Ransomware history highlights: from AIDS Trojan to Locky

Ransomware attacks are not a fake threat – they are real and increasing day by day. The below insights on ransomware history can help you understand the evolution of its delivery and extortion strategies and be better prepared in case you become the victim of an attack.

Ransomware, locker or crypto-malware, has been around for a long time — decades in fact. Originally, ransomware was an annoyance and a con-trick, but today’s ransomware is considerably different and presents much more of a sophisticated threat to systems and users.

We believe that the ground zero for the ransomware history is the 1989 AIDS Trojan, also known as the PC Cyborg Trojan, developed by Dr. Joseph Popp, an evolutionary biologist. This first-generation ransomware was unsophisticated and easily defeated. It was delivered via diskettes, the original form of removable storage If you’re too young to know what a diskette was. The ransomware was used at the WHO AIDS conference in Montreal — 20,000 copies in total. Popp’s malware hid files in the victim’s computer and encrypted the file names before demanding (or extorting) $189 for a repair tool.

Nearly thirty years later, ransomware is a much more insidious threat. As a piece of malware, its capabilities and effectiveness have increased exponentially, as have the number of ways one can be infected. Cybercriminals have become skilled at launching their ransomware campaigns, using platforms such as Ransomware as a Service to generate millions of dollars from each attack.

2000-2005: Fake anti-virus and spyware removal tools

Fake anti-virus, fake spyware removal tools and PC performance enhancement tools designed to trick victims into paying for a fix, patch or solution to the advertised problem were the biggest worry. This simple form of extortion started to appear on our computer screens from around 2005 onwards, but didn’t lock or encrypt data like today’s malware. For the cybercriminals though, the misleading application market proved the concept and business model for today’s ransomware. Fake anti-virus was so successful at conning users into paying for a “fix” to their “problem,” that in 2008, one malware distribution affiliate reported earnings of $158,000 in a week.

2006-2011: First encryption Trojans

The Achievus Trojan was an early piece of ransomware malware that used the “asymmetric” RSA encryption to encrypt the files in the user’s My Documents folder, then it would demand victims purchase goods from an online pharmacy in order to receive a 30-character decryption key to gain access to their files. Also in this year, email became the distribution mechanism for ransomware. This is where we see the birth of the crypto-malware we see today.

Between 2006 and 2011, the GPcode encryption Trojan spread via an email attachment claiming to be a job application. Locking malware such as Winlock or Ransomlock, which simply locked your computer until a fee was paid, were also popular at this time.

2011 gave us the first large-scale ransomware attack in history, claiming to be a Windows Product Activation notice, which users were duped by on a large scale. This attack was aided in part by the ubiquity of new and anonymous payment services. Services which made it much easier for hackers and cybercriminals to collect payment from victims without being traced. Ransomware as a Service networks first appeared on the mass-cybercrime-market in 2012. The newly created and sophisticated Citadel toolkit allowed would-be-hackers and cybercriminals the ability to build, deploy and manage a botnet and associated ransomware campaign for under $50.

2013-2014: CryptoLocker

2013 was a ground-breaking year for cybercriminals and hackers, as they released many new and much more sophisticated types of ransomware. CryptoLocker was the poster child at this time, and we saw the first utilization of the e-currency-as-payment method with Bitcoin. CryptoLocker was easily spread by drive-by downloads from malicious or compromised websites and by malicious email attachments. In email, a new tactic emerged too: socially engineered content, designed to look like customer complaint letters, invoices or account alerts encouraging the recipient to open an attachment. In this same year, other devices and operating systems started to be affected too. Smartphones running Android were targeted, as were Mac computers running the OSX operating system.

In 2014, ransomware such as CryptoDefence, CryptoWall, Koler (AndroidOS) and others which were all based on CryptoLocker, started to infect more victims. However, in a win for the good guys, an international team of law enforcement and security experts managed to sinkhole the botnet which controlled most of the world’s ransomware traffic. The Gameover ZeuS, or GoZ, botnet was comprised of more than a million infected endpoints which contributed significantly to the global volume of ransomware traffic. Once offline, there was a brief decline in traffic, but that was short-lived.

2015: CryptoWall

CryptoWall quickly took over now that the sink-holed CryptoLocker was offline. CryptoWall quickly became the most successful and lucrative piece of ransomware yet. Famously, when CryptoWall 2.0 was killed off, it took the developers of the malware just 48 hours to build CryptoWall 3.0 from a completely new code base. Impressive, even with its nefarious intentions, you have to admit. 2015 also gave us CryptoWall 4.0, TorrentLocker, TeslaCrypt, Lowlevel04, LockerPin and many more. In a response to this “new” threat, an FBI Special Agent famously said; “The ransomware is that good. To be honest, we often advise people just to pay the ransom.” The FBI have since issued more appropriate advice.

2016: Ransom32 and Ransomware as a Service

Ransom32 was a new and exciting ransomware we had to deal with as it used JavaScript, unlike any other codebase we had seen before. Delivered by a Ransomware as a Service network, Ransom32 had the ability to support not only JavaScript, but also HTML and CSS.

2016 also saw the return of Office-document macros as a delivery mechanism for malware. Not seen for perhaps the last fifteen years, all of a sudden Microsoft Office file types such as Word and Excel were being used to circumvent traditional security products and services. Locky is the best example of this and was spread by the Dridex network using phishing campaigns that sent a malicious Word document to its victim. Once the attachment was opened and the macro enabled, ransomware was downloaded by the macro to the victim’s computer.

The Petya ransomware of 2016 was the first ransomware to encrypt the entire hard drive, preventing the system from booting by overwriting the MBR (Master Boot Record) for added effect.

2017: Petya, WannaCry and other guys

Jaff, Cerber, Sage, Mamba, Petya, NotPetya and arguably the most successful — WannaCry. 2017 has been a bumper year so far. WannaCry was the ransomware you see on the news because it took down large parts of the critical infrastructure of telecoms companies and the UK National Health Service. 2017 was a watershed year for ransomware authoring too. Both Petya and WannaCry were written to exploit previously unknown vulnerabilities and exploits that were leaked from US government organizations by the Shadow Brokers hacking group. The exploit, called EternalBlue, leveraged a weakness in the Microsoft SMB protocol (CVE-2017-0144) to allow attackers to execute arbitrary code on the victim’s computer.

Even Locky made a comeback in 2017 with a campaign that pumped out 23 million emails in just 24 hours.


2017 is proving to be the most successful year in the ransomware history so far, and given the amount of money that can be earned by these ransomware authoring cybercriminals, it’s hard to see an end to this problem anytime soon. Ransomware will continue to be a major problem well into the future, requiring organizations of all sizes to take reliable protection and prevention measures. Keep your data safe and stay tuned!

Read also how Veeam helps you recover from ransomware:

Article language
Similar Blog Posts
Business | May 14, 2024
Business | May 13, 2024
Technical | March 11, 2024
Stay up to date on the latest tips and news
By subscribing, you are agreeing to have your personal information managed in accordance with the terms of Veeam’s Privacy Policy
You're all set!
Watch your inbox for our weekly blog updates.
Veeam Data Platform
Free trial
Veeam Data Platform
We Keep Your Business Running