History of Ransomware: Key Attacks and Evolution in the US
Ransomware has evolved from a niche experimental malware concept into one of the most consequential categories of cybercrime targeting US infrastructure, institutions, and private enterprise. This page traces the documented progression of ransomware from its earliest known deployments through the emergence of sophisticated criminal enterprises, covering key attack milestones, technical evolution, and the regulatory responses those events generated. The trajectory matters because each generational shift in ransomware capability has redefined what preparedness, response, and liability look like for US organizations.
Definition and scope
Ransomware is formally defined by the Cybersecurity and Infrastructure Security Agency (CISA) as "a form of malware designed to encrypt files on a device, rendering any files and the systems that rely on them unusable" until a ransom demand is satisfied. Within the historical context of this page, the scope encompasses three distinct generations of the threat:
- Early-stage ransomware — pre-cryptocurrency extortion relying on physical mail, prepaid cards, or bank transfers (1989–2012)
- Commodity ransomware — Bitcoin-enabled mass-distribution campaigns targeting individuals and small organizations (2013–2017)
- Enterprise ransomware — targeted, human-operated campaigns against high-value institutions with double-extortion mechanics (2018–present)
The FBI's Internet Crime Complaint Center (IC3) classifies ransomware as a subset of extortion-based cybercrime. The IC3 received 2,825 ransomware complaints in 2023 alone (IC3 2023 Internet Crime Report), a figure acknowledged to underrepresent actual volume because of chronic underreporting. Knowing where the threat came from explains why the ransomware service sector exists in its current form.
How it works
The operational mechanics of ransomware have grown more structured with each generation, but the core sequence has remained consistent across documented attacks:
- Initial access — Attackers gain entry through phishing, exposed Remote Desktop Protocol (RDP) ports, unpatched vulnerabilities, or compromised credentials. The 2021 Colonial Pipeline attack, for example, was traced to a compromised VPN credential with no multi-factor authentication, according to CISA and FBI joint advisory AA21-131A.
- Lateral movement and reconnaissance — Operators map the network, escalate privileges, and identify backup infrastructure before deploying encryption.
- Exfiltration (post-2019) — In double-extortion campaigns, data is copied to attacker-controlled infrastructure before encryption begins.
- Encryption and ransom demand — File encryption is executed across targeted systems; a ransom note specifies payment terms, typically in cryptocurrency.
- Negotiation or restoration — Victims either pay, restore from backups, or engage law enforcement. The US Department of Justice recovered approximately $2.3 million of the 75 Bitcoin ransom paid in the Colonial Pipeline attack (DOJ Press Release, June 7, 2021).
The shift from automated spray-and-pray campaigns to manual "big game hunting" operations — a term used in CISA's Stop Ransomware guidance — marks the most significant mechanical evolution in the threat's history.
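As an added illustration, and not code from the original article or from any agency it cites, the following Python sketch turns the stage sequence above into defender-side detection logic. It runs over a constructed event log and flags three of the stages as they would appear in telemetry: a remote logon with no MFA evidence (initial access), an outsized outbound transfer from one host to one external address (exfiltration), and a single process rewriting many files within a short window (encryption). The event schema, the thresholds, the host names, process names and addresses are all assumptions made for this example.

```python
"""Added example (not part of the original article): a small behavioural
detector for the ransomware stages described above, run over a constructed
event log. Event schema, thresholds, host names, process names and addresses
are assumptions made for this illustration."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Thresholds are assumed starting points; baseline them against your own telemetry.
EXFIL_BYTES_THRESHOLD = 500 * 1024 * 1024          # bytes to one external address
MASS_WRITE_THRESHOLD = 100                          # files one process rewrites ...
MASS_WRITE_WINDOW = timedelta(minutes=5)            # ... within this window
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def is_internal(addr):
    """RFC 1918 check; a real deployment would use its own address inventory."""
    return any(ip_address(addr) in net for net in INTERNAL_NETS)


def detect_initial_access(events):
    """Stage 1: remote (VPN/RDP) logons that carry no MFA evidence."""
    return [f"remote logon without MFA: {e['user']} from {e['src']} at {e['ts']}"
            for e in events
            if e["type"] == "logon" and e.get("remote") and not e.get("mfa")]


def detect_exfiltration(events):
    """Stage 3: large outbound volume from one host to one external address."""
    totals = defaultdict(int)
    for e in events:
        if e["type"] == "netflow" and e["direction"] == "out" and not is_internal(e["dst"]):
            totals[(e["host"], e["dst"])] += e["bytes"]
    return [f"{host} sent {total // (1024 * 1024)} MiB to {dst}"
            for (host, dst), total in totals.items() if total >= EXFIL_BYTES_THRESHOLD]


def detect_mass_encryption(events):
    """Stage 4: one process writing or renaming many files in a short window."""
    per_proc = defaultdict(list)
    for e in events:
        if e["type"] == "file" and e["op"] in ("write", "rename"):
            per_proc[(e["host"], e["process"])].append(e)
    findings = []
    for (host, proc), evs in per_proc.items():
        evs.sort(key=lambda x: parse_ts(x["ts"]))
        best, start = 0, 0
        for end in range(len(evs)):          # sliding window over sorted timestamps
            while parse_ts(evs[end]["ts"]) - parse_ts(evs[start]["ts"]) > MASS_WRITE_WINDOW:
                start += 1
            best = max(best, end - start + 1)
        if best >= MASS_WRITE_THRESHOLD:
            exts = sorted({e["path"].rsplit(".", 1)[-1] for e in evs if e["op"] == "rename"})
            minutes = int(MASS_WRITE_WINDOW.total_seconds() // 60)
            findings.append(f"{proc} on {host} rewrote {best} files within {minutes} min; "
                            f"new extensions seen: {exts}")
    return findings


def run_all(events):
    return {
        "initial_access": detect_initial_access(events),
        "exfiltration": detect_exfiltration(events),
        "encryption": detect_mass_encryption(events),
    }


def build_sample_events():
    """Constructed telemetry: benign noise plus one synthetic intrusion on host ws-017."""
    base = datetime(2024, 1, 15, 2, 0, 0)

    def t(secs):
        return (base + timedelta(seconds=secs)).strftime("%Y-%m-%d %H:%M:%S")

    events = [
        # benign: a remote logon with MFA and a local console logon
        {"type": "logon", "ts": t(0), "user": "alice", "src": "198.51.100.20", "remote": True, "mfa": True},
        {"type": "logon", "ts": t(5), "user": "bob", "src": "10.0.0.5", "remote": False, "mfa": False},
        # suspicious: VPN service account, remote, no MFA recorded
        {"type": "logon", "ts": t(60), "user": "svc_vpn", "src": "198.51.100.7", "remote": True, "mfa": False},
        # benign traffic: a large internal file-share copy and a small external download
        {"type": "netflow", "ts": t(120), "host": "ws-017", "dst": "10.0.0.9", "direction": "out", "bytes": 900 * 1024 * 1024},
        {"type": "netflow", "ts": t(130), "host": "ws-017", "dst": "203.0.113.99", "direction": "out", "bytes": 5 * 1024 * 1024},
        # benign edits by an office application
        *[{"type": "file", "ts": t(200 + i), "host": "ws-017", "process": "winword.exe",
           "op": "write", "path": f"C:/Users/alice/report{i}.docx"} for i in range(3)],
    ]
    # exfiltration: 4 x 200 MiB to one external address before encryption starts
    events += [{"type": "netflow", "ts": t(1800 + i * 60), "host": "ws-017", "dst": "203.0.113.10",
                "direction": "out", "bytes": 200 * 1024 * 1024} for i in range(4)]
    # encryption: 150 renames to a new extension, one per second
    events += [{"type": "file", "ts": t(4200 + i), "host": "ws-017", "process": "enc.exe",
                "op": "rename", "path": f"C:/Shares/finance/doc{i}.xlsx.locked"} for i in range(150)]
    return events


if __name__ == "__main__":
    for stage, hits in run_all(build_sample_events()).items():
        print(f"[{stage}] {len(hits)} finding(s)")
        for h in hits:
            print("   ", h)
```

Two points follow from running it. The mass-rewrite heuristic fires only once encryption is already under way, so it is a containment trigger rather than a prevention control; the logon and outbound-volume checks are the ones that can surface an intrusion during the reconnaissance and exfiltration stages, which in the documented cases lasted days or weeks. The exfiltration check also depends on per-flow byte counts being collected at all, which many environments do not do by default.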
Common scenarios
1989 — AIDS Trojan (PC Cyborg)
The first documented ransomware instance was distributed via 20,000 floppy disks mailed to AIDS research conference attendees. The malware encrypted file names and demanded a $189 payment to a PO box in Panama. Its symmetric encryption was trivially reversible by researchers, but it established the extortion template.
2013 — CryptoLocker
CryptoLocker introduced Bitcoin payment infrastructure to ransomware, making transactions difficult to trace or reverse. It infected an estimated 250,000 machines and collected ransoms totaling roughly $3 million before the Gameover ZeuS botnet carrying it was dismantled by Operation Tovar in 2014, a joint effort coordinated by the FBI, Europol, and private sector partners (FBI Operation Tovar).
2017 — WannaCry
WannaCry exploited the EternalBlue vulnerability in Microsoft's SMB protocol — a tool attributed to the NSA and leaked by Shadow Brokers — and spread to an estimated 200,000 systems across 150 countries within 72 hours (CISA Alert TA17-132A). The UK's National Health Service suffered significant operational disruption, a precedent that elevated critical infrastructure ransomware risk to a national security classification in the US.
2019 — Ryuk and the enterprise pivot
Ryuk, attributed by the FBI and CISA to the threat group tracked as Wizard Spider, marked the formalization of targeted enterprise ransomware. Ryuk campaigns pre-staged access via TrickBot malware, conducted extended reconnaissance, and demanded ransoms in the range of hundreds of thousands to millions of dollars per victim — a model described in CISA Advisory AA20-302A.
2021 — Colonial Pipeline and Kaseya
The DarkSide attack on Colonial Pipeline caused a six-day shutdown of 5,500 miles of fuel pipeline serving the US East Coast and prompted President Biden to sign Executive Order 14028 on Improving the Nation's Cybersecurity. The Kaseya VSA supply chain attack the same year compromised an estimated 1,500 downstream businesses through a single managed service provider, demonstrating the multiplier risk in interconnected IT environments (CISA Advisory AA21-200A).
2023 — MOVEit and Cl0p
The Cl0p ransomware group exploited a zero-day vulnerability in Progress Software's MOVEit Transfer product, affecting more than 2,000 organizations and exposing data belonging to over 60 million individuals, according to figures cited in CISA's MOVEit advisory. Unlike earlier campaigns, Cl0p focused primarily on data theft and extortion without deploying file encryption in all cases — a structural evolution toward pure extortion.
Decision boundaries
The ransomware resource landscape today is organized around a set of classification distinctions that determine both investigative jurisdiction and regulatory obligation.
Ransomware vs. data extortion without encryption
Cl0p's MOVEit campaigns illustrate that not all ransomware incidents involve file encryption. CISA and the FBI treat data theft extortion as a related but distinct threat class when no encryption component is present. Regulatory notification obligations under the Health Insurance Portability and Accountability Act (HIPAA), administered by the HHS Office for Civil Rights, attach to unauthorized access and acquisition regardless of whether encryption occurred.
Ransomware-as-a-Service (RaaS) vs. closed criminal groups
Pre-2016 ransomware was predominantly operated by closed developer groups. The RaaS model — in which a core developer leases the ransomware payload and infrastructure to affiliate operators in exchange for a percentage of proceeds — now dominates the threat landscape. LockBit, the most prolific ransomware group by victim count through 2023 per the FBI's LockBit disruption advisory AA24-060A, operated as a RaaS platform with affiliates responsible for initial access and deployment.
Federal jurisdiction boundaries
Ransomware incidents trigger overlapping federal jurisdiction. The FBI holds primary criminal investigative authority. CISA holds the coordination mandate under the Cybersecurity and Infrastructure Security Agency Act of 2018 (Public Law 115-278). The Treasury Department's Office of Foreign Assets Control (OFAC) imposes sanctions implications when payments flow to designated entities — a regulatory layer formalized in OFAC's 2020 ransomware advisory. Organizations navigating these boundaries may consult the ransomware resources available through this provider network to identify applicable professional service categories.