Skip to content

The evolution of ransomware

  • by

This week I’m presenting my article published in Issue 50 of the IPA Journal – a quarterly magazine (comes out online and as a physical copy) by the Irish Section of the International Police Association.

Here it comes:

The history and evolution of ransomware: from vouchers to cryptocurrency

If you have followed the news broadcasts or social media postings over the last few months, then you couldn’t have missed the major news story about what was probably the most serious cyber-attack that was ever perpetrated against this state – the Conti ransomware infection of the HSE computer networks last may.

It was also one of the biggest cybersecurity-related news stories in Europe so far this year, generating numerous national and international debates. Here at home, some of those debates centred on whether the state should or should not pay off the cybercriminals. That cyber-attack also brought into sharp focus the adequacy of Ireland’s cyber defence capabilities.

The topic of ransomware was new to some people, but this attack vector against IT systems is now decades old. So – what exactly is ransomware and how did it come about?

ransomware OSINT


Ransomware (or “ransom software”) is a computer program designed to apply a rogue encryption algorithm to files on a hard drive, making accessing those files impossible to their legitimate owner, unless a ransom is paid in exchange for a decryption key.

The first documented case of a ransomware attack happened years before the Internet began taking its modern shape. In 1989, attendees of the World Health Organisation’s AIDS conference were handed out floppy disks (who remembers those nowadays!) that contained a malicious program.

That program, later referred to as the AIDS trojan, copied itself onto the hard drive, stayed dormant for a while and then unexpectedly locked the C drive system files. Unlocking them required sending $189 to a P.O. box in Panama.

It turned out that the person behind this attack was a Harvard educated biologist, whose motives ultimately remained unclear – he was identified and arrested but was later declared mentally unfit to stand trial.

Despite its novelty, the AIDS trojan was considered basic software that used pretty simple cryptography, which was eventually cracked making it possible to unlock any affected files without paying the extortionist.


In the following years, through the expansion of the Internet, ransomware evolved so that it could proliferate between computers using network protocols – no more need for handing out floppy disks or physical media. It kept its “trojan” characteristic though – like the mythical Trojan horse, ransomware would masquerade as benign, or even useful, legitimate software.

In 2005, PGPCoder – a trojan that used a more complex encryption, accompanied by a text file demanding ransom payable through the early e-commerce platform, Liberty Reserve hit its first victims. A year later came the Archiveus trojan with its unusual system for ransom payment – through making a purchase at an online pharmacy.

Then came other forms of ransomware, some more primitive than others, that would lock the user’s screen with a malicious pop-up and demand payment through Ukash cards, PayPal deposits or even Amazon vouchers.

Some researchers class this type of software as “scareware” – in some cases it was relatively easy to bypass its locking mechanism by booting the system up into safe mode or restoring it without the loss of any data.

Irish users saw their fair share of these attacks in the form of the “Garda Ukash virus”, which attempted to scare them into paying “a fine” for accessing illegal content.

All of the above modes of operation highlighted one critical issue for the ransomware operators: the limited ability to extort and process payments through third party services, who were not sympathetic to their criminal cause. This would soon change, with the growing popularity of Bitcoin and other cryptocurrencies.

Ukash Garda virus scareware
Example of a 2012 vintage scareware pop up screen


Between 2011 and 2012 an observable trend began to form, which saw an increased reliance by cybercriminals and their extortive software on Bitcoin – a decentralised, censorship resistant digital currency of the Internet. Bitcoin allows its holder to be their own financial custodian, who can freely transact with other users without relying on any intermediaries (although exchanging Bitcoin for a fiat currency still requires a third-party service).

The ransomware operators also upped their technical game – for example, the infamous CryptoLocker or TeslaCrypt that began mass-attacking networks in 2013, relied on huge ‘botnets’ – a network made up of thousands of malware infected computers that can be used to spread spam or malware, as well as conduct denial of service attacks on online systems anywhere in the world. Botnets allowed ransomware operators conduct massive organised campaigns, in which they sent hundreds of thousands of malicious emails and links used to proliferate their malicious software.

The emergence of botnets and a properly organised and maintained attack infrastructure led to the development of the “ransomware as a service” (RaaS) modus operandi for the ransom software developers. This quasi-business model somewhat mirrors the services offered by global big tech entities – for a monthly subscription fee in the region of $50 – $100, a less technically sophisticated cybercriminal can purchase a ready-togo ransomware kit, along with access to dedicated training materials, online forums or botnets for hire.


Another significant milestone for ransomware was WannaCry – the first global ransomware epidemic, which took place in early 2017. WannaCry targeted outdated and unpatched Windows systems all around the world, attacking anything from individual users to institutions, or even parts of traditional infrastructures – such as traffic lights systems, air conditioning controllers or hospital and maintenance equipment.

The biggest difference between WannaCry and the previous iterations of ransomware was its ability to automatically seek out vulnerable systems and replicate itself onto them. The attack itself lasted only for a few days, but it had dire ramifications – worldwide, several hundred thousand computer systems were infected, a lot of which were not even officially reported. Ever since WannaCry, ransomware has remained a global threat, yet it would change modus operandi once again.

Current ransomware campaigns are heavily targeted against those corporations and large institutions that cyber criminals identify as lucrative and likely to pay the ransom. Conti, REvil, Maze, Lockbit and several other nefarious actors engage in what the cybersecurity research company Crowdstrike describes as “big game hunting”.

They go after targets that have a lot to lose in terms of their services downtime and reputational damage, therefore they might pay not only to obtain a decryption key, but also to prevent their data from being exfiltrated into the public domain. This tactic is called double extortion – ransom payment is demanded not only for unlocking the data, but also for not leaking it.

Companies that pay the ransom often calculate their losses and choose the lesser evil, especially in the light of potentially significant fines for noncompliance with the GDPR.

Conti ransomware note
Screenshot from a Conti ransomware "recovery service" site


There are many signs to suggest that ransomware attacks might soon be treated on par with acts of terrorism, especially if they result in massive disruptions and losses of human life.

This year alone there were several cases of medical patients dying due to ransomware attacks on hospitals and medical facilities all over the world.

The HSE attack could easily be considered an act of cyber terrorism, same as the crippling attack on the US Colonial Pipeline, which resulted in huge delays in fuel distribution. When state services or critical infrastructure cannot function as a result of a cyber-attack, we are no longer talking about regular, profit-driven criminal activity.

One thing is certain – matters will unfortunately get worse before they get better. Ransomware gangs will continue to operate as long as they are harboured by pariah States and as long as there is no coordinated, global response against them.

Leave a Reply

Your email address will not be published. Required fields are marked *