History & Timeline of Ransomware
Last updated: February 2026
Ransomware has evolved from a curiosity distributed on floppy disks to a multi-billion dollar criminal industry. Understanding this history is essential for appreciating how the threat reached its current state and where it may be heading.
Complete Timeline
1989
The AIDS Trojan (PC Cyborg)
Dr. Joseph Popp distributes 20,000 floppy disks at the WHO AIDS conference. The diskettes contain a trojan that, after 90 reboots, encrypts file names and demands $189 be sent to a PO box in Panama. This is widely considered the first ransomware attack in history. The encryption was symmetric and trivially breakable.
2005-2006
GPCoder and Archiveus
The first ransomware to use real public-key cryptography (RSA) appears in the wild. GPCoder encrypts files with common business extensions and demands payment via e-gold. These early crypto-variants foreshadow the explosion to come.
2008-2012
The Rise of Locker Ransomware
Police-themed ransomware (Reveton and variants) locks users out of their computers, displaying fake law enforcement messages claiming the user has committed a crime. Victims are instructed to pay a 'fine' via prepaid vouchers. Millions of users are affected worldwide.
2013
CryptoLocker Changes Everything
CryptoLocker, distributed via the Gameover Zeus botnet, uses 2048-bit RSA encryption and demands Bitcoin payment. It earns an estimated $3 million in just four months. CryptoLocker proves that strong encryption combined with cryptocurrency creates a nearly perfect extortion mechanism. The FBI and international partners take down the Gameover Zeus botnet in June 2014.
2015-2016
Mass-Market Ransomware Explosion
TeslaCrypt, Locky, Cerber, and SamSam mark the era of industrialised ransomware distribution. Exploit kits (Angler, RIG) automate infection at scale. Ransom amounts range from hundreds to thousands of dollars. The No More Ransom initiative is founded by Europol, Dutch National Police, Kaspersky, and McAfee to provide free decryption tools.
2017
WannaCry and NotPetya: The Watershed Moment
In May, WannaCry exploits the NSA-developed EternalBlue vulnerability to spread worm-like across 150 countries, infecting 300,000+ systems in a single day. The NHS in the UK is severely disrupted. Six weeks later, NotPetya, disguised as ransomware but actually a wiper, causes an estimated $10 billion in global damages. M.E.Doc, a Ukrainian tax software company, is used as the supply-chain entry point. These attacks demonstrate that ransomware can cause nation-state-level damage.
2018-2019
Big Game Hunting Begins
Ransomware operators shift from mass-market spray-and-pray to targeted 'big game hunting' of high-value organisations. Ryuk, initially linked to North Korean actors and later to the Wizard Spider cybercrime group, targets enterprises with multi-million-dollar ransom demands. SamSam operators manually breach networks before deploying ransomware, a technique that becomes standard.
2019
Double Extortion Is Born
The Maze group pioneers double extortion: stealing data before encryption and threatening to publish it if the ransom is not paid. This eliminates the 'just restore from backups' defence and transforms ransomware from a data-availability attack into a data-confidentiality crisis. Nearly every major ransomware group adopts this model within a year.
2020-2021
The RaaS Golden Age
REvil, Conti, DarkSide, and others operate as sophisticated criminal enterprises with affiliate programmes, customer support, and professional negotiation teams. The Colonial Pipeline attack (DarkSide, May 2021) causes a five-day fuel supply disruption across the US Eastern Seaboard. The Kaseya supply-chain attack (REvil, July 2021) compromises over 1,500 businesses simultaneously. Global ransomware payments exceed $600 million in cryptocurrency in 2021.
2022-2023
Law Enforcement Strikes Back
Major law enforcement operations disrupt key ransomware infrastructure. The FBI infiltrates the Hive ransomware group for seven months, saving victims $130 million in ransoms. Conti dissolves after internal chats are leaked. However, new groups (BlackCat/ALPHV, Royal, Play, Akira, Black Basta) quickly fill the vacuum. Cl0p exploits the MOVEit Transfer vulnerability in a mass exploitation campaign affecting thousands of organisations.
2024-2026
The Current Landscape
Ransomware remains the dominant cybercrime threat despite international law enforcement efforts. LockBit, despite a major takedown operation in early 2024, attempts to reconstitute. AI-enhanced social engineering and vulnerability discovery begin to augment attacker capabilities. Triple extortion becomes more common. Nation-state actors increasingly use ransomware for geopolitical purposes. Global regulatory frameworks (NIS2, SEC rules, DORA) impose strict incident reporting and preparedness requirements.
Key Takeaways
- Ransomware has evolved from simple screen lockers to sophisticated multi-extortion operations
- Cryptocurrency (Bitcoin, Monero) was the catalyst that transformed ransomware from a nuisance into a global criminal industry
- The RaaS model has democratised ransomware, enabling non-technical criminals to launch attacks
- Law enforcement takedowns are impactful but have not eliminated the threat, as new groups consistently replace disrupted ones
- Supply-chain attacks have dramatically amplified the scale of individual ransomware campaigns
- Regulation is increasingly shaping how organisations prepare for and respond to ransomware