History of Ransomware

Following the evolution of ransomware, from a petty crime to a major economic windfall for global criminal enterprises, underscores why businesses should be deeply concerned about the threat. While its explosive growth over the past few years may make it seem otherwise, ransomware didn’t come out of nowhere.

timeline of the evolution of ransomware from 2005 to 2019First Sightings

Ransomware first cropped up around 2005 as just one subcategory of the overall class of scareware that includes fake AV and phony computer-cleaning utilities. While it showed some promise early on, it took a few changes in technical and economic conditions before the pump was truly primed for peak ransomware profit.

First, the early method used by the criminals to obfuscate or block access to data were fairly rudimentary and easy to bypass.

As a result, the percentage of victims willing to pay the ransom remained fairly low. Even more tricky, though, was the problem of payment logistics.

In ransomware’s early days there was no simple, anonymous and ubiquitous way to receive payment from victims. With fake AV and utilities, crooks could operate under a thin veil of legitimacy, setting up shell corporations to receive credit card payments as semi-legitimate card merchants. Since ransomware was out-and-out fraud, that option wasn’t available to receive funds. However, once the FTC, attorneys general and law enforcement officials started catching up with the scareware ventures around the 2008 timeframe, the cost of business for fake AV and utilities providers started to climb.

At that point it made more economic sense for the criminals to opt for the simplicity of ransomware’s overt blackmail and begin exploring alternative avenues of payment. That’s likely one of the reasons why from about 2010 through 2012 more ransomware scams started cropping up that had victims pay small ransoms through prepaid cash cards, retail shopping cards and even premium SMS texts. These campaigns saw middling success that lead to an increasing but not necessarily explosive growth curve.


Then Bitcoin changed everything. While it had been under development for several years prior, it wasn’t until the end of 2012, when Bitcoin Foundation was formed and Bitcoin Central was recognized as a licensed European bank, that Bitcoin started to hit its stride as a viable form of currency.


Learn More

Want an in-depth analysis of the history of ransomware? Learn how adversary TTPs are evolving to maximize profits. Read: A Deep Dive into Ransomware's Evolution

As it started to gain more mainstream appeal, ransomware criminals recognized it as just the method of monetary extraction they’d been seeking. Bitcoin exchanges provided adversaries the means of receiving instant payments while maintaining anonymity, all transacted outside the strictures of traditional financial institutions.

CryptoLocker Appears

The table was set perfectly for the entrance of CryptoLocker in 2013. This revolutionary new breed of ransomware not only harnessed the power of Bitcoin transactions, but combined it with more advanced forms of encryption. It used 2048-bit RSA key pairs generated from a command-andcontrol server and delivered to the victim to encrypt their files, making sure victims had no way out unless they paid a tidy sum of about $300 for the key.

The Gameover Zeus banking Trojan became a delivery mechanism for CryptoLocker. The threat actors behind the botnet were among the first to truly realize the potential value of ransomware with strong encryption, to extend their profits beyond traditional Automated Clearing House (ACH) and wire fraud attacks that target the customers of financial institutions. CryptoLocker’s backers had hit pay dirt, kicking off ransomware’s criminal Gold Rush.

CryptoLocker Gameover Zeus was shut down in an operation spearheaded by the FBI and technical assistance from CrowdStrike researchers. Even though it was out of operation within seven months of starting, it served as proof to the entire cybercrime community of ransomware’s tremendous business upside. This was the true inflection point for ransomware’s hockey-stick growth.

Within a few months, security researchers were finding copious numbers of CryptoLocker clones in the wild and criminals from all over the world were scrambling to get a piece of the action. Since then, many organized crime gangs have shifted investments and resources from older core businesses, including fake AV, into ransomware operations. The criminal technologists have been working overtime to serve these potential customers by cranking up specialized operations to develop better ransomware code and exploit kit components, flooding Dark Web marketplaces with their wares.

The Advent of Big Game Hunting

model of how big game hunting ransomware works

Now that the momentum has built to a critical mass, criminals are innovating their techniques and expanding their markets. They’re getting too rich off ransomware to stop anytime soon.

Cybercriminals recognized that if consumers or one-off business users are willing to pay $300 to $500 to unlock run-of-the-mill data on a single endpoint, businesses and other organizations would likely be willing to pay much more for mission-critical data, or to unlock an entire fleet of endpoints held hostage in a single instance.

So to optimize their efforts, eCrime operators decided to pivot from the “spray and pray” style of attacks that were dominating the ransomware space and focus on “big game hunting” (BGH). BGH combines ransomware with the tactics, techniques and procedures (TTPs) common in targeted attacks aimed at larger organizations. Rather than launching large numbers of ransomware attacks against small targets, the goal of BGH is to focus efforts on fewer victims that can yield a greater financial payoff — one that is worth the criminals’ time and effort.

This transition has been so pronounced that BGH was recognized as one of the most prominent trends affecting the eCrime ecosystem in the CrowdStrike 2020 Global Threat Report. Recent eCrime statistics show that while the volume of ransomware attacks has decreased, the sophistication of these attacks has increased substantially.

2021 CrowdStrike Global Threat Report

Download the 2021 Global Threat Report to uncover trends in attackers’ ever-evolving tactics, techniques, and procedures that our teams observed this past year.

Download Now