How Ransomware Has Evolved

Submitted by Erica Kastner on Fri, 09/ 27/ 19 - 12: 00 PM

Ransomware Timeline


Ransomware isn’t just a product of the past few years. Forms of ransomware have been around since the 1980’s and the threat has grown exponentially since then.

Over the years, ransomware has become harder to crack and more targeted towards businesses and government offices. Read the following timeline to see a detailed view of how ransomware has evolved over the years.


AIDS Trojan

The first of its kind, this ransomware spread when biologist Joseph Popp handed out 20,000 infected CD’s to attendees at the World Health Organization’s AIDS Conference.

When the CD was loaded into the computer, once the computer had been re-booted 90 times, the ransomware locked the victim’s files and demanded that they send $189 to a PO box in Panama.

Tools for overcoming the AIDS Trojan soon became available, but this attack sparked a movement that wouldn’t re-emerge for another 15 years.



Ransomware re-emerged from the darkness with the rise of GPCode in Russia. GPCode infected computers through email phishing schemes that tricked victims into thinking they were clicking on a job application.

The first wave of GPCode mostly affected businesses such as banks and advertising agencies. Luckily, the encryption code was relatively easy to crack, rendering GPCode easy to shut down.



Archievus encrypted the Documents folder on Windows-based computers and demanded for victims to make purchases from specified websites. This ransomware had a fatal flaw though – it used the same decryption key for all computers it infected. Once victims figured this out, Archievus was toast.

April- Troj/Ransom-A

A particularly vulgar ransomware, Troj/Ransom-A’s display message warning victims that their computers had been compromised included various pornographic images.

It then demanded payment of only $10.99 with Western Union, making it one of the most “affordable” ransomware attacks that one could be hit with.



Two years after the spread of GPCode in Russia, another variant called GPcode.AK emerged. The creators of this ransomware learned from GPCode easy-to-crack code by making the updated version much harder to decode.



Cryptolocker made headlines in late 2013 when it triggered a wave of attacks on Windows computers. Though the ransomware was relatively easy to remove, the process of un-encrypting files was tricky.

Cryptolocker continued to attack until around May of 2014, when a bot called Gameover ZeuS, which was used to distribute the ransomware, was shut down.

Cryptolocker Ransomware


February- Cryptodefense

Cryptodefense used email phishing campaigns to target victims. Once victims’ computers were infected, Tor and Bitcoin were used to siphon money from victims. However, this ransomware was quickly shut down, as the creators left the tool that allowed one to access the decryption key hidden in plain sight.

March- PowerWorm

PowerWorm takes the form of an infected Excel or Word document that, when opened, encrypts certain Excel and Word files. While the original PowerWorm targeted Excel and Word files, newer versions target a wider range of files.

A 2015 variant gained attention for its careless coding error that “threw away” the encryption key, effectively leaving a victim’s data permanently locked and the hacker ransom-less.

April- CryptoWall

This ransomware, an updated and more successful version of Cryptodefense, proved lucrative, as it stole an estimated $325 million collectively from its victims worldwide. This updated version of Cryptodefense proved much harder to decode.

History of Ransomware

June- CTB-Locker

The summer should be an innocent time of barbecues and swimming. The summer of 2014 took a dark turn when CTB-Locker started to ruin all the fun. It used a spam email campaign to catch its victims hook, line, and sinker.

CTB-Locker would lock a victim’s files and demand that he/she pay to access the decryption key within 4 days. The name CTB stands for Curve-Tor-Bitcoin, which alludes to the method this ransomware used to encrypt computers and get payments from victims.

June- SimplLocker

Around the same times that CTB-Locker was infecting computers, another ransomware called SimplLocker started to ruin the summer fun as well. It attacked Android users in mainly Eastern Europe, holding a victim’s phone documents such as photos and videos for ransom.

August- SynoLocker

Unlike other forms of ransomware that encrypt many files at once, SynoLocker was the epitome of the slow-but-steady bad guy cliché from horror movies – it encrypted files slowly, one by one. Payment was demanded in the form of 0.6 Bitcoins. This ransomware seemed to stem from Eastern Europe.


February- TeslaCrypt

In February of 2015, ransomware-based hackers set their sights on a new demographic- online gamers. TeslaCrypt mostly attacked gamers based in the US, UK, Germany, Spain, France, and Italy by infecting gaming files such as game saves and user profiles.

Once infected, victims would have to pay $500. Delay and the ransom would double.

TeslaCrypt Ransomware Targets Gamers

August- Hidden Tear

Hidden Tear was unique in that it served as the seemingly first open-source ransomware code. Originally created to be an educational tool to help further anti-malware research, it wasn’t long before some hackers used the code for nefarious purposes.

For years after the release of Hidden Tear, multiple edited versions of the code such as Black Feather and Dev-Nightmare were used to instigate cyber-attacks.

September- LockerPin

Android users might have thought they were safe after the summer of 2014, but a little over a year later, LockerPin emerged, attacking Android users’ lock screens. This more advanced form of an Android-based ransomware was harder to remove.

By attempting to gain Device Administrator privileges, LockerPin would thwart victims trying to deactivate it. Victims were sometimes forced to reset their phones to factory mode.

October- LowLevel04

This ransomware raised the caliber for ransom demands, seeing as it told victims to pay around 4 Bitcoins. LowLevel04 exploited weak passwords to gain access to victim’s computers and cause major disruption to servers.

October- Chimera

Discovered around the same time as LowLevel04, Chimera took the idea of threatening victims to a new level by saying its hackers would publish the victim’s stolen files online if he/she didn’t pay the ransom.

As if small businesses don’t have enough struggles, Chimera targeted many through email phishing attempts.

November- Encoder

Encoder was arguably the first ransomware of its kind to attack people using Linux-based web hosting systems such as Magento. This hard-to-detect ransomware exploited vulnerabilities in site plugins and third-party software on websites.

Like other previously mentioned ransomwares, Encoder demanded payment in the form of Bitcoin. However, a flaw in Encoder that exposed a decryption key was quickly discovered, rendering Encoder useless before it could cause much damage.


January- Ransom32

2016 proved to be the year when ransomware really took off. 2016 took off with a bang with the introduction of Ransom32, the first JavaScript malware.

Though other forms of ransomware are boasted about by hackers for their small, un-detectable size, Ransom32 blew other previous types of ransomware out of the water with its enormous file size. Though its file size was large, Ransom32 still managed to do some serious damage.

January- 7ev3n

7ev3n used an interesting previously seen tactic that made it hard to remove – its warning message took up the victim’s entire computer screen, making it hard to click on other programs or take other actions.

7ev3n’s disabling of various Windows function keys also made it difficult for victims to take actions to try to remove or stop it.

This ransomware demanded one of the highest recorded ransoms, at a staggering 13 Bitcoins, which is equivalent to around $5,000.

February- L0cky

L0cky cleverly hid itself in Word documents and then quickly could infect many computers in a given system, especially if it infects the computers of domain administrators.

L0cky gained media attention when it was used to attack the Hollywood Presbyterian Medical Center in Los Angeles. 2016 proved to be the year of L0cky, as it was the most widespread ransomware of the year.

L0cky Ransomware

February- Crysis

Crysis became one of the most notable ransomware attacks of 2016. Though it was discovered in many countries worldwide, Crysis mainly affected businesses in only 10 countries, including the US, Spain, Brazil, France, Russia, and the UK.

It was mainly distributed through spam emails and malicious URL’s. Crysis proved hard to remove partially because of how its makeup would allow the malware to run every time a user logged into the system.

March- Dharma

Dharma, a variant of the Crysis family, was released shortly after Crysis started wreaking havoc. Dharma spawned many copycat versions, with newer versions using email addresses to contact victims.

Since 2016, both Crysis as well as Dharma have been gaining widespread use. Recently, Dharma gained media attention when it attacked a Dubai-based contracting firm.

March- SamSam

SamSam turned heads with the accuracy with which it attacked systems as well as its devastating attack on the City of Atlanta in March of 2018. SamSam was unique in that instead of finding victims through email phishing campaigns, it used tools to find un-protected servers running a JBoss enterprise product.

SamSam largely targeted hospitals who were more likely to pay ransoms due to the private medical documents that they needed.

March- KeRanger

Continuing the March-cyber-attack trend, KeRanger came onto the scene around then too. KeRanger is credited by some as being the first Mac OS X ransomware.

KeRanger affected thousands of Mac computers by spreading via an infected version of an open-source BitTorrent application called Transmission.

Though KeRanger scared many Mac users with the thought of their computers becoming infected, the threat didn’t last long, as KeRanger was only briefly distributed.

March- Petya

Petya was first spotted in March of 2016 when it started attacking HR departments at various companies in Germany. Petya spread through cloud storage and spam emails pretending to be job applications.

Unlike other forms of ransomware who try to target specific types of valuable documents, Petya denied users access to the entire hard drive. A copycat version called NotPetya was released in 2017.

Petya Ransomware Attack

March- Cerber

Cerber is one of the most prominent examples of the Ransomware-as-a-Service model, which involves the attacker paying to use Cerber ransomware for an attack in exchange for giving its developer a cut of the profit.

This model allowed Cerber to be widespread. According to Helpnet Security, as of August 2016, “Cerber had been running 161 active campaigns, targeting 150,000 users in 201 countries in July alone”.

Additionally, Cerber was so advanced that it would creepily speak to its victims in one of 12 languages to deliver the ransom message.

March- Maktub

Maktub posed as a Word document with a fake “Updated Terms of Service” that, when opened, would serve as a distraction while the ransomware started encrypting files in the background.

Maktub was unique in that it could encrypt data offline, compressing files along the way to speed up the encryption process.

To some, it was known as the “polite ransomware” because it would allow victims to pick 2 files to be decrypted for free as a guarantee that the rest would be decrypted after payment of the ransom.

Maktub tricked many victims into thinking it was real by being advanced enough to use the victims’ real street addresses in the initial phishing email.

April- CryptoHost

This strain of ransomware demanded a relatively "low-cost" ransom of around $140, which was just low enough to entice some victims to pay up. Though CryptoHost’s ransom was small, its damage wasn’t – it encrypted all the files on a victim’s computer.

April- Jigsaw

The Jigsaw ransomware took a page from the popular movie franchise Saw with its creative ransom message and punishment for delayed ransom payment. The ransomware threatened to delete more files for every hour that the victim didn’t pay the ransom, which was demanded in the form of Bitcoin.

Jigsaw Ransomware

April- CryptXXX

Discovered shortly after Jigsaw, CryptXXX baffled researchers due to its measures that made it hard to find information on how it operated. CryptXXX was advanced enough to recognize when it was in a testing environment and then stop its processes.

June- ZCryptor

ZCryptor served as the first ransomware worm, spreading through spam emails and then entire business networks. ZCryptor was distinctive because it could spread to other computers by itself without using spam or an exploit kit.

From there, it demanded around $650 within 4 days or else the ransom would quadruple.

September- Mamba

Mamba gained notoriety at the end of 2016 when it was used to attack San Francisco’s Municipal Transportation Agency, holding the computers hostage for around $73,000.

Named after the dangerous mamba snake, this form of ransomware attacks computers like Petya by infecting entire hard drives. Mamba is sophisticated enough to alter its ransom based on the size of the system it infects.


February- Hermes

Hermes came onto the scene around February of 2017 but it really made headlines in October of that year when it was used to attack the Far Eastern International Bank in Taiwan.

Although Hermes caused quite a bit of trouble in its time, its “offspring” named Ryuk that started making waves in August of the next year arguably caused more damage. Hermes is a product of North Korea.

May- WannaCry

WannaCry was one of the fastest spreading and most damaging ransomware attacks in history. In four days, it had infected more than 250,000 devices worldwide by exploiting a leaked NSA hacking tool called EternalBlue.

Part of the reason it spread to so many devices is because it attacked large corporate networks. WannaCry demanded a $300 ransom that added up to an estimated $4 billion.

The ransomware was so devastating that an affected hospital in England was forced to temporarily cancel operations and re-route ambulances while they tried to regain use of their system.

WannaCry Ransomware Attack

July- Reyptson

Reyptson, a form of ransomware that attacked people in Spain, has an interesting way of spreading. After it hacks a victim’s computer, it accesses his/her contacts and then emails them spam while posing as the victim. The spam will seem like an invoice but in reality the link to the invoice contains the ransomware.

October- Bad Rabbit

Right around Halloween, Bad Rabbit began spreading across organizations mainly in the Ukraine and Russia. Some prominent victims included Russian news outlets and the Ukranian metro system.

Bad Rabbit’s tactic was to demand a small enough ransom of 0.5 Bitcoin that the victim wouldn’t hesitate to pay.


January- Gandcrab

Similar to the Cerber attacks of 2016, Gandcrab was another form of a Ransomware-as-a-Service. Since Gandcrab’s release, at least five other versions have been published. Gandcrab was the first ransomware to demand payment from the DASH cryptocurrency.

In May of this year, the creators of Gandcrab announced that they were shutting down after personally netting close to $150 million in the past year. The creators claim that hackers who used Gandcrab to carry out their attacks may have earned a collective $2 billion.

Gandcrab Ransomware

May- VPNFilter

This deadly form of ransomware caught the world’s attention when it infected over 500,000 routers worldwide. VPNFilter caused constant problems by its ability to stick around even after an infected computer was rebooted.

VPNFilter was advanced enough to spy on traffic coming through the infected device and could even permanently disable a device will a so-called “kill switch”.

August- Ryuk

Ryuk signaled a potential shift in who attackers target when it aimed to infect the computers of large corporations. With this “big game hunting” tactic, Ryuk has racked up an estimated $3 billion, and has continued to wreak havoc as recently as May of this year.

August- PooleZoor

PooleZoor ransomware appears to be related to the HiddenTear source code from 2015. Although Poolezoor seems to have Iranian origins, it has attacked computers worldwide. The hackers tend to demand 10 million Iranian rials (around $237) in order to unencrypt the victim’s computer.

September- Brrr

Though this ransomware’s name might not apply to the season in which it was discovered, its origins can be applied to Dharma. The hackers using Brrr scan the Internet for victims and then use brute force tactics to get the password to their computers.

September- Gamma

Another variant of Dharma, Gamma was discovered less than a week after Brrr started appearing. The creators of Gamma thought they would be helpful and educational while robbing their victims, seeing as they would help victims figure out how to pay with cryptocurrency by giving them instructions on how to create a cryptocurrency wallet.

October- Katyusha

Katyusha’s method for attack is through malicious email attachments. Once inside a computer, it pinpoints specific files to encrypt, making it a “ransomware on a mission”.

When finding files to infect, Katyusha was sophisticated enough to know if a file was already infected. Like a few other forms of ransomware, Katyusha demanded a relatively "cheap" ransom of only 0.5 Bitcoin.


March- LockerGoga

This form of ransomware made headlines when it attacked Norwegian aluminum manufacturing company Norsk Hydro in March of 2019. Similar to how the Ryuk ransomware targeted large corporations, LockerGoga seems to aim for large targets as well, specifically the industrial and manufacturing industries.

LockerGoga uses some similar tools to the Bad Rabbit ransomware from last year. Once inside a system, LockerGoga changes a victim’s passwords and tries to log off anybody currently logged into the system.

A History of Ransomware

May- RobbinHood

RobbinHood infects by attacking a victim’s hard drive, encrypting many files. RobbinHood gained media attention in May 2019 when it was used to attack the city of Baltimore, demanding payment in the form of around $100,000. If victims didn’t pay by a certain date, then the ransom would increase by $10,000 per day that the ransom continued to go unpaid.

November- Maze

According to the FBI, Maze uses multiple methods for network intrusion, including the creation of malicious websites and phishing campaigns impersonating government agencies and well-known security vendors.

Maze ransomware was behind the large-scale attack on Allied Universal, a large security staffing company that employs over 200,000 people, in November 2019. The hackers behind the attack demanded around $2.3 million for the safe return of the company's data.

However, after missing a deadline by which to pay the ransom, Allied had to face some tough consequences. Close to 700 MB worth of their stolen data and files were published online, and according to the hackers, this was only 10% of the total files stolen.

December- Ryuk

Ryuk continued to wreak havoc through all of 2019, making national headlines for its attacks on Riviera Beach, Florida and the Georgia court system in the summer and the city of New Orleans in December.

In the New Orleans attack, city mayor LaToya Cantrell was forced to declare a state of emergency. Additionally, to stop the spread of the attack, she instructed all city employees to power down their computers, unplug their devices, and disconnect from Wi-Fi.


January - Sodinokibi/REvil 

Hackers using this particular ransomware threaten the publishing of stolen files unless the ransom is paid.

The world's biggest currency exchange company, Travelex, was the victim of a Sodinokibi ransomware attack starting on New Year's Eve 2019. Their data was held hostage for $6 million, causing the company to go offline for weeks while they sorted out the situation. 

As of February, the creators of Sodinokibi have outlined plans to release a website that will be used to publish and distribute their victim's data. More lucrative data like social security numbers will be published on the dark web instead.

To further pressure their victims into paying the ransom, Sodinokibi's creators even went so far as to threaten to auto-email stock exchanges like NASDAQ about their victims' ransomware attacks to hurt their stock.

February - DoppelPaymer

DoppelPaymer, a strain of ransomware that began quietly making waves in mid-2019, caught the attention of the media in late February 2020 when it was used to attack Visser Precision, a parts manufacturer for companies like Tesla and SpaceX.

Similar to Sodinokibi, DoppelPaymer threatens to publish a victim's data online if they don't pay the ransom. DoppelPaymer's creators seemingly followed through on this promise, launching a website in early 2020 called Doppel Leaks on which they publish their victims' data.

Because DoppelPaymer targets large corporations and infects vast numbers of devices within an organization, those who deploy this ransomware can demand large sums of money.

March - Netwalker

Amidst the coronavirus pandemic of early 2020, a new ransomware emerged that used coronavirus phishing emails to target its victims. 

Netwalker, previously known as Mailto, gained steam when it began to attack corporations and government agencies, including the Champaign Urbana Public Health District (CHUPD) in Illinois.

The cyber criminals behind these attacks chose to strike at a smart time, seeing as many businesses were working remote during this time and might not have had as strict of cyber security measures in place for a remote office.

The Future of Ransomware

Ransomware attacks have ramped up significantly in recent years and show no signs of slowing down. Think of ransomware as a game of whack-a-mole – as one is shut down or rendered useless, another one will pop up to take its place.

This timeline highlights another growing trend in ransomware attacks: attacks on government agencies. Hackers are targeting government agencies more and more because they contain sensitive information in need of protecting and don't always have the budgeted resources for adequate cyber security. 

Although attacks on government agencies are increasing, according to a recent survey from IBM, only 38% of state and local government employees are trained on ransomware prevention. 

Hackers are growing more sophisticated by the day, which means that businesses cannot afford to stay unprotected from ransomware. If you are a business owner, consider looking into managed IT services as a way of holistically protecting your business from the threats of the Internet.

Here at Standard Office Systems, we use Sophos Intercept X to protect your network and monitor for threats. In the event that you are hacked, we use tools such as Datto to recover the environment.  

It’s increasingly becoming a matter of when, not if, your business is attacked by ransomware. Don't be stuck without a comprehensive cyber security plan.

Get Your Questions Answered Now

Posted by Erica Kastner


cybersecurity, ransomware and phishing