
History of Ransomware: Timeline and How It Starts


The transformation of ransomware from a minor cyber offense into a lucrative source of revenue for global criminal networks clearly illustrates why businesses must take the threat seriously. While its explosive growth over the past few years may make it seem otherwise, ransomware did not emerge suddenly.

Although often considered a newer threat (understandably so, given its fast-rising dominance in the cybercrime landscape), ransomware is not a recent innovation in the ongoing cyber war. Its origins stretch back decades, to the early days of the internet, email, and even floppy disks.

To better understand how ransomware continues to dominate cybercrime, it is important to examine its historical trajectory and how it has evolved into the present. The history of ransomware has certainly been an interesting journey. The following sections provide a comprehensive overview of how cyberattacks have developed over the years.


What was the First Ransomware Attack in History?

The early days of ransomware were sparse and primitive. Ransomware has been present since the 1980s, with the first documented case reported in 1989. This initial incident, known as the AIDS Trojan, was distributed through floppy disks during the World Health Organization’s AIDS Conference and is considered one of the earliest instances of organized cybercrime. Once the user inserted the disk, a lock screen appeared. If the system was rebooted, the malware would count the number of reboots, and after 90 restarts, it would encrypt files and demand payment for the decryption key. It concealed file directories on the victim’s computer and demanded a payment of USD 189 to restore access. Because this malware encrypted file names rather than the files themselves, users could reverse the damage without paying a ransom.

Although this attack was notable, it was an isolated incident. Ransomware in the 1980s and 1990s lacked widespread execution or success due to several factors, including limited interconnectivity of technology in businesses and the inability of threat actors to easily extract payment.

When Did Ransomware Start?

Even though ransomware has dominated headlines consistently over the past eight years, the concept of taking user files or computers hostage—by encrypting files, hindering system access, or using other methods and subsequently demanding a ransom—dates back much further.

  • 1989: In the late 1980s, criminals were already holding encrypted files hostage in exchange for cash sent through the postal service. One of the first documented ransomware attacks was the AIDS Trojan (also known as the PC Cyborg Virus), distributed via floppy disk in 1989. Victims were directed to mail $189 to a P.O. box in Panama in order to restore access to their systems. Although rudimentary in its design, this incident marked the emergence of the ransomware model.

  • 1996: While examining the AIDS Trojan, computer scientists Adam L. Young and Moti Yung cautioned that future malware could employ advanced cryptographic techniques to extort victims by encrypting sensitive data.

  • 2005: After relatively few ransomware incidents in the early 2000s, a significant uptick of infections began, particularly in Russia and Eastern Europe. The first variants employing asymmetric encryption appeared. As these new forms of ransomware provided more effective extortion methods, more cybercriminals adopted and spread them globally.

  • 2009: The emergence of cryptocurrency, particularly Bitcoin, provided cybercriminals with an untraceable method of payment, fueling the next surge in ransomware activity.

  • 2013: The modern era of ransomware began with CryptoLocker, which inaugurated a wave of sophisticated encryption-based ransomware attacks demanding payment in cryptocurrency.

  • 2015: The Tox ransomware variant introduced the ransomware-as-a-service (RaaS) model, allowing individuals with limited technical skills to launch ransomware campaigns.

  • 2017: WannaCry, the first widely deployed self-replicating cryptoworm, appeared and spread across hundreds of thousands of systems globally.

  • 2017: A variant of Petya, known as NotPetya, made international headlines as it was employed to target Ukraine, as well as Ukraine-allied countries such as France, the United Kingdom, and the United States, during the ongoing conflict between Russia and Ukraine. The NotPetya attacks have been attributed to Russia by numerous experts.

  • 2018: Ryuk popularized the practice of “big game hunting,” targeting large organizations and demanding multimillion-dollar ransoms.

  • 2019: Double-extortion and triple-extortion ransomware attacks became increasingly common. Almost every ransomware incident that the IBM Security® X-Force® Incident Response team has responded to since 2019 has involved double extortion.

  • 2022: Thread hijacking—where cybercriminals infiltrate legitimate online conversations to distribute malware—emerged as a prominent ransomware vector.

  • 2023: As defenses against ransomware improved, many gangs expanded their arsenals and adopted new extortion tactics. Groups such as LockBit and remnants of Conti began deploying infostealer malware, enabling them to steal sensitive data and hold it hostage without encrypting victims’ systems.

Who Created the First Ransomware?

The first ransomware attack took place in 1989 and was orchestrated by evolutionary biologist Dr. Joseph L. Popp. Approximately 20,000 individuals received floppy disks through the mail, accompanied by an informational leaflet. The materials appeared to originate from an organization called “PC Cyborg Corp.”, which was fictitious.

Dr. Popp, having recently been denied a position at the World Health Organization, sought revenge by targeting attendees of the WHO AIDS Conference. The leaflet claimed that the disk contained an interactive program discussing AIDS.

The disk, however, contained two files, one of which was malicious. When inserted, the malware modified the autoexec.bat file (responsible for launching Windows). The ransomware then encrypted file extensions, rendering them inaccessible. Victims were presented with a ransom demand instructing them to pay an annual fee of $189 or a permanent fee of $378 for decryption.

Modern researchers later revealed numerous flaws in Popp’s ransomware. Nevertheless, the attack was devastating, particularly because many victims were medical researchers. The loss of valuable data had catastrophic consequences for the scientific community, with lingering impacts in the medical field. Popp did not profit from the attack, as victims refused to pay and instead opted to wipe their systems, which tragically resulted in permanent data loss.

How Did Ransomware Evolve in the 2000s?

Despite its long history, ransomware attacks were still not widespread well into the 2000s—likely due to difficulties associated with payment collection. However, the emergence of cryptocurrencies, such as Bitcoin in 2010, fundamentally altered this situation. By providing an efficient and untraceable method for receiving payments from victims, virtual currencies created the opportunity for ransomware to become a highly lucrative criminal enterprise.

After relatively few ransomware attacks during the early 2000s, an uptick of infections began, particularly in Russia and Eastern Europe. The first variants employing asymmetric encryption appeared. As these new ransomware strains offered more effective mechanisms of extortion, cybercriminals increasingly adopted and spread ransomware worldwide.

In 2000, Onel de Guzman, a young Filipino computer science student, attempted to steal internet access by creating an infamous email-borne computer worm that spread rapidly and harvested passwords. These stolen credentials allowed him to gain access to the internet for his own use.

When unsuspecting recipients opened the infected email, the malicious script overwrote files, stole passwords, and propagated itself by sending copies to all contacts in the victim’s email list. This attack, known as the “ILOVEYOU” virus or “Love Bug”, became one of the earliest and most notorious large-scale malware attacks in cyber history.

The virus spread on a global scale, infecting millions of systems and causing widespread disruption. Beyond data loss and information theft, its estimated financial damage ranged from USD 5.5 to 8.7 billion.

Remarkably, Onel de Guzman was not prosecuted. At the time, the Philippines had no laws addressing cybercrime. Nevertheless, the attack spurred significant legislative change, leading to the enactment of the E-Commerce Act of 2000, which included provisions targeting computer-related crimes.

By 2006, the first ransomware strain to use advanced RSA encryption, known as Archievus, appeared. Distributed through compromised websites and spam emails, Archievus introduced a more sophisticated extortion method. It employed asymmetric encryption, requiring victims to obtain an RSA key for data recovery. However, the group behind the attack made a critical error: all victims were provided with the same decryption code, drastically reducing its effectiveness and limiting its operational lifespan.

The introduction of cryptocurrency, particularly Bitcoin in 2009, marked another turning point. It provided cybercriminals with a truly untraceable payment mechanism, which fueled the next surge in ransomware activity.

By the 2020s, the ransomware ecosystem had become significantly more sophisticated. In 2020, the concept of triple extortion expanded: beyond encrypting and exfiltrating data, attackers also threatened individuals whose data had been stolen or launched secondary attacks such as distributed denial-of-service (DDoS) campaigns if the ransom was not paid.

From 2021 to 2022, Initial Access Brokers (IABs) became increasingly important. These actors infiltrated corporate networks and then sold access to ransomware operators, facilitating the expansion of Ransomware-as-a-Service (RaaS). This model lowered the barrier to entry for less skilled cybercriminals and streamlined operations for advanced groups by outsourcing network access, ultimately driving the surge in ransomware incidents globally.

What Role Did CryptoLocker Play in the Evolution of Ransomware?

CryptoLocker was the first ransomware to be distributed via both botnets and social engineering, demonstrating to both cybercriminals and the cybersecurity community how effectively ransomware could spread and compromise systems.

Propagated through malicious email attachments distributed by a botnet, CryptoLocker spread rapidly across the internet. By December 2013, the group behind it had reportedly collected over USD 20 million in Bitcoin.

CryptoLocker used 2048-bit RSA key pairs, generated by a command-and-control server, to encrypt victim files. This strong encryption ensured that victims had no viable means of recovering their data without paying the ransom, typically around USD 300.

The Gameover Zeus banking Trojan became a primary delivery mechanism for CryptoLocker. The actors behind this botnet were among the first to realize ransomware’s immense profitability, shifting their focus beyond traditional banking fraud, such as Automated Clearing House (ACH) and wire fraud schemes. CryptoLocker’s financial success marked the beginning of ransomware’s “gold rush” era.

Although CryptoLocker was dismantled in 2014 through an international law enforcement operation, it managed to extort an estimated USD 3 million in less than a year. Despite its short operational span, it served as a proof of concept to the broader cybercrime community, demonstrating ransomware’s extraordinary financial potential. This event is widely regarded as a critical inflection point in the exponential growth of ransomware.

CryptoLocker’s success spawned countless imitators and paved the way for major ransomware variants such as WannaCry, Ryuk, and Petya. From this point onward, organized cybercrime groups increasingly redirected resources from older schemes, such as fake antivirus programs, toward ransomware development. Cybercriminal operators dedicated themselves to improving ransomware code, creating exploit kits, and flooding Dark Web marketplaces with ready-to-use malicious tools.

How Did Ransomware-as-a-Service (RaaS) Transform Cybercrime?

Ransomware-as-a-Service (RaaS) is a criminal business model in which developers build and maintain ransomware toolkits and lease them to affiliates who then launch attacks. In exchange, affiliates pay subscription fees or share a percentage of ransom payments.

RaaS operators actively recruit affiliates, who may possess varying levels of technical expertise. Upon registration, affiliates gain access to ransomware payloads, payment portals, and detailed deployment instructions. They may customize parameters such as ransom amounts, accepted cryptocurrencies (e.g., Bitcoin or Monero), encryption settings, and distribution vectors—including phishing emails, malicious websites, or software exploitations.

Moreover, many RaaS providers offer technical support, frequent updates to evade security systems, and even customer service forums where affiliates can troubleshoot issues. Some platforms provide step-by-step guides, enabling individuals with limited technical backgrounds to successfully execute ransomware attacks.

This model significantly expanded ransomware’s reach by eliminating the need for attackers to write malicious code themselves. Essentially, anyone with minimal technical knowledge could become an active participant in ransomware campaigns simply by subscribing to a RaaS platform.

Once deployed, the ransomware encrypts victim systems, rendering them unusable, and demands payment via ransom notes. For affiliates encountering technical difficulties, many RaaS providers even offer 24/7 “customer support” to ensure attacks proceed smoothly.

The adoption of RaaS has profoundly transformed cybercrime. Several factors explain its success:

  1. Division of labor allows for an increased volume of attacks.

  2. Lower barriers to entry enable inexperienced actors to purchase advanced ransomware kits.

  3. Organizations, particularly those with low tolerance for downtime, are often compelled to pay ransoms.

  4. Data exfiltration has become a core component of ransomware, allowing criminals to sell stolen information on the Dark Web if ransoms remain unpaid.

  5. The organized crime model underlying RaaS ensures adaptability and resilience, even in the face of major law enforcement crackdowns.

As a result, RaaS has established itself as one of the most significant innovations in the ransomware ecosystem, contributing to its rise as a global cyber threat.

Why Did Ransomware Become a Global Cyber Threat in the 2010s?

Two key innovations accelerated the growth of ransomware during the 2010s: email and cryptocurrency.

One early form of this malware, known as screen-locking ransomware, restricted access to computers or handheld devices by locking the screen, thereby preventing users from operating their systems. Victims were then typically instructed to pay a small ransom, often amounting to only a few hundred pounds.

As the frequency of screen-locking ransomware attacks increased, the cybersecurity industry began to adapt by developing countermeasures and improving its defensive capabilities. This included ensuring that devices were regularly updated with the latest security patches in order to stay ahead of cybercriminals.

At the same time, eCrime—a broad category of malicious activity encompassing malware, banking trojans, ransomware, cryptojacking, and other forms of crimeware—capitalized on the monetization opportunity created by Bitcoin. The emergence of cryptocurrency resulted in a significant proliferation of ransomware beginning in 2012.

As Bitcoin gained mainstream appeal, ransomware developers recognized it as the ideal method of financial extraction they had long sought. Cryptocurrency exchanges enabled adversaries to receive instant payments while maintaining anonymity, all conducted outside the oversight of traditional financial institutions.

In 2016, Petya emerged as the first ransomware variant capable of overwriting the master boot record (MBR) and encrypting the master file table (MFT), effectively locking victims out of their entire hard drives with greater speed and efficiency.

In 2017, the WannaCry ransomware attack became one of the most widespread ransomware incidents in history. Infecting hundreds of thousands of devices across more than 150 countries, the attack began in Asia through phishing but spread globally within hours, demonstrating the rapid propagation capability of ransomware.

By 2018, ransomware had further evolved to incorporate data exfiltration techniques. The GandCrab Ransomware-as-a-Service (RaaS) strain, for example, integrated file-stealing malware to exfiltrate sensitive data, including credentials, documents, and even screenshots.

In 2019, leak sites began to appear on the dark web. These platforms exposed stolen data, causing additional financial and reputational harm to victims while also enabling stolen credentials and personally identifiable information (PII) to be leveraged in future attacks. While such leak sites amplified the risks for victims, they also provided valuable intelligence for cybersecurity researchers, allowing them to identify active ransomware groups and their targeted organizations. This intelligence has since become a crucial component in the development of modern defensive strategies.

What are the Most Famous Ransomware Attacks in History?

The most famous ransomware attacks in history have targeted individuals, private businesses, government agencies, and critical infrastructure. While some incidents remained hidden due to victims’ attempts to conceal successful breaches, others received worldwide attention and significantly altered the way cybersecurity professionals operate.

AIDS Trojan (1989)

The first ransomware attack in history dates back to 1989, long before cyber attackers began using the internet to spread malware. Known as the AIDS Trojan, or PC Cyborg, it spread via floppy disks distributed to the subscriber list of a World Health Organization AIDS conference. When victims accessed the disk, the malware encrypted their files.

The attacker demanded payments ranging from $189 to $378 to restore access. Although the attack had limited economic consequences, it served as an early warning of the dangers of malware.

CryptoLocker (2013–2014)

The CryptoLocker ransomware marked the beginning of the modern ransomware era. Active between 2013 and 2014, it extorted nearly $3 million from victims. Cyber attackers distributed it through phishing campaigns that delivered infected email attachments. Once executed, the malware encrypted files and demanded ransom payments in Bitcoin. This was among the first ransomware variants to employ cryptocurrency for ransom, a practice still prevalent today.

WannaCry Ransomware Attack (2017)

In May 2017, the WannaCry ransomware spread rapidly, infecting more than 200,000 systems across 150 countries within days. It exploited a Microsoft Windows vulnerability known as EternalBlue, originally developed by the U.S. National Security Agency (NSA) and leaked by the hacking group Shadow Brokers.

Among the most notable victims was the United Kingdom’s National Health Service (NHS), where the attack disrupted hospital operations, rerouted ambulances, and forced the cancellation of thousands of medical appointments. The financial impact exceeded $4 billion worldwide, including both recovery costs and lost productivity. This attack highlighted the catastrophic consequences of unpatched systems and emphasized the necessity of timely software updates.

NotPetya (2017)

In June 2017, another ransomware-like attack—later dubbed NotPetya—struck organizations globally. Initially resembling Petya ransomware, NotPetya had critical differences. Unlike traditional ransomware, it functioned as a wiper, rendering data irrecoverable even if victims paid the ransom.

NotPetya targeted Ukraine’s government, financial institutions, and energy sector before spreading internationally, infecting companies such as Maersk, Merck, and FedEx. The attack caused over $10 billion in damages, making it the most destructive cyber incident in history. Though it demanded payment, its true purpose appeared to be disruption rather than profit, positioning it within the broader context of cyber warfare.

REvil (2019–2021)

Emerging in 2019, REvil (also known as Sodinokibi) pioneered the Ransomware-as-a-Service (RaaS) model. Rather than executing attacks themselves, its developers provided ransomware to affiliates in exchange for a share of the profits.

In 2021, REvil targeted the remote IT management company Kaseya, infecting over one thousand businesses worldwide. The group extorted millions of dollars, consolidating its reputation as one of the most dangerous ransomware operators.

Colonial Pipeline (2021)

In 2021, a ransomware attack forced Colonial Pipeline, which supplies 45% of the East Coast’s fuel, to shut down operations for nearly a week. This disruption caused gasoline shortages and prompted a state of emergency in 17 U.S. states. The company paid a ransom of $4.4 million, some of which was later recovered by the FBI. The event demonstrated the vulnerability of critical infrastructure and underscored ransomware’s significance as a national security threat.

Costa Rican Government (2022)

In 2022, the Costa Rican government suffered a severe ransomware attack that led the nation to declare a state of emergency. The attackers demanded a $20 million ransom and threatened to overthrow the government through cyberattacks. The incident emphasized ransomware’s potential as a tool for political and national destabilization.

British Library (2023)

In October 2023, the British Library suffered a ransomware attack by the Rhysida group, which employed a double extortion technique—encrypting files while simultaneously stealing sensitive data and threatening to sell it online. The attack disabled the library’s website for months and highlighted the increasing sophistication of ransomware groups targeting public institutions.

How did WannaCry and NotPetya Become Turning Points in Ransomware History?

Both WannaCry and NotPetya became pivotal moments in ransomware history due to their unprecedented scale, sophistication, and global impact.

  1. Use of State-Sponsored Exploits: Both attacks exploited EternalBlue, a tool created by the NSA and later leaked by Shadow Brokers, demonstrating how state-developed cyberweapons could be repurposed for mass attacks.

  2. Worm-Like Propagation: Unlike earlier ransomware, they spread automatically across networks, without requiring phishing or user interaction, significantly amplifying their destructive potential.

  3. Shift from Profit to Disruption: WannaCry inflicted billions in damages but earned minimal ransom payments. NotPetya functioned primarily as a wiper, designed to destroy rather than extort, highlighting a shift from financial motives to geopolitical disruption.

  4. Impact on Critical Infrastructure: WannaCry disrupted healthcare, transportation, and communication systems. NotPetya crippled multinational corporations such as Maersk and Merck.

  5. Catalyst for Cybersecurity Policy: These incidents accelerated global efforts in patch management, cyber defense strategies, and government policies for protecting critical infrastructure.

What are the Most Recent High-Profile Ransomware Attacks?

1. Medusa Ransomware Attacks on Critical Infrastructure (March 2025)

In March 2025, the Medusa ransomware group launched widespread attacks on over 300 organizations, targeting sectors including healthcare, education, manufacturing, and insurance. Medusa typically gains access through phishing emails and unpatched software vulnerabilities before encrypting data and demanding ransom. The group employs double extortion tactics, threatening to leak sensitive information if demands are not met. These attacks reflect the growing trend of ransomware operators targeting essential services, thereby increasing pressure on victims to pay quickly to minimize operational disruptions.

2. Rackspace Alleged Data Breach (March 2025)

The Cl0p ransomware gang claimed responsibility for a breach at cloud service provider Rackspace, alleging the exfiltration of sensitive company data and its subsequent upload to the dark web. Cl0p stated that Rackspace refused to negotiate, leading to the public release of stolen data. However, Rackspace denied the claims, asserting that their investigations found no evidence of compromise. While the full details remain uncertain, this case highlights the increasing strategic focus on cloud service providers as high-value ransomware targets.

3. DragonForce Ransomware Targets Saudi-Based Organizations (February 2025)

DragonForce, a ransomware-as-a-service (RaaS) group, targeted real estate and construction firms in Saudi Arabia. The attackers set a ransom deadline for February 27—one day before the beginning of Ramadan—indicating deliberate strategic planning. When the deadline passed, DragonForce published 6TB of stolen data on a dedicated leak site separate from its primary platform.

4. Ascension Health Ransomware Attack (Discovered December 2024)

Ascension, one of the largest healthcare providers in the United States, fell victim to a ransomware attack attributed to the Black Basta group. The attack compromised the personal and medical records of approximately 5.6 million individuals. Given the critical nature of patient data, healthcare organizations are particularly vulnerable to ransomware. This incident underscores the urgent need for robust cybersecurity defenses in the healthcare sector.

5. Salt Typhoon Attacks on U.S. Telecommunications (Late 2024)

Salt Typhoon, a state-sponsored hacking group, infiltrated nine major U.S. telecommunications providers, including Verizon, AT&T, and T-Mobile. The attackers targeted critical infrastructure systems used for court-ordered wiretaps, compromising call and text metadata of more than one million users, particularly in the Washington, D.C. area. Unlike financially motivated ransomware campaigns, this attack focused on espionage, demonstrating how nation-state actors are adopting ransomware-style tactics to achieve strategic objectives.

6. Trinity Ransomware Attack on Spain’s Tax Agency (December 2024)

The Trinity ransomware group claimed responsibility for an attack on Spain’s Agencia Tributaria, asserting that they had stolen 560GB of sensitive data. They demanded a ransom of $38 million, threatening to release the information if payment was not made. The Spanish tax authority, however, reported no evidence of a security breach. This case highlights the increasing trend of ransomware groups targeting government institutions, which often hold vast amounts of sensitive citizen data.

How have Ransomware Demands and Tactics Changed Over Time?

Ransomware headlines continue to dominate global news, with individuals, corporations, and governments falling victim to attacks. Although ransomware has existed since the 1980s, its strategies and demands have evolved significantly.

The earliest known case, the AIDS Trojan (1989), encrypted file systems and demanded $180 sent via postal mail to a P.O. box in Panama. From the 2000s onward, organizations sought to mitigate ransomware threats through early detection, regular data backups, and patch management. These defensive measures forced attackers to adapt.

By the late 2010s, double extortion emerged: in addition to encrypting data, attackers threatened to leak stolen information on the dark web or sell it to the highest bidder. This evolution remains prevalent today. In some cases, ransomware groups do not encrypt data at all but instead exfiltrate it, using threats of exposure as leverage.

The rise of RaaS further lowered barriers to entry, enabling even less technically skilled affiliates to conduct sophisticated attacks. As a result, both the frequency and diversity of ransomware incidents have increased.

Overall, ransomware tactics have shifted from targeting individuals to focusing on large organizations, where the potential payoff is higher and the operational impact more severe.

What Role did Bitcoin and Cryptocurrency Play in Ransomware Growth?

Bitcoin, the world’s first widely adopted cryptocurrency, enables secure peer-to-peer transactions recorded on a decentralized digital ledger known as the blockchain. Its pseudonymous nature allows users to obscure their identities, making it attractive for cybercriminals seeking to evade law enforcement.

Beginning in the early 2010s, ransomware operators increasingly demanded Bitcoin payments, leveraging its global reach, speed, and relative anonymity. This allowed attackers to extort large sums from hospitals, corporations, and government agencies.

A notable case was the Colonial Pipeline attack (2021), in which attackers demanded and received a $4.4 million ransom in Bitcoin. Shortly afterward, the U.S. Department of Justice announced it had recovered 63.7 Bitcoins, demonstrating that while Bitcoin transactions are difficult to trace to individuals, they are not entirely untraceable. By analyzing the blockchain, investigators can sometimes identify and seize digital wallets linked to criminal activity.

In short, cryptocurrency—particularly Bitcoin—has played a central role in ransomware’s global rise, facilitating large-scale extortion schemes while complicating law enforcement efforts.

How has Law Enforcement Responded to Ransomware Attacks?

Over the past few years, there have been notable law enforcement actions and takedowns of ransomware groups, which demonstrate that cybercriminals cannot remain complacent regarding the level of anonymity provided by the dark web.

LockBit (Operation Cronos)

In a significant breakthrough in the fight against cybercrime, law enforcement authorities from ten countries disrupted the criminal operations of the LockBit ransomware group at every level, severely damaging its capability and credibility. LockBit is widely recognized as the world’s most prolific and harmful ransomware, responsible for billions of euros worth of damage.

This international operation followed a complex investigation led by the United Kingdom’s National Crime Agency within the framework of an international taskforce known as Operation Cronos, coordinated at the European level by Europol and Eurojust. The months-long operation resulted in the compromise of LockBit’s primary platform and other critical infrastructure that supported its criminal enterprise. This included the takedown of 34 servers located in the Netherlands, Germany, Finland, France, Switzerland, Australia, the United States, and the United Kingdom.

Authorities also froze more than 200 cryptocurrency accounts linked to the organization, underscoring their commitment to disrupting the financial incentives driving ransomware attacks. The UK’s National Crime Agency has taken control of the technical infrastructure enabling LockBit’s operations, including its dark web leak site where stolen victim data had previously been published. A vast amount of data collected during the investigation is now in law enforcement’s possession and will be used to support ongoing international operations targeting the group’s leaders, developers, affiliates, infrastructure, and associated criminal assets.

Radar/Dispossessor

In August 2024, the FBI announced a major success against the Radar/Dispossessor ransomware group. Like other ransomware operations, Radar/Dispossessor was notorious for targeting businesses and government organizations worldwide. Since its emergence in August 2023, the group focused on small to mid-sized businesses and organizations in sectors such as education, healthcare, financial services, and transportation, aiming to maximize disruption in critical industries.

Although it initially targeted entities in the United States, the FBI’s investigation revealed 43 victim companies spanning multiple countries, including Argentina, Australia, Belgium, Brazil, Honduras, India, Canada, Croatia, Peru, Poland, the United Kingdom, the United Arab Emirates, and Germany. During its inquiry, the FBI identified numerous websites linked to the group.

The investigation and joint takedown were conducted in collaboration with the UK’s National Crime Agency, the Bamberg Public Prosecutor’s Office, the Bavarian State Criminal Police Office (BLKA), and the U.S. Attorney’s Office for the Northern District of Ohio. Similar to the LockBit case, this operation highlights how international cooperation and intelligence sharing are essential in addressing ransomware gangs that operate across multiple jurisdictions. Without such collaboration, Radar/Dispossessor might never have been dismantled.

Hive

In January 2023, the FBI announced the successful takedown of the Hive ransomware group, which had extorted hundreds of millions of dollars from victims and executed more than 80 attacks on critical infrastructure organizations in 2022, according to the FBI’s 2022 Internet Crime Report.

Hive targeted more than 1,500 victims across over 80 countries, including hospitals, school districts, financial institutions, and critical infrastructure providers. Its attacks caused severe disruptions worldwide, including to healthcare systems responding to the COVID-19 pandemic. For example, one hospital forced offline by Hive ransomware had to revert to analog methods of patient care and was temporarily unable to admit new patients.

The FBI revealed that it had infiltrated Hive’s networks in July 2022, secretly captured decryption keys, and distributed them to victims globally, preventing ransom payments totaling approximately $130 million. Since infiltrating Hive, the FBI has provided over 300 decryption keys to current victims and distributed more than 1,000 additional keys to previous victims. In cooperation with German law enforcement (the Federal Criminal Police and Reutlingen Police Headquarters-CID Esslingen) and the Netherlands’ National High Tech Crime Unit, the FBI subsequently seized Hive’s servers and websites, crippling the group’s ability to coordinate attacks.

This operation illustrates that law enforcement intervention does more than seize servers: quietly holding access to a group's infrastructure for months lets investigators hand decryption keys to victims before a ransom is ever paid. It has likely forced ransomware groups to tighten their operational security or change their methods, adding friction to their workflow and, in some cases, hastening their decline.

The Role of Dark Web Monitoring

Dark web monitoring has emerged as a crucial tool for law enforcement in combating ransomware. By surveilling forums, leak sites, and criminal marketplaces, agencies can gather intelligence on ransomware operations, identify threat actors, and track supporting tools and infrastructure. This intelligence enables targeted disruption, early detection of emerging threats, and long-term dismantling of ransomware networks. Persistent monitoring and analysis are therefore key to achieving critical breakthroughs in the global fight against ransomware.

How has Ransomware Evolved Into Today’s Cyber Threat Landscape?

With the internet making it simpler to deliver ransomware without relying on the postal service, the spread of ransomware has become far easier over the years. However, it was almost twenty years after Joseph Popp’s floppy disks before ransomware began to attract widespread attention again.

In the 2000s, cybersecurity specialists argued that one of the main reasons for the sharp increase in cybercrime was global digitalization, as the number of internet users grew from roughly 39 million in 1995 to 2 billion in 2010. At that time, many attackers relied on custom, often weak, encryption routines whose keys could be recovered from the malware itself, meaning that attacks were still "crackable" and were often regarded merely as "side gigs" or a way for hackers to earn extra cash.

As cyber threats continually evolved, the late 2000s marked an important shift. Attackers began to employ RSA public-key encryption in their malicious code, which removed the weakness of earlier schemes: the private key needed for decryption never leaves the attacker, so the key can no longer be recovered from an infected machine. In practice the RSA key pair is used to protect a per-victim symmetric key, while the files themselves are encrypted with a fast symmetric cipher. This development became evident when GPcode resurfaced with RSA-1024 encryption in 2010.

Another key development was the emergence of "locker" ransomware around 2007. Unlike variants that encrypted documents, locker attacks did not touch the victim's files at all; instead they blocked access to the operating system's user interface, effectively locking victims out of their entire machines and, in some cases, disabling the keyboard and mouse altogether. Because nothing was encrypted, lockers were usually easier to recover from than crypto-ransomware, but they were effective against non-technical users.

The watershed moment came in 2013 with the emergence of CryptoLocker, considered the first large-scale modern ransomware campaign. CryptoLocker combined strong public-key encryption with pseudonymous payments via Bitcoin, making it both hard to recover from and hard to trace, and thus a formidable threat. In 2014, the FBI estimated that CryptoLocker had extorted approximately $27 million in ransom payments in just its first two months of operation.

This period also saw the rise of ransomware-as-a-service (RaaS), which allowed individuals with little or no technical expertise to launch ransomware attacks by renting or purchasing pre-developed tools from ransomware creators, typically in exchange for a share of the ransom. This business model dramatically lowered the barrier to entry, leading to a sharp increase in attacks and ransom payments. By 2020, estimates put the global cost of ransomware at $20 billion, representing a 57-fold increase since 2015.

As ransomware became more profitable, cybercriminals realized they could monetize Popp’s original idea on a far broader scale. By 2020, a significant evolution occurred: threat actors increasingly combined encryption with data exfiltration and extortion tactics. Under this “double extortion” method, attackers not only encrypted victims’ systems but also exfiltrated sensitive data, threatening to leak it publicly unless the ransom was paid.

Moreover, eCrime groups became more sophisticated in their extortion methods. Rather than releasing stolen data all at once, they began leaking it gradually, saving the most sensitive information for last in order to increase psychological and financial pressure on victims. In some cases, adversaries even used stolen credentials to infiltrate a victim’s email system, sending threatening emails to employees, or went further by directly calling and harassing staff to coerce payment.

What Lessons Can Be Learned from the History of Ransomware?

Understanding past incidents is crucial for preparing against future cyber threats. Reviewing some of the most impactful ransomware and cyberattacks in recent history provides invaluable lessons for organizations and security leaders in fortifying their defenses.

  1. Critical Infrastructure Awareness: Attacks have raised heightened awareness across industries regarding the vulnerability of critical infrastructure to ransomware. These incidents catalyzed initiatives to strengthen cybersecurity protocols, emphasizing proactive defense measures and comprehensive contingency planning.

  2. Supply Chain Security: Breaches necessitated a reassessment of cybersecurity practices, particularly in software development and supply chains. They highlighted the importance of monitoring network behavior, rigorous code auditing, and strict validation processes. Advanced behavioral detection mechanisms—capable of recognizing malicious activity even in “trusted” processes—became increasingly vital.

  3. Data Protection as a Societal Imperative: Major breaches underscored that protecting personal data is not only a corporate duty but also a societal obligation. These events accelerated regulatory reforms, encouraged the adoption of stricter data protection frameworks, and emphasized the necessity of encryption, regular audits, and stronger identity security measures.

  4. Cyberattacks as Political Weapons: Certain high-profile breaches highlighted the weaponization of cyberattacks for political purposes. They underscored the vulnerability of industries such as entertainment and media to state-sponsored threats, forcing a reevaluation of the balance between cybersecurity, freedom of expression, and resilience against advanced persistent threats.

What does the Future of Ransomware Look Like?

The continued escalation of ransomware attacks—and the increasing costs associated with responding to these incidents—shows no indication of slowing in the near future. As long as victims remain willing to pay ransoms in order to restore operations, mitigate disruption, and prevent the disclosure of sensitive information, cybercriminals will continue to exploit them.

However, the techniques and strategies employed by ransomware actors are expected to evolve significantly as new technologies emerge. For example, the United Kingdom’s National Cyber Security Centre (NCSC) has warned that one of the most significant ransomware threats in the coming years will likely be driven by advances in artificial intelligence (AI).

AI is poised to impact ransomware in several critical ways. First, it will enable attackers to conduct reconnaissance on targets more efficiently, allowing them to identify vulnerabilities with greater accuracy. Second, generative AI has the potential to enhance social engineering campaigns, making phishing and other forms of deception far more convincing. Third, AI-driven analytics will allow cybercriminals to process exfiltrated data more quickly and effectively, maximizing the value extracted from compromised information. Finally, AI may lower the barrier to entry for aspiring cybercriminals, enabling individuals with limited technical expertise to launch sophisticated attacks.

In parallel, eCrime adversaries specializing in Big Game Hunting (BGH) ransomware—campaigns targeting large organizations with high-value extortion demands—are expected to continue advancing at an accelerated pace. Their primary objective remains unchanged: to exert maximum pressure on organizations in order to compel increasingly large ransom payments.

Future developments are likely to include the refinement of data-leak extortion tactics. Threat actors will expand their use of sophisticated exfiltration tools, enabling the automated identification and theft of sensitive information based on keywords and classifications. These tools will not only streamline the exfiltration process but also allow ransomware groups to scale operations more effectively.

Additionally, changes in working patterns will create new avenues of exploitation. The growing prevalence of remote and hybrid work, alongside the reliance on mobile devices, provides cybercriminals with fresh opportunities to compromise security. According to the World Economic Forum, mobile devices often operate with weaker security controls and are frequently connected to insecure public Wi-Fi networks, making them particularly attractive ransomware targets. The widespread adoption of 5G technology will further enhance the feasibility of mobile ransomware attacks by enabling the rapid exfiltration of large data volumes.

The future of ransomware will be characterized by increasing sophistication, driven by technological innovation and the evolving digital ecosystem. AI, mobile exploitation, and advanced exfiltration tools will define the next phase of ransomware, placing unprecedented pressure on organizations to strengthen defenses, adopt proactive detection strategies, and enhance resilience against data-leak extortion schemes. Unless there is a paradigm shift in victim behavior—namely, a collective refusal to pay ransoms—the financial incentives that sustain ransomware operations will persist, ensuring that the threat remains a dominant feature of the global cyber landscape.
