Organisations from businesses and schools to entire city administrations have fallen victim to network-encrypting malware attacks that are now demanding hundreds of thousands of dollars in bitcoin or other cryptocurrency for the safe return of the files.
But what is now one of the major cyber scourges in the world today started with much more humble origins in December 1989 with a campaign by one man that would ultimately influence some of the biggest cyberattacks in the world thirty years later.
The first instance of what we now know as ransomware was called the AIDS Trojan because of who it was targeting – delegates who'd attended the World Health Organization AIDS conference in Stockholm in 1989.
Attendees were sent floppy disks containing malicious code that installed itself onto MS-DOS systems and counted the number of times the machine was booted. On the 90th boot, the trojan hid all the directories and encrypted the names of all the files on the drive, making it unusable.
Victims saw instead a note claiming to be from 'PC Cyborg Corporation' which said their software lease had expired and that they needed to send $189 by post to an address in Panama in order to regain access to their system.
It was a demand for payment in exchange for restoring the victim's access to their computer, and that is what makes it the first ransomware.
Fortunately, the encryption used by the trojan was weak, so security researchers were able to release a free decryption tool – and so started a battle that continues to this day, with cyber criminals developing ransomware and researchers attempting to reverse engineer it.
After this, it was another 20 years before ransomware as we know it now began to emerge, and even those first attacks were simple compared with ransomware today.
A common form of this kind of ransomware was the 'Police Locker' attack. Once downloaded – often from peer-to-peer download sites, or from websites hosting pirated or adult material – it would replace the user's desktop with a note claiming to be from law enforcement, stating that the machine had been locked due to suspected unlawful activity.
No encryption was actually used in these attacks and in many cases the locker could be removed by rebooting the computer – but for some, the fear-factor pushed them into paying up a few hundred dollars.
While Police Lockers reached their peak between about 2010 and 2012, they haven't disappeared – but they were superseded by what we recognise as 'real' ransomware.
"2012 to 2014 was kind of the Wild West of ransomware; it was a new idea and the general public wasn't aware of what it was and didn't understand what was going on. You had everything from the screen lockers to the ones with file encryption," says Michael Gillespie, ransomware researcher at Emsisoft.
It was at this point that ransomware turned towards encrypting files, so as to really turn the screw on victims. Even so, it was rare for the ransom demands to exceed a few hundred dollars, as the targets were still mostly home users – and because the ransoms were paid in standard currencies, it wasn't the most covert operation.
But the Bitcoin boom helped change everything and soon criminals distributing ransomware were demanding their ransoms should be paid in cryptocurrency because transactions are more difficult to trace than those made with regular currency, making those behind the attacks more difficult to uncover.
Despite this, ransomware still remained somewhat under the radar outside information security circles, but in May 2017, that changed forever with the arrival of WannaCry ransomware.
People at organisations around the world suddenly found themselves faced with a message demanding a ransom payment in exchange for the safe return of their files. WannaCry was spreading around the world with the help of EternalBlue, a leaked NSA hacking tool that had been made public months earlier.
The damage would have been much wider if security researchers hadn't found the killswitch for the attack, which was later blamed on North Korea. However, even if organisations did pay the ransom, there was no mechanism for retrieving the files – the attack seemed to be purely destructive in nature.
But despite the high-profile nature of both these incidents, that wasn't the end of ransomware. Organisations continued to leave their networks open to compromise, and attackers soon found yet another way to make ransomware even more powerful – and more lucrative – than before, once they realised they could spread the malware by means other than phishing attacks.
"WannaCry was the paradigm shift. Because then people realised they could combine lateral movement with a strong payload like ransomware," says Max Heinemeyer, director of threat hunting at Darktrace.
In many cases, paying is seen as the lesser of two evils: restoring the network from scratch could take weeks, it could cost as much as the ransom, and the organisation will lose large amounts of business for as long as the network is down. So victims pay up, demonstrating to attackers that ransomware works.
But by doing one simple thing, organisations of all sizes could counter the threat posed by ransomware attacks: making sure they have offline backups of their systems, and that those backups are regularly tested.
"It's Schrödinger's backup: the state of a backup isn't known until you have to restore from it. You need to know if it's going to save you if something happens," said Gillespie.
"Sometimes people don't want to pay for IT in general, they don't want to pay for a storage safety net they might never use – but there are options and in the grand scheme of things it's better for you," he added.
If organisations secure their networks against attacks and ensure there are backups available if the worst happens, they don't have to pay the ransom – and if people aren't paying ransoms, cyber criminals will stop seeing ransomware as lucrative.