From floppy discs to Claude Mythos, how ransomware grew into a multibillion-dollar industry

When evolutionary biologist Joseph Popp coded the first documented piece of ransomware in 1989, he had little idea it would become a major criminal business model capable of bringing economies to their knees.

Popp, who worked for the World Health Organization at the time, wanted to warn people about the dangers of ignoring health warnings, poor sexual hygiene and (human) virus transmission.

He sent out 20,0000 floppy discs that, when loaded, flashed up a demand for money to regain files that had supposedly been encrypted (in fact, it was just their file names). He was later arrested and charged with 11 counts of blackmail, but declared mentally unfit to stand trial.

In 1996, two Columbia University computer scientists published a paper explaining how criminals could use more sophisticated versions of Popp’s scheme to mount large-scale extortion operations. At the heart of this was malicious software that could be used to encrypt, block access to or steal a person or organisation’s files and data.

However, two preconditions still had to be met for ransomware to become a feasible criminal business: communication channels that were difficult to monitor, and a payments process outside financial regulation.

The Tor protocol, released by US intelligence services to protect their covert communications, solved the first problem in 2004. Cryptocurrencies solved the second – in particular, when bitcoin cash machines started appearing in North American cities from 2013.

Today, artifical intelligence makes malware coding and crafting convincing phishing-emails in any language simple. And the latest model in Anthropic’s AI system, Claude Mythos, recently proved more effective at hacking into computer systems than humans.

As an expert in extortive crime, I am increasingly concerned about public and political apathy to the threats posed by ransomware. To better understand these, it’s worth tracing its evolution over the past two decades – and how improvements in computer security and law enforcement, plus changes in data regulation, have led to new criminal strategies each time.

Cut out the middlemen

The first generation, which came to global attention in the mid-2010s, was known as “commodity ransomware”. A pioneering example, Cryptolocker, was developed by Russia-based hackers who infiltrated hundreds of thousands of computers, seeking to cut out the middlemen previously needed to commit financial fraud. They proved that a large majority of their victims would happily pay a small ransom to restore data that had been locked by their malware.

As both competent and incompetent hackers piled into this new market, victims shared information about rogue operators and put them out of business. This led to the second generation of ransomware such as Ryuk, which emerged in 2018.

In this phase, criminals abandoned the indiscriminate “spray-and-pray” approach in favour of targeting individual cash-rich businesses. They would set an individual ransom, negotiate with the company, and even offer to help with decryption if paid. Fast-rising ransoms more than compensated for this increased administrative effort.

In response, many companies began investing in multi-factor authentication, better threat monitoring, advance warning systems and software patches for known vulnerabilities.

However, these security benefits were soon offset by the impact of COVID on work practices across the world. The pandemic led to widespread remote working, with many people using unsecured devices and connections that were vulnerable to cyber-attack.

A multibillion-dollar industry

The next ransomware innovation was driven by the emergence of back-up systems that enabled companies to restore encrypted files without the criminals’ help. This was coupled with the emergence of tighter data privacy regulation such as GDPR in Europe and the UK.

Invented in 2019, third-generation ransomware weaponised these regulations, which threatened firms with massive fines if confidential data about clients or staff was revealed. The criminal gangs now sought out and exfiltrated an organisation’s most sensitive files, then threatened to publicise them through dedicated dark web leak sites.

This so-called double-extortion model – encrypting an organisation’s data while threatening to make it public – brought many businesses back to the negotiation table.

Ransomware had become a multibillion-dollar industry – with the Conti gang, sheltered by Russia and employing hundreds of people, among the key players setting new records for ransomware demands. Its attacks on critical infrastructure and hospitals saw it sanctioned by the UK government in 2023.

This new approach forced many governments to row back on imposing hefty fines for data breaches, since many were the result of criminal attacks. Meanwhile, new initiatives by law enforcement – supported by the private sector – targeted and broke up the largest and most egregious ransomware gangs.

Today’s fourth generation of ransomware, building on the latest AI technology, looks nimbler and slimmed-down in comparison. Anyone who gains access to a network can lease weapons-grade malware on the dark web without forming long-term ties with a particular gang.

Advanced AI-based hacking tools make ransomware accessible to many more criminals and politically motivated hacktivists. And around one-quarter of breaches still result in ransom payments. For criminals sheltered by their governments, only the digital infrastructure is at risk of being taken down by western law enforcement.

Lessons not learned

While coverage of Claude Mythos suggests even the most sophisticated cyber defences could now be vulnerable, the troubling reality is that many individuals and organisations are still using out-of date, unpatched or only partially upgraded software. This means even early-generation ransomware techniques are still lucrative.

While Popp sent out his floppy discs to promote better sexual hygiene, today’s poor cyberhygiene is leaving many public and private networks open to malware attacks. The intended lesson of his original ransomware caper – be vigilant and properly heed health warnings – has still only been partially learnt in the digital world.

Many western societies appear to have grown accepting of criminals leaching on business conducted on the internet. Not even a steady stream of human fatalities, caused by attacks on hospitals and medical providers, has generated the level of response required to stamp out this dangerous threat.

The hope that governments sheltering cybercriminals can be encouraged (or forced) to stop them targeting critical national infrastructure appears increasingly fragile amid current geopolitical tensions. At all levels of society, we need to get smarter about cyber defence.

Anja Shortland does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment. Anja's latest book, We Know You Can Pay a Million: Inside the Dark Economy of Hacking and Ransomware, is published by Profile Books.