Who created ransomware?

Ransomware is a form of malicious software that encrypts a victim’s files and demands payment in order to restore access. The first known ransomware attacks date back to the late 1980s. The creators of early ransomware variants were often cybercriminals and hackers motivated by financial gain. However, the creators of ransomware have evolved over time, and now include nation-state actors and organized cybercrime groups. Understanding the origins and key innovators behind ransomware can provide insight into how this threat emerged and transformed into the global epidemic it is today.

The advent of cryptovirology

The theoretical basis for ransomware as a cryptographic attack was laid out in 1996 by Adam Young and Moti Yung, both cryptographers, in a paper presented at the IEEE Symposium on Security and Privacy. They coined the term “cryptovirology” for the use of cryptography as an offensive tool, and described an extortion attack in which a virus encrypts a victim’s data under a freshly generated key, encrypts that key with the attacker’s public key, and demands payment for the private-key operation needed to recover it. The paper took the 1989 AIDS Trojan as its starting point: that program had used a symmetric cipher whose key was present in the malware itself, so victims recovered their files without paying. Young and Yung showed that with public-key cryptography the ability to decrypt never has to be on the victim’s machine at all. The idea was now formalized, but it would be almost a decade before malware authors acted on it at scale.

Young and Yung’s contribution

Young and Yung did not write ransomware, and their paper discussed countermeasures alongside the attack. Their contribution was to identify the key-management mistake in the earlier attempt and to show that public-key cryptography removes it: the malware needs to carry only the attacker’s public key, so no amount of reverse engineering of a captured sample yields the means to decrypt. Practically every encrypting ransomware family that has worked as intended since then follows this hybrid design.

First ransomware attacks

The first known ransomware appeared in 1989, and it was a single program that goes by two names: the AIDS Trojan, after the subject of the diskette it arrived on, and the PC Cyborg Trojan, after the shell company the ransom was payable to. Written by Joseph Popp, it was limited in scope and a commercial failure, but it was the first documented extortion by malware and it set the pattern:

  • Distribution – Popp mailed roughly 20,000 floppy disks labelled as AIDS information software to subscribers of a medical mailing list in December 1989; the payload stayed quiet until the machine had been booted about 90 times.
  • Payload – it hid directories and encrypted the names of files on the C: drive, then displayed a notice demanding $189 for a software “licence” to be sent to PC Cyborg Corporation at a post-office box in Panama.
  • Weakness – file contents were not touched, and the encryption was a simple symmetric substitution whose key was inside the program itself, so analysts extracted it and published free recovery tools shortly afterwards.

Crude as it was, the AIDS Trojan exhibited the two weaknesses that would hold ransomware back for the next fifteen years: encryption that could be reversed without the attacker’s cooperation, and a payment channel (a cheque or money order to a post-office box) that was slow, traceable and easy to shut off. It nevertheless established the model that later, better-engineered threats would follow.

Limited scope and impact

The attack was the work of one person, delivered by post, and it scrambled only file names, so recovery was a matter of analysis rather than payment. Payment was the weakest link: with no anonymous online payment rails, let alone cryptocurrency, the ransom had to be mailed to a physical address. Popp was identified and arrested, though ultimately judged unfit to stand trial. Nothing comparable followed for over a decade.

Rise of encryption ransomware

After a lull through the 1990s, encrypting ransomware reappeared in the mid-2000s, now built on the public-key approach Young and Yung had described rather than on a fixed key hidden in the program. Two early examples:

  • PGPCoder (Gpcode) – first seen in 2005. Its earliest versions used a home-grown cipher that analysts broke quickly, but successive variants moved to RSA with ever larger keys, reaching 1,024 bits by 2008, at which point recovery without the author’s private key became infeasible. From then on, deleting the malware no longer helped.
  • Archiveus – appeared in 2006 and bundled the contents of the victim’s My Documents folder into a single encrypted archive, demanding that victims buy goods from specified online shops to receive the password. It was defeated when analysts found that password hard-coded in the binary, a reminder that a strong algorithm does nothing for an attacker who mishandles the key.

Properly implemented public-key encryption was the turning point. When the per-victim key is generated on the spot and only the attacker’s public key is present on the machine, deleting the malware, reverse engineering it or reinstalling the system does nothing for the data; only a backup or the attacker’s private key brings it back. That gave criminals a foundation for extortion that no longer depended on the victim’s inability to analyse the malware.
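The key-management difference that separates the 1989 design from the one Young and Yung described, and on which the PGPCoder and Archiveus entries above turn, is easier to see in code than in prose. The Go program below is an added illustration written for this page; it is not code from any of the malware discussed or from Young and Yung’s paper. It works on an in-memory byte string rather than on files, and the embedded key and sample data are constructed placeholders. It contrasts two designs: a single symmetric key shipped inside the program, which a defender can read out of a captured sample, and the hybrid scheme in which only the attacker’s public key is present on the victim side, so the per-victim key can be unwrapped only by the holder of the private key.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed stand-in for a key baked into the shipped program, as in the
// 1989 AIDS Trojan: whoever can read the binary can read the key.
var embeddedKey = []byte("0123456789abcdef0123456789abcdef") // 32 bytes: AES-256

// VictimRecord is everything the hybrid design leaves on the victim's machine.
type VictimRecord struct {
	Ciphertext []byte // AES-256-GCM, nonce prepended
	WrappedKey []byte // RSA-OAEP(attacker public key, per-victim key)
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-256-GCM and prepends the random nonce.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; GCM's tag makes a wrong key fail instead of yielding garbage.
func open(key, sealed []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if n := gcm.NonceSize(); len(sealed) >= n {
		return gcm.Open(nil, sealed[:n], sealed[n:], nil)
	}
	return nil, errors.New("ciphertext too short")
}

// NewAttackerKey makes the attacker's key pair; only the public half ever ships.
func NewAttackerKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// LockSymmetricOnly models the AIDS Trojan: one fixed key, inside the program, reused for all.
func LockSymmetricOnly(data []byte) ([]byte, error) { return seal(embeddedKey, data) }

// RecoverFromBinary is the defender's answer: read the key out of a sample and decrypt.
func RecoverFromBinary(sealed []byte) ([]byte, error) { return open(embeddedKey, sealed) }

// LockHybrid models the Young/Yung design: a fresh key per victim, wrapped with the
// attacker's public key and then dropped, so nothing left on the victim can unwrap it.
func LockHybrid(pub *rsa.PublicKey, data []byte) (VictimRecord, error) {
	fileKey := make([]byte, 32)
	if _, err := rand.Read(fileKey); err != nil {
		return VictimRecord{}, err
	}
	ct, err := seal(fileKey, data)
	if err != nil {
		return VictimRecord{}, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return VictimRecord{}, err
	}
	return VictimRecord{Ciphertext: ct, WrappedKey: wrapped}, nil // fileKey itself is not kept
}

// UnlockHybrid is the step only the private-key holder can perform.
func UnlockHybrid(priv *rsa.PrivateKey, rec VictimRecord) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, rec.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	return open(fileKey, rec.Ciphertext)
}

func main() {
	data := []byte("constructed sample document") // constructed input
	attacker, _ := NewAttackerKey()               // generated and kept off the victim
	sealed, _ := LockSymmetricOnly(data)
	got, err := RecoverFromBinary(sealed)
	fmt.Println("symmetric-only, key read from binary:", err == nil && bytes.Equal(got, data))
	rec, _ := LockHybrid(&attacker.PublicKey, data)
	_, err = open(embeddedKey, rec.Ciphertext) // the only key the defender has; GCM rejects it
	fmt.Println("hybrid, recovered without private key:", err == nil)
	got, err = UnlockHybrid(attacker, rec)
	fmt.Println("hybrid, recovered with private key:", err == nil && bytes.Equal(got, data))
}
```

The point is the last two lines of output. With the symmetric-only design the data decrypts as soon as the key is read out of the binary, which is exactly what happened to the AIDS Trojan. With the hybrid design a defender holding every artifact from the victim machine still gets an authentication failure, and only the private key, which was never on that machine, unwraps the per-victim key. GCM is used here so that a wrong key fails loudly; the 2000s families the text describes did not always authenticate, but the key-management lesson is the same.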

Stronger cryptography, better monetization

Strong, correctly implemented encryption made ransomware a viable business in the 2000s, but it solved only half the problem. The other half was getting paid without being traced, and operators of the period relied on premium-rate SMS numbers and prepaid online vouchers such as Ukash, Paysafecard and MoneyPak, which could be cashed out or resold with little scrutiny. Together these gave them a pipeline that could reliably infect victims, encrypt data and collect payment.

Noteworthy ransomware families

In the 2010s, ransomware proliferated rapidly and a number of notorious ransomware families emerged. These sophisticated strains were developed by cybercriminal groups to maximize infections and revenue generation. Major ransomware family innovators included:

Reveton ransomware

Reveton, first seen in 2012, popularized “police ransomware.” It did not encrypt anything: it locked the screen with a full-page notice styled after the local law-enforcement agency (the FBI in the United States, national police forces elsewhere, selected from the victim’s geolocation), accused the user of offences such as possessing illegal content or pirated software, and demanded a “fine” of a few hundred dollars by prepaid voucher within a short deadline, threatening prosecution otherwise. Because the lock was implemented in software rather than cryptography it could be removed, but enough frightened victims paid to make it profitable. Reveton demonstrated that the ransom note itself is a social-engineering payload.

CryptoLocker

CryptoLocker appeared in September 2013, distributed by the Gameover ZeuS botnet and by email attachments. It was the first large-scale ransomware to follow the hybrid design faithfully: a 2048-bit RSA key pair was generated per victim on the attackers’ servers, only the public key was sent to the infected machine, and files were encrypted under AES keys that the public key then locked. CryptoLocker also popularized Bitcoin as the ransom currency (alongside MoneyPak vouchers), giving the operators a fast, borderless payment channel that was hard to block and hard to trace; this, rather than the cryptography, was the innovation that fixed ransomware’s oldest weakness. It infected an estimated 250,000 systems before Operation Tovar took down the Gameover ZeuS infrastructure in June 2014; private keys recovered in that operation later allowed a free decryption service to rescue many victims’ files.

WannaCry

WannaCry hit on 12 May 2017 and spread as a worm, using the EternalBlue exploit for a Windows SMBv1 vulnerability that the Shadow Brokers had published a month earlier from a cache of NSA tools. Microsoft had patched the flaw in March 2017 (MS17-010), so the outbreak was largely a census of unpatched and end-of-life systems; it reached well over 200,000 machines in some 150 countries, including much of the UK National Health Service, before a researcher registered the unregistered domain the malware checked on start-up, which acted as a kill switch. As an extortion operation it was a failure: payments went to three hard-coded Bitcoin addresses with no way to tell who had paid, and total ransoms came to a few hundred thousand dollars. In December 2017 the United States, the United Kingdom and several allies publicly attributed WannaCry to North Korea.

Ryuk

Ryuk, first observed in August 2018, marked the shift from indiscriminate spray to “big game hunting.” Rather than encrypting whoever opened an attachment, its operators (tracked as Wizard Spider) used footholds from existing TrickBot and Emotet infections, moved laterally to domain controllers and backups, and deployed Ryuk across an entire organization at once, with ransoms sized to the victim and running into the millions. It was not sold as a service; the same group ran the intrusions and collected the money. Estimates of its take exceed $150 million, drawn from corporations, hospitals and local governments.

Other major families

Many other influential ransomware families emerged over the years, including Locky, Cerber, SamSam, MedusaLocker and Conti. Each introduced refinements in distribution, encryption, command and control or the way ransoms were demanded.

Nation-state actors

Nation states have also turned to ransomware, although their involvement takes different forms: direct operation for revenue, destructive attacks dressed as ransomware, and tolerance of criminal groups operating from their territory. The clearest cases are:

WannaCry links to North Korea

As noted above, WannaCry was attributed to North Korea by the United States, the United Kingdom and other governments in December 2017, and a 2018 US indictment tied it to the Lazarus Group, the same actors blamed for the 2014 Sony Pictures intrusion and the 2016 Bangladesh Bank theft. Revenue-raising cyber operations fit a sanctions-constrained economy, though WannaCry itself collected little; its broken payment handling suggests an operation that escaped its operators’ control as much as a calculated strike at adversaries.

Russia

Russia’s involvement is of a different kind, and the examples often cited for it need separating. Industroyer (2016) and HermeticWiper (2022), both used against Ukraine and attributed to Russian military intelligence, are not ransomware at all: the first manipulated power-grid control systems and the second wiped disks. NotPetya (2017) wore the costume of ransomware, displaying a ransom note, but its encryption was irreversible by design, and the US and UK attributed it to the same military actors. Ryuk and its relatives, by contrast, are run by criminal groups with no demonstrated state direction. What connects the criminal side to the state is tolerance: gangs operating from Russia have rarely been prosecuted so long as they avoid domestic victims, and many strains refuse to execute on systems with Russian or other CIS language settings.

Iran

Iran’s state-linked groups are better known for destructive malware such as Shamoon (used against Saudi Aramco in 2012) and ZeroCleare, which wipe data rather than encrypt it. They have also deployed actual ransomware, for instance Pay2Key against Israeli organizations in 2020, and US and allied advisories since 2022 have described IRGC-affiliated actors conducting ransomware operations and, more recently, brokering network access to criminal ransomware affiliates. Working through or alongside criminal gangs gives Tehran a capability it can disown.

The rise of Ransomware-as-a-Service

In recent years, many ransomware operations have moved to an affiliate structure known as Ransomware-as-a-Service (RaaS). This model involves:

  • Developers who build and maintain the ransomware code.
  • Affiliates who distribute the malware to victims.

The developers run the shared infrastructure (the builder that produces per-victim payloads, the payment and negotiation portal, and the leak site used to pressure victims) and keep a share of each ransom, typically 20 to 30 percent. The affiliate who carried out the intrusion keeps the rest. Splitting the work this way let gangs scale far beyond what any single crew could manage.

Notable RaaS operations

Major ransomware groups utilizing the RaaS model include:

  • REvil (Sodinokibi) – emerged in 2019 as the successor to GandCrab, recruiting affiliates on Russian-language criminal forums; its affiliates carried out the Kaseya supply-chain attack of July 2021. Russian authorities arrested several members in January 2022.
  • Conti – appeared in 2020 as Wizard Spider’s successor to Ryuk, run as a structured affiliate program focused on large organizations; it collapsed in 2022 after internal chat logs were leaked following its public support for the Russian invasion of Ukraine.
  • DarkSide – surfaced in 2020 and carried out the Colonial Pipeline attack in May 2021, after which the resulting pressure led it to shut down; its operators are widely believed to have resurfaced as BlackMatter.

Increased scale

RaaS lowered the barrier to entry, allowing many more threat actors to distribute ransomware. Attacks could now scale to tens of thousands of targets by leveraging large affiliate networks. Ransomware became “commoditized” via RaaS.

Cybercrime gangs take over

In the 2020s, ransomware threat actors shifted predominantly to cybercrime syndicates and gangs motivated by financial gain. Some top players engaging in targeted big game hunting ransomware include:

Wizard Spider

Wizard Spider is a Russia-based group that operated the TrickBot botnet, the Ryuk ransomware and later Conti. Ryuk alone has been estimated to have brought in over $150 million in ransoms from corporations, hospitals and government agencies.

REvil (Sodinokibi)

The REvil gang ran ransomware-as-a-service for affiliates. In July 2021 one of them exploited a zero-day in Kaseya’s VSA remote-management product, which managed service providers use to administer their customers’ systems, and pushed REvil to an estimated 1,500 downstream businesses in a single operation.

Clop

The Clop group compromises internal networks and lingers for weeks to map systems and steal data before encrypting, then demands multi-million-dollar ransoms backed by the threat of publication. More recently it has skipped encryption altogether, mass-exploiting zero-days in file transfer products such as Accellion FTA, GoAnywhere MFT and MOVEit Transfer to steal data from hundreds of organizations at once and extort each of them.

Conclusions

Ransomware began as a single crude experiment in 1989, was given a sound theoretical footing by cryptovirology research in the 1990s, and became practical in the mid-2000s once authors adopted public-key cryptography and found payment channels that were hard to trace. By the 2010s the money on offer drew organized criminal groups that built it into a business, Bitcoin removed the last obstacle to getting paid, and RaaS let the business scale by outsourcing intrusions to affiliates. Today’s landscape is dominated by for-profit groups targeting large enterprises, with a handful of states operating in the same space for revenue or cover. Combating ransomware therefore means attacking the business model as much as the malware: the payment rails, the affiliate infrastructure and the safe havens the operators rely on.