Micro Focus is now part of OpenText. Learn more >

You are here

You are here

Ransomware on the rise: The evolution of a cyberattack

public://pictures/Stu Sjouwerman.jpg
Stu Sjouwerman Founder and CEO, KnowBe4

Ransomware attacks cause downtime, data loss, and possible intellectual property theft and in certain industries are considered a data breach.

Ransomware is vicious malware that locks users out of their devices or blocks access to files until a sum of money, or ransom, is paid. There are many variants; some ransomware is designed to attack Windows PCs, while other strains infect Macs and even mobile devices. It is highly effective because the encryption used is practically impossible to break.

This is only the early days of ransomware, but it’s a very successful criminal business model with many copycats. New strains of ransomware regularly get spotted in the wild, as cybercriminals furiously innovate in both the technical and social engineering areas.

You could spend a fortune purchasing technology and services, and your network infrastructure could still remain vulnerable to old-fashioned manipulation.”
— Kevin Mitnick

Understanding how ransomware has evolved is the first step to planning your defense. Here is a brief history of the evolution. 

The state of ransomware: A rising criminal enterprise

Ransomware went pro in September 2013. What we call ransomware today is malware that usually gets installed on a user's workstation (PC or Mac) via a social engineering attack. The user gets tricked into clicking on a link or opening an attachment. Once the malware is on the machine, it starts to encrypt all data files it can find on the machine itself and on any network shares the PC has access to.

Once a user finds that access to the files is blocked and alerts a system admin, the sysadmin usually finds two files in the directory that indicate the files have been taken hostage, along with instructions on how to pay the ransom to decrypt the files. Strains of ransomware come and go as new cyber-mafias muscle into the "business." Some examples are CryptoLocker, CryptoWall, Locky, and TeslaCrypt. Ransomware is a very successful criminal business model. As an illustration, CryptoWall has generated over $320 million in revenues.

The only way to get encrypted files back is to restore a recent backup or pay the ransom. The problem is that backups often fail. Storage Magazine reports that over 34 percent of companies do not test their backups, and of those that tested, 77 percent found that tape backups failed to restore. According to Microsoft, 42 percent of attempted recoveries from tape backups in the past year have failed.

A ransom is usually about $500 if paid within a certain time frame, and when that deadline expires, the ransom doubles. Payments are typically required to be in an untraceable crypto-currency such as bitcoin(This 101-page primer can help you get going if you need to pay a ransom.) Recently, sophisticated cyber-gangs have penetrated whole networks, infecting all machines at the same time and extorting tens of thousands of dollars. 

But that's what ransomware has become. It's not how it started

The ransomware timeline


The first ransomware virus was created in 1989 by Harvard-trained evolutionary biologist Joseph L. Popp. It was called the AIDS Trojan, also known as the PC Cyborg. Popp sent 20,000 infected diskettes labeled “AIDS Information — Introductory Diskettes” to attendees of the World Health Organization’s international AIDS conference. The AIDS Trojan was “generation one” ransomware and relatively easy to overcome. The Trojan used simple symmetric cryptography, and tools were soon available to decrypt the filenames. But the AIDS Trojan set the scene for what was to come.


Seventeen years after the first ransomware malware was distributed, another strain was released, but the Archiveus Trojan was much more invasive and difficult to remove than its predecessor. It was the first ransomware virus to use RSA encryption. The Archiveus Trojan encrypted everything in the MyDocuments directory and required victims to purchase items from an online pharmacy to receive a 30-digit password.

June 2006 — the GPCode, an encryption Trojan that spread via an email attachment purporting to be a job application, used a 660-bit RSA public key.


At the same time that GPCode and its many variants were infecting victims, other types of ransomware circulated that did not involve encryption, but simply locked out users. WinLock displayed pornographic images until the users sent a $10, premium-rate SMS to receive the unlocking code.


Two years after the initial GPCode virus was created, a variant called GPcode.AK was unleashed on the public using a 1,024-bit RSA key.


Mid 2011 — The first large-scale ransomware outbreak marks ransomware's move into the big time due to the use of anonymous payment services, which made it much easier for ransomware authors to collect money from their victims. There were about 30,000 new ransomware samples detected in each of the first two quarters of 2011.

July 2011 — During the third quarter of 2011, new ransomware detections doubled to 60,000.


January 2012 — The cybercrime ecosystem comes of age as Citadel, a toolkit for distributing malware and managing botnets, surfaces. Citadel makes it simple to produce ransomware and infect systems wholesale with pay-per-install programs allowing cybercriminals to pay a minimal fee to install their ransomware viruses on computers that are already infected by other malware. Due to the introduction of Citadel, ransomware infections surpass 100,000 in the first quarter of 2012.

January 2012 — Cybercriminals begin buying crime kits such as Lyposit—malware that pretends to come from a local law enforcement agency based on the computer’s regional settings and instructs victims to use payment services in a specific country—for just a share of the profit instead of for a fixed amount.

March 2012 — Citadel and Lyposit lead to the Reveton worm, an attempt to extort money in the form of a phony criminal fine. Reveton first showed up in European countries in early 2012. The exact “crime”—either pirated software or child pornography—and “law enforcement agency” are tailored to the user’s location. Users are locked out of the infected computer, their screens taken over by a notice informing them of their "crime" and instructing them that to unlock their computer they must pay the appropriate fine using a service such as UkashPaysafe, or MoneyPak.

April 2012 — Urausy Police Ransomware Trojans show up. They are responsible for scams that spread throughout North and South America.

July 2012 — Ransomware detections increase to more than 2,000 per day.

November 2012 — Another version of Reveton is released pretending to be from the FBI’s Internet Crime Complaint Center (IC3). Like most malware, Reveton continues to evolve.


July 2013 — A version of ransomware is released targeting OS X users. It runs in Safari and demands a $300 fine. This strain does not lock the computer or encrypt files, but just opens a large number of iframes (browser windows) that the user would have to close. A version purporting to be from the Department of Homeland Security locks computers and demands a $300 fine.

July 2013 — The mobile Trojan Svpeng targets Android devices. Discovered by Kaspersky in July 2013, it was originally designed to steal payment card information from Russian bank customers. By early 2014, it had evolved into ransomware, locking phones and displaying a message accusing the user of accessing child pornography. By the summer of 2014, a new version was out targeting U.S. users and using a fake FBI message and requiring a $200 payment. Variants showed up in the UK, Switzerland, India, and Russia. According to Jeremy Linden, a senior security product manager for Lookout, a San Francisco-based mobile security firm, 900,000 phones were infected in the first 30 days.

August 2013 — The fake security software known as Live Security Professional begins infecting systems.

September 2013 — CryptoLocker is released. It is the first cryptographic malware spread by downloads from a compromised website and/or sent to business professionals in the form of email attachments made to look like customer complaints. It is controlled through the Gameover ZeuS botnet, which had been capturing online banking information since 2011.

CryptoLocker uses a 2,048-bit RSA key pair, uploaded to a command-and-control server and used to encrypt files with certain file extensions, while deleting the originals. It threatens to delete the private key if payment is not received within three days. Payments initially could be received in the form of bitcoins or prepaid cash vouchers.

With some versions of CryptoLocker, if the payment wasn’t received within three days, users were given a second opportunity to pay a much higher ransom to get their files back. Ransom amounts varied over time and with the particular version being used. The earliest CryptoLocker Payments could be made by CashUUkashPaysafecardMoneyPak, or bitcoin. Prices were initially set at $100, €100, £100, two bitcoins, and other figures for various currencies.

November 2013 — The ransom changes. The going ransom had been two bitcoins, or about $460. Victims who missed the original ransom deadline could pay 10 bitcoins ($2,300) to use a service that connected to the command-and-control servers. After paying for that service, the first 1,024 bytes of an encrypted file would be uploaded to the server, and the server would then search for the associated private key.

Early December 2013 — With 250,000 machines infected, it's found that 41,928 bitcoins had been moved through those four bitcoin accounts associated with CryptoLocker between October 15 and December 18. Given the then-current price of $661 per bitcoin, that would represent more than $27 million in payments received, not counting all the other payment methods.

Mid-December 2013 — The first CryptoLocker copycat software emerges. Locker charges users $150 to get the key, with money being sent to a Perfect Money or QIWI Visa Virtual Card number.

Late December 2013 — Despite the similar name, CryptoLocker 2.0 was written using C#, whereas the original was in C++, so it was likely done by a different programming team. Among other differences, 2.0 accepts only bitcoins, and it encrypts image, music, and video files, which the original skipped. And, while it claims to use RSA-4096, it actually uses RSA-1024. However, the infection methods are the same and the screen image very close to the original.

Also during this time frame, CryptorBit surfaces. Unlike CryptoLocker and CryptoDefense, which only target specific file extensions, CryptorBit corrupts the first 212 or 1,024 bytes of any data file it finds. It also seems to be able to bypass Group Policy settings put in place to defend against this type of ransomware infection. The cyber-gang responsible uses social engineering to get the end user to install the ransomware, employing such devices as a rogue antivirus product. Once the files are encrypted, the user is asked to install the Tor browser, enter his address, and follow the instructions to make the ransom payment—up to $500 in bitcoins. The software also installs cryptocoin mining software that uses the victim’s computer to mine digital coins such as bitcoin and deposit them in the malware developer’s digital wallet.


February 2014 — CryptoDefense is released. It uses Tor and bitcoin for anonymity and 2,048-bit encryption. However, because it uses Windows’ built-in encryption APIs, the private key is stored in plain text on the infected computer. Despite this flaw, the hackers still manage to extort at least $34,000 in the first month, according to Symantec.

April 2014 — The cybercriminals behind CryptoDefense release an improved version called CryptoWall. While largely similar to the earlier edition, CryptoWall doesn’t store the encryption key where the user can get to it. In addition, while CryptoDefense required the user to open an infected attachment, CryptoWall uses a Java vulnerability. Malicious advertisements on domains belonging to Disney, Facebook, The Guardian newspaper, and many others lead people to CryptoWall-infected sites, where their drives are encrypted. According to an August 27 report from the Dell SecureWorks Counter Threat Unit (CTU), “CTU researchers consider CryptoWall to be the largest and most destructive ransomware threat on the Internet as of this publication, and they expect this threat to continue growing.” More than 600,000 systems are infected between mid-March and August 24, with 5.25 billion files being encrypted. Of those victims, 1,683 (0.27%) are known to pay a total $1,101,900 in ransom. Nearly two-thirds of those pay $500, but the amounts range from $200 to $10,000.

Koler.a: Launched in April, this police ransom Trojan infects around 200,000 Android users, three quarters of them in the US, who were searching for porn and wound up downloading the software. Because Android requires permission to install any software, it is unknown how many people actually install it after download. Users are required to pay $100 to $300 to remove it.

May 2014 — A multinational team composed of government agencies manages to disable the Gameover ZeuS botnet. The US Department of Justice also issues an indictment against Evgeniy Bogachev, who operated the botnet from his base on the Black Sea.

May 2014 — Users in Australia and the US start seeing a lock screen on their iPhones and iPads saying they have been locked by “Oleg Pliss” that requires payment of $50 to $100 to unlock. It is unknown how many people are affected, but in June the Russian police arrest two people responsible and report how they operated. Rather than requiring the installation of malware, it is a straight-up con using people’s naiveté and features built into iOS. First, people are scammed into signing up for a fake video service that requires entering their Apple ID. Once they had the Apple ID, the hackers would create iCloud accounts using those IDs and use the Find My Phone feature, which includes the ability to lock a stolen phone, to lock the owners out of their own devices.

July 2014 — The original Gameover ZeuS/CryptoLocker network resurfaces. It no longer requires payment using a MoneyPak key in the GUI. Instead, users must install Tor or another layered encryption browser to pay the crooks securely and directly. This allows malware authors to skip money mules and improve their bottom line.

July 2014 — Trend Micro reports a new Cryptoblocker ransomware that doesn’t encrypt files that are larger than 100 MB and will skip anything in the C:\Windows, C:\Program Files, and C:\Program Files (x86) folders. It uses AES rather than RSA encryption.

July 23 — Kaspersky reports that Koler has been taken down, but doesn’t say by whom.

August 2014 — Symantec reports that crypto-style ransomware has seen a year-over-year increase of more than 700 percent.

August 2014 — SynoLocker appears. Instead of targeting end-user devices, it is designed for Synology network-attached storage devices. And unlike most encryption ransomware, SynoLocker encrypts files one by one. Payment is 0.6 bitcoins. Users must go to an address on the Tor network to unlock the files. Early versions have an English-language GUI, but Russian is added later. The first infections are mainly in Russia, so the developers are likely from some other Eastern European country, because the Russian security services quickly arrest and shut down any Russians hacking people in their own country.

Late 2014 — According to iSight Partners, TorrentLocker “is a new strain of ransomware that uses components of CryptoLocker and CryptoWall but with completely different code from these other two ransomware families.” It spreads through spam and uses the Rijndael algorithm for file encryption rather than RSA-2048. Ransom is paid by purchasing bitcoins from specific Australian bitcoin websites.


Early 2015 — CryptoWall takes off and replaces CryptoLocker as the leading ransomware infection.

April 2015 — CryptoLocker is now being localized for Asian countries. There are attacks in Korea, Malaysia, and Japan. 

May 2015 — Criminal ransomware-as-a-service arrives. In short, you can now go to a Tor website "for criminals by criminals," roll your own ransomware for free, and gove the site a 20 percent kickback for every bitcoin ransom payment you receive. Also in May, a new strain shows up. Called Locker, it has been infecting employees' workstations but sat on them silently until midnight of May 25, 2015. Locker then starts to wreak havoc in a massive way.

May 2015 — New, Breaking Bad-themed ransomware gets spotted in the wild. Apart from the theme, CryptoLocker.S is pretty generic ransomware. It's notable as well that, whereas in 2013 and 2014 every new ransomware strain was page-one news, stories about new strain are now buried inside newspapers. This version grabs a wide range of data files and encrypts it using a random AES key, which then is encrypted using a public key.

June 2015 — The SANS InfoSec forum notes that a new version of CryptoWall 3.0 is in the wild, using résumés of young women as a social engineering lure: "résumé ransomware."

June 2015 — The FBI's IC3 releases an alert on June 23 stating that between April 2014 and June 2015, it received 992 CryptoWall-related complaints, with victims reporting losses totaling over $18 million. Ransomware gives cybercriminals an almost 1,500 percent return on their money.

July 2015 — KnowBe4 releases the first version of its Ransomware Hostage Rescue Manual. This 20-page manual is packed with actionable information for preventing infections, as well as advice on what to do when hit by ransomware. It includes a Ransomware Attack Response Checklist and Prevention Checklist.

July 2015 — An Eastern European cybercrime gang starts a new TorrentLocker ransomware campaign in which entire websites belonging to energy companies, government organizations, and large enterprises are scraped and rebuilt from scratch to spread ransomware using Google Drive and Yandex Disk.

July 2015 — Security researcher Fedor Sinitsyn reports on the new TeslaCrypt V2.0. This family of ransomware is relatively new, having been first detected in February 2015. It's been called the "curse of computer gamers" because it targets many game-related file types.

September 2015 — An aggressive Android ransomware strain is spreading in North America. Security researchers at ESET discover the first malware that can reset the PIN of your phone to permanently lock you out of your own device, dubbing it LockerPin. The ransom payment is $500.

September 2015 — The criminal gangs that live off ransomware infections are targeting small and medium-size businesses (SMB) instead of consumers, a new Trend Micro Analysis shows. SMBs are attractive targets because they generally do not have the defenses that large enterprises can deploy but are able to afford a $500 to $700 payment to regain access to their files. 

September 2015 — The Miami County Communication Center’s administrative computer network system is compromised with a CryptoWall 3.0 ransomware infection that locks down its 911 emergency center. The county pays a $700 bitcoin ransom to unlock the files.

October 2015 — A new ransomware strain spreads using remote desktop and terminal services attacks. The ransomware, called LowLevel04, encrypts data using RSA-2048, and the ransom is twice the normal $500, at four bitcoins. Especially nasty is how it gets installed: brute-force attacks on machines that have Remote Desktop or Terminal Services installed and have weak passwords.

October 2015 — The nation’s top law enforcement agency warns companies that, unless they pay the ransom, they may not be able to get their data back from cybercriminals who use CryptLlocker, CryptoWall, and other malware. “The ransomware is that good,” says Joseph Bonavolonta, the assistant special agent in charge of the FBI’s Cyber and Counterintelligence Program. “To be honest, we often advise people just to pay the ransom.”

October 2015 — A report from the Cyber Threat Alliance tallies the damage caused by a single criminal gang of the Eastern European cyber-mafia at $325 million. The CTA, an industry group with big-name members such as Intel, Palo Alto Networks, Fortinet, and Symantec, was created in 2014 to warn about emerging cyberthreats.

November 2015 — CryptoWall v4.0 is released and displays a redesigned ransom note and new filenames, and it encrypts a file's name along with its data. In summary, the new v4.0 release now encrypts filenames to make it more difficult to determine important files, and has a new HTML ransom note that is even more arrogant than the last one. It also gets delivered with the Nuclear Exploit Kit, which causes drive-by infections without the user having to click a link or open an "attackment," as malware-bearing attachments are now dubbed.

November 2015 — A ransomware news roundup reports a new strain with a very short, 24-hour deadline; researchers crack the Linix.Encover strain; and computers of the British Parliament are infected with ransomware.

December 2015 — Kaspersky reports that ransomware is doubling year over year, and Symantec reports that TeslaCrypt attacks moved from 200 to 1,800 a day


January 2016 — The first JavaScript-only ransomware-as-a-service (RaaS) is discovered. In 2015, RaaS such as TOX, Fakben, and Radamant had appeared. A new strain called Ransom32 has a twist, having been fully developed in JavaScript, HTML, and CSS, which potentially allows for multiplatform infections after repackaging for Linux and Mac OS X. Using JavaScript brings us one step closer to the "write-once-infect-all" threat.

January 2016 — A damaging new ransomware strain called 7ev3n encrypts your data and demands 13 bitcoins (almost $5,000) to decrypt your files. Besides having the largest ransom ever seen for this type of infection, the 7ev3n crypto-ransom malware also trashes the Windows system that it was installed on. 

January 2016 — DarkReading reports on a "Big Week for Ransomware."

February 2016 — Ransomware criminals infect thousands of machines with a weird WordPress hack. An unexpectedly large number of WordPress websites are mysteriously compromised and are delivering the TeslaCrypt ransomware to unwitting end users. Antivirus is not catching this yet.

February 2016 — New ransomware is hidden In infected Word files. Though it is somewhat amateurishly called "Locky," it is professional-grade malware. The major headache is that this flavor starts out with a Microsoft Word attachment that has malicious macros in it, making it hard to filter out. Over 400,000 workstations are infected in just a few hours, data from Palo Alto Networks showsBehind Locky is the deadly Dridex gang, the 800-pound gorilla in the banking Trojan racket.

March 2016 — MedStar receives a massive ransomware demand. The MedStar Hospital Chain is hit with ransomware and receives a digital ransom note, according to a Baltimore Sun reporter who sees it: "The deal is this: Send 3 bitcoins—$1,250 at current exchange rates—for the digital key to unlock a single infected computer, or 45 bitcoins—about $18,500—for keys to all of them."

April 2016 — News comes out about a new type of ransomware that does not encrypt files but makes the whole hard disk inaccessible. As if encrypting files and holding them hostage were not enough, cybercriminals who create and spread crypto-ransomware are now resorting to causing blue screen of death (BSoD) and posting their ransom notes at system startup—before the operating system loads. Called Petya, it is clearly Russian.

April 2016 — New ransomware knows where you live. Victims get a phishing email that includes their correct street address and that claims they owe a lot of money to businesses and charities when they do not. 

April 2016 — A new ransomware strain called CryptoHost claims that it encrypts your data and then demands a ransom of 0.33 bitcoins (about $140 at the then-current exchange rate) to get your files back. The cybercriminals took a shortcut, though; your files are not encrypted but copied into a password-protected RAR archive .

April 2016 — Researchers at Cisco's Talos Labs take a look into the future and describe how ransomware will evolve. They created a sophisticated framework for next-gen ransomware that will scare the pants off you. Also, a new strain of ransomware called Jigsaw starts deleting files if you do not pay the ransom.

April 2016 — CNN Money reports on new estimates from the FBI that show that the costs from ransomware have reached an all-time high. Cybercriminals collected $209 million in the first three months of 2016 by extorting businesses and institutions to unlock computer servers. At that rate, ransomware is on pace to be a $1 billion crime this year.

Talking strategy, assessing risk

There's no turning back before 2013, when ransomware became the criminal enterprise that it is today. And it is set to flourish. But there are ways to protect yourself from ransomware

Has your organization been attacked? Share your strategy for defense. 

Image credit: Flickr

Keep learning

Read more articles about: SecurityInformation Security