A History of Ransomware Attacks: The Biggest and Worst Ransomware Attacks of All Time

Taking a look at the history of ransomware, the most damaging ransomware attacks, and the future for this threat.

Ransomware has been a prominent threat to enterprises, SMBs, and individuals alike since the mid-2000s. In fact, there were more than 7,600 ransomware attacks reported to the Internet Crime Complaint Center (IC3) between 2005 and March of last year, outnumbering the just over 6,000 data breaches reported during the same time period. In 2015, IC3 received 2,453 ransomware complaints that cost victims over $1.6 million.

Those figures, however, represent only the attacks reported to IC3; the actual number of ransomware attack victims and costs is likely much higher. While difficult to estimate with precise accuracy, Tom’s IT Pro reports on data from Kaspersky indicating that the number of corporate users who have fallen victim to crypto-ransomware (one form of ransomware commonly used today) between April 15 and March 2016 was 718,000, a six-fold increase over the previous 12 month total of 131,000. Most of these attacks were targeted to SMBs, although ransomware initially targeted primarily individuals – which still comprise the majority of attacks today.

In this article, we’ll examine the history of ransomware from its first documented attack in 1989 to the present day and discuss some of the most significant ransomware attacks and variants. Finally, we’ll take a look at where ransomware is headed in 2017 and beyond.

Table of Contents:

What is Ransomware?

Ransomware is a type of malicious software that blocks user access to files or systems, holding files or entire devices hostage using encryption until the victim pays a ransom in exchange for a decryption key, which allows the user to access the files or systems encrypted by the program.

CryptoWall 4 Bitcoin Payment Instructions
A CryptoWall 4 website provides instructions for purchasing bitcoins to pay ransoms. Screenshot via Business Insider.

While ransomware has been around for decades, ransomware varieties have grown increasingly advanced in their capabilities for spreading, evading detection, encrypting files, and coercing users into paying ransoms. “New-age ransomware involves a combination of advanced distribution efforts such as pre-built infrastructures used to easily and widely distribute new varieties as well as advanced development techniques such as using crypters to ensure reverse-engineering is extremely difficult,” explains Ryan Francis, managing editor of CSO and Network World. “Additionally, the use of offline encryption methods are becoming popular in which ransomware takes advantage of legitimate system features such as Microsoft’s CryptoAPI, eliminating the need for Command and Control (C2) communications.”

CryptoWall Payment Site
A CryptoWall website displays decryption instructions after a victim paid a ransom of over $500. Screenshot via Business Insider.

With ransomware holding steady as one of the most significant threats facing businesses and individuals today, it’s no surprise that attacks are becoming increasingly sophisticated, more challenging to prevent, and more damaging to their victims.

The First Ransomware Attack

While it has maintained prominence as one of the biggest threats since 2005, the first ransomware attacks occurred much earlier. According to Becker’s Hospital Review, the first known ransomware attack occurred in 1989 and targeted the healthcare industry. 28 years later, the healthcare industry remains a top target for ransomware attacks.

PC CYBORG (AIDS) Trojan Advisory
PC CYBORG advisory from 1989. Screenshot via Security Focus.

The first known attack was initiated in 1989 by Joseph Popp, PhD, an AIDS researcher, who carried out the attack by distributing 20,000 floppy disks to AIDS researchers spanning more than 90 countries, claiming that the disks contained a program that analyzed an individual’s risk of acquiring AIDS through the use of a questionnaire. However, the disk also contained a malware program that initially remained dormant in computers, only activating after a computer was powered on 90 times. After the 90-start threshold was reached, the malware displayed a message demanding a payment of $189 and $378 for a software lease. This ransomware attack became known as the AIDS Trojan, or the PC Cyborg.

The Evolution of Ransomware

Of course, this first ransomware attack was rudimentary at best and reports indicate that it had flaws, but it did set the stage for the evolution of ransomware to the sophisticated attacks carried out today.

The evolution of ransomware, 2005-2015
A percentage breakdown of new ransomware varieties by type, 2005-2015. Image via L.A. Times/Symantec.

Early ransomware developers typically wrote their own encryption code, according to an article in Fast Company. Today’s attackers are increasingly relying on “off-the-shelf libraries that are significantly harder to crack,” and they’re also leveraging more sophisticated methods of delivery, such as spear-phishing campaigns rather than the traditional phishing email blasts, which are frequently filtered out by email spam filters today.

What’s more, some sophisticated attackers are developing toolkits that can be downloaded and deployed by attackers with less technical skill. Some of the most advanced cybercriminals are monetizing ransomware by offering ransomware-as-a-service programs, which has led to the rise in prominence of well-known ransomware like CryptoLocker, CryptoWall, Locky, and TeslaCrypt. CryptoWall alone has generated more than $320 million in revenue.

After the first documented ransomware attack in 1989, ransomware attacks remained uncommon until the mid-2000s, where attacks began utilizing more sophisticated and tougher-to-crack encryption algorithms such as RSA encryption. Popular during this time were Gpcode, TROJ.RANSOM.A, Archiveus, Krotten, Cryzip, and MayArchive. In 2011, a ransomware worm that imitated the Windows Product Activation notice emerged on the scene, making it more difficult for users to decipher genuine notifications from threats.

Percentage distribution of ransomware, 2014-2015
Percentage distribution of ransomware variants observed by Kaspersky Labs, 2014-2015. Image via SecureList.

By 2015, multiple variants impacting multiple platforms were wreaking havoc on users around the world, and the landscape continues to evolve today. Kaspersky’s SecureList reports that from April 2014 to March 2015, the most prominent ransomware threats were CryptoWall, Cryakl, Scatter, Mor, CTB-Locker, TorrentLocker, Fury, Lortok, Aura, and Shade. “Between them they were able to attack 101,568 users around the world, accounting for 77.48% of all users attacked with crypto-ransomware during the period,” the report indicates. In just one year, the landscape shifted significantly. According to Kaspersky’s 2015-2016 research, “TeslaCrypt, together with CTB-Locker, Scatter and Cryakl were responsible for attacks against 79.21% of those who encountered any crypto-ransomware.”

Percentage distribution of ransomware, 2015-2016
Percentage distribution of ransomware variants observed by Kaspersky Labs, 2015-2016. Image via SecureList.

The Biggest Ransomware Attacks and Most Prominent Variants

Given the advancement of ransomware and attack campaigns, it’s not surprising that the biggest ransomware attacks have occurred in recent years. Ransom demands are also on the rise, with reports indicating average demands hovered around $300 in the mid-2000s, but are averaging around $500 today. Usually, a deadline is assigned for payment, and if the deadline passes, the ransom demand doubles or files are destroyed or permanently locked.

Ransomware ransom amounts chart
Ransom charges across 15 major ransomware families. Image via Northeastern University.

CryptoLocker was a prominent ransomware variant around 2013, and quite a profitable one at that. Between September and December 2013, CryptoLocker infected more than 250,000 systems. It earned more than $3 million for its creators before the Gameover ZeuS botnet, which was used to carry out the attacks, was taken offline in 2014 in an international operation.

Subsequently, its encryption model was analyzed, and there is now a tool available online to recover encrypted files compromised by CryptoLocker. Unfortunately, CryptoLocker’s demise only led to the emergence of several imitation ransomware variants, including the commonly known clones CryptoWall and TorrentLocker. Gameover ZeuS itself re-emerged in 2014 “in the form of an evolved campaign sending out malicious spam messages.” Since that time, there’s been a steady uprising in the number of variants and attacks, with primary high-value targets in the banking, healthcare, and even government sectors.

CryptoLocker ransom screen
A CryptoLocker ransom message. Image via Computer World.

From April 2014 through early 2016, CryptoWall was among the most commonly used ransomware varieties in the wild, with various forms of the ransomware targeting hundreds of thousands of individuals and businesses. By mid-2015, CryptoWall had extorted over $18 million from victims, prompting the FBI to release an advisory on the threat.

In 2015, a ransomware variety known as TeslaCrypt or Alpha Crypt hit 163 victims, netting $76,522 for the attackers behind it. TeslaCrypt demanded ransoms by Bitcoin, or in some cases PayPal or My Cash cards, in amounts ranging from $150 to as much as $1,000.

Also in 2015, a group known as the Armada Collective carried out a string of attacks against Greek banks. “By targeting these three Greek financial institutions and encrypting important files, they hope to persuade the banks into paying the sum of €7m each. It goes without saying that, being able to pull three different types of attack over the course of five days, is quite worrying regarding bank security,” reported Digital Money Times. The attackers demanded a ransom of 20,000 bitcoin (€7m) from each bank, but instead of paying up, the banks ramped up their defenses and avoided further disruptions in service, despite subsequent attempts by Armada.

For attacks against larger companies, ransom demands have been reported up to $50,000, though a ransomware attack last year against a Los Angeles hospital system, Hollywood Presbyterian Medical Center (HPMC), allegedly demanded a ransom of $3.4 million. The attack forced the hospital back into the pre-computing era, blocking access to the company’s network, email, and crucial patient data for ten days.

Ultimately, the company paid only $17,000 to regain access to its critical data after being blocked from essential computer systems and communications services. An update from HPMC indicates that the initial reports of a ransom demand of $3.4 million were inaccurate, and that the hospital paid up the requested $17,000 (or 40 Bitcoins) in order to quickly and efficiently restore operations. A little over one week later, the Los Angeles County Department of Health Services was infected with a program that blocked the organization’s access to its data. However, the Los Angeles Times reports that the agency successfully isolated infected devices and refused to pay up.

In March 2016, Ottawa Hospital was hit by ransomware that impacted more than 9,800 machines – but the hospital responded by wiping the drives. Thanks to diligent backup and recovery processes, the hospital was able to beat attackers at their own game and avoid paying ransom.

That same month, Kentucky Methodist Hospital, Chino Valley Medical Center and Desert Valley Hospital in California were hit by ransomware. “Kentucky Methodist Hospital information systems director Jamie Reid named the malware involved as Locky, a new bug that encrypts files, documents and images and renames them with the extension .locky,” reports BBC.com, noting that none of the hospitals impacted were believed to have paid the ransom – a figure not publicly disclosed. Discovered on March 18, 2016, most systems were restored by March 24, and no patient data was compromised. However, the attack did cause disruptions not only in the systems of directly impacted hospitals but at several others as shared systems were taken offline.

March 2016 also saw the appearance of the Petya ransomware variant. Petya is advanced ransomware that encrypts the victim computer’s master file table and replaces the master boot record with a ransom note, rendering the computer unusable unless the ransom is paid. By May it had further evolved to include direct file encryption capabilities as a failsafe. Petya was also among the first ransomware variants to be offered as part of a ransomware-as-a-service operation.

In a May 2016 article, ZDNet reported “According to detections by Kaspersky Lab researchers, the top three ransomware families during the first quarter of the year were: Teslacrypt (58.4 percent), CTB-Locker (23.5 percent), and Cryptowall (3.4 percent). All three of these mainly infected users through spam emails with malicious attachments or links to infected web pages.”

By mid-2016 Locky had cemented its place as one of the most commonly used ransomware varieties, with PhishMe research reporting that Locky use had outpaced CryptoWall as early as February 2016.

Ransomware variant distribution, January - September 2016
Breakdown of ransomware variants observed by PhishMe from January-September 2016. Image via PhishMe.

On Black Friday (November 25) of 2016 the San Francisco Municipal Transportation Agency fell victim to a ransomware attack that disrupted train ticketing and bus management systems. Attackers demanded a whopping 100 bitcoin ransom (equivalent to about $73,000 at the time), but thanks to speedy response and comprehensive backup processes, the SFMTA was able to restore systems within two days. Despite not having to pay the ransom, there were some costs borne by the SFMTA in the incident, as passengers were able to ride without paying fares for the two day period that systems were down. The ransomware used in the attack is believed to be Mamba or HDDCryptor.

A standout among the latest ransomware variants to emerge is Jigsaw, an evolved variant that has several distinct features. One noteworthy feature of Jigsaw is its use of dramatic effects for social engineering – the ransom screen features an image of a puppet, Billy, from the Saw film series, along with the directions for paying the ransom in bitcoin. But what really sets Jigsaw apart as an advanced ransomware variant is that rather than offering a timeline for paying the ransom, Jigsaw simply deletes more files every hour the ransom is not paid. “In fact, if you try to stop the process or restart the system, Jigsaw will delete 1,000 files, thus limiting the actions that the user can take to try to recover their data without paying the ransom,” explains We Live Security.

One of the first ransomware variants to target Apple OS X also emerged in 2016. KeRanger mostly impacted users utilizing the Transmission application but affected about 6,500 computers within a day and a half. Again with a prompt response, KeRanger was removed from Transmission the day following its discovery.

All in all, 2016 was a banner year for ransomware attacks, with reports from early 2017 estimating that ransomware netted cybercriminals a total of $1 billion for the year.

2017 started off with a familiar cadence of smaller ransomware infections, with healthcare remaining a prime target for attackers. That all changed on Friday, May 12, however, when the WannaCry ransomware emerged in what is likely the largest ransomware campaign ever. In the course of a weekend the WannaCry ransomware spread to over 200,000 computers in 150 countries, crippling operations at hospitals, telecom providers, utility companies, and other businesses around the globe. The initial wave of WannaCry attacks subsided when a researcher unintentionally activated the malware's killswitch, but at least two new variants have been detected since and follow-on attacks continue.

The Future of Ransomware

These incidents are catapulting ransomware into a new era, one in which cybercriminals are realizing that smaller attacks can be replicated easily and carried out against much larger corporations while demanding larger ransom sums. While some victims are able to mitigate attacks and restore files or systems without paying ransoms, all it takes is a small percentage of attacks succeeding to produce substantial revenue – and incentive – for cybercriminals.

Ransomware ransom amounts graph
A breakdown of ransom amounts demanded by attackers. Image via Osterman Research/Network World.

Even paying a ransom doesn’t guarantee that you’ll be granted access to your files. The CryptoLocker ransomware “extorted $3 million from users but didn't decrypt the files of everyone who paid,” CNET reports, based on findings from an article in the Security Ledger. A survey from Datto found attackers neglected to unlock victims’ data in one out of every four incidents where ransoms were paid.

Ransomware operations continue to get more creative in monetizing their efforts, with Petya and the Cerber ransomware pioneering ransomware-as-a-service schemes last year. The authors of Cerber were especially opportunistic, offering their ransomware operations as a service in return for a 40% cut of the profits earned from paid ransoms. According to Check Point researchers, Cerber infected 150,000 victims in July 2016 alone, earning an estimated $195,000 – of which $78,000 went to the ransomware’s authors.

The potential for profit for ransomware authors and operators also drives rapid innovation – and cutthroat competition – amongst cybercriminals. Earlier this month ZDNet reported on the PetrWrap ransomware, which is built with using cracked code lifted from Petya, according to Kaspersky Lab. For victims, the source of the code doesn’t really matter – whether you’re infected with Petya or PetrWrap, the end result is the same: your files are encrypted with an algorithm so strong that no decryption tools currently exist.

What’s next for ransomware? A new report from the UK’s National Cyber Security Centre (NCSC) and National Crime Agency (NCA), as reported in a ZDNet article, warns of developing threats such as ransomware-as-a-service and mobile ransomware while predicting that 2017 will see ransomware attacks pivot to target connected devices such as smart TVs and fitness trackers. The rate at which the Internet of Things is growing combined with the widely-reported insecurity of IoT devices provides a whole new frontier for ransomware operators. Worse yet, best practices for ransomware protection like regular backups and keeping software up-to-date don’t apply to many connected devices, and many IoT manufacturers are sluggish or simply negligent when it comes to releasing software patches.

Critical infrastructure poses another troubling target for future ransomware attacks, with DHS enterprise performance management office director Neil Jenkins warning at the 2017 RSA Conference that water utilities and similar infrastructure could make for viable, high-value targets for attackers. Jenkins referenced a January 2017 ransomware attack that temporarily disabled components of an Austrian hotel’s keycard system as a potential predecessor for more significant attacks on infrastructure to come.

Protecting Against Ransomware Attacks

There are a few steps that end users and enterprises alike can take to reduce their risk of falling victim to ransomware significantly. As referenced above, following fundamental cybersecurity best practices – in particular, backing up data regularly, keeping software up-to-date, and staying on top of the common tactics used to spread ransomware – will go a long way in fending off ransomware infections.

Ransomware infographic
An infographic on ransomware concerns from KnowBe4 aims to highlight the need for end user education in ransomware protection.

Despite these best practices being fairly well known, many individuals fail to regularly backup their data, and even some enterprises do so only within their own networks, meaning that duplicate backups too can be compromised by a single ransomware attack.

Effective ransomware defense ultimately hinges on education. Users and businesses should take time to learn about their best options for automated data backups and software updates, and education on the telltale signs of ransomware distribution tactics – such as phishing attacks, drive-by downloads, and spoofed websites – should be a top priority for anyone using an internet-connected device today.

Further Reading on Ransomware and Ransomware Attacks:

Nate Lord


Gartner 2017 Magic Quadrant for Enterprise Data Loss Prevention (DLP)

Nate Lord

Nate Lord is editor of Data Insider.

Free Trial 2017 Gartner DLP MQ Contact Us