From Floppy Disks to RaaS: The Evolution of Ransomware
In December 1989, Joseph Popp, an evolutionary biologist with a doctorate from Harvard, orchestrated the first large-scale ransomware cyberattack in history. He distributed 20,000 infected floppy disks to attendees of the World Health Organization’s AIDS conference in Stockholm, who came from 90 countries worldwide.
The malware, later known as the AIDS Trojan or Aids Info Disk, modified the AUTOEXEC.BAT file upon installation and began counting the number of system reboots. After the 90th reboot, the Trojan locked the system and demanded that the user purchase a license to regain access.
Scotland Yard took charge of investigating this unprecedented attack and issued an arrest warrant for the virus’s creator. This incident marked a turning point in the history of cybersecurity, paving the way for a new breed of digital threats that hackers continue to refine to this day.
According to Kevin Curran, professor of cybersecurity at Ulster University and senior IEEE member, the tactics employed by cybercriminals have evolved significantly over the decades. However, their primary motives—monetary gain and disruption of systems—remain unchanged.
Modern malware variants have grown increasingly aggressive. While early victims primarily suffered from downtime and inaccessible data, today’s hackers employ double or even triple extortion tactics, threatening not only data encryption but also the public release of sensitive information.
The 2021 attack on the Colonial Pipeline in the United States starkly demonstrated the devastating potential of cybercriminals to disrupt critical infrastructure. The incident crippled a system responsible for supplying 50% of North America’s fuel, leading to a temporary fuel crisis in several states.
Cybercrime has transformed into a fully-fledged industry. Hacker groups have adopted organizational models mimicking legitimate businesses, complete with partner networks, resellers, suppliers, and even call centers to liaise with attack victims. These representatives guide victims through ransom payments and data recovery processes.
The emergence of the “Ransomware-as-a-Service” (RaaS) model has further revolutionized the landscape. Within this framework, hackers offer ready-to-deploy malware under subscription plans, complete with training on its use. This democratization of advanced tools has broadened the pool of potential cybercriminals, making such resources accessible even to novices.
By 2024, the average ransom demand had surged to $2 million—several times higher than in previous years. Projections from Cybersecurity Ventures indicate that by 2031, the annual global damage from ransomware attacks could reach an astronomical $265 billion.
Prominent groups shaping the current cyber threat landscape include BlackCat, LockBit, Cl0p, REvil, and Conti. Each specializes in specific attack vectors and economic sectors. Notably, the Cl0p group gained infamy for its breach of the popular file transfer system MOVEit, impacting numerous major organizations.
In 2022, Russian authorities announced the dismantling of the REvil group, once considered among the most dangerous in cyberspace. More recently, reports surfaced of law enforcement agencies seizing the dark web site of the ALPHV/BlackCat cartel. However, suspicions arose that the group may have staged its own takedown to evade scrutiny.