
A history of ransomware: How did it get this far?

Today’s ransomware is the scourge of many organizations. But where did it start?

If we define ransomware as malware that encrypts files to extort the owner of the system, then the first malware that could be classified as ransomware is the 1989 AIDS Trojan. However, while it encrypted file(name)s and asked for a ransom, it was far from effective. 

The AIDS Trojan was sent by snail mail on a floppy disk to participants of a WHO conference about HIV. It reached about 20,000 people and medical institutions. On the infected system it added itself to autoexec.bat and waited for 90 reboots before it started an encryption routine on all the files on the C: drive, hid directories, and displayed a ransom note. The ransom note instructed the victim to mail at least $189 to a PO Box in Panama. Not many victims did this, and the symmetric encryption was relatively easy to crack.

Nowadays things have changed quite a bit. Here are a few ways:

No more snail mail and floppy disks

These days, popular delivery methods for ransomware are malspam, malvertising, and vulnerabilities in popular software or networking devices. But what really requires a high-speed internet connection is the large amount of data that ransomware gangs steal from affected networks to add extra leverage to their ransom demands.

Not all files are encrypted

The criminals quickly learned that it is beneficial if the victim is still able to use their device to the extent that they can read the instructions and pay the ransom. So modern-day ransomware uses an exclusion list to avoid encrypting files that are essential for the system’s operations.

Payment is made in cryptocurrency

Ransom payments in pseudo-anonymous cryptocurrencies can be tracked through the blockchain, but the real identity of the receiver can stay hidden until the money is used to make payments or exchanged for fiat currency. The use of cryptocurrency allows cybercriminals to transfer their funds to a place where they feel they can safely use them.

More powerful computers mean stronger encryption

Strong encryption routines are relatively resource heavy (a 1989 machine would definitely struggle), but modern machines have hardly any problem with them. Errors that lead to ransomware variants that can be decrypted without paying for the key are becoming rarer because the criminals learn from each other’s mistakes and a lot of code has been made publicly available. The use of asymmetric encryption allows encryption routines to do their work without leaving a decryption key behind on the affected system.

Leaked Code

Stolen or leaked code has made it possible for relative beginners to create their own ransomware. As an example, one of the most notorious ransomware gangs (Lockbit) had their ransomware builder leaked online by a disgruntled developer.

Bulletproof hosting

The Dark Web and bulletproof hosting are helpful for criminals in that they allow them to keep websites and other necessary services up for longer. Having to move your leak site and command and control (C2) servers every day would make life a lot harder for ransomware operators since they would have to be prepared for the fact that their sites, compromised or otherwise, would be taken out of their control.

Pen testing tools

Many Initial Access Brokers (IABs) are happy to deploy pen testing tools (e.g. Cobalt Strike) to compromise networks and enable lateral movement once the breach has been established. Penetration testing, or pen testing, is the practice of running controlled attacks on a computer system, network, software, or other application in an attempt to find unpatched vulnerabilities or flaws. By performing pen tests, an organization can find ways to harden its systems against possible future real attacks, and thus make them less exploitable. To this end, some tools were developed that inevitably fell into the hands of criminals.

Protective governments

It also helps criminals that some ransomware gangs are rumored to be allowed by governments as long as they don’t attack domestic machines. Some governments even allegedly sponsor ransomware gangs because they disrupt critical infrastructure of their enemies or competitors. The Commonwealth of Independent States (CIS) is an international organization comprised of Russia and other republics that used to be part of the Soviet Union. There are a number of techniques that ransomware creators commonly use and include in their code to avoid CIS countries, such as hard-coding country names and geographical territories, and checking the system language.

Ransomware as a service

The ransomware as a service (RaaS) model—where ransomware gangs “rent out” their technology on a subscription basis to other groups—makes it possible to scale operations and divide the workload in an effective way. It also makes the “industry” easier to access for less talented cybercriminals.

The RaaS business model also requires mutual trust, which is not always easy to maintain when everyone is trying to stay anonymous. We often see affiliates switch sides after an arrest or an infrastructure shutdown. Others no longer feel like sharing the revenues and feel confident they can do it alone or in a smaller group.

Thankfully, defences against ransomware have evolved too. Here are a few ways to secure your organization:

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly, and disable or harden remote access like RDP and VPNs.
  • Prevent intrusions. Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

This article was originally presented as a Malwarebytes webinar in German about the history and development of ransomware, hosted by Carrie Mackenzie and Pieter Arntz.

Malwarebytes EDR and MDR remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.



Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.