Updated: June 10, 2026 5 Mins Reading

Ransomware Attacks: Evolution, Impact, and Recent Cases

Key Takeaways

  • In the 2026 Verizon DBIR, ransomware was involved in 48% of breaches, up from 44% in the previous year.
  • Ransomware and extortion-related data breaches cost organizations an average of $5.08 million per incident. (IBM)

Introduction

Ransomware is a type of malware that blocks access to a victim’s system or network. Once it runs, it can encrypt selected files so the victim cannot use them, lock systems, or disrupt access to business operations. The attackers then demand a ransom in exchange for restoring access or providing a decryption key.

Historical Evolution

Ransomware dates back to 1989, when the world’s first known ransomware, called the AIDS Trojan, was created by Joseph Popp. He distributed 20,000 infected floppy disks to attendees of the World Health Organization’s AIDS conference.

The program worked in a simple way. It counted how many times the system booted. When the count reached 90, it hid directories and encrypted the names of files on the C drive. It then demanded a ransom of $189 from each victim to restore access. The AIDS Trojan was relatively easy to overcome because it used symmetric encryption and the key was stored in the malware itself.

Ransomware Timeline

The concept of asymmetric-key-based ransomware was demonstrated by Moti Yung and Adam Young at the IEEE Security & Privacy conference in 1996. It was called cryptoviral extortion at the time. In this method, the attacker generates a pair of asymmetric keys and stores the public key in the malware.

When the malware infects a system, it generates a random symmetric key and uses it to encrypt the victim’s data. It then encrypts that symmetric key with the public key. The attacker’s private key is never exposed. The victim must send the encrypted key to the attacker to receive the decryption key.

By the mid-2000s, ransomware began using stronger encryption, including RSA. For example, the Archiveus Trojan from 2006 was one of the early ransomware examples to use RSA encryption. It encrypted files in the My Documents folder. The attackers used an unusual ransom method by asking victims to buy products from specific e-commerce websites.

Bitcoin was introduced in 2008 and launched in 2009. Its later adoption gave ransomware attackers a new way to receive payments and helped them collect ransom payments at scale. Bitcoin transactions are pseudonymous, not fully anonymous. However, it is still difficult to connect a wallet address to a real person without additional evidence.

Ransomware Growth After 2013

In 2013, CryptoLocker ransomware emerged as one of the most well-known ransomware attacks of that period. It spread through phishing emails that often appeared to be shipment notifications from courier services such as FedEx. CryptoLocker attacks reached a major scale, with attackers reportedly earning around 27 million US dollars.

In 2017, WannaCry became one of the most disruptive ransomware attacks in history. It was a ransomware worm that spread across networks by exploiting a vulnerability in Microsoft’s implementation of the SMB protocol. Attackers used the EternalBlue exploit, which was developed by the NSA and later leaked by the Shadow Brokers.

WannaCry infected around 200,000 systems across 150 countries in a single day. The scale of the attack led to a global response. The outbreak was controlled within a few days after researchers found a kill-switch domain in the malware. Microsoft also released an emergency security patch for older versions of Windows.

Variants of WannaCry and other ransomware, including NotPetya, also exploited the same vulnerability on unpatched systems.

New approach: RaaS (Ransomware as a Service)

Ransomware operators began offering ransomware-as-a-service. In this model, they create ransomware toolkits that can be used by less-skilled attackers. These toolkits are sold or leased through underground markets and dark web forums.

How Ransomware-as-a-Service Works

Operators may also provide technical guidance and step-by-step instructions for launching ransomware attacks through their services and platforms. In this franchise-like business model, operators often take a percentage of the ransom collected by affiliates after a successful attack.

Historical ransomware trends and statistics

The 2019 State of Malware Report from Malwarebytes showed that ransomware attacks against consumer or home users decreased by 12%. In contrast, ransomware attacks in business environments increased by 9% from the previous year.

The Kaspersky report showed that 174 ransomware attacks occurred against cities and municipalities in 2019. It also showed a 60% increase in ransomware attacks targeting municipalities compared to the previous year.

The Comparitech report showed that around 172 ransomware attacks targeting healthcare organizations were reported. These attacks affected around 1,446 clinics and hospitals. At least two healthcare providers had to permanently shut down.

Malwarebytes’ 2020 State of Malware Report showed that ransomware activity against organizations remained higher than the previous year. Ransomware families such as Ryuk, Phobos, and Sodinokibi were dominant strains targeting cities, schools, and hospitals. Ryuk detections increased by 543% over Q4 2018. Since its introduction in May 2019, Sodinokibi detections increased by 820%.

The Coveware report showed that ransomware payments doubled due to the spread of Ryuk and Sodinokibi. Coveware also found that 98% of companies that paid the ransom received a decryption tool. It also reported that 97% of those victims said the decrypter worked. This may have increased confidence among victims who considered paying the ransom.

Major ransomware attacks through the years

Marks & Spencer, 2025

Marks & Spencer faced a major cyberattack in April 2025. The attack disrupted online clothing orders and other business operations. The company later said the attack could cost about £300 million in lost operating profit.

The attack was linked to DragonForce. It affected online sales and also disrupted logistics and customer service. For this reason, retailers need strong identity checks and secure help desk processes.

Change Healthcare, 2024

Change Healthcare was hit by a ransomware attack in February 2024. The attack caused payment and claims processing issues for hospitals and pharmacies across the U.S. The attack was attributed to BlackCat, also known as ALPHV. It became one of the major cyber incidents in the healthcare industry in recent years.

CDK Global, 2024

In June 2024, CDK Global faced a ransomware attack. The company shut down some systems while trying to recover from the attack. Many auto dealerships across the US were affected by this cyberattack. Some dealers had to handle sales and service work manually. The incident showed how one vendor outage can disrupt many businesses that depend on the same platform.

Conclusion

Ransomware has become more threatening today than ever before. It started as simple malware, but now it is a major business disruptor. Modern ransomware can do much more than just encrypt data. It can disrupt an organization's entire operations. As a result, victims are pressured to meet ransom demands.

To protect against ransomware attacks, businesses must maintain regular backups and promptly patch software. Apart from these, endpoint security, access control, and continuous monitoring play a crucial role in limiting the reach of ransomware attacks. Employee training is equally important, considering many attacks happen due to human error.

SafeAeon helps businesses prepare for ransomware before it spreads. Its team monitors security activity 24x7. When suspicious behavior appears, analysts review it and support the response. This gives internal teams more visibility. It also helps them respond more quickly during a ransomware event.

Frequently asked questions about Ransomware

Clear answers to common questions security leaders and teams regularly ask.

Ransomware is malicious software that encrypts a victim’s files or locks them out of their system. Then, the attackers demand payment to restore access or provide a decryption key. Ransomware is commonly spread through phishing emails and malicious attachments. It can also spread due to unsafe downloads or the exploitation of system vulnerabilities.
No. Instead, it can encourage more attacks in the future. Organizations should focus on creating secure backups and improving security measures to quickly restore their operations after a ransomware attack.
Businesses need to maintain regular offline backups and apply security patches as they become available. They can also deploy endpoint security tools to identify suspicious activity. Network segmentation can help limit the spread of ransomware within the environment. Ransomware often spreads because of unnecessary access to systems and data, so businesses can set up least-privilege access controls. Employee training is also important because many ransomware attacks involve phishing or other user-driven actions.
You should immediately disconnect the affected system from the network to prevent further spread. Then, report the incident to the appropriate authorities. If possible, consult cybersecurity professionals. Do not delete files or wipe systems before evidence is preserved. Before you make any payment-related decision, consult incident response experts, legal counsel, and other relevant stakeholders.
