History of Ransomware: Key Attacks and Evolution in the US

Ransomware has evolved from an experimental academic curiosity into one of the most consequential cyber threat categories facing US public and private sector organizations. This page traces the structural evolution of ransomware from its origins in the late 1980s through the emergence of ransomware-as-a-service ecosystems and double extortion models, documenting the named attacks, threat actor groups, and technical pivots that define each phase. Understanding this trajectory is foundational for security professionals, policy researchers, and organizations assessing exposure against the ransomware threat actor landscape and current ransomware statistics and trends.


Definition and Scope

Ransomware is formally defined by the Cybersecurity and Infrastructure Security Agency (CISA) as a form of malware that encrypts files on a device — rendering systems unusable — followed by a ransom demand for decryption. The FBI's Internet Crime Complaint Center (IC3) classifies ransomware as a subset of extortion-based cybercrime, a classification that has expanded as threat actors added data theft and public exposure threats to their extortion chain.

The scope of ransomware as a historical subject spans four structurally distinct eras:

  1. Pre-internet ransomware (1989–2005): Physical media delivery, rudimentary encryption, limited scalability.
  2. Early internet ransomware (2005–2012): Scareware and locker variants; where encryption was used at all, keys were weak or recoverable from the malware.
  3. Crypto-ransomware maturation (2013–2017): Bitcoin payments, asymmetric encryption, mass-scale automated campaigns.
  4. Ransomware-as-a-Service and double extortion (2018–present): Affiliate models, data leak sites, targeted enterprise attacks.

Each era is demarcated by a combination of payment infrastructure availability, encryption capability, and threat actor organizational sophistication.


How It Works

The mechanics of ransomware have shifted substantially across each historical period, but the fundamental attack chain has remained structurally consistent. CISA's ransomware guidance identifies the core phases: initial access, persistence establishment, lateral movement, data staging, encryption execution, and ransom demand delivery. The NIST Cybersecurity Framework is often cited alongside it, but it organizes defender functions, not attacker phases, and is the wrong reference for the sequence below.

Phase breakdown of the modern ransomware attack chain:

  1. Initial access: Delivered via phishing email, exposed Remote Desktop Protocol (RDP) services reached with weak or stolen credentials, exploitation of an internet-facing vulnerability, or supply chain compromise (see ransomware initial access vectors).
  2. Reconnaissance and lateral movement: Threat actors spend days to weeks mapping the network, escalating privileges, and identifying high-value targets before encryption begins.
  3. Data exfiltration (post-2019 standard): Files are staged and exfiltrated to attacker-controlled infrastructure to enable double extortion.
  4. Encryption execution: A fresh symmetric key (AES in many families; ChaCha20 or Salsa20 in several recent ones) is generated per victim or per file and applied to file contents; that key is then encrypted with the operator's public key (RSA or an elliptic-curve key) and stored in the file header or the ransom note. Implemented correctly, this makes decryption without the operator's private key computationally infeasible. The free decryptors that exist for some families work only because the family reused keys, left them in memory, or used weak randomness.
  5. Ransom note delivery: Instructions specifying cryptocurrency wallet address and deadline are dropped to victim systems.
  6. Negotiation and payment window: Threat actors operate customer service portals, sometimes with live chat, governing the ransomware negotiation process.

The 1989 AIDS Trojan, distributed by Joseph Popp via 20,000 floppy disks mailed to World Health Organization conference attendees, used symmetric encryption whose key was stored locally and recoverable from the program itself, so files could be decrypted without paying once the malware was analyzed. Modern ransomware closed this flaw through the asymmetric key architecture described above, although implementation errors in individual families still occasionally leave keys recoverable.

CryptoLocker (2013) marked the first large-scale deployment of 2048-bit RSA asymmetric encryption paired with Bitcoin payment infrastructure. The FBI and Europol disrupted the Gameover ZeuS botnet that distributed CryptoLocker in 2014, but not before the campaign extorted an estimated $27 million (FBI, Operation Tovar documentation).


Common Scenarios

The historical record of US ransomware incidents reveals recurring target profiles and attack patterns. The following named incidents represent structural inflection points rather than isolated events.

WannaCry (May 2017): Exploited a vulnerability in Microsoft's SMBv1 implementation using EternalBlue, an exploit developed by the National Security Agency and leaked by the Shadow Brokers group. Microsoft had patched the flaw two months earlier in MS17-010, so the worm spread only to hosts that had not applied that update and still exposed SMBv1. WannaCry infected more than 200,000 systems across 150 countries within 72 hours (UK NCSC attribution statement, 2018). US healthcare systems including hospital networks experienced operational disruption. The US government attributed WannaCry to North Korea's Lazarus Group.

NotPetya (June 2017): Initially misclassified as ransomware, NotPetya was a destructive wiper delivered through a trojanized update of the Ukrainian accounting software M.E.Doc and spread inside networks with the same EternalBlue exploit as WannaCry, supplemented by stolen credentials. The US Department of Justice attributed NotPetya to the Russian GRU's Sandworm unit. Maersk, a global shipping company, reported approximately $300 million in damages (Maersk annual report, 2017).

Ryuk (2018–2021): A targeted ransomware strain linked to the Russian-speaking threat group WIZARD SPIDER, Ryuk was deployed exclusively against high-value targets — US hospitals, local governments, and media organizations — after extended dwell time averaging over two weeks. Ryuk demanded ransoms denominated in Bitcoin, with demands ranging from $100,000 to $12.5 million per incident, per FinCEN ransomware advisory (October 2020).

Colonial Pipeline (May 2021): The DarkSide ransomware group encrypted Colonial Pipeline's IT network, triggering a precautionary shutdown of pipeline operations supplying 45% of the US East Coast's fuel supply; the operational technology controlling the pipeline was not reported as encrypted. The US Department of Justice recovered approximately $2.3 million of the $4.4 million Bitcoin ransom paid (DOJ press release, June 7, 2021). This incident directly catalyzed an expansion of CISA's ransomware guidance and the passage of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA).

Kaseya VSA (July 2021): The REvil group exploited a zero-day vulnerability in Kaseya's VSA remote monitoring platform, deploying ransomware to approximately 1,500 downstream businesses through a single supply chain entry point. This incident exemplifies the ransomware supply chain attack model at scale.

The contrast between WannaCry and Ryuk is structurally significant: WannaCry was an automated worm seeking maximum spread with low per-victim demands; Ryuk was a precision, human-operated campaign demanding large ransoms from pre-selected high-value targets. This distinction defines the bifurcation between commodity ransomware and big-game hunting that characterizes the post-2018 threat landscape.


Decision Boundaries

The historical evolution of ransomware creates specific classification and response decision points that security professionals and organizations must distinguish.

Ransomware vs. wiper malware: NotPetya and similar tools are often misclassified as ransomware because they display ransom notes. The operative distinction is whether decryption is technically possible: wipers overwrite boot records or file system structures, or generate keys that are never retained by anyone (NotPetya's displayed "installation key" was random data unrelated to the encryption key), so recovery is impossible regardless of payment. CISA's StopRansomware portal maintains guidance distinguishing these categories.
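As an added example (not code from this page or from any ransomware family), the following Go program models the three key-handling designs this page contrasts: the 1989 AIDS Trojan's locally stored symmetric key (How It Works, above), the post-2013 hybrid scheme of phase 4 of the attack chain, and a wiper that shows a ransom note but has no private key anywhere that could unwrap the file key. It uses only Go's standard library; the file contents, the 2048-bit RSA keys and the function names are constructed for the demonstration and are assumptions, not artefacts of any real family. The three recovery checks show which on-disk material is actually sufficient for decryption, which is the test that separates recoverable ransomware from a wiper.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Locked is what one encrypted file leaves on the victim's disk.
type Locked struct {
	Nonce      []byte
	Ciphertext []byte // AES-256-GCM output
	WrappedKey []byte // file key encrypted to the operator's RSA public key (hybrid model)
	PlainKey   []byte // file key stored in the clear (AIDS Trojan model); nil otherwise
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt models phase 4 of the chain: a fresh 256-bit key per file, applied to the
// contents, then wrapped with the operator's public key. keepKeyLocal reproduces
// the AIDS Trojan flaw by also leaving the key next to the ciphertext.
func Encrypt(pub *rsa.PublicKey, plaintext []byte, keepKeyLocal bool) (*Locked, error) {
	material := make([]byte, 32+12) // 256-bit file key followed by a 96-bit GCM nonce
	if _, err := io.ReadFull(rand.Reader, material); err != nil {
		return nil, err
	}
	key, nonce := material[:32], material[32:]
	aead, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	l := &Locked{Nonce: nonce, Ciphertext: aead.Seal(nil, nonce, plaintext, nil), WrappedKey: wrapped}
	if keepKeyLocal {
		l.PlainKey = key
	}
	return l, nil
}

func decryptWith(key []byte, l *Locked) ([]byte, error) {
	aead, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, l.Nonce, l.Ciphertext, nil)
}

// RecoverFromDisk is what an incident responder can do with only the on-disk
// artefacts: it succeeds only if the file key was left in the clear.
func RecoverFromDisk(l *Locked) ([]byte, error) {
	if l.PlainKey == nil {
		return nil, errors.New("file key exists only wrapped to the operator's public key")
	}
	return decryptWith(l.PlainKey, l)
}

// RecoverWithPrivateKey is the decryptor the operator sells: unwrap, then decrypt.
// It fails when the private key is missing (a wiper) or is the wrong one.
func RecoverWithPrivateKey(priv *rsa.PrivateKey, l *Locked) ([]byte, error) {
	if priv == nil {
		return nil, errors.New("no private key was ever retained: payment cannot buy a decryptor")
	}
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, l.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap failed: %w", err)
	}
	return decryptWith(key, l)
}

func main() {
	operator, _ := rsa.GenerateKey(rand.Reader, 2048)
	doc := []byte("constructed sample file: Q3 payroll export") // constructed input, not real data
	aids, _ := Encrypt(&operator.PublicKey, doc, true)
	out, err := RecoverFromDisk(aids)
	fmt.Println("1989 model, decrypted from on-disk key:", err == nil && bytes.Equal(out, doc))
	modern, _ := Encrypt(&operator.PublicKey, doc, false)
	_, err = RecoverFromDisk(modern)
	fmt.Println("hybrid model, decrypted from on-disk artefacts:", err == nil)
	out, err = RecoverWithPrivateKey(operator, modern)
	fmt.Println("hybrid model, decrypted with operator private key:", err == nil && bytes.Equal(out, doc))
	// Wiper: wrapped to a throwaway public key whose private half is discarded,
	// so no party, paid or not, holds what a decryptor would need.
	throwaway, _ := rsa.GenerateKey(rand.Reader, 2048)
	wiper, _ := Encrypt(&throwaway.PublicKey, doc, false)
	_, err = RecoverWithPrivateKey(nil, wiper)
	fmt.Println("wiper, decrypted after payment:", err == nil)
}
```

The first check succeeds, the second fails and the third succeeds, which is the hybrid model working as designed; the last fails, which is the wiper signature. In a real response the same question is answered by examining how the sample handles its keys, not by paying to find out.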

Locker ransomware vs. crypto-ransomware: Locker variants (dominant 2010–2013) restrict access to the operating system or device interface without encrypting files. Crypto-ransomware encrypts file content directly. The practical implication is that locker attacks are more readily recoverable — often through safe mode access or OS reinstallation — whereas crypto-ransomware requires either a decryption key or restoration from verified backups via a sound backup strategy.

Single extortion vs. double extortion (post-2019 threshold): Maze ransomware group introduced the double extortion model in late 2019, exfiltrating data before encrypting and threatening public release on dark web leak sites. The double extortion ransomware model renders traditional backup-only recovery strategies insufficient for full incident containment. Triple extortion ransomware extended this further by threatening victims' customers and partners directly.

Regulatory reporting thresholds: The historical shift toward attacks on critical infrastructure triggered mandatory reporting obligations. CIRCIA (codified at 6 U.S.C. § 681 et seq.) requires covered entities in critical infrastructure sectors to report ransom payments within 24 hours and substantial cyber incidents within 72 hours; these deadlines bind once CISA's implementing final rule takes effect, so organizations should track that rulemaking rather than assume the statute alone starts the clock. HIPAA-covered entities face parallel obligations under 45 C.F.R. Part 164 when ransomware constitutes a breach (detailed at HIPAA ransomware compliance). Federal ransomware reporting requirements now apply across the 16 critical infrastructure sectors designated by Presidential Policy Directive 21.

The OFAC dimension adds a second decision boundary: paying ransomware actors designated under the Treasury Department's sanctions list carries civil penalties regardless of intent, per [
