Rise and evolution of ransomware attacks

evolution ransomware attacksRansomware, malware that encrypts systems and then asks for a ransom to decrypt files and systems, has become more prevalent in recent years. In fact, two of 2017’s major cyberattacks were malware: WannaCry in May, followed by Petya in July. CryptoLocker and CryptoWall were the most prominent malware for PCs before WannaCry and Petya, and together, they generated around $21 million dollars between 2013 and 2015.

While enterprises are just now preparing themselves to fight these threats, ransomware is not new. Malware has been around since 1989, when Joseph Popp first orchestrated his AIDS trojan. Though this attack was similar to encryption and asked for a payment to decrypt files, it had loopholes that allowed victims to escape paying the ransom.

The very first successful ransomware was invented by Moti Yung and Adam Young at Columbia University in 1996. This malware was called cryptoviral extortion, and it followed this basic format:

1. Attacker creates a pair of keys, embeds this key pair into the malware and releases it into the web.
2. Victim’s system is encrypted with the newly generated key, and the malware displays a message on the victim’s screen asking for a ransom.
3. When the victim sends the payment virtually, the attacker deciphers the key and sends the final key to the victim to decrypt the files.

Certain ransomware actually encrypt, while some are just scareware (malware that claims to have encrypted your files to scare you into paying ransom, but hasn’t actually done so). Ransomware can be widely classified into five types:

1. Encrypting ransomware
2. Non-encrypting ransomware
3. Leakware
4. Mobile ransomware
5. Wiper.

Encrypting ransomware

This type of ransomware is similar to WannaCry and Petya. The first of its kind hit computers in mid-2006 as variants of a trojan called GPCode. Many more failed ransomware attacks followed, but it wasn’t until 2013 that ransomware returned with a bang, when CryptoLocker procured around $27 million from infected users.

Non-encrypting ransomware

Instead of encrypting files, this type of ransomware prevents the normal operation of a computer. WinLock, initially released in 2010, is the first name that comes to mind for many people when non-encrypting ransomware is brought up. Unlike earlier encryption types, WinLock ransomware did not encrypt but rather prohibited users from accessing their systems and displayed a pornographic image on their screens.

To resolve this, users had to send a premium SMS as payment. WinLock generated $16 million, and traces of WinLock were found in Virginia and the UK as recently as 2013.


When ransomware encrypts your system and threatens to release data on the web, it’s called leakware. This is just an upgraded version of encryption ransomware, leaking highly confidential information like military details and nuclear codes. This type of ransomware is more dangerous than encryption ransomware because it can cause an organization financial loss and data loss as well as expose trade details and source codes. This type of ransomware was first discovered in 2003 and is generally referred to as a cryptovirology attack.

Mobile ransomware

Ransomware is no longer constrained to PCs, and recently, ransomware was unleashed on Android devices — since Android allows applications to be installed from third-party sources. Payloads for mobile devices are usually distributed through APK files. With iOS, different procedures have been employed to encrypt devices; one attack exploited iCloud accounts and then used Find My iPhone to lock users’ access to their devices.


Wiper, the newest form of ransomware, encrypts victims’ systems and completely deletes data without displaying any alert or warning messages. Though its motive is to erase data, it gets introduced initially as ransomware, displaying a pop-up that asks for a ransom. NotPetya, which hit world networks in July of 2017, was of the wiper variety.

The future of ransomware

For now, we only have to worry about attacks on computers and mobile devices, but in the future, it’s possible that a device could become infected with ransomware and someone may receive a pop-up in their car saying, “Your car’s engine has been disabled; pay $200 to enable it,” or a message on their phone that says “Pay $100 to adjust your thermostat.” From refrigerators to smart washing machines, soon everything will be connected to a computer at the back end, and we can only imagine what would happen if these IoT devices were encrypted.

Now that you know the evolution of ransomware and its different types, you know how threatening ransomware has the chance of becoming in the future. In my next article, I will be discussing the prominent ransomware that have infiltrated networks across the world, and how each of these ransomware exploited vulnerabilities to gain access to enterprise networks.

Don't miss