The Evolution of Ransomware

Trent Fowler
Apr 15, 2022


Ransomware is one of the most effective ways for criminals to exploit businesses and individuals. Over the past year, we’ve seen a number of ransomware attacks against critical infrastructure—from the Colonial gas pipeline to food distribution companies—and with each new high-profile incident, the threat posed by ransomware becomes ever clearer.

And this is a growing problem; ransomware attacks in 2020 were up more than 150% compared to the previous year, while ransomware payments increased by 300%. With a bewildering variety of constantly-adapting ransomware strains executing hacks of increasing size, frequency, and boldness, it is more important than ever to shed light on the necessity of protecting yourself and your business.

A crucial component of this is better understanding your enemy. In this post, we’ll begin with a high-level definition of ransomware, then we’ll examine the different strains and how they’ve evolved in the past 30 years. Though it’s no substitute for good security practices, having this context should help you think about and correct your own vulnerabilities.

What is ransomware?

Ransomware is a type of malicious software used by cybercriminals to extort money from their victims. Ransomware hackers typically use different social engineering methods, such as phishing, in order to gain entry into a system. They then steal personal or professional information stored on that system before demanding a ransom payment in exchange for its return.

The most common types of ransomware include crypto, locker, scareware and, more recently, ransomware-as-a-service.

These names do a good job of communicating how each approach works. Crypto ransomware encrypts files on a computer and demands a ransom in exchange for the decryption key, locker ransomware blocks access to computer systems entirely, and scareware is a malware tactic that manipulates users into believing they need to download or buy malicious software.

Perhaps most troubling, ransomware-as-a-service marks a turn towards the professionalization of the industry, as it now boasts hosting solutions, franchising, and sophisticated systems of distribution.

The Evolution of Ransomware

The Beginning - 1989

Ransomware first surfaced in 1989 when a biologist, Dr. Joseph Popp, distributed his malware at the World Health Organization AIDS conference. Dr. Popp handed out over 20,000 infected floppy disks disguised as information for the event to researchers from around the world. Also known as the PC Cyborg Virus, the malware was used to encrypt data on these machines and then leverage that data to extort a ransom payment from the victim.

Early 2000s

By 2005, ransomware attacks had slowly but surely started increasing in size and scope. PGPCoder, also known as GPCode, is a Trojan horse virus that attackers used to encrypt files with certain extensions, such as .doc, .html, .jpg, .xls, .rar and .zip, before demanding payment in exchange for decrypting them. Amounts ranged from $100 to $200, and victims were instructed to pay the amount to an E-gold or Liberty Reserve account.


The CryptoLocker outbreak in 2013 was the first time many people heard the term “ransomware.” Distributed through spam emails, CryptoLocker affected over 250,000 computers worldwide, with the United States and United Kingdom hit the hardest.

Late 2010s

WannaCry ransomware was deployed in global attacks in May 2017. Despite popular belief, the strain did not get its name by making victims “want to cry” after their data was encrypted; rather, its binary code may have influenced the naming choice. The attack affected over 200,000 companies across 150 countries. The Spanish mobile company Telefónica was one of the first companies impacted. Shortly after, thousands of NHS hospitals across the United Kingdom suffered as well.


In the modern era, the growth in the sophistication of ransomware strains has been matched by a growth in their ruthlessness. Organizations targeted today sometimes pay the ransom and still don’t receive a decryption key.

And the amounts involved have ascended into a different category. In the first half of 2021 alone, the $304.7M paid to ransomware groups surpassed the $304.6M figure for the entire previous year.

We’ve also witnessed the most staggering attacks on infrastructure to date. On May 6th, 2021, Colonial Pipeline fell victim to cybercrime group DarkSide. DarkSide was able to gain entry into their systems through a private network account that employees used for remote access. This attack impacted their pipeline management systems, resulting in an increase in gas prices on the East Coast.

Not so Fun Facts

  • The total global costs for damage done by ransomware attacks are predicted to exceed $265B by 2031.
  • Mainstream sources estimate that victims paid $350M in ransom in 2020, a 311% increase over 2019. Working from our industry-leading blockchain data, our own estimate is that victims paid $779M in 2020, a 361% increase over 2019. In either case, the data tell a story of serious escalation.
  • By 2021 a company will be hit with ransomware every 11 seconds.
  • 1 in 3 health care organizations globally reported being hit by ransomware in 2020.


Ransomware has been a prominent threat to businesses and individuals alike for over 30 years, and its development is far from over. Ransomware has evolved from the efforts of a lone man distributing corrupted floppy disks into a multibillion-dollar industry claiming more victims every day. The organizations behind ransomware attacks show no signs of slowing down, and will continue working to stay several steps ahead of their victims and law enforcement.

It is of the utmost importance, therefore, to establish tools and protocols aimed at preventing these cyberattacks and mitigating their consequences.
