6 min

In 2023, ransomware is still the most fear-inducing term for Internet users and organizations. After years of relative obscurity, the popularity of this collection of malicious software exploded between 2015 and 2017. Since then, revenues have grown, and the cybercrime market has professionalized. However, security experts and government agencies have been catching on to these threats, making innovation from threat actors a continuous necessity.

Ransomware has a drawn-out history, with the commonly shared origin story taking place in 1989. During a WHO AIDS conference, software was placed on thousands of computers via floppy disk that asked for $189 after users had gone through 90 boot cycles. It encrypted files, but was easily removed.

For broader historical perspective, we can turn to Trend Micro. The explosion of ransomware in recent years has two prominent predecessors within the Internet era. Where antivirus scams had their heyday between 2005 and 2010, locker software became popular in the following five years. This involved completely shutting off access to the end user, with a financial demand to have it fixed. What defines ransomware is the fact that it encrypts data, not the OS. In addition, in later years, they expanded the plan of attack to include additional threats, more on that later.

Escalation of Proceeds

The reason we can talk about an “evolution” of ransomware is that, as if it were a biological species, it had a competitive advantage over the competition as a form of malware. Where the yields for cybercriminals in antivirus scams fell between $20 and $100, locker malware proved to be a lot more lucrative with an average yield of $100. However, ransomware has enabled a huge escalation of these proceeds, with Trend Micro estimating that it falls between $100 and more than $1,000 per victim.

The driving force behind both locker malware and ransomware was undoubtedly the rise of cryptography, Flashpoint reports. As encryption of operating systems and data became possible, criminals were able to use more than deception to exact a penalty. One also now had a real threat tool in one’s hands, because those who did not have a backup and would not pay were almost always screwed.

From brief threat to ubiquitous

One of the best-known names among ransomware variants was CryptoLocker, which exploded in 2013. Flashpoint notes that this was the first variant to spread automatically thanks to a botnet going by the name Gameover Zeus. The downing of this botnet in 2014 collapsed the infrastructure for these cybercriminals, but not before collecting about $3 million in ransom payments.

In 2015, with the SamSam ransomware, the so-called GOLD LOWELL group managed to not only penetrate an organization, but was able to actually take control of it themselves via an Internet connection. This allowed them to do far more damage than an automated script that might sometimes hang around an IT infrastructure to no avail.

State actors

The real explosion of ransomware occurred in 2016-17, due to the threats Petya, NotPetya and WannaCry. Google Trends, at least, shows that the term “ransomware” gained prominence among a wider audience at this time. Petya spread through exploit kits, phishing emails and remote desktop protocol attacks. It prevented a desktop from booting up until it displayed a ransom note demanding payment in Bitcoin. Sometimes, however, the payment proved insufficient, and the data remained encrypted. The more powerful NotPetya variant caused much more damage in 2017, estimated at around $10 billion. Ukraine in particular suffered tremendously. It used the “EternalBlue” exploit in Windows, which was allegedly developed by the U.S. intelligence agency NSA. According to the US, the UK and Australia, Russia was behind the attack.

In May 2017, WannaCry appeared with a bang, but it was also disabled relatively quickly. It infected 230,000 systems in a very short time—the alleged perpetrator: the North Korean Lazarus Group. The series of attacks caused damages worth $4 billion. WannaCry also used EternalBlue and demanded to see payment in Bitcoin. Nowadays, crypto payment is common among virtually all ransomware variants.

So in both cases, state actors were suspected of the cyberattacks, while these types of parties are not always behind large-scale operations. On the contrary, ransomware also evolved toward democratization and commercialization during these years.


Until not too long ago, cybercrime was something for people who wanted to use their IT skills for malicious purposes. The profit motive became increasingly relevant, resulting in more interested parties. How could as many individuals who were not necessarily overly innovative get involved? The solution has been crystallized for some time now: ransomware-as-a-Service.

There are many components to cyber threats. For example, compromising personal data and login credentials is already marketable. In recent years, therefore, initial access brokers (IABs) have emerged. Until recently, for example, there was Genesis Market, which sold “digital fingerprints” that other parties used to get their hands on. They themselves no longer had to penetrate an IT environment to receive money.

Tip: Genesis Market: how did it operate and how was it taken down?

More “extortion” than you can keep track of

The cybercriminals who actually invade an IT environment have found more ways to make money. For example, they have increasingly started using extortion tactics. Where extortion initially involved encrypting data, it now makes more sense to use “double” or even “triple” or “quadruple” extortion. This is a combination of increasingly complex threat tools. In addition to encrypting data, it can be siphoned off with the threat of publishing it. It can also be threatened with further DDoS attacks or additional consequences if authorities are called in.

This development was already seen in 2018 with the appearance of Gandcrab, where the data was thus not only encrypted but also sluiced away. A year later, the cybercrime group Snatch came up with the idea of setting up a “leak site,” on which victims’ data were published. Meanwhile, LockBit 3.0 is an example that operates anno 2023 and tries to extort organizations in this way.

Read also: LockBit shuts down critical port: OT attacks have a huge impact

This methodology is now widespread and successful, but sometimes there are variations. For example, there are parties that disregard encrypting data, but only threaten to publish data. This can already be so damaging to a bank, hospital or government agency that paying the ransom looks attractive.

The future: more targeted and mixed in with traditional criminals

For now, ransomware has no logical successor in cybercrime land. However, security experts do expect that state interference in this will continue to increase. It is often difficult to determine with certainty where a perpetrator comes from, which protects states. Although targets are often a clue in this.

Trend Micro also expects ransomware gangs to be increasingly mixed with traditional criminal organizations, which are digitizing like the rest of society.

Fortunately, there are significant obstacles to future ransomware attackers. For example, crypto-regulation is increasingly ensuring better traceability of these groups. There are also more penalties for companies that (unwittingly or not) assist these criminals through their services. Finally, cybercriminals are also susceptible to data breaches, and authorities are increasingly gaining access to the internal networks of criminal gangs with infiltrations.

The real world can also cause problems for the digital underworld. For example, the potent Conti group broke up after a dispute and the conflict between Russia and Ukraine has caused a lot of politically motivated turmoil in cybercrime networks. They will eventually recover, especially since cybersecurity is still not in order at many organizations.

For more information on protecting against a ransomware attack, we have outlined how to do so in the article below.

Tip: Ransomware: how dangerous is it, and how to protect your company?