How ransomware has evolved (with examples)

From humble beginnings to board-level priority, ransomware costs businesses millions per incident. Use this guide to ransomware’s evolution to stay a step ahead.
by Egress
Published on 16th Feb 2023

Ransomware has plagued businesses and individuals since 1989 when the AIDS Trojan arrived on diskettes in the mail. The virus encrypted data on victims’ computers and demanded payment—via money order to a Panamanian post office box—in exchange for decryption keys.

Since then, ransomware has continued to grow in sophistication. State actors and criminal organizations now deploy malware through phishing attacks that deliver infected attachments and malicious links in legitimate-seeming emails. After encrypting or otherwise compromising data, attackers demand payment in difficult-to-trace cryptocurrencies.

In its Cost of a Data Breach Report 2022, IBM puts the average cost of a ransomware attack at $4.5m, with security incidents from ransomware growing 41% between 2021 and 2022. That includes not only ransoms paid by victims but the cost of downtime due to compromised IT systems.

However, knowing exactly what you’re up against can protect your data and help keep your money out of the hands of criminals. To that end, this guide to ransomware attacks can help you stay a step ahead of this threat. (Need a ransomware refresher before you get started on this article? Check out this post on ‘What is ransomware?’.)

Examples of ransomware attacks

AIDS Trojan

In 1989, Harvard University-trained evolutionary biologist Joseph Popp mailed tens of thousands of 5.25-inch floppy diskettes to scientists worldwide. Claiming to contain a legitimate AIDS research survey, the disks’ actual purpose was to deliver the first known ransomware.

After encrypting filenames on the victim’s PC, the AIDS Trojan displayed a message that announced, “It is time to pay for your software license from PC Cyborg Corporation”.

Fortunately, the ransomware’s symmetric cryptography scheme allowed people to decrypt the scrambled file names without paying the extortion money. The key was embedded in the ransomware’s code.


In 2012, attackers shifted tactics with Reveton, a scareware package. Scareware works by displaying fake alerts to scare victims into taking action.

After infection via hacked websites, Reveton claimed to lock victims out of their computers. It then displayed a law enforcement agency logo along with a demand to pay a ‘fine’ to unlock the computer and avoid being reported for supposedly possessing illicit material.

“To unlock your computer and to avoid other legal consequences,” the warning read, “you are obligated to pay a release fine of $200”. The money was to be delivered via prepaid debit card.

Restoring the computer from a backup allowed it to function normally again.


By 2013, with the emergence of CryptoLocker, extortionists had upped their game with asymmetric, public-key cryptography. Here, the keys to unlock encrypted data remain on remote servers, out of reach of victims, thus making recovery much more difficult.

The delivery method had changed, too. CryptoLocker, like many modern ransomware packages, spreads via infected email attachments.

Global law enforcement agents and security experts took down the botnet responsible for spreading CryptoLocker and recovered the encryption keys in 2014.


The year 2014 saw the emergence of a new type of ransomware that attacked mobile devices instead of laptops and PCs.

SimpleLocker infected Android devices, scrambling files on attached memory cards and demanding payment for decryption. The ransom note targeted Russian speakers and instructed them to transfer funds through a Ukrainian cash payment system.


The Petya ransomware package did Reveton one better in 2016. It actually did disable victims’ computers by encrypting the file tables needed to boot up a PC. It also demanded payment in harder-to-trace Bitcoin. Infection occurred via malicious attachments on phishing emails.


The North Korean agents behind the WannaCry ransomware turned to heavy guns to conduct their attacks in 2017. WannaCry leveraged an exploit stolen from the U.S. National Security Agency to hit hundreds of thousands of computers worldwide and caused up to $4bn in damage before security experts stopped it.


LockBit is among a new breed of ransomware-as-a-service (RaaS) software. RaaS turns extortion into a turnkey business, with low-level criminals renting ransomware from developers on the black market. Providers get a percentage of ransom payments.

Recent ransomware attack scenario examples

In May 2021, a ransomware attack by the Eastern European criminal group DarkSide shut down the Colonial Pipeline, which supplies 45% of the gasoline and other fuels consumed on the East Coast. The Colonial Pipeline Company paid out $4.3m in Bitcoin to get fuel flowing again as quickly as possible.

But paying the ransom was no quick fix; decryption took so long that the company managed to return to normal operations faster by restoring systems from backups. And the U.S. Department of Justice eventually managed to recover $2.3m of the ransom money.

In August 2022, the criminals behind a LockBit attack on Center Hospitalier Sud Francilien (CHSF), a French hospital, released sensitive patient data after administrators refused to pay a $10m ransom.

Ransomware attack example scenario

As we’ve seen in the above real-world attacks, ransomware can be delivered through various methods and can have significant impacts on the organizations involved. Like other cyberattacks, ransomware attacks follow the traditional seven-step kill chain:

  1. Reconnaissance
  2. Weaponization
  3. Delivery
  4. Exploitation
  5. Installation
  6. Command and control
  7. Actions on objective

In the reconnaissance stage, the attacker will research their targets and try to find out as much about their security systems and processes as possible. In a ransomware attack, this could include understanding the individual victim(s) they want to target (for example, their role within the organization and place within the hierarchy) (read this article for more information about reconnaissance in phishing attacks).

Next, the cybercriminal weaponizes their attack. This includes creating or obtaining the ransomware payload, as well as taking technical steps to maximize the successful delivery of the attack using insights from their reconnaissance. For example, if the cybercriminal is attaching the ransomware payload to a phishing email, they might research the email security in place at their target organizations and take technical steps to try to evade detection, for example by using a new type of ransomware that can get through the signature-based detection used by Microsoft 365 and secure email gateways (SEGs). (This article has more information about how hackers evade email email security.) The cybercriminal might also use their research to impersonate a known contact of their target, such as a well-known brand, supply chain organization, or even someone senior from the target organization. Then they send the phishing email as part of the delivery stage.

In a ransomware attack scenario, exploitation can take the form of data exfiltration prior to deploying the ransomware. This can then be used to extort payment from the organization – who not only want to restore access to their systems, but will also want to prevent data being dumped on the internet, sold to other cybercriminals, or used to extort their customers. It has to be noted that paying a ransom does not guarantee that the cybercriminals won’t take these steps anyway to obtain further payments or to continue wreaking havoc on their targets.

In steps five and six, the ransomware is installed and deployed, with employees locked out of infected systems. Finally, the cybercriminals carry out their final aims, which for ransomware attacks, involved extorting at least one payment.

It’s also worth thinking about how organizations can respond in ransomware attack scenarios. In a talk at the 2022 Human Activated Risk Summit, Lisa Forte, Partner at Red Goat Cyber Security LLP, walked delegates through a ransomware attack scenario. During her presentation, Lisa explained how the leadership and team members within an organization can work together to prepare for and respond to ransomware attacks. Lisa highlighted the importance of a crisis management team, which must have a single person acting as its chair, and prepare for any future attacks through comprehensive checklists, simulation exercises, and boilerplate communications that can be quickly tailored in the event of a ransomware attack.

Lisa also explained how to manage the wider impacts that a ransomware attack can have on employees within organizations, including advice on how to handle angry clients, support for people managing corporate social media accounts, how IT and Security teams should operate, and communicating with the entire employee-base via town halls. Lisa also stressed the significance of a no-blame culture where people can own up to mistakes to promote faster responses.

Killing the kill chain: Stopping ransomware attacks

There are numerous steps organizations can take to increase their resilience against ransomware attacks. Good measures include ensuring data is saved to a secure back up as the Colonial Pipeline Company did. Since ransomware often targets backups, that means immutable backups that are isolated from company networks.

Additionally, organizations can ensuring that all computers and endpoints receive security patches as soon as possible also helps prevent attacks exploiting known software and operating system vulnerabilities.

However, increasingly ransomware is delivered as a phishing payload, so organizations need to neutralizing the threat at delivery by using intelligent technologies to detect advanced phishing attacks.

As an integrated cloud email security solution, Egress Defend uses AI and machine learning modals to detect the attacks that get through signature-based detection to stop the delivery of ransomware.

Find out more about how Egress’ solution detects ransomware attacks contained in phishing email.