Cisco Talos: Tracking Ransomware’s 35 Year Evolution
Global ransomware attacks surged by 85% in 2023, with ransomware revenue exceeding US$1bn for the first time, marking a dramatic evolution from its origins as a niche cybercrime tactic to a sophisticated criminal enterprise. These attacks, where criminals encrypt an organisation's data and demand payment for its release, have become more targeted and complex, disrupting critical infrastructure from healthcare systems to energy networks.
Now, Cisco Talos, the threat intelligence unit of networking technology company Cisco Systems, has traced this transformation from 1989 to the present day, revealing how technological advances and criminal innovation have shaped modern cybercrime.
- First ransomware attack occurred in December 1989
- 90 system reboots required before AIDS Trojan activated
- Two major variants emerged in 2017: WannaCry (May) and NotPetya (June)
The research shows how ransomware operators have shifted from targeting individuals for small payments to orchestrating complex attacks against large organisations, enabled by cryptocurrency payments and professional criminal networks.
The first ransomware attack in December 1989 involved floppy disks containing malicious code purporting to assist with AIDS risk assessment, according to the research.
Martin Lee, Technical Lead for Security Research - EMEA at Cisco Talos, explains that the AIDS Trojan, as it became known, would activate after 90 system reboots, encrypting file names and demanding payment via cashier's cheque to a Panama post office box to restore access.
“The difficulty in distributing the malware and collecting payment in a pre-internet world meant that the attempt was unsuccessful,” he says.
From GPCode attacks to CryptoLocker's digital payment innovation
The emergence of criminal ransomware – malicious software that encrypts files and demands payment for their release – began in December 2004 with GPCode, which targeted Russian users through email attachments disguised as job applications. Early versions used basic encryption that security teams could bypass, before attackers adopted more sophisticated public-key encryption methods.
Payment collection posed an obstacle for attackers, who experimented with premium rate phone numbers and online pharmacy purchases as alternatives to traceable bank transfers. Virtual currencies and gold trading platforms offered temporary solutions until regulatory authorities intervened.
The arrival of cryptocurrencies like Bitcoin provided criminals with anonymous payment capabilities outside traditional financial systems. CryptoLocker ransomware in 2013 was among the first to integrate cryptocurrency payments, marking a shift in how attackers monetised their operations.
This evolution led to professionalisation within the ransomware ecosystem, with specialists emerging to handle different aspects of attacks. Ransomware developers created portals for partners to track campaign performance and access new attack tools.
SamSam signals move to targeted enterprise attacks
In 2016, the SamSam ransomware variant introduced a new approach focused on specific organisations rather than mass distribution. This targeting allowed criminals to demand larger ransoms by disrupting entire corporate networks rather than individual devices.
Healthcare organisations became frequent targets due to operational disruption risks. In 2019, the Maze ransomware group introduced “double extortion” tactics – combining data theft with encryption to pressure victims through both operational disruption and threatened data leaks.
The research identifies several notable variants that emerged during this period. WannaCry, self-propagating malware from May 2017, used Bitcoin wallets shared across victims, which made it impossible to verify which victims had paid. NotPetya, appearing in June 2017, displayed ransom demands but actually destroyed data permanently.
Martin explains that ransomware continues to evolve beyond pure financial crime: “It impacts those who are affected by the disruption to essential services. People unable to access vital data or work are left feeling anxious and stressed, while IT departments working to resolve the situation suffer additional stress and risk burnout.”
The research highlights how improved software security has pushed attackers to target human vulnerabilities through password breaches and social engineering rather than technical exploits. Despite advances in endpoint protection – software that monitors devices for malicious activity – offline data backups remain a critical defence.
Law enforcement has made progress against ransomware operations, with arrests, charges and sanctions against operators. Authorities have seized infrastructure used to coordinate attacks and cryptocurrency wallets linked to ransoms.
“The success of ransomware over the past 35 years is also the story of the failure of widespread adoption of back-up devices to restore files,” says Martin.
Cyber Magazine is a BizClik brand