**2. A brief history of ransomware**

This section gives a brief history of ransomware, from its inception as a petty cybercriminal act to what is now a billion-dollar cybercrime industry.

The first known ransomware attack occurred in 1989 and targeted the healthcare industry. Joseph Popp, an AIDS researcher, carried out the attack by mailing 20,000 floppy disks to attendees of the WHO AIDS conference [5]. The attacker used social engineering to trick the victims, claiming that the disks contained a questionnaire to determine an individual's risk of acquiring AIDS. The disks also contained malware, dubbed the AIDS Trojan, that encrypted files on the victim's machine and displayed a message demanding a payment of \$189 to a P.O. box in Panama in exchange for access to the files [5]. The AIDS Trojan used a simple symmetric encryptor to encrypt file names, and a decryption key was soon available to decrypt them [6].

**Figure 1** shows the ransomware timeline from the launch of the AIDS Trojan in 1989 to Hive in 2022.

The first modern ransomware, GPCode, was launched in 2004 and infected systems via phishing emails [6]. GPCode, also known as GPCoder, used symmetric encryption to encrypt files and requested \$20 for a decryption key [5]. The year 2006 saw the launch of Archievus, the first ransomware to employ strong encryption, using 1024-bit RSA [5]. Reveton emerged in 2012 as a ransomware locker, a variant that displayed fraudulent law enforcement messages accusing victims of committing a crime; the attackers threatened victims with jail time if the ransom was not paid [5]. The year 2013 saw the emergence of a ransomware strain known as CryptoLocker that was delivered via phishing emails. CryptoLocker used strong 2048-bit RSA encryption and was both a locker and a crypto variant [5]. CryptoWall gained notoriety after the downfall of the infamous CryptoLocker in 2014 and was widely distributed using various exploit kits and spam campaigns. TeslaCrypt gained notoriety in 2015 and targeted computer gamers. After a successful infection, the malicious program demanded a \$500 ransom for the decryption key; if the victim delayed, the ransom doubled.

**Figure 1.** *Ransomware timeline.*

## *Perspective Chapter: Ransomware DOI: http://dx.doi.org/10.5772/intechopen.108433*

Petya emerged in 2016 as the first ransomware variant that, rather than encrypting individual files, overwrote the master boot record and encrypted the master file table, locking victims out of their entire hard drive more quickly than other ransomware techniques [5]. The infamous WannaCry shocked the world in 2017 and hit hundreds of thousands of machines across more than 150 countries. WannaCry spread via EternalBlue, an exploit leaked from the National Security Agency [5]. A major cyberattack began targeting Ukraine in June 2017 using a new variant of Petya known as NotPetya. NotPetya soon spread and impacted organizations globally.

In 2018, a sophisticated ransomware variant known as Ryuk was released and became one of the most successful ransomware campaigns of its time. Ryuk attacks were targeted, and ransom amounts associated with Ryuk typically ranged between 15 and 50 Bitcoins, or roughly between \$100,000 and \$500,000 [7]. REvil, also known as Sodinokibi, first appeared in April 2019 and immediately became immensely successful [8]. Another ransomware variant, Maze, was discovered in 2019 and introduced the tactic of double extortion, in which data are exfiltrated before the ransomware is deployed. Shortly after Maze disbanded in 2020, the Egregor RaaS double extortion variant appeared.

2020 also saw the emergence of Conti and DarkSide, which were responsible for major cyber incidents globally. LockBit 2.0, a new variant of LockBit with advanced capabilities, appeared in 2021. LockBit 3.0, the current version, was discovered in June 2022 and has added a Bug Bounty Program (BBP) to its arsenal [9]. The year 2022 saw the fall of the notorious ransomware group Conti and the emergence of new groups such as Black Basta, Hive, and Quantum that continue to drive the ransomware threat landscape [10].

**Figure 2.** *Significant ransomware incidents.*

**Figure 2** highlights significant ransomware incidents that have occurred over the last 5 years.

**Figure 3** shows the various stages involved in a ransomware attack.
