But as 2017 went on the impact of ransomware dwindled. Detections of Locky, Cerber and other long-standing ransomware families massively declined.
Indeed, Kaspersky Lab's latest Kaspersky Security Network report claims that ransomware as a whole is "rapidly vanishing" with a 30 percent decline in ransomware attacks between April 2017 and March 2018 compared with the same period the previous year.
And a recent threat report by McAfee Labs also suggests a drop in the detection of ransomware attacks -- putting the decline at 32 percent. There appears to be a clear trend here -- that the number of ransomware attacks and the number of ransomware families is dropping off.
"A year ago we probably had four large groups dealing in ransomware, distributing themselves or running an affiliate model, but we've seen those large groups go away. There are a couple remaining, but it's not quite as dramatic during 2017," Keith Jarvis, senior security researcher at Secureworks told ZDNet.
A key factor behind the decline is the rise of cryptocurrency mining malware and low-level cyber criminals shifting their attention to 'cryptojacking' as a simpler, less risky means of illicitly making money.
These cryptojacking attacks involve attackers infecting a PC with malware which secretly uses the processing power to mine for cryptocurrency -- usually the relatively simple-to-mine Monero -- which is deposited into their own wallet.
The Atlanta attack came as a result of SamSam, a family of ransomware which has been in operation since 2015. Unlike the spray-and-pray tactic used by some of its commercialised counterparts, potentially vulnerable targets are specially sought out in order to ensure that the ransomware can be set to spread across the network once the hackers activate the attack.
It's proven successful with victims often paying tens of thousands of dollars to retrieve their files: in January a hospital paid out a $55,000 bitcoin ransom following a SamSam infection -- despite having backups available, because paying up was deemed the quickest way to get systems back online.
It's because it is so successful -- and because the whole operation requires a level of expertise to run -- that ransomware like SamSam remains a threat to businesses.
"There's a strong human element to deploy it, not just in the compromise and initial attack, but to deploy the ransomware," Jérôme Segura, security researcher at Malwarebytes told ZDNet.
"There's definitely more effort that goes into deploying this ransomware but it makes sense because it's not just a mass shotgun approach, it's a much more targeting approach looking for victims that have a lot more at stake when infected and will potentially pay a lot more money to unlock their files than average users."
Another successful ransomware variation is GandCrab, which first appeared in January, offers an affiliate model and has received updates ever since.
"GandCrab is using agile technology because they're using techniques which are like the software industry. They're patching their ransomware on an almost daily basis, they fix bugs as they go along -- it's a really nice approach," Yaniv Balmas, malware research team leader at Check Point, told ZDNet.
"It tells us that these guys are sophisticated, they know what they're doing, they put a lot of effort in. That's one of the reasons you can't say ransomware is gone: people are still working on it and putting a lot of effort into it," he said.
A third form of ransomware which is still causing plenty of problems is a new kid on the block -- DataKeeper, which emerged in February. Those behind it are serious enough that they monitor research blogs which mention it.
"They're applying a lot of technical best practice, they're an active adversary. We see the DataKeeper guys looking at security research blogs and releases of detection -- and soon as something is released, a very short time later they're changing and updating their stuff," James Lyne, global research advisor at Sophos, told ZDNet.
But despite the effectiveness of these campaigns, they're not on the same scale as previous ransomware attacks. Compared with the sheer mass of Locky emails which were sent out to organisations -- tens of millions could be sent in the space of hours -- these ransomware attacks might look relatively small in scale, so are easier to ignore.
"That's a side effect of the volumes like the Locky campaign. That was extremely high volume, tens of millions of emails going out and hundreds of thousands of infected machines -- it's in your face and prominent and affects a lot of different people," said Jarvis.
In SamSam's case, it may only target a few victims a day.
"You have much lower volumes of just a handful per day and when it strikes, the last thing these smaller businesses want to do is talk about it -- they want to avoid the publicity associated with the attacks. They're damaging attacks, but they're lower volume, so they fly under the radar," Jarvis said.
Ransomware may no longer be flavour of the month, but it still remains a significant threat. The short-term damage means business can't be done while files are encrypted, while the longer-term impact may result in loss of trust from customers and users who may not feel that the victim can be trusted to keep their data secure.
There's also the possibility that a victim who pays the ransom could easily become infected again as attackers realise they've got an easy target on their hands. For cybercriminals ransomware still offers a big payday, quickly, unlike malicious cryptocurrency mining which requires patience to realise a pay-off.
Behind much of the potency of ransomware is the EternalBlue SMB vulnerability which allowed WannaCry, NotPetya and other ransomware attacks to self-perpetuate around networks.
It's over a year since the NSA vulnerability was leaked by hackers but there are plenty of organisations which, despite the clear demonstrations of the damage attacks exploiting EternalBlue can do, still haven't patched their networks.
"If the opportunity presents itself, we could still see large-scale deployment of ransomware. We're still waiting to see if we're going to experience another WannaCry or NotPetya -- that could still happen," said Segura.
"We're still seeing all that infrastructure exposed, the EternalBlue SMB vulnerability, there are a lot of companies that are still exposed, so this is still possible."
All of this is why cyber criminals are still deploying ransomware -- because it continues to make them money.
"If you have a machine that's infected, what's the easiest and fastest way to make money from that? For a long time it was dropping ransomware on there and hoping that the percentage of victims who paid would help you make money," said Jarvis.
"It's a fundamental computer security problem that's not going to be solved, we're not going to suddenly solve it any time soon, so it's just going to continue."
It means organisations need to be prepared to face any cyber threat, even ones that are apparently out of fashion.
"I've been hearing a lot of noise of people talking about ransomware as a thing of the past and that it's now all about cryptocurrency mining. The main lesson we should learn is that this is not true: ransomware is still out there and still very much a threat," said Balmas.
"The situation can change any minute, any day -- it depends on so many factors and it's so fragile. We could wake up next week and ransomware could be a huge deal again, so lowering defences against it isn't a smart thing to do. We should treat it as big a threat as we did last year".