When Did Ransomware Start

Ransomware infections have been a major threat to large enterprises, organizations, SMBs, and even individuals since the mid-2000s. The FBI’s IC3 (Internet Crime Complaint Center) received a whopping 1,783 ransomware complaints in 2017. These caused losses of around 2.3 million US dollars in total.

The sad part is that these complaints only account for those reported to the FBI IC3 department. The estimated number of ransomware attacks and the loss they cause is much higher globally.

The first half of 2022 faced nearly 236.1 million attacks. Ransomware was originally devised to target individuals, but most recent targeted attacks are geared toward larger organizations and companies to make ransom payments. However, this does not mean that individuals are not attacked or are entirely safe.

In this guide, we shall look closely at the history of ransomware attacks since they first began in 1989. We shall also go over the most damaging variants and attacks and the current status of ransomware infections. But first, let us look at what ransomware is, how it works and what its vectors are. Let’s get going!

What Is Ransomware?

Ransomware is malware or malicious software with a code that helps a threat actor access system files or networks. A data file or encrypted files are then used to hold entire devices or systems hostage. A decryption key acting as a ransom note is provided upon ransom or demand payment so the victim can regain access to confidential files/systems.

Ransomware has been around for a long time, but new variants with advanced technology are quickly becoming a pain. Ransomware authors have created true ransomware variants that are used for encrypting files, and program files, evading detection, spreading, and holding data hostage, and can also perform data theft and steal login credentials via brute force attacks.

New ransomware also spreads faster and is difficult to decrypt. Certain ransomware variants refuse to decrypt files even upon ransom payment. This causes even greater loss and financial burden and calls for more sophisticated safety measures.

How Does A Ransomware Attack Work?

Ransomware code extorts user data and sensitive business information for criminal benefits. For an attack to be successful, ransomware actors need to gain access to files, networks, and systems so they can hold data hostage.

Access is gained through attack vectors/infections. Both viruses and malware share many similarities and therefore use weak points and vectors to gain entry. The final step is RSA encryption, to encrypt files using a private key and demand a ransom for decryption.

What Are Ransomware Vectors?

Let us now look at common ransomware vectors that are used to channel attacks/infections:

Spear Phishing Emails

Ransomware gangs often use spear phishing emails to distribute ransomware. Emails with links or attachments are made to seem important so that the recipient downloads the malware onto their system.

Examples include fake invoices, tracking information, or other deceptive messages.


Online pop-ups that appear as you are using sites on the Internet are often used as disguises. These are made to resemble new or current software, making prompts look more genuine. Users that click these accidentally download ransomware onto their devices.

Deceptive Messages

Some threat actors also make use of deceptive messages. They message their targets on social media using Facebook Messenger or the like. They pretend to be friends with the victim to get them to open up attachments that lead to network access and a full-fledged attack.

When Was The First Ransomware Attack?

Even though ransomware became a serious threat around 2005, it has been around for quite a few years. The first ransomware infection in history, as Becker’s Hospital Review reported, occurred in 1989 and attacked the healthcare industry. The AIDS Trojan launched this.

Even nearly 28 years later, the healthcare industry is still the most prone to ransomware attacks. The first attack in 1989 was launched by a Ph.D. holder and AIDS researcher: Joseph Popp. He distributed around 20k infected floppy disks to AIDS researchers in over 90 countries.

He claimed that the disks contained software that worked like a quiz to determine how at risk an individual was at acquiring AIDS. The disks contained malicious code that only activated after a computer was powered on 90 times.

Once the 90-start threshold was reached, the malware initially prompted messages demanding $189 and then $378 for software lease. This ransomware attack came to be known as the PC Cyborg or the AIDS Trojan.

History Of Ransomware Evolution

The first ransomware threat was alarming, but it had flaws and loopholes. However, it set a platform for ransomware history and evolution and paved the way for more cunning attack strategies used today.

Older cyber criminals often typed up malicious code themselves. Modern threat actors, however, make use of off-the-shelf libraries. This means they use harder-to-rack strategies, such as new spear-phishing campaigns. These emails go undetected by email spam filters and can cause massive damage.

Advanced threat actors also monetize ransomware by selling RaaS (Ransomware-as-a-Service) programs to non-technical people. Those with zero coding knowledge can also purchase and launch the biggest ransomware attacks.

RaaS has led to many new attacks, such as those caused by Locky, CryptoLocker, TeslaCrypt, and CryptoWall. CryptoWall alone was able to cause a loss of nearly 320 million US dollars.

Not many attacks occurred after the first one in 1989 up until the mid-2000s. The era after this began using encryption algorithms such as RSA, which were more sophisticated and difficult to crack. Ransomware popular during this era included Cryzip, Gpcode, Krotten, and TROJ.RANSOM.A, Archiveus Trojan, and MayArchive.

A ransomware worm that mimicked the Windows Product Activation notice appeared in 2011. This was when it became increasingly difficult to differentiate between real and fake notifications.

Around 2015, several variants were causing chaos around the globe. The most famous ransomware threats from April 2014 to March 2015 included Cryakl, Scatter, TorrentLocker, Mor, CryptoWall, CTB-Locker, Lortok, Aura, Shade, and Fury.

Around 101,568 victims were targeted globally, and nearly 77.48% of all users accounted for during the crypto-ransomware timeframe. By 2016, this rose to 79.21%, all thanks to Cryakl, CTB-Locker, TeslaCrypt, and Scatter, also from 2017, the WannaCry ransomware attack.

Top Variants And Massive Ransomware Attacks

The advancements in attack strategies and ransomware campaigns are why infections have become so common over the last few years. Even ransom demands are getting higher. Each ransomware group demands around $300 on average in the mid-2000s, which has increased to $500 in recent years.

Most cyber-criminals assign a deadline for a ransom demand, after which the demand is usually doubled, or files are locked/destroyed permanently.

CryptoLocker ransomware was one variant that made the most profits. It attacked nearly 250k systems between September and December of 2013. Gameover ZeuS botnet or CryptoLocker made over 3 million US dollars for its creators before being taken offline in an international operation in 2014.

The encryption model of the bot was analyzed carefully, which helped create an online tool that is now widely available to decrypt files held hostage by Locker ransomware. Sadly, the end of CryptoLocker did not stop new ransomware strains from emerging.

Gameover ZeuS and a clone called TorrentLocker reemerged again in 2014. These sent out malicious spam messages that targeted healthcare, banking, government departments, and large enterprises.

CryptoWall was the top variant used in attacks from 2014 to 2016. Other variants, varieties, and types also attacked thousands of individuals and companies. Around the middle of 2015, CryptoWall had already accumulated 18 million US dollars. This caused the FBI to broadcast an advisory threat for safety.

TeslaCrypt/AlphaCrypt also emerged in 2015, attacked 163 victims and made 76,522 US dollars. Ransom was demanded in the form of Bitcoin, My Cash cards, or PayPal. The ransom averaged around 150 to 1000 US dollars.

Armada Collective is another ransomware infection that wreaked havoc by attacking a chain of Greek banks. Three major Greek financial organization files were encrypted, and a ransom of 7 million Euros was demanded from each. This amounted to 20,000 Bitcoins at the time. However, the banks did not pay the ransom, upgraded security, and continued servicing like normal despite multiple Armada attempts.

Other attacks have been reported to demand 50k US dollars in a single ransomware attack during that time. However, a ransomware attack on the HPMC (Hollywood Presbyterian Medical Center), a Los Angeles hospital system, demanded 3.4 million US dollars. This attack prevented the hospital from gaining access to the network and, subsequently, patient data for nearly 10 days.

Eventually, the hospital paid only 17,000 US dollars to gain access to critical information and essential communication services. The HPMC updated that initial demand reports were inaccurate and that 40 Bitcoins had helped solve the issue.

Around a week later, the Los Angeles County Department of Health Services faced a data block. The organization isolated infected users/devices and avoided paying the ransom.

March 2016 Onwards

In March 2016, the Ottawa Hospital faced an attack that compromised 9,800 systems. The hospital quickly wiped the drives, restored backed-up data, and avoided paying the ransom.

Chino Valley Medical Center, Kentucky Methodist Hospital, and Desert Valley Hospital in California were also attacked in the same month. The director of Kentucky Methodist Hospital information systems, Jamie Reid, named the ransomware Locky. This new variant encrypted images, documents, and files and renamed them with an extension: .locky. BBC reported that none paid the ransom, and data was restored on March 24 after the attack on the 18th of that same month. This March 2016 attack did cause problems for other hospitals as shared computer systems went offline.

The Petya ransomware strain also emerged in March 2016. Petya encrypted a PC’s master file table. The master boot record was replaced with a ransom demand note causing the system to be useless until the ransom was paid. By May, this same variant had evolved to include a failsafe. A direct file encryption feature was added. Petya was amongst the first variants to be sold as RaaS as well.

The most popular ransomware families in May 2016 included Cryptowall: 3.4%, Teslacrypt: 58.4%, and CTB-Locker: 23.5%. These used malicious links/attachments in spam emails to open infected web pages.

By the middle of 2016, Locky became one of the most widely used variants and outpaced CryptoWall.

On November 25, 2016 (Black Friday), the San Francisco Municipal Transportation Agency was attacked, disrupting bus management and train ticketing. A ransom of 100 Bitcoin, or nearly 73k US dollars, was demanded. The SFMTA reacted quickly and used their backup to restore the systems within just 2 days. Even though the agency did not pay the ransom, they still had to bear the fare costs of passengers that traveled within those 2 days. It is believed that the ransomware used in the attack was HDDCryptor or Mamba.

A ransomware attack on Apple OS X also happened the same year. KeRanger mostly affected Apple users that were using the Transmission application. It managed to hack 6,500 systems in one and a half days. However, the ransomware was quickly removed as soon as it was detected.

Early 2017 reports estimated that threat actors had caused a loss of nearly 1 billion US dollars in total. NotPetya emerged on June 17, 2017. It was launched in Ukraine initially and quickly spread globally via EternalBlue, a Windows vulnerability. It caused a loss of 10 billion US dollars.

LeakerLocker was mobile ransomware that also emerged in 2017. It did not encrypt files but was embedded into malicious apps on the Play Store. This variant showed phone users sample data which it threatened to leak to the entire contact list if the ransom was not paid.

WannaCry was another variant that spread using the EternalBlue Exploit in May 2017. It affected 230k systems and caused 4 billion dollars in damage in nearly 150 countries. Microsoft released a patch for this exploit two months back, and Windows operating systems users that had not updated their systems were affected. Marcus Hutchins discovered a kill switch that ultimately stopped the WannaCry outbreak. Most people blame North Korea, but Marcus was also arrested.

2018 To The Present

GandCrab emerged in January 2018 and was ultimately merged with Vidar. Vidar is a data theft malware that encrypts a victim’s computer system files and steals data. It quickly became a popular RaaS between 2018 and 2019.

Team Snatch partnered with GandCrab to threaten targets to publish their data if the ransom is not paid. Team Snatch began threatening to publish data in April 2019, starting first with Citycomp. Truniger, the owner, posted on Exploit that he would make all the data public if the ransom were not paid.

GandCrab ransomware developers retired on June 1, 2019, and the law enforcement agencies released decryption keys in July of the same year. GandCrab paved the way for Maze ransomware.

Maze ransomware emerged in November 2019 and published 700 MB worth of data snatched from Allied Universal. The publication of sensitive data pressurizes victims into paying the ransom as they can face greater financial loss through leakage of sensitive data, trade secrets, and PII (customer personally identifiable information).

Failure to back up data and security systems also puts further pressure. However, data leaks mean that even backups are no longer useful. Using this strategy, the NetWalker group made over 25 million US dollars in 2020.

Maze ransomware started publishing target data, leading to other ransomware operators/ransomware families doing the same. Increased visibility and cooperation formed a Maze cartel that shares resources, TTP, procedures, tactics, and techniques to carry out ransomware operations.

Sodinokibi is another one that emerged during this time and is run by the REvil collective. The damage it caused was at par with Maze.

At Present 

  • The Ransomware family, ransomware operators/threat actors, continue to cause damage. According to the FBI’s Internet Crime Report, the loss was estimated to be around 42.9 million US dollars in 2021.
  • Ransomware has continually been on the rise for nearly 30 years. It became popular due to encrypted files technology, malware integration, and payment acquisition through Bitcoin and other forms of payment.
  • Ransomware has not completely replaced other malware but has become one of the top choices for malicious actors. RaaS programs have made it easier for non-technical individuals and ransomware groups to regain access and use ransomware.
  • File encrypting ransomware demands have increased due to an advanced RSA encryption key and other tools that aid access to corporate networks. This means attacks are now more profitable and can be used to demand huge ransoms in exchange for a decryption key.

Final Thoughts

To avoid a destructive ransomware threat, it is very important to take strict security measures and back up data regularly. Never keep the backup data within the enterprise network, as backups can be lost if an entire network is compromised.

Use anti-ransomware, educate employees and avoid downloading malicious content or clicking on attachments/links that are not from a good source.

Endpoint Detection and Response (EDR) tools can also come in handy to protect endpoints and easily identify network threats. Blocking a threat is your best bet, as ransomware attacks may be difficult to reverse, even by security researchers.

Derik Belair

As President and CEO, Derik leads the vision, strategy and growth of Augmentt. Prior to founding Augmentt, Derik was the Vice President at SolarWinds, leading the digital marketing strategy for SolarWinds’ Cloud division. Derik has been working in the channel for over 20 years, starting his career as a channel sales rep at Corel Corp. and eventually becoming the first employee at N-able Technologies in April of 2000.
SUBSCRIBE for more resources
Related Content

Agent-based SaaS Discovery

    When it comes to Augmentt Discover, we believe in flexibility and power. Augmentt Discover can collect SaaS usage data using both an Agent and Agentless model. Here is a quick [...]

    Product Evaluation Guide

      Thank you for starting your Augmentt Product Evaluation and Trial   Here are a few resources that will help you through this technical process. Support Technical Support is available to [...]
      Augmentt is a centralized SaaS security platform built for MSPs to deliver scalable managed security services for Microsoft and cloud apps. Our multi-tenant platform gives you visibility across all your end-users to easily audit, protect and detect security threats for a holistic approach to cyber security.