History of Ransomware: From Floppy Disk to RaaS
The history of ransomware traces one extortion idea from the 1989 AIDS Trojan through stronger encryption, anonymous crypto payment, self-spreading worms, double extortion, and rentable ransomware-as-a-service.
In 1989 a Harvard-trained biologist mailed 20,000 floppy disks to attendees of a World Health Organization AIDS conference. The disks were labeled "AIDS Information Introductory Diskettes." Insert one, and after the 90th reboot it hid your directories, scrambled the file names on your C drive, and printed a demand: send $189 to a PO box in Panama to get them back. That program, the AIDS Trojan, is the first ransomware on record. The extortion model it introduced, lock the victim's data and charge to release it, has not changed in over three decades. Almost everything else has.
The history of ransomware is the story of that one idea getting steadily more dangerous as three things fell into place: strong cryptography that victims could not break, anonymous payment that operators could not be traced through, and a criminal supply chain that let anyone rent the capability. This guide walks the timeline era by era, from the floppy disk to the ransomware-as-a-service economy, and pulls out what each shift actually changed for defenders.
The origin: the AIDS Trojan (1989)
The AIDS Trojan, written by Dr. Joseph Popp and also called the PC Cyborg Trojan, set the template. It demanded payment to restore access to files it had locked. But it was a proof of concept hampered by its era.
Its encryption was weak. The Trojan used simple symmetric cryptography: the same key locked and unlocked the files, and that key was fixed and shipped inside the program itself, so anyone who disassembled the binary could recover it. Analysts released decryption tools within weeks, and most victims never had to pay. Its distribution was physical: floppy disks through the postal mail, not a network. And its payment channel was a traceable PO box, which is part of how authorities connected the scheme to Popp, who was arrested and charged, though he was later found unfit to stand trial.
Every weakness in the AIDS Trojan maps to a problem the next thirty years of ransomware would solve. Breakable crypto, slow physical delivery, and a payment trail that leads back to a person. Fix those three, and you have the modern threat.
The encryption era: ransomware learns real cryptography (2004 to 2012)
For about fifteen years after the AIDS Trojan, ransomware was a fringe curiosity. It returned in force in the mid-2000s, and this time it brought cryptography that defenders could not simply reverse.
GpCode, which appeared around 2004 to 2005, spread through email and encrypted victims' files with a custom algorithm. The early versions used weak homegrown crypto that analysts broke, but by 2008 GpCode variants were using 1024-bit RSA, putting recovery out of reach without the operator's private key. In 2006 the Archiveus Trojan became one of the first to use RSA, locking everything in the victim's My Documents folder. Even so, its fixed password was eventually pulled out of the binary, the same mistake the AIDS Trojan had made.
This era also split ransomware into the two shapes still used today:
- Crypto ransomware encrypts the victim's files and demands payment for the decryption key. The data stays on the machine but is unreadable.
- Locker ransomware locks the victim out of the device or operating system entirely, blocking access without necessarily encrypting individual files.
A widespread locker example arrived with Reveton around 2012. Delivered by drive-by download, Reveton froze the screen with a fake notice impersonating the FBI or local police, accusing the victim of a crime and demanding a "fine." It was scareware extortion at scale, and it normalized the idea of malware that holds a whole machine hostage rather than just its files.
What changed in this era: once RSA-grade encryption became standard, recovery without the key stopped being feasible. The victim's only paths were a clean backup or the operator's private key. That single shift is what turned ransomware from a nuisance into a business. The caveat that still matters for defenders: the math is sound, but implementations often are not. Hard-coded keys, weak random number generators, and keys left in memory have let researchers publish free decryptors for individual families, so checking for one is a sensible first step before any payment decision.
The crypto-payment era: CryptoLocker and untraceable money (2013 to 2016)
Strong encryption made ransomware effective. Anonymous payment made it scalable. The pivot point was CryptoLocker in 2013.
CryptoLocker spread through malicious email attachments and the Gameover Zeus botnet, and encrypted local and connected drives, including mapped network shares, using AES for the files and a per-victim 2048-bit RSA key pair to protect the AES keys. The RSA pair was generated on the operators' command-and-control server; only the public key ever reached the infected machine, so the private key needed for decryption was never on disk to be recovered. And crucially, it demanded payment in Bitcoin. Cryptocurrency gave operators what the AIDS Trojan's Panama PO box never could: a payment channel that was fast, global, and far harder to trace back to a person than a bank transfer or a mailed check. The traceable payment problem was largely solved, though not permanently: blockchain analysis and exchange records have since let law enforcement follow and occasionally seize ransom payments.
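The difference between the 1989 design and the 2013 design comes down to where the key that can undo the damage lives. The Go program below is an added illustration written for this page, not code from any of the families discussed. It models the two designs with AES-256-GCM and RSA-OAEP from Go's standard library (the real families used other ciphers and padding), and the fixed key, the sample document, and the helper names such as Encrypt1989, Encrypt2013 and NewOperatorKey are all constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// embeddedKey1989 models the AIDS Trojan's flaw: a single fixed symmetric key
// compiled into the program. Constructed value; pulling it out of the binary is
// all an analyst needs to write a decryptor for every victim at once.
var embeddedKey1989 = []byte("0123456789abcdef0123456789abcdef")

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealAESGCM encrypts with AES-256-GCM and prepends the random nonce.
func sealAESGCM(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openAESGCM reverses sealAESGCM; a wrong key fails authentication.
func openAESGCM(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() { return nil, errors.New("sealed data too short") }
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// 1989 design: the key needed to undo the damage ships with the program.
func Encrypt1989(plaintext []byte) ([]byte, error) { return sealAESGCM(embeddedKey1989, plaintext) }
func Recover1989(sealed []byte) ([]byte, error)   { return openAESGCM(embeddedKey1989, sealed) }

// Sealed is the 2013-style output: the data under a random per-file key, plus
// that key wrapped with the operator's RSA public key.
type Sealed struct {
	WrappedKey []byte
	Ciphertext []byte
}

// NewOperatorKey generates the 2048-bit RSA pair that, in the real attacks,
// was created on the command-and-control server and never left it.
func NewOperatorKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// Encrypt2013 models the CryptoLocker-era design. Only the public key is used
// here; the random file key is dropped once it has been wrapped.
func Encrypt2013(pub *rsa.PublicKey, plaintext []byte) (Sealed, error) {
	fileKey := make([]byte, 32)
	if _, err := rand.Read(fileKey); err != nil { return Sealed{}, err }
	ct, err := sealAESGCM(fileKey, plaintext)
	if err != nil { return Sealed{}, err }
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil { return Sealed{}, err }
	return Sealed{WrappedKey: wrapped, Ciphertext: ct}, nil
}

// Decrypt2013 needs the private half; any other key fails at the unwrap step.
func Decrypt2013(priv *rsa.PrivateKey, s Sealed) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, s.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	return openAESGCM(fileKey, s.Ciphertext)
}

func main() {
	doc := []byte("constructed sample document")
	sealed89, _ := Encrypt1989(doc)
	back89, _ := Recover1989(sealed89)
	fmt.Printf("1989 design, key taken from the binary: %q\n", back89)
	operator, _ := NewOperatorKey()
	sealed13, _ := Encrypt2013(&operator.PublicKey, doc)
	analyst, _ := NewOperatorKey() // any key pair other than the operator's
	if _, err := Decrypt2013(analyst, sealed13); err != nil {
		fmt.Println("2013 design, without the operator's private key:", err)
	}
	back13, _ := Decrypt2013(operator, sealed13)
	fmt.Printf("2013 design, with the operator's private key: %q\n", back13)
}
```

Run with go run: the 1989 branch decrypts with nothing but the key extracted from the program, while the 2013 branch fails with crypto/rsa: decryption error for any private key but the operator's. This is why static or memory analysis of a modern sample yields at most the public key and already-wrapped file keys, never the private key that unwraps them, and why the recoverable-key mistakes of the AIDS Trojan and Archiveus could not be repeated once this split was standard.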
CryptoLocker was lucrative enough to spawn a wave of imitators and successors through the mid-2010s, including families like CryptoWall and TeslaCrypt. The combination was now complete: unbreakable encryption plus anonymous payment plus mass email distribution. Ransomware was a repeatable, profitable crime, and the volume climbed accordingly. Most of these campaigns were still opportunistic, spray-and-pray operations that encrypted whatever single machine clicked the malware attachment.
The worm era: WannaCry and NotPetya (2017)
2017 showed what happened when ransomware stopped needing a human to spread.
In May 2017, WannaCry tore through more than 200,000 machines across roughly 150 countries in days. It did not rely on tricking each user. It carried a self-propagating worm component built on EternalBlue, an exploit for a Windows SMBv1 vulnerability developed by the NSA and published by the Shadow Brokers in April 2017. WannaCry hit a machine, then scanned for and infected other unpatched systems on its own. Among the hardest-hit was the UK's National Health Service, where the outage disrupted hospital operations. Microsoft had patched the flaw in March 2017 (MS17-010), two months before the outbreak, and issued emergency updates for out-of-support Windows versions during it; the carnage came from unpatched systems. The spread was slowed when a researcher registered a hard-coded domain the malware checked before running, an accidental kill switch.
A month later, on 27 June 2017, NotPetya reached most of its victims through a trojanized update to M.E.Doc, accounting software widely used in Ukraine, and then spread inside networks using EternalBlue and EternalRomance alongside stolen credentials and legitimate administration tools (PsExec and WMIC). That second path meant fully patched machines fell too whenever a neighbouring host held usable administrator credentials. NotPetya demanded a ransom, but it was not really ransomware at all. It overwrote the master boot record and encrypted the master file table, and the "installation key" it displayed was randomly generated, so the operators could not have decrypted anything even if paid. NotPetya was a wiper wearing a ransom note, a destructive attack disguised as extortion, and it caused billions of dollars in global damage.
What changed in this era: ransomware proved it could self-propagate at internet scale and that the line between extortion and pure destruction was thin. It also delivered the clearest patching lesson in the field's history: a single two-month-old update would have stopped WannaCry outright. NotPetya added a second lesson, since its credential-based movement meant patching had to be paired with limiting where administrator credentials are valid.
The big-game era: targeted attacks and double extortion (2019 to 2020)
The next shift was strategic, not technical. Operators stopped spraying random victims and started hunting specific organizations that could pay large ransoms, an approach the industry calls big-game hunting. Instead of encrypting one laptop, an intruder would gain a foothold, move through the network, and detonate ransomware across the entire enterprise at once for maximum leverage.
Then came the tactic that reshaped the whole crime: double extortion. The Maze group is widely credited with pioneering it in late 2019. Before encrypting, the attackers exfiltrated the victim's sensitive data, then threatened to publish it on a public leak site if the ransom went unpaid.
Double extortion broke the one defense that had always worked. A solid backup meant you could restore your files and refuse to pay. But a backup does nothing about stolen data already in the attacker's hands. The threat became a data breach on top of an outage, with regulatory fines, lawsuits, and public exposure stacked on the cost of recovery. Maze's leak-site model was copied across the ecosystem within months and is now standard practice.
What changed in this era: ransomware became a targeted, hands-on-keyboard intrusion ending in data theft, not just file encryption. That moved the defensive fight earlier, to detecting the lateral movement and data staging that happen before any file is locked.
The RaaS era: ransomware as a business (2020 to today)
The final piece was industrialization. Ransomware-as-a-service (RaaS) turned the crime into a rentable product. Affiliate offerings existed by the mid-2010s, but from around 2020 the model became the norm behind most major attacks.
In RaaS, a core development group builds and maintains the ransomware, the leak site, and the payment infrastructure, then rents the whole kit to affiliates. The affiliates carry out the actual intrusions and split the proceeds with the developers. The developer no longer has to break into anyone, and the affiliate no longer has to write malware. This division of labor widened the pool of attackers dramatically, because deploying ransomware no longer required the skill to build it.
The consequences became impossible to ignore in 2021. In May 2021, an affiliate of the DarkSide RaaS operation compromised Colonial Pipeline, the largest refined-fuel pipeline in the United States. The company shut down operations, fuel shortages spread across the US East Coast, and Colonial reportedly paid roughly $4.4 million in bitcoin. The US Department of Justice later seized about 63.7 of those bitcoin, then worth roughly $2.3 million, after obtaining the private key to an affiliate wallet, a reminder that cryptocurrency is harder to trace than a PO box, not impossible. A single criminal affiliate, renting someone else's ransomware, triggered a national infrastructure crisis. Other RaaS brands such as REvil and LockBit drove a steady stream of high-impact attacks across the same period.
What changed in this era: ransomware became a scalable industry with specialization, branding, and affiliate programs. The barrier to entry collapsed, the volume of attacks rose, and any organization, not just the technically interesting target, became a candidate.
The evolution at a glance
| Era | Period | Defining attack | What changed |
|---|---|---|---|
| Origin | 1989 | AIDS Trojan | The extortion idea, with weak crypto and mailed disks |
| Encryption | 2004 to 2012 | GpCode, Archiveus, Reveton | Strong RSA encryption; crypto and locker split |
| Crypto-payment | 2013 to 2016 | CryptoLocker | Bitcoin made payment anonymous and scalable |
| Worm | 2017 | WannaCry, NotPetya | Self-propagation at internet scale via EternalBlue |
| Big-game / double extortion | 2019 to 2020 | Maze | Targeted attacks; data theft defeats backups |
| Ransomware-as-a-service | 2020 to today | DarkSide (Colonial Pipeline) | Rentable crime; barrier to entry collapses |
What the history tells defenders
The timeline is not trivia. Each era left a control that still matters, because old techniques never fully disappear.
The encryption era is why isolated, immutable backups are non-negotiable. Once the crypto became unbreakable, a clean backup the attacker can neither reach nor alter (offline, or held under write-once retention), with restores actually tested, is the difference between an outage and a payment.
The worm era is why patching is a survival control, not hygiene. WannaCry spread entirely through a flaw that had been patched two months earlier, and NotPetya used the same flaw alongside stolen credentials. Self-propagation feeds on unpatched systems and on administrator credentials that work everywhere.
The double-extortion era is why backups alone are no longer enough. When the threat is publication of stolen data, recovery does not remove the leverage. Stopping the intrusion before exfiltration, by detecting lateral movement and unusual data staging, is now the real fight.
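One concrete form of the early detection argued for above, covering both the SMB scanning of the worm era and the lateral movement that precedes a double-extortion attack: a sliding-window fan-out detector that flags a host contacting many distinct neighbours on TCP 445 within a short time. The Go program below is an added example written for this page, not taken from any product or from the attacks described. The record format, the addresses, the timestamps and the thresholds are constructed for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
	"time"
)

// Flow is one observed connection: when it started, from which host, to which host and port.
type Flow struct {
	When    time.Time
	Src     string
	Dst     string
	DstPort int
}

// Alert reports a source that reached too many distinct destinations on one port.
type Alert struct {
	Src          string
	DistinctDsts int
	WindowStart  time.Time
}

// ParseFlows reads lines of the form "<RFC3339 time> <src> <dst> <dstport>".
// The format is constructed for this example, not a real flow-log schema.
func ParseFlows(lines []string) ([]Flow, error) {
	var flows []Flow
	for _, line := range lines {
		f := strings.Fields(line)
		if len(f) == 0 { continue } // skip blank lines
		if len(f) != 4 { return nil, fmt.Errorf("malformed record: %q", line) }
		when, err := time.Parse(time.RFC3339, f[0])
		if err != nil { return nil, fmt.Errorf("bad timestamp in %q: %w", line, err) }
		port, err := strconv.Atoi(f[3])
		if err != nil { return nil, fmt.Errorf("bad port in %q: %w", line, err) }
		flows = append(flows, Flow{When: when, Src: f[1], Dst: f[2], DstPort: port})
	}
	return flows, nil
}

// DetectFanOut flags each source that contacts at least threshold distinct
// destinations on port within some window of the given length. One host touching
// many neighbours on 445 within seconds is what SMB worm scanning, and much
// hands-on lateral movement, looks like; ordinary SMB use is a few fixed servers.
func DetectFanOut(flows []Flow, port, threshold int, window time.Duration) []Alert {
	bySrc := map[string][]Flow{}
	for _, f := range flows {
		if f.DstPort == port {
			bySrc[f.Src] = append(bySrc[f.Src], f)
		}
	}
	var alerts []Alert
	for src, fs := range bySrc {
		sort.Slice(fs, func(i, j int) bool { return fs[i].When.Before(fs[j].When) })
		inWindow := map[string]int{} // distinct destinations inside fs[lo..hi]
		lo := 0
		for hi := range fs {
			inWindow[fs[hi].Dst]++
			for fs[hi].When.Sub(fs[lo].When) > window { // shrink the window from the left
				inWindow[fs[lo].Dst]--
				if inWindow[fs[lo].Dst] == 0 { delete(inWindow, fs[lo].Dst) }
				lo++
			}
			if len(inWindow) >= threshold {
				alerts = append(alerts, Alert{Src: src, DistinctDsts: len(inWindow), WindowStart: fs[lo].When})
				break // one alert per source is enough
			}
		}
	}
	sort.Slice(alerts, func(i, j int) bool { return alerts[i].Src < alerts[j].Src })
	return alerts
}

// SampleFlows returns constructed records: a scanning host, a file server with
// ordinary fan-out, and a workstation hammering a single share.
func SampleFlows() []string {
	base := time.Date(2017, 5, 12, 9, 0, 0, 0, time.UTC)
	var lines []string
	for i := 0; i < 12; i++ { // 10.0.5.20 reaches 12 neighbours on 445 in 33 seconds
		t := base.Add(time.Duration(3*i) * time.Second)
		lines = append(lines, fmt.Sprintf("%s 10.0.5.20 10.0.5.%d 445", t.Format(time.RFC3339), 100+i))
	}
	for i := 0; i < 3; i++ { // 10.0.1.5 reaches 3 hosts on 445 over ten minutes
		t := base.Add(time.Duration(5*i) * time.Minute)
		lines = append(lines, fmt.Sprintf("%s 10.0.1.5 10.0.2.%d 445", t.Format(time.RFC3339), 10+i))
	}
	for i := 0; i < 20; i++ { // 10.0.5.21 opens 20 connections to one share: volume, not fan-out
		t := base.Add(time.Duration(i) * time.Second)
		lines = append(lines, fmt.Sprintf("%s 10.0.5.21 10.0.1.5 445", t.Format(time.RFC3339)))
	}
	return lines
}

func main() {
	flows, err := ParseFlows(SampleFlows())
	if err != nil { panic(err) }
	for _, a := range DetectFanOut(flows, 445, 10, time.Minute) {
		fmt.Printf("ALERT %s reached %d distinct hosts on 445 within one minute, starting %s\n",
			a.Src, a.DistinctDsts, a.WindowStart.Format(time.RFC3339))
	}
}
```

With the constructed data, only 10.0.5.20 is flagged: the file server touches too few hosts and the workstation is noisy but talks to one destination. The threshold and window are starting points, not answers. Vulnerability scanners, backup servers and domain controllers legitimately fan out and need an allowlist, and the same logic applied to RDP (3389) or WinRM (5985) catches the hands-on movement of a double-extortion intruder rather than a worm. The gap between normal and malicious is wide, since a worm reaches hundreds of hosts a minute, so tuning for a low false-positive rate costs little detection.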
The RaaS era is why any organization is a target. When the crime is rented and the operator pool is large, attackers are no longer selective. Volume, not interest, decides who gets hit.
The bottom line
Ransomware started in 1989 as a single biologist's floppy-disk experiment with breakable encryption and a traceable PO box. Its history is the story of attackers closing each of those gaps: unbreakable RSA encryption in the 2000s, anonymous Bitcoin payment with CryptoLocker in 2013, internet-scale self-propagation with WannaCry in 2017, backup-proof double extortion with Maze in 2019, and a rentable criminal industry with the rise of RaaS. The core extortion idea is unchanged after more than thirty years. What changed is that it now works at scale, against anyone, and survives the backups that used to be the answer. For defenders, the response follows the same timeline: isolated backups, aggressive patching, and early detection of the intrusion before encryption ever fires.
Frequently Asked Questions
What was the first ransomware?
The first ransomware on record is the AIDS Trojan, also called the PC Cyborg Trojan, released in 1989 by Dr. Joseph Popp. It was distributed on roughly 20,000 floppy disks mailed to attendees of a World Health Organization AIDS conference, and it demanded $189 sent to a PO box in Panama to restore access to the files it had locked.
When did ransomware become a major threat?
Ransomware became a serious, scalable threat in 2013 with CryptoLocker. It combined AES file encryption, with the AES keys protected by a per-victim 2048-bit RSA key pair whose private half never left the operators' server, and Bitcoin payment that operators could not easily be traced through. That pairing of encryption victims could not break and hard-to-trace money is what turned ransomware from an occasional nuisance into a repeatable, profitable crime.
What was the WannaCry ransomware attack?
WannaCry was a ransomware worm that spread to more than 200,000 machines across roughly 150 countries in May 2017. It used EternalBlue, a leaked exploit for a Windows SMB vulnerability, to self-propagate to unpatched systems without any user interaction. A patch for the flaw existed before the outbreak, so the damage came largely from systems that had not been updated.
What is double extortion in ransomware?
Double extortion is a tactic, pioneered by the Maze group in late 2019, where attackers steal a victim's sensitive data before encrypting it and threaten to publish it on a public leak site if the ransom is not paid. It defeats the backup defense, because restoring files does nothing about data the attacker has already exfiltrated.
What is ransomware-as-a-service (RaaS)?
Ransomware-as-a-service is a business model in which a core group develops the ransomware, leak site, and payment infrastructure and rents the kit to affiliates, who carry out the intrusions and split the profits. It removed the need to write malware to deploy it, which widened the pool of attackers and drove the surge in ransomware attacks from around 2020 onward.
How has ransomware changed since 1989?
The core extortion model, lock the data and charge to release it, has stayed the same since the AIDS Trojan in 1989. What changed is everything that made it scale: encryption went from breakable to unbreakable, payment went from a traceable PO box to anonymous cryptocurrency, distribution went from mailed disks to email, worms, and network intrusion, and the crime itself became a rentable service that anyone can operate.