A Brief History of Ransomware

If you want to understand the history of ransomware, you need to know this: what started as an extortion scheme mailed out on floppy disks in 1989 has evolved into a billion-dollar criminal enterprise that targets your backups before it touches your production systems. And one shift in how we protect data, from tape to disk backups, is one of the key reasons we’re in this mess today.

This blog post summarizes the main points of my latest podcast episode. If you’d like, you can listen to it or watch it at https://www.backupwrapup.com/brief-history-ransomware.

I had a conversation recently with Dr. Mike Saylor, my co-author on “Learning Ransomware Response and Recovery,” about how we got here. My first memory of ransomware was when my dad called me about his business partner’s computer getting encrypted. The attackers wanted one Bitcoin—back when that was under $500. And of course, I asked the question: did he have backups? You know the answer. He didn’t. That conversation plays out thousands of times a day now, and it’s killing us.

A History of Ransomware: The AIDS Trojan Started It All

Most people point to the AIDS Trojan in 1989 as the first ransomware attack. Dr. Joseph Popp mailed infected floppy disks (5.25-inch media holding barely more than a megabyte) to a list of attendees of a WHO AIDS conference. When you think about the history of ransomware, this attack shows you how primitive it was. The malware scrambled file names rather than file contents, the ransom was $189, and the payment went to a post office box in Panama. No internet. No cryptocurrency. Just physical media and snail mail for collecting payment. It didn’t scale at all, which is why ransomware stayed relatively quiet for years.

But here’s what matters: the concept was proven. You could encrypt someone’s data and demand payment to give it back. That idea didn’t go away—it just waited for technology to catch up.

The Late 1990s Wild West and Why We’re Paying for It Now

The late 1990s were the wild west from a security perspective. Those of us in IT were so focused on building and maintaining systems that we didn’t really understand how the bad guys were attacking us. There was no end-user training. You signed an acceptable use policy when you started your job that said you wouldn’t use computers for evil, and that was it. People still did evil things.

Then Y2K happened. Organizations spent massive budgets making sure their systems wouldn’t fail when the calendar rolled over to 2000. After that crisis passed, budgets got slashed. Security investments dried up. We went into what I call the “post-Y2K hangover,” where IT departments were trying to do more with less.

And here’s the kicker: right around this time, we started moving from tape backups to disk-based backups. That transition created vulnerabilities that we’re still dealing with today.

How the Shift to Disk Backups Made Things a Bit Worse

When backups lived on tape, you had to physically mount that tape to access it. It was slow and clunky, but it had an accidental security feature: a tape sitting in a slot or on a shelf is not reachable from the network, so nothing an attacker did from a compromised server could touch it. When we moved to disk-based backups, we got speed and convenience, but we lost that separation. The backup server became just another host on the same network, often joined to the same directory and managed with the same administrative accounts as the systems it protected, and nobody built security hardening into those disk backup architectures from the start.

This is critical to understanding the history of ransomware. Modern ransomware attacks target your backups first: once attackers have administrative access, they look for the backup server, its catalog, and any snapshots, and delete or encrypt them before they trigger the encryption of production. They know that if they can destroy your backups, you have no choice but to pay the ransom or go out of business. And because disk-based backups are network-accessible, the same stolen credentials and the same exploits that compromise your production systems reach your backups too.

The architecture wasn’t designed with security in mind. It was designed for speed and ease of management. Ransomware attackers exploited that oversight, and they continue to exploit it today.

Cryptocurrency Changed Everything

Fast forward to 2013 and CryptoLocker. This was the attack that showed criminals how profitable ransomware could be. Why? Bitcoin. Cryptocurrency gave attackers a way to collect payment pseudonymously, without a bank account, a money-transfer counter, or a post office box that could be watched. Before that, collecting ransom was the risky part of the operation; with Bitcoin, most of that risk went away. CryptoLocker also got the cryptography right: files were encrypted under keys that only the attackers’ servers held, so there was no shortcut to getting data back without paying or restoring from backup.

Suddenly, ransomware became a viable business model. And when criminals smell profit, they don’t just adopt the model—they industrialize it.

Ransomware-as-a-Service: Democratizing Cybercrime

The next evolution in a history of ransomware was ransomware-as-a-service. Instead of needing technical skills to create your own ransomware, criminals could simply rent the tools from developers. The developers got a cut of every ransom paid, and the “affiliates” doing the attacks got the rest.

This democratized cybercrime. You didn’t need to be a skilled hacker anymore. You just needed to be lazy and willing to attack people. And attackers are lazy—that’s one of the key points Mike and I discuss. They’re not going to invest a lot of time breaking strong encryption or bypassing good defenses. They’ll just move on to the next victim.

That’s why having immutable backups matters so much. Immutable here means the backup copy cannot be deleted, overwritten, or shortened in retention until its retention period expires, not even by an administrator account, because the administrator account is exactly what the attacker will be holding. If attackers can’t delete your backups, they’ll often just give up and attack someone else.

Double Extortion: Why Good Backups Still Matter

The most recent evolution is double extortion. Attackers now steal your data before encrypting it. Then they threaten to publish that data if you don’t pay. Some people look at this and think, “What’s the point of having backups if they’re going to publish our data anyway?”

But that’s the wrong way to think about it. If you don’t have good backups and you get hit with ransomware, you can’t continue your business operations—regardless of whether they stole your data or not. There are solid statistics showing how many businesses fail because they can’t recover from ransomware. And it’s not just about recovering your operations. It’s about recovering from the legal fallout, regulatory issues, and contract violations.

You’ve got to do your own risk analysis. But the reality is this: ransomware attacks are now one of the reasons why you need a backup and DR system. All the other reasons (hardware failure, human error, disasters) are still there. We just need to add cyber attacks to the list of things we’re protecting against.

Defending Your Backups in Today’s Threat Environment

Here’s the good news: defending your backup system is actually easier than defending your primary systems, because the one thing you must guarantee is narrow: attackers who have compromised production must not be able to delete, encrypt, or expire your backups. There are other things we want to do, such as modern authentication with MFA, restricted remote access, role-based access controls, and backup credentials that are not shared with the production directory, but the thing we must do is make backups immutable. Two caveats apply. Immutability has to hold against your own administrator accounts, since those are the ones attackers will be using, and the retention window has to be longer than the time attackers typically spend inside a network before they detonate, or the copies you need will have expired by the time you look for them.
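As an added example, not code from the original post or from any backup vendor, here is an offline audit that checks whether an S3-style object store used as a backup target actually meets the bar described above and in the earlier passages about backups that attackers can’t delete. It evaluates responses in the shape boto3 returns for get_bucket_versioning, get_object_lock_configuration and get_object_retention; the sample responses at the bottom are constructed, and the 30-day minimum and the rejection of GOVERNANCE mode are my assumptions rather than the post’s advice.

```python
"""Offline audit of an S3-style backup bucket's immutability settings.

Added example (not from the original post or any vendor). It evaluates
responses in the shape boto3 returns for get_bucket_versioning,
get_object_lock_configuration and get_object_retention; the sample
responses at the bottom are constructed, and MIN_RETENTION_DAYS and the
rejection of GOVERNANCE mode are assumptions, not the post's advice.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Assumption: the lock must outlast the time attackers typically spend inside
# a network before they detonate, so a few days of retention is not enough.
MIN_RETENTION_DAYS = 30


@dataclass
class AuditResult:
    immutable: bool = True
    findings: list[str] = field(default_factory=list)

    def fail(self, msg: str) -> None:
        self.immutable = False
        self.findings.append(msg)


def default_retention_days(rule: dict) -> int:
    """Object Lock default retention is given as Days or Years; normalize to days."""
    ret = rule.get("DefaultRetention", {})
    return ret.get("Days", 0) + 365 * ret.get("Years", 0)


def audit_bucket(versioning: dict, lock_config: dict) -> AuditResult:
    """Decide whether new backups written to this bucket are undeletable."""
    result = AuditResult()
    # Object Lock protects object versions; with versioning off or suspended a
    # plain overwrite or delete still takes the only copy out of reach.
    if versioning.get("Status") != "Enabled":
        result.fail("versioning not enabled")
    cfg = lock_config.get("ObjectLockConfiguration", {})
    if cfg.get("ObjectLockEnabled") != "Enabled":
        result.fail("object lock not enabled")
        return result
    rule = cfg.get("Rule", {})
    mode = rule.get("DefaultRetention", {}).get("Mode")
    if mode != "COMPLIANCE":
        # GOVERNANCE mode can be lifted by any principal holding
        # s3:BypassGovernanceRetention, which an attacker with stolen admin
        # credentials usually has; only COMPLIANCE resists the account owner.
        result.fail(f"default retention mode is {mode}, not COMPLIANCE")
    days = default_retention_days(rule)
    if days < MIN_RETENTION_DAYS:
        result.fail(f"default retention {days} days is below {MIN_RETENTION_DAYS}")
    return result


def audit_object(retention: dict, now: datetime) -> AuditResult:
    """Check one stored backup: locked in COMPLIANCE mode and not yet expired."""
    result = AuditResult()
    ret = retention.get("Retention")
    if not ret:
        result.fail("object has no retention")
        return result
    if ret.get("Mode") != "COMPLIANCE":
        result.fail(f"object retention mode is {ret.get('Mode')}, not COMPLIANCE")
    until = ret.get("RetainUntilDate")
    if until is None or until <= now:
        result.fail("object retention has already expired")
    return result


# Constructed sample responses; no real bucket was queried.
GOOD_BUCKET = (
    {"Status": "Enabled"},
    {"ObjectLockConfiguration": {
        "ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 45}}}},
)
WEAK_BUCKET = (  # locked, but in a mode and for a window an attacker can beat
    {"Status": "Enabled"},
    {"ObjectLockConfiguration": {
        "ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 7}}}},
)
PLAIN_BUCKET = ({}, {})  # an ordinary disk target: nothing stops a delete

NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)
LOCKED_OBJECT = {"Retention": {"Mode": "COMPLIANCE",
                               "RetainUntilDate": NOW + timedelta(days=40)}}
EXPIRED_OBJECT = {"Retention": {"Mode": "COMPLIANCE",
                                "RetainUntilDate": NOW - timedelta(days=1)}}

if __name__ == "__main__":
    for name, args in [("good", GOOD_BUCKET), ("weak", WEAK_BUCKET),
                       ("plain", PLAIN_BUCKET)]:
        r = audit_bucket(*args)
        print(f"{name}: immutable={r.immutable} {r.findings}")
    for name, obj in [("locked", LOCKED_OBJECT), ("expired", EXPIRED_OBJECT)]:
        r = audit_object(obj, NOW)
        print(f"{name}: immutable={r.immutable} {r.findings}")
```

To run it against a real bucket, feed audit_bucket the dictionaries returned by boto3’s get_bucket_versioning and get_object_lock_configuration (the JSON from the equivalent aws s3api commands has the same keys), and feed audit_object the per-object get_object_retention response; note that the CLI prints RetainUntilDate as a string, so parse it into a timezone-aware datetime first. The point of the “weak” sample is the one practitioners most often miss: a bucket can have Object Lock switched on and still be deletable by the very credentials an attacker will have stolen.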

Cyber attacks are making us do the things we were supposed to do all along. It’s like when COVID happened and people started washing their hands more. You were supposed to be doing that anyway. Ransomware is forcing us to build security into our backup systems that should have been there from the start.

The shift from tape to disk created vulnerabilities. The rise of cryptocurrency made ransomware profitable. Ransomware-as-a-service made it accessible to anyone. And double extortion changed the calculus of whether to pay. But through all of that evolution, one thing remains constant: if you have good, immutable backups, you can recover. And recovery is what turns a potential disaster into an annoying but survivable incident.

That’s the lesson from a history of ransomware. It’s going to happen. Plan for how you’re going to respond when it does.

Written by W. Curtis Preston (@wcpreston), four-time O'Reilly author, and host of The Backup Wrap-up podcast. I am now the Technology Evangelist at S2|DATA, which helps companies manage their legacy data.
