Ransomware feels like a product of the cryptocurrency era, but its story begins on a floppy disk in 1989. The arc from that first crude experiment to today’s industrialised double-extortion ecosystem is the story of two technologies, public-key cryptography and anonymous online payment, gradually meeting the right criminal imagination.
1989: The AIDS Trojan
The first recognised ransomware attack was the work of an evolutionary biologist named Joseph Popp. Popp mailed roughly 20,000 floppy disks labelled "AIDS Information, Introductory Diskettes" to a list that included delegates of an international AIDS conference. The disks contained a real questionnaire about HIV risk factors, and a payload. After the infected machine had been booted 90 times, the malware hid directories and scrambled filenames on the C: drive, then demanded that $189 be sent to a P.O. Box in Panama.
Cryptographically the AIDS Trojan was weak: it used a simple symmetric substitution cipher whose key was embedded in the program itself, so analysts recovered the key and published a free cleanup tool within months. Conceptually, though, it was complete: encryption as leverage, a payment channel the attacker controlled, and an attacker who never had to be present. Popp was arrested and extradited to Britain but never tried; he was declared mentally unfit. The genre then went quiet for more than fifteen years.
1996–2005: The theoretical interlude
In 1996 Adam Young and Moti Yung published the paper "Cryptovirology: Extortion-Based Security Threats and Countermeasures," which laid out the theoretical blueprint for modern ransomware. Their insight was to use asymmetric cryptography, RSA in particular, in a hybrid construction: the malware carries only the attacker's public key, encrypts the victim's data under a fresh random symmetric key, and then encrypts that symmetric key with the public key before discarding it. Because the private key never leaves the attacker, only the attacker can recover the data, even if the malware is fully reverse-engineered. The paper was largely ignored by criminals at the time, but every modern ransomware family is, fundamentally, an implementation of that idea.
2005–2012: Early commercial families
The first wave of "real" ransomware emerged in Russia and Eastern Europe in the mid-2000s. Families like GpCode, Krotten, Archiveus, and MayArchive encrypted user files and demanded payment via wire transfer, premium SMS, or pre-paid voucher systems like Ukash and Paysafecard. They were profitable but limited: the payment channels were traceable, slow, and capped in size.
From around 2011 a parallel category appeared: "police lockers" such as Reveton and the FBI MoneyPak scam, which did not encrypt files but locked the screen with an official-looking law-enforcement notice accusing the user of viewing illegal content. Victims paid a few hundred dollars in vouchers to make the warning go away.
2013: CryptoLocker and the Bitcoin pivot
The modern era begins with CryptoLocker, which appeared in September 2013. Distributed by the Gameover Zeus botnet, CryptoLocker had its command-and-control server generate a 2048-bit RSA key pair for each victim, encrypted a wide list of file extensions with AES and wrapped the AES keys under that public key, and, crucially, demanded payment in Bitcoin. Cryptocurrency solved the payment problem that had constrained earlier families: it was pseudonymous, irreversible, and not capped the way vouchers were. CryptoLocker is estimated to have extracted $3 million before Operation Tovar dismantled its infrastructure in 2014. Its success spawned a horde of imitators: CryptoWall, TorrentLocker, TeslaCrypt, and CTB-Locker.
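The hybrid scheme that Young and Yung described, and that CryptoLocker implemented with a server-generated RSA key pair, is easier to see in code than in prose. The following is an added example written for this page, not code from either the paper or any ransomware family: it contrasts a fixed key shipped inside the binary (the AIDS Trojan model, here an illustrative XOR rather than Popp's actual substitution table) with an AES-256-GCM data key wrapped under an RSA-2048 public key, and shows that the locked data cannot be recovered with anything but the attacker's private key. The file names, the sample document contents, and the function names are all constructed for the demonstration; it uses only Go's standard library.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// AIDS Trojan model: one fixed symmetric key inside the binary, so anyone who
// disassembles the sample can invert the transform. (XOR stand-in, not Popp's table.)
const embeddedKey byte = 0x5A

func aidsStyleTransform(data []byte) []byte {
	out := make([]byte, len(data))
	for i, b := range data {
		out[i] = b ^ embeddedKey // self-inverse: apply twice to recover the file
	}
	return out
}

// Young-Yung model: hybrid encryption. The binary carries only the attacker's
// RSA public key; the private half never leaves the attacker. This runs on the
// attacker's side (CryptoLocker did it per victim on its C2 server).
func generateAttackerKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// lockFiles needs only the public key. A fresh random AES-256 key encrypts every
// file (nonce prefixed, file name bound as associated data), the key is wrapped
// with RSA-OAEP, and the plaintext key is then wiped from memory.
func lockFiles(pub *rsa.PublicKey, files map[string][]byte) (wrappedKey []byte, locked map[string][]byte, err error) {
	dataKey := make([]byte, 32)
	if _, err = rand.Read(dataKey); err != nil {
		return nil, nil, err
	}
	gcm, err := newGCM(dataKey)
	if err != nil {
		return nil, nil, err
	}
	locked = make(map[string][]byte, len(files))
	for name, plain := range files {
		nonce := make([]byte, gcm.NonceSize())
		if _, err = rand.Read(nonce); err != nil {
			return nil, nil, err
		}
		locked[name] = gcm.Seal(nonce, nonce, plain, []byte(name))
	}
	if wrappedKey, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dataKey, nil); err != nil {
		return nil, nil, err
	}
	for i := range dataKey { // the only surviving copy of the key is the wrapped one
		dataKey[i] = 0
	}
	return wrappedKey, locked, nil
}

// unlockFiles needs the private key: the step a victim cannot perform from the
// binary alone, however thoroughly it is reverse-engineered.
func unlockFiles(priv *rsa.PrivateKey, wrappedKey []byte, locked map[string][]byte) (map[string][]byte, error) {
	dataKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, wrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap data key (wrong or missing private key): %w", err)
	}
	gcm, err := newGCM(dataKey)
	if err != nil {
		return nil, err
	}
	files := make(map[string][]byte, len(locked))
	for name, blob := range locked {
		n := gcm.NonceSize()
		if len(blob) < n {
			return nil, fmt.Errorf("truncated ciphertext for %s", name)
		}
		if files[name], err = gcm.Open(nil, blob[:n], blob[n:], []byte(name)); err != nil {
			return nil, fmt.Errorf("%s: %w", name, err)
		}
	}
	return files, nil
}

func main() {
	docs := map[string][]byte{"budget.xlsx": []byte("Q3 forecast: revenue 4.2M")} // constructed sample
	attacker, _ := generateAttackerKey()                                           // demo ignores errors for brevity
	wrapped, locked, _ := lockFiles(&attacker.PublicKey, docs)
	_, withKey := unlockFiles(attacker, wrapped, locked)
	stranger, _ := generateAttackerKey() // any key pair the attacker never held
	_, withoutKey := unlockFiles(stranger, wrapped, locked)
	fmt.Printf("recovery with attacker's key: %v; with another key: %v\n", withKey, withoutKey)
}
```

Two design points carry the security argument. The data key exists in plaintext only inside `lockFiles` and is zeroed after wrapping, so a memory dump taken after the run, or a full disassembly of the binary, yields the public key and nothing useful. And binding the file name as GCM associated data means a defender or a second extortionist cannot splice ciphertexts between files; the decryptor rejects the swap rather than producing garbage.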
2016–2017: Industrialisation and worms
By 2016 ransomware was a recognisable industry. Locky, Cerber, and others were distributed via massive spam campaigns and exploit kits. Cerber ran one of the most successful early affiliate programmes, the model that would later define RaaS, paying distributors a cut of revenue.
Then came 2017, which broke the threat model. In May, WannaCry combined ransomware with EternalBlue, a leaked NSA exploit for SMBv1, and tore through unpatched Windows networks worldwide, including the UK’s National Health Service. Six weeks later, NotPetya disguised itself as ransomware but was actually a destructive wiper deployed by Russian state actors against Ukraine; it spread globally through a hijacked update of the M.E.Doc accounting software and caused an estimated $10 billion in damage. The two events showed both the latent destructive potential of self-propagating ransomware and the fact that nation-states were paying close attention.
2018–2020: Big-game hunting and double extortion
The next shift was strategic rather than technical. Operators of Ryuk, SamSam, BitPaymer, and Sodinokibi (REvil) abandoned mass spam in favour of "big-game hunting": handpicked enterprise targets with deep pockets and no tolerance for downtime. Ransom demands jumped from thousands to millions of dollars.
In late 2019 the Maze group industrialised a tactic that changed everything: before encrypting, they exfiltrated data and threatened to publish it. The "leak site" was born, and within a year virtually every serious operator had adopted double extortion. The leverage was no longer just "you can’t access your data" but "your customers, regulators, and competitors are about to read your data."
2020–2022: Pandemic surge and the Conti era
Lockdowns expanded the attack surface dramatically: half-deployed VPNs, hastily exposed RDP, exhausted IT teams. Ransomware revenue exploded. Conti, REvil, DarkSide, and LockBit dominated the leak-site landscape. In May 2021 DarkSide hit Colonial Pipeline, triggering fuel shortages on the US East Coast and a White House response that put ransomware firmly on the geopolitical agenda. REvil hit JBS, the world’s largest meat processor, and then the Kaseya VSA supply chain. The Biden administration began openly threatening sanctions and offensive cyber action against operators and their hosts.
In early 2022, after the Conti gang publicly sided with Russia following the invasion of Ukraine, an insider leaked thousands of internal chats and source code. The "ContiLeaks" exposed the operation as a structured criminal enterprise with HR, payroll, R&D, and management, and accelerated its disintegration into successor brands such as Black Basta, BlackByte, and Royal.
2023–present: Mass exploitation, takedowns, and rebrands
The current era is defined by three tendencies. First, mass exploitation of file-transfer and edge appliances: Cl0p’s GoAnywhere and MOVEit campaigns each hit hundreds of organisations through a single zero-day. Second, sustained law-enforcement pressure: Hive was infiltrated and dismantled by the FBI in early 2023; LockBit’s infrastructure was seized in Operation Cronos in February 2024; ALPHV/BlackCat collapsed in an apparent exit scam after the Change Healthcare breach. Third, fragmentation and rebranding: affiliates rotate between brands, and new entrants like Akira, Play, Medusa, and RansomHub have rapidly filled the vacuums.
The throughline of the entire history is simple. Every time the criminal economy gains a new affordance (Bitcoin, RaaS, leak sites, zero-day brokering, AI-assisted phishing), the bar for entry drops and the ceiling for damage rises. Understanding the history is not nostalgia; it is the only way to anticipate what comes next.
