The History and Evolution of Ransomware

Ransomware has become an efficient tool for illegal money extortion and achieving political goals worldwide. This article recounts the history of ransomware from the first unsuccessful attempt to the modern-day cyber incidents.

Most of the sources found online focus on the history of particular incidents, the sum of ransom, and the number of victims. We decided to apply a different approach and trace the development of various components of the ransomware attack in the preceding years. 

This article explains how the joint efforts of a disturbed evolutionary scientist, several exceptionally talented cryptologists, known and unknown hackers, and dot.com entrepreneurs shaped the technology and created perfect conditions for ransomware pandemics.

1989 AIDS Trojan – the first ransomware

In 1989, 20,000 people received a letter in their mailbox from PC Cyborg Corp. Inside they found a floppy disk and information leaflet. Little did they know that PC Cyborg Corp. was a fake organization and the letter they received was created by an evolutionary biologist Dr. Joseph L. Popp.

Popp who was researching AIDS at the time was allegedly denied a position in the World Health Organization. That was the possible reason why he decided to target predominantly the subscribers to the WHO Conference.

The leaflet explained that the diskette contained an interactive program to learn about AIDS, a new disease at the time. It also contained system requirements and detailed instructions on how to run the program.

The diskette contained two files, one of them carrying the virus. Upon insertion of the diskette, the virus would hijack the autoexec.bat, the file that starts the Windows on a computer. 

Upon several dozens of executions, the virus encrypted all the file extensions in the system making it impossible to use them. After this, a ransom note would appear demanding to pay a yearly or lifetime ransom ($189 and $378 respectively)  for the decryption.

AIDS Trojan ransomware attack features

AIDS trojan had the following features of a ransomware attack:

1. Delivery via mail;
2. Social engineering playing on popular fears;
3. Encryption that made using the data impossible;
4. Ransom note;
5. The account is beyond the reach of authorities (in a Panama bank);
6. The criminal remained anonymous and disguised as a fake entity.

Many of these features can be seen in modern ransomware attacks with slight changes. First, most ransomware attacks are delivered via email instead of post. Second, most criminals demand ransom in digital currency rather than using the accounts in banks.

AIDS Trojan weaknesses

There were three weaknesses in Popp’s ransomware attack that were fixed later on by the development of technology. First, AIDS used symmetrical encryption, i.e., the encryption and decryption are performed with one key, which could be extorted from the virus itself.

Second, the price of the attack was very high. The retail price of a floppy disk was about $5 dollars in the mid-1980s, which means that Popp spent about $100,000 on purchasing 20K diskettes (appr. $259,295 in 2024), plus he had to pay for all the international post deliveries (appr. $15,200 in 1989 or 37,601 in 2024). The investigators suspected that he could have an accomplice. However, these suspicions were never proven.

Third, the investigators managed to link the crime to Popp pretty quickly, and he was arrested within a year.

The aftermath

The outcome of the AIDS Trojan was devastating. Most victims were medical researchers. They used the diskette on their work computers where their research data was stored. Instead of paying ransom or looking for a tech specialist to fight the virus, they simply wiped their computers. The loss of data was immense, and the negative impact of this event on humanity can’t be overestimated.

Popp who was allegedly planning to fund the AIDS research never profited from his crime. As mentioned before, most victims didn’t pay the ransom. He was found unfit to stand trial and went on to live an uneventful life. The butterfly sanctuary he founded, recently experienced serious issues and couldn’t open 

Refining Ransomware 1990-2000

As mentioned earlier, the first ransomware attack was too expensive and too risky. And the encryption could be cracked. In the 1990s, cybersecurity experts theorized how to improve the attack, making it more efficient. 

Here are the main steps of ransomware refinement:

Improving the Encryption

1996 – Young and Yong came up with the idea of a virus with asymmetric cryptography that uses two keys. The public key is embedded within the virus and used for encryption. The private key is owned by the virus creator and is used for decryption.

Both Young and Yong presented their findings at the 1996 IEEE Symposium on Security and Privacy and later published them in the Proceedings of the Symposium. 

Yong and Young’s goal was purely theoretical. They wanted to know if the weaknesses of the AIDS virus can be overcome. Both were renowned scientists in their field. Their paper was a warning to cybersecurity experts about the possibility of a virus that is impossible to crack. 

What Youung and Yong didn’t think about is the possibility of hackers using their theoretical knowledge to apply it in practice. To this day, we cannot be sure if their paper advanced the evolution of ransomware or not. The AIDS failure was quickly forgotten, outshined by the rapid technological progress of the 1990s. Maybe, if the scientists hadn’t been so passionate about the betterment of the AIDS Trojan virus, we would have lived in a ransomware-free world.

Fixing the delivery method

After the Symposium, there was a short period when everyone seemingly forgot about ransomware. One of the possible reasons is the lack of a solution to the delivery issue.

The solution came in 2000 when a 24-year-old Onel de Guzman decided to create a virus that stole credentials for Internet access. The young man didn’t have enough money to pay for the access and decided to take it from others.

What’s prominent about this attack for us, is that Guzman used phishing emails to deliver a virus. The email skillfully played on the modern fascination with romantic love. The subject line “ILOVEYOU” and a downloadable attached file “LOVE-LETTER-FOR-YOU.TXT.vbs.” promised happiness and thrill that are hard to say no to.

The letter spread like fire from the Philippines westward, setting foot on US soil in just 5 hours. The outreach totaled 45M users. On its way across the world, ILOVEYOU hit the British Parliament, Pentagon, and Ford Motor among others. The global damages were estimated at $8.7B and the cost of virus removal – another $15B.

The “love” virus wasn’t the first to spread via email. The first email-transmitted malware variants were sent in the late 1990s, for example, the Melissa virus. However, none of them reached the “success” rate of ILOVEYOU. We think the masterful social engineering greatly contributed to the latter’s spread.

Securing the payment

1992 – David Naccache and Sebstian von Solms offer to use anonymous cash systems for ransom collection.

1996 – the cryptologists Adam Young and Moti Yong predicted the use of cryptocurrency for extortion. 

As mentioned above, Popp had to rely on the Panama bank to extort money from his victims. It made him vulnerable to exposure.

Luckily for modern hackers, another prominent cryptographer David Chaum came up with the idea of digital cash in 1983. Furthermore, he created a technology that enabled complete anonymity of people who carried out the transactions. 

Chaum founded the first ecash company DigiCash in the same year Popp sent out his diskettes. His business didn’t gain popularity among Internet users for several reasons, including the underdevelopment of e-commerce, the lack of trust in e-products, and the number of Internet users worldwide.

Chaum’s company went bankrupt in 1998, two years after the first successful digital money company e-gold was founded.

Despite the emergence of multiple e-currency companies worldwide, digital money hadn’t been popular until the introduction of bitcoin cryptocurrency in 2008. Since then crypto-wallets have become a safe haven for all sorts of criminals to conduct monetary operations avoiding scrutiny from the authorities. Ransomware gangs have been using Bitcoin for money extortion since 2008. 

The 2000-2010s: The Beginning of the Ransomware Era

After the notorious findings of Yong and Young, the history of ransomware becomes obscure. We can only know part of it – the successful attacks, the epic ransom payments, the new ransomware strains, and twisted extortion methods. People who have been the main drivers of ransomware development after Popp, Yong, and Young, remain mostly unknown. We can only speculate that their motives are profit or attaining political goals.

Testing grounds

In the mid-2000s the first ransomware viruses began circulating in the wild. It is believed that the key factor in their spread was global digitalization. The number of Internet users has been growing exponentially from 39.14M in 1995 to 414M in 2000 to 1B in 2005 to 2B in 2010.

The ransomware strains of the time were still “crackable” as many used custom decryption keys. The ransoms were tiny, e.g., $20 for a GPCode decryptor. The hackers also preferred quantity over quality approach.

The attacks of the time looked more like a side gig and experimentation, nothing like the complex attacks of today.

The first commercial success

Things began to change in the late 2000s when hackers decided to apply RSA encryption to their viruses. RSA is an asymmetrical (or public-key) encryption developed by three cryptographers Ron Rivest, Adi Shamir, and Leonard Adleman in 1977.

For example, the 2006 virus Archiveus had RSA, and GPCode was reinforced with RSA-1024 in 2010. The new encryption system was practically uncrackable and hackers quickly understood the power of new ransomware strains.

As Young and Yong had predicted, ransomware became a powerful weapon in the hands of criminals.

By the early 2010s, humanity had seemingly created and refined most of the elements of a successful ransomware attack: money extortion via data kidnapping, phishing email delivery methodology, asymmetric encryption, and the anonymity of cryptocurrencies.

The first significant strike took place in 2013-2014. The new strain of ransomware CryptoLocker quickly spread via email and the established botnet. It used the strongest encryption so far: RSA-2048. The hackers demanded a ransom of $400 and provided two payment methods: prepaid cash vouchers or bitcoin. It is estimated that they collected at least $27M.

Get a list of Ransomware attacks

Modern Ransomware Trends

While the ransomware pandemic was rampaging across the globe, cybersecurity experts introduced new tools to fight ransomware. Backups and proactive ransomware protection tools have proven most efficient. This forced hackers to come up with new methodologies. 

• Ransomware in the cloud
• Ransomware-as-a-service
• Doube extortion
• Triple extortion
• Zero-day attacks

Wrapping up, ransomware is a real-life threat to your business-critical on-prem and cloud data. Its technologies and extortion methods were created and developed by some of the best minds in the world. Proactive protection against ransomware is the only way to secure your digital assets and avoid the havoc caused by this type of malware. 

Get Ransomware Protection

FAQ