the ever-increasing use of mobile devices now played into the bad actors hands. They began to develop ransomware to attack those using android operating systems as well devices running Mac and Linux operating systems.

Up until the mid-2010’s ransomware would be used until it had run its course and then a new strain of ransomware would be created to replace it. From the mid 2010’s instead of just creating a new strain, the bad actors began releasing variants of already existing ransomware under different names. For example, Petya and WannaCry were 2 strains of ransomware used in the mid 2010’s and elements of both were used to create a new variant called Goldeneye.

In 2011 WinLock was the first strain to utilise locker ransomware which rather than just encrypting files would lock victims out of their devices and restricted their access to their Windows system. They made their money by imitating a windows product activation notice telling users to reactivate their operating system by calling a free number which unsurprisingly actually charged high fees.

This was the period in which Ransomware as a Service (Raas) was born and opened the door to a new era of cybercrime as very little skill was required to carry out a ransomware attack using this service. Anyone with access to the internet could buy ready-made ransomware on the dark web and either use it themselves or pay a bad actor to carry out the attack. This is when ransomware became readily available to the masses and the first strain to use this was Reveton in 2012 which was also the first strain that demanded payment in bitcoin. As all ransomware does, RaaS evolved and a variant called Ransom32, which was the first variant to be based entirely on JavaScript, was released in 2016. Being based on JavaScript meant that the ransomware could easily function across all operating systems and gave who ever used it much easier access. It’s just another example of how ransomware develops as technology does.

In 2013 CryptoLocker proved to be an inspiration to others purely because within the first 2 months of being used, the bad actors in control had made what is reported to be approximately $27million. It targeted windows computers using a legitimate looking email with a PDF file containing the ransomware attached. The victims would receive a message on screen telling them to pay the ransom within 72 – 100 hours either in US dollars, Euros or Bitcoin.

Simplelocker was the first ransomware to successfully attack android devices in 2013 by encrypting images, documents and videos contained on SD cards. This spurred on the creation of other ransomware variants which targeted android devices such as Lockerpin in 2015 which would change the pin number on users’ devices. It eventually became the first ransomware to target devices running the Linux operating system and could be used to attack windows, linux and mac devices using the same code.

The Late 2010’s/Early 2020’s

Ransomware has kept on evolving year on year with its creators always striving to find new and intuitive ways to bypass security systems, infiltrate computer networks and maximise their returns. Big Game Hunting became more and more prevalent and extortionware came onto the scene in a bid to further encourage victims to pay the ransom. Instead of encrypting the data belonging to their victims extortionware would be used to steal the data and threaten to release it on the internet, providing access to anyone who wanted it, unless a ransom amount was paid. Of course, like ransomware in general this tactic developed into what is known as double extortion and triple extortion. Double extortion being when the data is encrypted as well as stolen and triple extortion incorporated the addition of Distributed Denial-of-Service (DDoS) attacks against the organisation, shaming of the organisation online and in the media as well as intimidation of the organisations clients, employees and suppliers. A DDoS attack is a cyber-attack by which the attacker tries to overwhelm computer networks, machines and websites to make them unusable. This is particularly damaging to organisations that rely on their websites to conduct business as it would be inaccessible to their customers.

COVID 19 caused another set of problems due to the amount of people who began working from home. The need for the sudden move to working remotely meant it took a while for organisations to put the appropriate security measures in place and opened up vulnerabilities that ransomware could exploit.

In comparison to the early days when someone would create some ransomware and distribute it themselves, the way in which ransomware was deployed started to look very different. Ransomware groups such as Conti and Lockbit started to be run more like a business. Essentially there is a hierarchy within the group and they manage the ransomware, finances and run the negotiations. The actual ransomware attacks are carried out by affiliates who will target an organisation, deploy the ransomware and are paid a fee by the ransomware group for their services. As you can imagine this is a very attractive way to work for the affiliate as it provides a level of anonymity should either party be located by authorities.

The WannaCry ransomware in 2017 is a variant that carried out its attacks using a cryptoworm. A cryptoworm is coded to semi-autonomously replicate itself so that it could easily spread through the system it was targeting. At the time of writing it is still referred to as the biggest ransomware attack in history as it affected hundreds of thousands of machines in around 150 countries.

When the Finnish Psychotherapy Service Vastaamo was the victim of a cyber-attack in 2020 the initial ransom request was unsuccessful. As a result of they began publishing hundreds of patients records a day on the dark web and emailed clients demanding ransom payments from them in return for not publishing their sensitive data.

It’s safe to say that Ransomware isn’t going anywhere anytime soon. In 34 years, Ransomware has gone from being a simple symmetric encryption sent out via snail mail on floppy disks to a huge number of variants which can be distributed to hundreds of thousands of computers worldwide through something as simple as an email attachment. Of course, there are a variety of sophisticated ways and tactics which are used these days but this just shows how easily it can be done, and you don’t even have to be an IT specialist to carry out a cyber-attack. If the last 34 years have shown us anything it’s that as long as it continues to make money ransomware is likely to continue to evolve and be a risk no matter what we do.






The information contained in this article is provided for informational purposes only and does not constitute professional advice and is not guaranteed to be accurate, complete, reliable, current or error-free.

Related news

SIAE Data Breach

News of the latest cyberattack comes from Italy, where on the afternoon of the 20th October it was disclosed that SIAE, the Italian Society of Authors and Publishers, was targeted by a ransomware attack. SIAE, which was founded in 1882, is the Italian copyright collecting agency for artists in different areas of the entertainment industry, including television, music, theatre, visual arts and literature, and aims to guarantee that artists receive the right remuneration for their work.

Read more
Ransomware attack results in the shutdown of the Colonial Pipeline

The cyberattack that at the beginning of May targeted and caused the shutdown of the Colonial Pipeline, the largest fuel pipeline in the US, was a powerful example of the threat posed by the rising number of ransomware attacks, and the detrimental effect they can have not only on businesses but on national critical infrastructure.

Read more
How to tidy up a data-irresponsible past

The world has never been more interconnected than at the present time, through devices like smartphones, laptops, and The risks of IoT devices, that create, collect, transmit, process, analyse, copy and store unprecedented amounts of data. This has led to concerns on how much control users have over their own data, and what level of privacy they can maintain when navigating online. Read more...

Read more
Why phishing emails contain errors?

You have probably noticed that all the phishing mails are poorly written and some details may let us think they are somewhat unprofessional. Find out why.

Read more
New cyber extortionists on the block: the Lapsus$ gang

In just 5 months the Lapsus$ cyber gang has become one of the most talked about hacker groups, going from launching localised attacks, to conducting a large-scale extortion campaign, successfully breaching technology giants and stealing their source codes.

Read more
You've heard about ransomware, now get ready for extortionware

What is extortionware and how does it differ from ransomware?

Read more
Cyber threat landscape: who is LockBit gang?

The cyber threat landscape has undergone many shifts in the past year, from the involvement of ransomware cyber gangs in hacktivist activity during the war between Russia and Ukraine, to the disappearance from the scene of the most prolific ransomware groups. These include DarkSide, the hacker group behind the Colonial Pipeline attack, and REvil, One of the groups that has been active since 2019 and continues to grow regardless of the shifts in the cyber threat landscape is the LockBit gang.

Read more


Let's talk

Please fill in the form below (fields with * are mandatory) and we will respond to your request as soon as possible!