carbonite logo

Commonly searched topics:

backupcloud backupaccount sign in

Article · Aug 28, 2017

The evolution of a cybercrime: A timeline of ransomware advances

Color illustration of laptop screen showing a security warning.

Ransomware, the malicious code that holds data hostage, is now a more common threat to businesses than data breaches. It continues to be a thorn in the side of companies large and small, and has enriched many cybercriminals throughout the course of its history. Ransomware targets computers, mobile devices and even machines connected to the Internet of Things.

The ransomware we know today is predominantly crypto-ransomware, which encryption technology to hold victims' data hostage until a ransom is paid. Other types include locker ransomware, which prevents users from accessing their devices; ransomware hoaxes, which claim to encrypt data when they haven’t; advanced ransomware threats, highly specialized attacks of an organization designed to do the most damage; and destructive ransomware, which encrypts or deletes data with no capability to restore it.

So how did we come to be in this situation? Here's a timeline showing how ransomware has advanced technologically over the last three decades.

1989: Ransomware is born
The idea of ransomware was conceptualized in 1989 with the so-called AIDS Trojan, which was distributed on a 5.25 inch floppy disk mailed to victims. It contained a program that claimed to be a survey. But while victims were taking the survey, the program encrypted the victim’s hard drive then printed a ransom demand of $189. The author of the AIDS Trojan was eventually found and further disks were not mailed out.

The computer virus was distributed during an era of much experimentation in malicious code and cyber-attacks, but with little monetization occurring due to the limited ability of lone hackers and small groups to launder money and hide their tracks effectively. Ransomware didn't make another major appearance until 2004.

GPCode ransomware encrypted files on Windows machines with a custom encryption algorithm. Ransom messages were delivered in a text file on the victim’s desktop stating that their files could be decrypted with the purchase of a decryption program. Fortunately, the custom encryption algorithm used by GPCode was easy for analysts to crack.

In 2006, Archievus ransomware appeared on some Microsoft Windows-based computers. Archievus encrypted the contents of the My Documents folder using RSA asymmetric encryption. The ransomware demanded that victims make purchases from certain websites to receive the decryption key. The designer of Archievus used the same decryption key for all infections. Once this fact was discovered, people began to ignore the ransom demands.

Trojan.Ransom.A was also distributed in 2006. This locking Trojan placed itself in the Windows startup program so that a message is displayed on the screen along with pornographic images. The ransom note covered the entire screen, preventing the victim from clicking anywhere else. Trojan.Ransom.A demanded payment in the form of a Western Union wire transfer of $10.99. The CIDN number on the receipt had to be entered to remove the ransom message. However, Trojan.Ransom.A was more like adware than ransomware. It modified internet settings and created many popups and password prompts.

In 2012, Reveton ransomware made its debut. The ransomware masqueraded as a message from the FBI, which notified victims that their computers were locked because of copyright violations and distribution of pornographic content. It claimed that access was denied to the machine until a fine was paid. This was the first of many variants that came to be called “police ransomware.” Reveton was distributed when victims clicked links on compromised websites and it demanded payment through Paysafecard or Ukash.

In 2013, the world met CryptoLocker, which spread through compromised websites and malicious email attachments. The creation of Bitcoin in 2009 opened up an anonymous method of extortion that had previously been unavailable to attackers. As a result, it became easier for cybercriminals to get paid without getting caught. CryptoLocker used AES-256 to encrypt files and command and control servers spread across the Zeus botnet to distribute decryption keys. All these techniques combined to make it much harder to track down the criminals behind CryptoLocker. However, CryptoLocker’s over-reliance on command and control servers proved to be its downfall when the Zeus botnet was largely demolished in 2014.

The battle against ransomware continued to heat up in 2014 when CryptoWall ransomware was heavily distributed, producing an estimated revenue of $325 million for cybercriminals. It fixed flaws in its predecessor, CryptoDefense, which used 2048-bit RSA encryption but left the decryption key in plain text on the computer. CryptoWall employed exploit kits and was harder to eradicate because it could copy itself into registry keys and startup folders.

CTB-Locker was also released in 2014. This ransomware deleted Windows volume shadow copies. Shadow copies track changes to files so that previous versions of a file can be retrieved. Up until this point, shadow copies had been an easy way for victims to restore their data. Victims who relied chiefly on shadow copies as their backup method were rudely awakened to method's inadequacy.

Sypeng was the first ransomware to target mobile devices. It was detected in 2014 when victims started receiving text messages that appeared to be Adobe Flash updates. Instead, the messages contained the Sypeng ransomware and locked the victim’s Android phone or tablet, demanding $200 in MoneyPacks as ransom. Later the same year, SimpLocker attacked Android phones and encrypted them rather than simply locking users out.

Attacks on mobile devices continued in 2015 with the release of LockerPin, which reset the pin code on Android phones and demanded $500 from victims to unlock the device.

A new form of ransomware designed to target Linux users was also released in 2015. Encoder was the first ransomware to target Linux-based web hosting systems such as the popular Magento and cPanel. It locked web directories and encrypted the contents.

Chimera ransomware didn't just encrypt files, it also threatened to publish files online if ransoms were not paid in a practice known as doxing.

Ransomware as a Service (RaaS) gained major traction in 2015. RaaS kits allow criminals to distribute ransomware by paying another criminal for access to the code. With RaaS, just about anyone can become a cybercriminal, even those who aren't very technologically savvy. In 2016, many new RaaS kits such as Petya, Mischa, Tox, Ransom32 and CryptoLocker Service entered the market, making ransomware much more accessible to criminals. Increased RaaS competition led to more differentiation and a reduction in price. Cybercriminals can now obtain RaaS kits for as low as $39.

Ransomware variants continued to get trickier—and far more numerous—in 2016. For starters, 2016 was the year that the first ransomware targeting Macs, KeRanger, burst onto the scene. KeRanger was distributed through a fake Transmission BitTorrent client. Another first was the release of a ransomware virus built on JavaScript. Ransom32 used JavaScript to infect machines running on multiple platforms including, including Windows, Linux and Mac.

Jigsaw ransomware taunted victims by threatening to delete one file every hour until the $150 ransom demand was paid. It also threatened to delete 1,000 files if the machine was restarted or if the ransomware process was interupted in some other way.

Additionally, cybercriminals introduced new features to make it easier for victims to pay ransoms. SamSam ransomware, for example, offered victims the opportunity to chat live with the criminals who encrypted their data. This "customer service" function was designed to guide victims through the process of paying the ransom.

Petya introduced a new propagation method, spreading itself through cloud file sharing services. Petya used Dropbox to distribute itself, and once it infected machines, proceeded to lock them by encrypting the master boot record. Later in 2016, Mamba ransomware thoroughly encrypted victims' hard drives and any external components plugged into the machine.

ZCryptor was the first well-known ransomware worm. It was distributed through spam and phishing email campaigns, and it had the ability to spread itself across a business network. At the same time, TeslaCrypt and Locky were used extensively by criminal enterprises seeking a quick payout.

Researchers scrambled to analyze and develop countermeasures for an increasing number of ransomware variants. In response, cybercriminals equipped CryptXXX ransomware with functions designed to stop its processes if it was ran in a testing environment. This made it difficult for researchers to obtain information on how CryptXXX operated.

WannaCry was easily the fastest spreading ransomware in history. In four days, it had infected more than 250,000 devices using techniques from the leaked EternalBlue NSA hacking tool and a server message block protocol vulnerability. NotPetya was initially distributed via fake email updates about tax software. It then exploited a server message block vulnerability to encrypt victims' files. This particular version of Petya did not provide victims with recovery keys.

The fight against ransomware continues as cybercriminals develop new and more dangerous ransomware. The key to protecting yourself and your business from ransomware is to practice digital hygiene best practices, educate employees, and most importantly, make sure all of your valuable data is properly backed up. When your data is backed up, there's no reason to pay the ransom.


Eric Vanderburg

Eric Vanderburg is an information security executive and author known for his insight on cybersecurity, privacy, data protection and storage. Some have called him the “Sheriff of the Internet” because his cybersecurity team at JurInnov protects companies from cyberthreats, investigates data breaches, and provides guidance on safe computing. Eric is passionate about sharing cybersecurity and technology news, insights and best practices. He regularly presents on security topics and maintains a security blog. You can find him throughout the day posting valuable and informative content on his social media channels.

Related content