How Ransomware Went from a Floppy Disk Scam to a Billion-Dollar Industry
Ransomware in the Spotlight
Ransomware has dominated the cybersecurity landscape for over a decade, but its roots trace back much further than most realize. While the term “malware” entered mainstream vocabulary more than 35 years ago, ransomware’s origins date back to 1989, when the AIDS Trojan demonstrated just how disruptive data encryption could be.
That first ransomware attack was primitive by today’s standards—it spread via floppy disks and demanded payment via cashier’s check. But it laid the foundation for what would become one of the most lucrative forms of cybercrime, now generating billions of dollars annually for cybercriminals.
So, how did ransomware evolve from an early experiment into one of the biggest threats facing organizations today?
The First Ransomware Attack: The AIDS Trojan
The first known ransomware attack came in 1989 with the AIDS Trojan. It spread via physical floppy disks mailed to unsuspecting victims. Once installed, it encrypted file names and demanded a $378 payment to a PO Box in Panama for decryption.
Despite its disruptive nature, this early attack didn’t take off. Why?
- Poor cryptography: Security researchers quickly cracked the encryption.
- No anonymous payments: Victims had to mail a check, making it easy to track.
- The attacker was caught quickly due to their reliance on physical mail.
For nearly two decades, ransomware remained a theoretical threat rather than a widespread concern.
The Rise of Modern Ransomware
Ransomware resurfaced in the late 2000s with GPCode, which used stronger encryption, but it wasn’t until CryptoLocker in 2013 that ransomware truly exploded. CryptoLocker introduced several game-changing elements:
- Military-grade encryption: Victims had no way to recover their data without paying.
- Bitcoin payments: Criminals gained an anonymous, untraceable way to collect ransoms.
- A countdown timer: The deadline added pressure to pay before files were permanently lost.
CryptoLocker proved that ransomware was a viable criminal enterprise—and cybercriminals took note.
The Ransomware Boom
Following CryptoLocker’s success, ransomware gangs began industrializing their operations:
- Attackers started targeting entire organizations instead of individuals.
- The rise of Ransomware-as-a-Service (RaaS) made it possible for criminals with no coding skills to launch attacks.
- Double extortion tactics emerged, where attackers steal data before encrypting it, adding an extra layer of blackmail.
Ransomware has evolved from a crude scam to a sophisticated criminal business model. And as we’ll explore in an upcoming post, it’s more dangerous today than ever before.
For deeper insights into the evolving cyber threat landscape, read Ontinue’s 2H 2024 Threat Intelligence Report from our Advanced Threat Operations team.