
A snapshot of ransomware evolution

Brad Slavin, General Manager
Updated April 16, 2026 | Updated for 2026

A snapshot of ransomware evolution

Ransomware is malware that blocks access to a computer system or its files, [encrypting the data](https://www.digitalguardian.com/blog/what-data-encryption) until a ransom is paid to the attacker. These days the ransom is demanded in cryptocurrency, as it ensures the attacker's anonymity.

What started as a small crime in the 1980s grew into a havoc-wreaking attack technique that is expected to hit a business, consumer, or device every 2 seconds by 2031. Experts anticipate that ransomware will cost its victims around 265 billion USD annually by 2031.

But how did it all start, and how has it evolved over the years? Let's see.

The emergence of ransomware

The first known ransomware attack happened at the 1989 WHO AIDS conference, which is why it is referred to as the 'AIDS trojan.' At the conference, a biologist named Joseph Popp distributed 20,000 infected floppy disks to the participants.

The trojan was designed to encrypt the names of the user's files once the machine had been booted ninety times. Victims then received a message demanding that $189 be sent to a PO box in Panama. On the brighter side, the trojan was not too challenging to get rid of and was removed using online decryptor tools. It was a simple malware built on symmetric cryptography.

Cryptocurrency fueled ransomware attacks

Ransomware attacks were relatively scarce until the 2000s, primarily because attackers had difficulty collecting the ransom without getting caught. However, the emergence of cryptocurrency cleared the ground for adversaries, as it is an easy and untraceable method of collecting payment.

Ransomware's pace was slow initially, but it picked up in 2005 with the use of secure asymmetric encryption. Early ransomware was mostly based on the Archiveus trojan and GPcode.

The Archiveus trojan encrypted all files in the victim's 'My Documents' folder; they could be decrypted only with a long 30-digit password provided by the attacker after the ransom was received.

GPcode targeted Windows operating systems. In the beginning its authors used symmetric encryption; later, around 2010, they switched to the more secure RSA-1024 to encrypt documents with certain file extensions.

However, these strains were relatively simple for antivirus companies to defeat. The Archiveus password was cracked in May 2006 because it was found in the malware's own source code. Until GPcode started using RSA, it was easy to recover the encrypted files without paying the ransom for decryption. This is thought to be the reason the attackers switched to phishing, session hijacking, and other attack vectors.

Ransomware integrated cryptography

The Vundo virus, which encrypted computers and sold decryptors, came into existence in 2009 and exploited vulnerabilities in browser plugins written in Java. Alternatively, it could download itself when victims clicked on malicious email attachments. Once up and running, it attacked or suppressed antivirus programs.

In 2010, the WinLock trojan became a common attack vector. Ten Moscow-based cyberattackers used it to lock targets' computers and display pornography until the victims paid a ransom of approximately $10 in rubles. The group was arrested in August of the same year, after their scheme had netted them a total of $16 million.

The software was updated in 2011 and disguised itself as the Windows Product Activation tool. It was used to extort victims whose data had been encrypted or held hostage.

Then came the turn of the infamous Reveton ransomware, which appeared in 2012. It displayed messages to its victims claiming to come from a US law enforcement body. The message accused the victims of viewing illegal pornography and also activated their cameras to insinuate that they had been recorded. It demanded a penalty be paid to avoid further litigation.

Ransomware became pre-eminent

In the latter half of 2013, CryptoLocker became one of the most used ransomware. It was the first malware that used botnets for distribution, specifically the "Gameover Zeus" botnet, although it also used traditional methods like phishing. Notably, CryptoLocker utilized 2048-bit RSA public and private key encryption, making it very difficult to crack. It wasn't stopped until the "Gameover Zeus" botnet was taken down in 2014.

FileCoder, which earned the tag of 'first true ransomware for Mac,' was discovered in 2014, two years after it was created. It encrypted files and demanded a ransom. However, it was capable of encrypting only its own file and was never fully operational.

In 2014, Mac users were also the targets of non-cryptographic attacks. The "Oleg Pliss" attack used stolen Apple account credentials to lock iPhones via the "Find My iPhone" feature, demanding a ransom to unlock them. In the same year, cryptographic attacks extended to mobile devices as well. The Spyeng virus hit Android users by sending messages to their contacts containing a link to download the ransomware.

The first successful cryptographic ransomware attack on Mac was KeRanger in 2016, linked to version 2.90 of the torrent client Transmission. It locked a victim’s computer until 1 bitcoin (US$400 at the time) was paid.

Another Mac ransomware, Patcher (aka "filezip"), emerged in February 2017. It infected users via torrents, pretending to be a cracker for popular software like Office 2016 or Adobe Premiere CC 2017. Due to design flaws, Patcher couldn't be decrypted, even if the ransom was paid.

While CryptoLocker was widely used, CryptoWall's circulation surged, becoming prominent in spam phishing emails. By March 2014 it was one of the leading ransomware families, reported to have caused $325 million in damage by 2018.

Ransomware-as-a-service or RaaS became a thing

In 2016, threat actors used ransomware so heavily that it led to the creation of the first ransomware-as-a-service, or RaaS, where one group generated the ransomware and collaborated with hackers who found security loopholes. Common examples were Ransom32, Shark, and Stampado.

In the same year, Petya ransomware appeared. It was initially not very successful, but then came its new variant, called NotPetya, which spread across the world in June 2017 via the EternalBlue Windows vulnerability. NotPetya caused $10 billion in damage, with the US, UK, and Australia blaming Russia.

In 2017, the LeakerLocker ransomware targeted Android devices. It worked by warning users and scaring them into paying a ransom to avoid having their data sent to their contacts. Please note that this ransomware didn’t encrypt files; it just shared them with the target’s contacts.

In the same year, WannaCry infected 230,000 users, spread via the EternalBlue exploit, and caused $4 billion in damage. It was stopped when Marcus Hutchins found and activated its "kill switch." Despite this, Hutchins was later arrested on unrelated hacking charges. Several governments blamed North Korea for WannaCry.

The current ransomware situation (2020 onwards)

Recent global and geopolitical factors have changed the landscape of ransomware attacks, impacting their frequency and the groups behind them.

The COVID-19 pandemic led to more cybercrime in 2020 and 2021. At the same time, increased awareness of ransomware and stronger responses from law enforcement, governments, and businesses, including stricter cryptocurrency regulations, made it harder for criminals.

The decline in the number of ransomware attacks is also attributed to the disbandment of Conti, an infamous Russia-based ransomware group. Its members split up a few years ago, reducing their capacity to carry out significant attacks.

Another factor contributing to the considerable decrease in ransomware attacks is the stringent monitoring of cryptocurrency payments.

Despite the dwindling trends, in 2023 ransomware payments broke all records, with $1 billion in damage. The overall ransomware graphs between 2019 and 2023 show linear growth, indicating it is an escalating global problem.
