30 years of ransomware: How one bizarre attack laid the foundations for the malware taking over the world

In December 1989 the world was introduced to the first ever ransomware - and 30 years later ransomware attacks are now at crisis levels.
Written by Danny Palmer, Senior Writer

Ransomware has been one of the most prolific cyber threats facing the world throughout 2019, and it's unlikely to stop being a menace any time soon

Organisations from businesses and schools to entire city administrations have fallen victim to network-encrypting malware attacks that are now demanding hundreds of thousands of dollars in bitcoin or other cryptocurrency for the safe return of the files.

While law enforcement recommends that victims don't give into the demands of cyber criminals and pay the ransom, many opt to pay hundreds of thousands of dollars because they view it as the quickest and easiest means of restoring their network. That means some of the criminal groups operating ransomware campaigns in 2019 are making millions of dollars.

SEE: 10 tips for new cybersecurity pros (free PDF)

But what is now one of the major cyber scourges in the world today started with much more humble origins in December 1989 with a campaign by one man that would ultimately influence some of the biggest cyberattacks in the world thirty years later.

The first instance of what we now know as ransomware was called the AIDS Trojan because of who it was targeting – delegates who'd attended the World Health Organization AIDS conference in Stockholm in 1989.

Attendees were sent floppy discs containing malicious code that installed itself onto MS-DOS systems and counted the number of the times the machine was booted. When the machine was booted for the 90th time, the trojan hid all the directories and encrypted the names of all the files on the drive, making it unusable.

Victims saw instead a note claiming to be from 'PC Cyborg Corporation' which said their software lease had expired and that they needed to send $189 by post to an address in Panama in order to regain access to their system.

It was a ransom demand for payment in order for the victim to regain access to their computer: that made this the first ransomware.


The AIDS demand for payment - by post.

Image: Sophos

Fortunately, the encryption used by the trojan was weak, so security researchers were able to release a free decryption tool – and so started a battle that continues to this day, with cyber criminals developing ransomware and researchers attempting to reverse engineer it.

But after this, it wasn't for another 20 years that ransomware as we know it now first started to emerge; and those first attacks were still simple compared with ransomware today.

A common form of this kind of ransomware was the 'Police Locker' attack, which if downloaded – often from peer-to-peer downloads sites, or websites hosting pirate or adult material – would change the user's desktop to a note claiming to be from law enforcement, which stated the machine had been locked due to suspected unlawful activity.

SEE:  A winning strategy for cybersecurity (ZDNet special report) | Download the report as a PDF (TechRepublic)  

No encryption was actually used in these attacks and in many cases the locker could be removed by rebooting the computer – but for some, the fear-factor pushed them into paying up a few hundred dollars.

While Police Lockers reached their peak between about 2010 and 2012, they haven't disappeared – but they were superseded by what we recognise as 'real' ransomware.

"2012 to 2014 was kind of the Wild West of ransomware, it was a new idea and the general public wasn't aware of what it was and didn't understand what was going on. You had everything from the screen lockers to the ones with file encryption," says Michael Gillespie, ransomware researcher at Emsisoft.

It was at this point that ransomware turned towards encrypting files, so as to really turn the screw on victims, although it was rare for the ransom demands to be more than a few hundred dollars as the targets were still mostly home users – and because the ransoms were paid in standard currencies, it wasn't the most covert operation.

But the Bitcoin boom helped change everything and soon criminals distributing ransomware were demanding their ransoms should be paid in cryptocurrency because transactions are more difficult to trace than those made with regular currency, making those behind the attacks more difficult to uncover.

By 2016, ransomware-as-a-service had become common, with the creators of malware families like Cerber leasing out the ability to conduct attacks in return for a cut off the profits. It proved to be a successful business model and by the end of the year, ransomware variants ranked among the most common malware families.

Slowly but surely, the ransomware attacks were shifting their focus, with many of the professional criminal organisations turning away from attacking home users in favour of targeting businesses and public sector organisations, encrypting entire networks and making off with tens of thousands of dollars.

Despite this, ransomware still remained somewhat under the radar outside information security circles, but in May 2017, that changed forever with the arrival of WannaCry ransomware.

On that day, people at organisations around the world found themselves faced with a message demanding a ransom payment in exchange for the safe return of their files. WannaCry was spreading around the world with the help of EternalBlue, a leaked NSA hacking tool that had been made public months earlier.

The damage would have been much wider if security researchers hadn't found the killswitch for the attack, which was later blamed on North Korea. However, even if organisations did pay the ransom, there was no mechanism for retrieving the files – the attack seemed to be purely destructive in nature.

Just weeks later, something similar happened when NotPetya - an attack mostly likely launched by the Russian military intelligence - also hit targets around the world. It looked like ransomware, but acted like a destructive wiper.

SEE: Ransomware: 11 steps you should take to protect against disaster

But despite the high-profile nature of both these incidents, that wasn't the end of ransomware as organisations continued to leave their networks open to compromise by cyber attackers who'd soon find yet another new way to make ransomware even more powerful – and more lucrative – than before, as hackers realised they could spread the malware with more than just phishing attacks.

"WannaCry was the paradigm shift. Because then people realised they could combine lateral movement with a strong payload like ransomware," says Max Heinemeyer, director of threat hunting at Darktrace.

Since then, cyber criminals pushing ransomware have grown bolder and the attacks have gotten much bigger. Now, when entire networks are compromised by hackers, ransomware has become a means of monetizing the attack.

By combining attacks against internet-facing ports, the use of stolen credentials, lateral movement across the network and other techniques, attackers will snake their way through the network until they've compromised everything possible, before finally unleashing the ransomware and taking everything down – often including servers and backups.

This has led to ransomware becoming an extremely lucrative business, with attackers regularly demanding six-figure sums for the decryption key – and despite the numbers involved, 2019 has seen many organisations opt to pay the ransom.

In many cases, it's seen as the lesser of two evils – because restoring the network from scratch could take weeks and not only could it cost as much, the organisation will lose large amounts of business all the time the network is down. So victims pay up, demonstrating to attackers that ransomware works.

Because of this – and the way ransomware distributors rarely get brought to justice – ransomware has become more problematic than ever and the issue will continue into 2020. 

SEE: 2020 is when cybersecurity gets even weirder, so get ready

But by doing one simple thing, organisations of all sizes could counter the threat posed by ransomware attacks: making sure they have offline backups of their systems and make sure that those backups are regularly tested.

"It's Schrödinger's backup: the state of a backup isn't known until you have to restore from it: you need to know if it's going to save you if something happens," said Gillespie.

"Sometimes people don't want to pay for IT in general, they don't want to pay for a storage safety net they might never use – but there are options and in the grand scheme of things it's better for you," he added.

If organisations secure their networks against attacks and ensure there are backups available if the worst happens, they don't have to pay the ransom – and if people aren't paying ransoms, cyber criminals will stop seeing ransomware as lucrative.

Maybe if these lessons are learned now, ransomware won't be plaguing businesses over the next 30 years – but unfortunately, it's likely to get worse before it gets better.


Editorial standards