Ransomware evolution: from floppy disks to criminal AI

Last update: March 21st, 2026
  • Ransomware has evolved from simple floppy disk blockers to advanced encryptors with double and triple extortion, affecting all sectors.
  • The combination of cryptocurrencies, Ransomware-as-a-Service, and initial access intermediaries has industrialized cybercrime and skyrocketed the number of attacks.
  • WannaCry, NotPetya, and Big Game Hunting marked milestones by combining extortion, geopolitical sabotage, and highly targeted attacks on large organizations.
  • Effective defense requires immutable backups, segmentation, modern endpoint solutions, proactive detection, and investment in training and incident response.


Ransomware has become the "star business" of cybercrime. It has gone from being a technical curiosity in the 1980s to a global extortion machine that moves billions and paralyzes hospitals, factories, universities, and public administrations. Far from being a passing fad, it is a threat that reinvents itself with every technological advance, from the popularization of the internet to the emergence of artificial intelligence.

To understand why we see more incidents and higher ransom demands each year, we need to follow the history of ransomware: its origins, its technical mutations, and its business model. Only by understanding how it has evolved, from the floppy disks of the "AIDS Trojan" to AI-powered Ransomware-as-a-Service platforms, is it possible to design realistic defenses, make better decisions when an incident occurs, and, above all, prepare the organization to avoid becoming the next headline.

From floppy disks to asymmetric encryption: the first steps of ransomware

The documented history of ransomware begins in 1989 with a case as peculiar as it is disturbing: the evolutionary biologist Joseph L. Popp distributed 20,000 infected floppy disks among attendees of an international AIDS conference. The floppy disks, labeled "AIDS Information – Introductory Disks", included a purported questionnaire to assess the risk of contracting the disease.

After a certain number of system restarts, the malware, known as "AIDS Trojan" or "PC Cyborg", modified the MS-DOS boot process and encrypted the machine's data, displaying a ransom note demanding that $189 be sent to a post office box in Panama. Police traced the virus's origin and arrested Popp, but he was declared unfit to stand trial, and the incident remains a rarity in the history of computer viruses.

During the 1990s and early 2000s, attention was focused more on massive worms, DDoS attacks, and "classic" viruses. This was partly because ransomware was easier to trace through its payments. However, advances in cryptography and the emergence of anonymous digital payments paved the way for its return.

Around 2005, PGPCoder (also called Gpcode) appeared, one of the first ransomware families distributed massively via the Internet. It spread as an email attachment in clone-phishing campaigns posing as job applications, and it targeted documents and compressed files (.doc, .xls, .rar, .zip, .jpg, among others). Its early variants used relatively weak encryption, but it quickly evolved to use 660-bit and 1024-bit RSA keys, which are much harder to break.

In 2006, Archiveus (also known as Archievus) emerged, a Trojan horse that popularized the use of RSA asymmetric encryption in ransomware. It encrypted all the contents of the user's "My Documents" folder and left a file named "how to get your files back.txt" explaining that, to recover the data, the victim had to make purchases at an online pharmacy in exchange for a password of several dozen characters. It was later discovered that a single password worked for all victims, which put an end to the operation of that particular variant.

Blockers and growth with the mass adoption of the Internet

With the expansion of the Internet in the early 2000s (email, social media, forums, P2P networks), ransomware found a perfect propagation channel for attacking millions of users. During this stage, so-called "blockers" became popular; these did not encrypt files, but prevented normal use of the system.

WinLock, very active between 2011 and 2014, blocked access to the Windows desktop and displayed a pornographic image accompanied by a request for payment via premium-rate SMS. Technically it was simpler than modern encryption, but very effective: users would see their computer rendered unusable and, out of shame or fear, would quickly pay.

Soon after, variants appeared that impersonated police forces. Reveton, detected around 2012, displayed a message supposedly originating from the FBI or other law enforcement agencies, accusing the user of crimes (piracy, distribution of pornography, etc.) and demanding a "fine" of about $200 to unlock the device. The combination of legal intimidation and system lockout drove up the payment rate.

In parallel, the use of alternative, semi-anonymous payment methods such as electronic wallets and premium SMS services grew. This extortion model proved highly profitable, to the point that law enforcement and payment providers began to react.

The regulatory and police response focused on cutting off the money flow and issuing Internet security alerts: tightening controls on electronic payments, tracking the money, and closing the channels used to collect ransoms. This pressure reduced the profitability of the blocker model and forced many groups to change tactics or disappear.


The crypto revolution and the impact of Bitcoin

The real qualitative leap came with the popularization of Bitcoin and other cryptocurrencies. By offering a payment system that is hard to trace and has no centralized control, they became the perfect complement to ransomware: attackers no longer had to rely on premium SMS services or more tightly regulated e-wallets.

Instead of simply blocking the operating system or browser, the new families began to encrypt personal and corporate files robustly, so the victim could not recover their data even by reinstalling the system. For malicious actors, this opened the door to much larger ransoms: hundreds of dollars for individual users and tens of thousands for businesses.

Between 2014 and 2016, Kaspersky data shows that ransomware infection attempts skyrocketed, from just over 130,000 to more than 700,000 in a single year. Families such as TeslaCrypt, CTB-Locker, Scatter, and Cryakl dominated the landscape, accounting for nearly 80% of the attacks detected during that period, although some of them ended up with public decryption tools.

The geography of the attacks also expanded. Countries such as India, Russia, Kazakhstan, Vietnam, Algeria, Brazil, and Ukraine were particularly affected by "older" or less sophisticated variants, while in markets like Italy and Germany it became common to encounter aggressive encryption, where "ransomware" became practically synonymous with "your entire disk encrypted".

At the same time, the criminals changed their focus: they went from attacking almost exclusively home users to also targeting businesses. The proportion of affected organizations grew rapidly, as the operational impact of losing servers, databases, and critical systems made companies much more lucrative targets.

CryptoLocker, Petya and the professionalization of the model

The year 2013 marked a turning point with CryptoLocker. This malware introduced the widespread use of command-and-control (C&C) servers to manage the attack. Once the machine was infected, it communicated with a remote infrastructure controlled by the attackers, who generated unique keys, negotiated deadlines, and could even prolong the pressure on the victim.

Thanks to this more "business-oriented" approach (broad campaigns, negotiation, deadlines, "customer" support for payments), CryptoLocker raised tens of millions of dollars in just a few months. It was also one of the first to systematically demand payment in Bitcoin, laying the foundation for the current model.

In 2014 and 2015, ransomware expanded its technical targets: Android devices and Linux systems began to be attacked through families like SimpleLocker, Sypeng, or Encoder, which were often distributed disguised as legitimate software updates (for example, fake Flash updates). The message was clear: it was no longer just about Windows PCs.

In 2016, Petya appeared, taking the classic approach of encrypting only files a step further: it attacked the disk's master file table (MFT), completely disabling the system. The device would lock with a dreaded red skull on the screen, and the only apparent option was to pay. Its distribution through phishing campaigns targeting businesses demonstrated that the attackers had perfected the use of email as a vector.

The media impact of these campaigns (screenshots, companies shutting down, public testimonies) unwittingly served as a marketing campaign for ransomware. This sparked the interest of new criminal groups, who saw this type of attack as a source of income far superior to other traditional online frauds.

WannaCry, NotPetya and ransomware as a geopolitical weapon

Between 2017 and 2018, the use of zero-day vulnerabilities stolen from government agencies took ransomware to a new level. The leak of tools like EternalBlue and EternalRomance, attributed to the NSA, allowed attackers to combine encryption with worm capabilities, spreading from machine to machine without human intervention.

WannaCry, in 2017, is probably the best-known case: in a few hours it infected hundreds of thousands of devices in more than 150 countries, affecting businesses, hospitals, public agencies, and all types of organizations. It exploited EternalBlue to move laterally across unpatched Windows networks, displaying a ransom note with a timer and threatening to delete data.

Paradoxically, WannaCry's very aggressiveness backfired on its creators: the attack spread so rapidly that they lost control over their own campaign, and the discovery of a kill switch in the code helped stop the spread. Even so, the financial damage was enormous, and many companies responded by investing in backups and disaster recovery plans.

Criminal groups were quick to adapt. If organizations were better protected with backups, the next step was to also attack backup repositories and redundant storage systems, so that the only viable alternative for many victims was to negotiate the ransom.

NotPetya, also from 2017 and originating from the conflict between Russia and Ukraine, reused some of the same vulnerabilities, but for a different purpose. Although it was presented as ransomware, in practice it functioned as a "wiper" designed to destroy data on a large scale. Its real objective did not appear to be to raise money, but to cause maximum damage to critical Ukrainian infrastructure and related companies, even affecting international supply chains.


This type of incident demonstrated that ransomware was no longer just a tool for economic extortion, but also a weapon of digital warfare. Governments and large companies began to take the need for rapid patching, network segmentation, and business continuity plans much more seriously.

Big Game Hunting and the era of double and triple extortion

From 2019 onwards, a different strategy took hold: instead of launching massive and noisy campaigns, many groups opted for targeted attacks against large organizations. This tactic is known as "Big Game Hunting": the value of each victim is so high that it compensates for the additional effort of reconnaissance and penetration.

Attackers thoroughly analyze their target, identify critical systems, study billing, search for cyber insurance policies, and even negotiate with knowledge of the company's financial capacity. During this period, average ransom demands tripled, rising from five-figure sums to six- or seven-figure amounts in dollars.

At the same time, the model of double extortion emerged. Encrypting data is no longer enough: before doing so, criminals exfiltrate it. If the victim decides to restore from backups and refuses to pay, the group threatens to publish sensitive information (source code, customer data, medical records, etc.) on dark web forums or leak it to the media.

Some groups even went so far as to directly pressure customers, patients, or partners of the affected companies, telling them that their data had been compromised and could be released if the organization did not pay. One particularly notorious case was that of a psychotherapy clinic in Finland, where patients were extorted one by one.

Families like Maze, Egregor, or Sodinokibi/REvil perfected this model, combining encryption, data theft, and aggressive communication campaigns. Shaming pages on the dark web, listing victims who refuse to pay, became a central element of the pressure strategy.

Ransomware-as-a-Service and the industrialization of crime

Around 2020-2021, ransomware took another leap with the emergence of Ransomware-as-a-Service (RaaS) platforms, which operate almost like criminal startups. The malware developers provide the infrastructure, control panel, and encryption tools; the affiliates handle compromising victims and deploying the attack.

In return, the platform operators keep a percentage of the ransom (sometimes close to 10%, leaving 90% to the affiliate), which drastically reduces the barrier to entry for cybercriminals with less technical knowledge. Cases like the Conti franchise showed the extent to which the model could be professionalized, with "junior employees", fixed salaries, bonuses, and leaked internal manuals.

Meanwhile, Initial Access Brokers (IABs) gained prominence. These are groups specializing in obtaining credentials, exploiting vulnerabilities, or maintaining backdoors in corporate networks, which they then resell to ransomware operators and other malicious actors. In this way, the intrusion phase is "outsourced" to specialists.

Threat intelligence studies indicate that, in the second half of 2021 alone, there were over a thousand corporate accesses for sale specifically targeted at ransomware operations. Attacking the business of these intermediaries has become a key objective in disrupting the ransomware value chain.

This entire ecosystem has led to ransomware functioning today as a perfectly structured criminal industry, with differentiated roles (developers, affiliates, negotiators, money launderers, IABs…), support services, and a continuous malware innovation cycle.

Ransomware in numbers: global and sectoral impact

Recent statistics show the magnitude of the problem. According to Statista, more than 236 million ransomware attacks were recorded worldwide in the first half of 2022. Another report indicated that nearly 71% of companies suffered at least one ransomware incident that same year, and that almost two-thirds of the victims ended up paying.

When analyzing by sector, the following stand out as recurring targets: small and medium-sized enterprises, healthcare, education, public administration, industrial services, and banking. In healthcare, for example, the impact is not only economic: delays in surgeries, ambulance diversions, and even deaths indirectly related to the unavailability of critical systems have been documented.

Joint studies by security vendors and analysis firms, such as VDC Research and Kaspersky, have estimated potential losses in the tens of billions of dollars in sectors like manufacturing alone. Regions such as Asia-Pacific concentrate a very significant part of that risk due to their rapid digital transformation.

The use of cryptocurrencies remains the norm. For years, over 95% of the ransom payments involving some large corporations went through poorly regulated exchange platforms, many of them in jurisdictions with less international cooperation, which complicates police pursuit.

All of this makes ransomware one of the most serious economic threats to businesses today, with an average breach cost of several million dollars when ransoms, production stoppages, reputational losses, and regulatory sanctions are added together.

From encryption to multiple extortion and attacks without encryption

Beyond mere encryption, modern ransomware has transformed into a flexible extortion mechanism. Double extortion (encrypting plus stealing data) has become established, and many groups have moved on to triple extortion, adding DDoS attacks or direct pressure on customers and partners.


In recent years there has also been an increase in attacks without encryption. In these attacks, the group forgoes blocking systems and focuses solely on stealing sensitive information. By showing the victim a small sample of the stolen data, they aim to demonstrate that they possess the rest and expedite payment, reducing the time they spend on the network and the risk of detection.

In this context, the relationship between attacker and victim has become more "business-like." Static messages with a timer are no longer as common; now it is typical to have interactive communication channels (chats on the dark web, encrypted emails) where deadlines, discounts, partial decryption tests, and so on are discussed.

The groups take into account whether the company has good backups, operates in a regulated sector, or is subject to GDPR or other data protection regulations, and adapt the threats to the specific legal and reputational exposure of each victim. This sophistication means that incident response requires coordinated lawyers, compliance specialists, negotiators, and technical experts.

In parallel, the very use of ransomware as a cover for purely destructive operations, as in the case of NotPetya, adds an extra layer of uncertainty: it is not always clear whether the real objective is to raise money or to damage infrastructure, which complicates decision-making during an incident.

AI, IoT and the immediate future of ransomware

In recent years, the impact of artificial intelligence and language models in the hands of attackers has become apparent. Emerging groups have used AI to generate code, improve phishing with messages almost indistinguishable from legitimate ones, or automate part of the pre-attack reconnaissance.

There is also a shift towards less traditional vectors, such as IoT devices, IP cameras, connected appliances, and other systems that are often poorly patched and lack robust security solutions. This equipment can serve as both an entry point and leverage for extortion (for example, by threatening to release videos or data captured by these devices).

In the short term, we are likely to see AI-powered Ransomware-as-a-Service platforms capable of automating much of the attack chain: from mass target scanning, vulnerability exploitation, and lateral movement to drafting customized ransom notes and even using deepfakes to pressure executives.

This automation could skyrocket the number of victims, especially among managed service providers and complex supply chains, where a single incident spreads to hundreds or thousands of customers. Low-cost, high-volume operations will be combined with highly targeted attacks on "big prey," keeping the criminal business diversified.

Given this scenario, organizations need to strengthen not only their traditional measures (patches, backups, antivirus), but also advanced detection and response capabilities: behavioral analysis, network segmentation, and specific controls over remote access and cloud environments.

From classic antivirus to defense in depth against ransomware

Traditional antivirus programs, based primarily on signatures, fall short against ransomware that constantly changes its form and techniques. Today it is essential to combine several layers of protection that cover everything from the endpoint to the network and the cloud.

A good strategy involves integrating modern endpoint security solutions (EPP/EDR/XDR) with exploit prevention capabilities, blocking of suspicious behavior, process isolation, and automated response. These tools make it possible to cut off lateral movement, halt communication with C&C servers, and contain the threat in its early stages.
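As an added illustration of the behavioral blocking that EDR/XDR tools perform (example code written for this article, not any product's detection logic), the heuristic below scores each process on three signals: many distinct files touched in a short window, file extensions changing on write, and written content with near-maximal byte entropy. The event format, process IDs, paths, and thresholds are constructed assumptions.

```python
import hashlib
import math
from collections import defaultdict

# Thresholds are assumptions for this example, not values from any EDR vendor.
WINDOW_SECONDS = 10.0     # sliding window per process
MIN_FILES = 5             # distinct suspicious files in the window before alerting
ENTROPY_THRESHOLD = 7.0   # bits/byte; plain text is ~4-5, ciphertext approaches 8

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def extension(path: str) -> str:
    """Lower-cased extension of a Windows path, or '' if there is none."""
    name = path.rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def is_encryption_like(ev: dict) -> bool:
    """A single write that renames the file and leaves ciphertext-like content."""
    return (extension(ev["path"]) != extension(ev["new_path"])
            and shannon_entropy(ev["data"]) >= ENTROPY_THRESHOLD)

def flag_processes(events: list[dict]) -> dict[int, int]:
    """Return {pid: peak count} for processes that rewrote at least MIN_FILES
    distinct files in an encryption-like way within any WINDOW_SECONDS span."""
    per_proc = defaultdict(list)   # pid -> [(ts, path)] of suspicious writes
    for ev in sorted(events, key=lambda e: e["ts"]):
        if is_encryption_like(ev):
            per_proc[ev["pid"]].append((ev["ts"], ev["path"]))
    flagged = {}
    for pid, writes in per_proc.items():
        peak = 0
        for i, (t0, _) in enumerate(writes):
            in_window = {p for t, p in writes[i:] if t - t0 <= WINDOW_SECONDS}
            peak = max(peak, len(in_window))
        if peak >= MIN_FILES:
            flagged[pid] = peak
    return flagged

# Constructed telemetry (not real sensor data). The ciphertext stand-in is a
# deterministic SHA-256 chain, so it is high-entropy without using randomness.
CIPHERTEXT = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
PLAINTEXT = b"Quarterly report: revenue grew 4%, costs flat. " * 90

SAMPLE_EVENTS = (
    # winword.exe saves one document: same extension, low entropy -> benign
    [{"ts": 1.0, "pid": 4120, "path": "C:\\Users\\ana\\report.docx",
      "new_path": "C:\\Users\\ana\\report.docx", "data": PLAINTEXT}]
    # an archiver writes one .zip: high entropy, but a single file -> no alert
    + [{"ts": 2.0, "pid": 5100, "path": "C:\\Users\\ana\\photos.tmp",
        "new_path": "C:\\Users\\ana\\photos.zip", "data": CIPHERTEXT}]
    # unknown process rewrites six spreadsheets as .locked within 3 seconds
    + [{"ts": 5.0 + 0.5 * i, "pid": 7777,
        "path": f"C:\\Users\\ana\\doc{i}.xlsx",
        "new_path": f"C:\\Users\\ana\\doc{i}.xlsx.locked", "data": CIPHERTEXT}
       for i in range(6)]
)
```

Running `flag_processes(SAMPLE_EVENTS)` flags only process 7777: the archiver scores high on entropy but not on volume, which is why the signals are combined rather than used alone. In production the heuristic would also need an allowlist for backup and archiving tools, and an automated response (process isolation) tied to the alert.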

Equally crucial is having regular, disconnected, and immutable backups, stored on systems that are not permanently accessible from the corporate network. Otherwise, ransomware can also encrypt the backups and leave the organization without a plan B.

Network microsegmentation, hardening of privileged access, robust multi-factor authentication, and constant software updates significantly reduce the attack surface. This is further enhanced by continuous training of employees to recognize phishing emails, suspicious links, and anomalous behavior.

Finally, having a proven incident response plan (including clear roles, isolation procedures, internal and external communication, law enforcement relations, and forensic analysis) and relying on a resilient security team under the CISO makes the difference between a controlled scare and a prolonged crisis.

After more than three decades of evolution, ransomware has gone from an experiment distributed on floppy disks to a highly professionalized global criminal industry, supported by cryptocurrencies, RaaS services, and artificial intelligence. Although the tactics, techniques, and objectives have evolved (blockers, encryption, double extortion, disguised wipers, and attacks without encryption), the essence remains the same: pure and simple extortion. Organizations that accept that ransomware is here to stay and strengthen their security posture with robust backups, defense in depth, network visibility, and ongoing training will have a much better chance of weathering the storm than those that continue to rely solely on basic or outdated solutions.
