Ransomware – a brief history and evolution of cryptovirology

October 9, 2022

Ransomware attacks are often in the headlines. Although reporting of these incidents has traditionally been confined to technology news, ransomware attacks are now increasingly making headlines in the mass media. With some of these attacks responsible for widespread, even catastrophic, impacts on businesses and livelihoods, and in rare cases endangering the lives of individuals, it is no wonder they make the news.

The term ransomware refers to a specific type of malware, one that is an application of cryptovirology: the use of cryptography to build malicious software. Ransomware seeks to extort the organisations or individuals it infects by denying them access to their data and/or threatening to publish private, confidential and sensitive information if the demand for payment, the ransom, is not met.

The history and evolution of ransomware

As ransomware has evolved over the years, so too has the sophistication of the attackers and threat groups behind it. Where denying users access to their information was once the full extent of the problem, the evolution in the use of encryption methods and the added threat of publishing stolen data are now further consequences to consider. The impact can range from computer devices and networks being made inaccessible to users, to devices being rendered unusable or destroyed, to data being held hostage with the threat of exposure hanging over the victim. In all of this, the reputation of the organisation that falls victim is on the line.

To understand how ransomware has evolved, it is useful to look at its history. Whilst ransomware has been a staple of every cyber risk forecast over the last few years, many organisations and individuals may be surprised to learn that the first known documented case of ransomware dates back to 1989.

Dr Joseph Popp, a Harvard-trained evolutionary biologist, wrote the malware and posted physical floppy disks to a mailing list drawn from the World Health Organisation's AIDS conference in Stockholm, Sweden. The disk was labelled "AIDS Information Introductory Diskette", and many recipients believed it contained medical research on the AIDS virus. In fact it contained the ransomware that became known as the "AIDS Trojan".

The ransomware was poorly coded and could be bypassed easily enough: it encrypted only the file names on the infected system, not the file contents, and it used a simple symmetric cipher, so recovery tools soon followed. The message it displayed had many of the hallmarks of current ransomware: a red screen invoking a sense of impending danger and a demand for payment ($189 in this case) to be sent to a postal address, a PO box in Panama.

After his arrest, Dr Joseph Popp claimed, Robin Hood style, that he had intended to donate the proceeds from the AIDS Trojan to AIDS research; he was later found unfit to stand trial. Popp died in 2007, but his legacy of extortion through malware, the first known ransomware, unfortunately lives on.

The five major types of ransomware attacks

In the decades since, ransomware has evolved significantly. Whilst its end objective remains much the same, there are now various types of ransomware and models of operation in use. Some are highly sophisticated; others remain opportunistic, seeking a quick profit by preying on the most vulnerable computer users and systems.

In general, ransomware can be broken down into five common types (strictly, the last is a business model for distributing the others rather than a type of malware). These are:

  1. Scareware
  2. Locker ransomware
  3. Crypto ransomware
  4. Leakware
  5. Ransomware-as-a-Service (RaaS)

Scareware

Scareware is built on bravado. Its sole purpose is to frighten victims by bluffing about what might happen to their data and/or device if payment is not made. It employs a wide range of visual theatrics: flashing imagery of impending doom, pop-up warnings claiming that attackers have obtained your information, or claims that your computer will slow down unless payment is made by a set date.

The threat is mostly only skin deep: scareware takes the approach of minimum technical effort for maximum pay out. An unsuspecting user may cave to the threat, and many home computer users have. Without expert knowledge and advice it can be difficult to distinguish a scareware incident from a real ransomware one; the first check is whether files are actually inaccessible or modified rather than merely claimed to be.

Locker ransomware

Locker ransomware is a step up technically from scareware. Whilst it tends not to destroy or exfiltrate data, it does restrict your access to it. Typically the user is presented with a screen demanding payment within a certain timeframe, and the demand can increase each time the clock counts down to zero. The data is more often than not still intact, but the user cannot get past the screen, and normal keystrokes or mouse clicks may be disabled until the ransom is paid. Because the underlying files are usually untouched, recovery without paying is often possible by booting the machine from clean rescue media, removing the malware or simply copying the data off.

Crypto ransomware

Crypto ransomware is where real technical prowess and sophistication are deployed. Victims may not see the 'all singing and dancing' flashing red screen of impending doom; they may well see all their files in their folders and still be able to use their devices, but the contents of those files are encrypted and inaccessible. The ransom demand might be left simply as a note, email or document on the computer with instructions. The threat from this form of attack is very real: modern strains typically encrypt each file with a random symmetric key and then encrypt that key with the attackers' public key, so without the attackers' private key (or a flaw in their implementation) the data cannot be recovered, and restoring from backups the malware could not reach is the practical remedy. More often than not the attackers stipulate that the ransom be paid in full within a day or so before the amount increases, and to pressure victims into paying they may threaten to, and even carry out, the deletion of data after a certain time.
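The file activity just described (existing files rewritten in place with near-random content and, usually, a changed extension, many of them within seconds) is what endpoint monitoring looks for. The following Python is an added example and not code from the original article: it applies that behavioural check to a list of file-write events. A real deployment would take the events from an EDR agent, auditd or Sysmon; here the events, process names, paths and thresholds are all constructed assumptions.

```python
"""Behavioural detector for the file activity crypto ransomware produces.

Added example, not from the original article. Heuristic: a process that, in a
short window, rewrites many files whose new content is near-random (high
Shannon entropy, as ciphertext is) and whose extension changed is flagged.
Thresholds, process names and paths are assumptions; the events are constructed.
"""
import math
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class WriteEvent:
    ts: float        # event time in seconds
    pid: int
    process: str
    old_path: str    # path before the write
    new_path: str    # path after the write (equal to old_path when not renamed)
    content: bytes   # sample of the bytes written


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 to 8.0). Ciphertext and compressed data sit near 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def file_extension(path: str) -> str:
    """Lower-cased final extension of the file name, or '' when it has none."""
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def is_suspicious_write(ev: WriteEvent, entropy_threshold: float = 7.0) -> bool:
    """A write looks like in-place encryption when the extension changed AND the
    new content is near-random. Either signal alone false-positives: zip-based
    formats such as .docx are high entropy, and renames are routine."""
    return (file_extension(ev.old_path) != file_extension(ev.new_path)
            and shannon_entropy(ev.content) >= entropy_threshold)


def detect_encryption_bursts(events: List[WriteEvent], window: float = 60.0,
                             min_files: int = 5,
                             entropy_threshold: float = 7.0) -> Dict[int, Tuple[str, int]]:
    """Flag processes with >= min_files suspicious writes inside any `window`
    seconds. Returns {pid: (process name, peak suspicious writes in a window)}."""
    times_by_pid: Dict[int, List[float]] = defaultdict(list)
    names: Dict[int, str] = {}
    for ev in events:
        if is_suspicious_write(ev, entropy_threshold):
            times_by_pid[ev.pid].append(ev.ts)
            names[ev.pid] = ev.process
    flagged: Dict[int, Tuple[str, int]] = {}
    for pid, times in times_by_pid.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= min_files:
            flagged[pid] = (names[pid], peak)
    return flagged


# Constructed sample telemetry (not real logs).
CIPHERTEXT_LIKE = bytes(range(256)) * 8                        # uniform bytes, entropy 8.0
PLAINTEXT_LIKE = b"Quarterly figures, see attached table. " * 40  # ordinary document text

SAMPLE_EVENTS = [
    # A user editing a document: low entropy, no extension change.
    WriteEvent(0.0, 4112, "winword.exe", "/share/finance/q3.docx", "/share/finance/q3.docx", PLAINTEXT_LIKE),
    # A backup job writing a compressed archive: high entropy but no rename, so not flagged.
    WriteEvent(5.0, 2201, "backup.exe", "/backups/finance.zip", "/backups/finance.zip", CIPHERTEXT_LIKE),
    # An unknown process renaming and overwriting six spreadsheets within six seconds.
    *[WriteEvent(10.0 + i, 6677, "svchost_update.exe",
                 f"/share/finance/file{i}.xlsx", f"/share/finance/file{i}.xlsx.locked", CIPHERTEXT_LIKE)
      for i in range(6)],
]

if __name__ == "__main__":
    for pid, (name, n) in detect_encryption_bursts(SAMPLE_EVENTS).items():
        print(f"ALERT pid={pid} process={name} suspicious_writes={n}")
```

The two signals are combined deliberately: modern Office files are zip containers and score high on entropy on their own, and mass renames happen in legitimate migrations, but a process doing both to many existing files in seconds is worth killing first and asking questions later. The thresholds above are starting points to tune against your own baseline.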

Leakware

Whilst the deletion of data can be more than an inconvenience, leakware (or doxware) takes this a step further. Its purpose is not just to monetise but to cause serious reputational harm to victims, whether individuals or organisations. Data destruction is less of a concern here: the attacker will publish your sensitive and confidential data unless their demands are met. Note that even if the demands are paid, there is no guarantee the data will not appear at a later date, since the attackers still hold a copy.

RaaS

Businesses have gained great advantage from Software-as-a-Service (SaaS) over the years by outsourcing complex tasks to experts. Ransomware operators, cybercriminal gangs and threat groups use the same business model. RaaS gives affiliates, who may have little technical expertise, access to a developed ransomware platform on a subscription or profit-share basis, and ensures that each party in the affiliate model receives a percentage of the income generated. In turn, the more ransoms that are paid, the more the model is fuelled: it funds technical development, pays the threat groups (initial access brokers) who sell access to targets and victims, and supports the non-technical criminals who run the operations.

All in all, ransomware, and the threat groups that operate and facilitate it, is still evolving. The attack models are becoming more complex, as reports by the likes of the FBI Internet Crime Complaint Center (IC3) show. IC3 reported ransomware complaints totalling losses of over $16.8m between January and July 2021, a 62% increase in reporting compared with the same period of the previous year. Of course, this is just one report from a US-centric agency, but the figures are increasing across geographies globally.

The strains of ransomware, and the threat groups using them for criminal gain, have created an ecosystem of operation that is innovative and has caught many off guard. Double, triple and multiple extortion demands are not uncommon: you may regain access to your network after an attack, but threats to publish data in chunks can carry on for some time. Likewise, ransomware may be one of several attacks once you have been targeted; denial-of-service attacks can follow, adding further pain to an incident. Finally, cyber criminals have turned their focus to supply chains, managed service providers and other data providers in multi-pronged attacks, where a single compromise gives access to many downstream victims.

Protecting yourself and your supply chain is not as simple as bolting a door to make sure threat actors cannot get in. It should be an organisation-wide effort that includes:

  • ensuring the right technical tools and monitoring services are deployed on your network
  • keeping up to date with the latest vulnerabilities and keeping software patched
  • maintaining offline, regularly tested backups so data can be restored without paying
  • having the right skillsets in house and with external security providers
  • auditing systems, processes and technologies
  • having a playbook and a team that can execute emergency processes should the worst-case scenario happen.

A holistic view of your entire network's security is required to keep yourself secure. No single solution, or even a combination, can ever be 100% guaranteed, but making yourself a difficult target will certainly help you avoid ransomware attacks and the reputational damage that might follow.
