The history of Ransomware: A supervillain 30 years in the making

Ransomware: a supervillain 30 years in the making

Unlike other supervillains, Ransomware had no defining life event which set him on a path of evil and criminality. On the contrary, Ransomware was a bad actor from the very moment he was conceived… 

The early years

Harvard-educated evolutionary biologist Dr. Joseph Popp was an eccentric figure whose varied career included a 15-year stint studying hamadryas baboons in East Africa, creating a butterfly sanctuary in upstate New York and self-publishing Popular Evolution, a controversial book that argued humanity’s only purpose is “maximizing reproductive success”. But above and beyond these accomplishments, Dr. Popp is best known as the father of ransomware.

Ransomware was born in December 1989. Excited to introduce the world to his son, Dr. Popp sent Ransomware, via 20,000 infected floppy disks, to delegates who had attended the World Health Organization’s international AIDS conference in Stockholm. The disks contained malicious code that hid file directories, locked file names and demanded victims send $189 to a PO Box in Panama if they wished to restore access to their data.

Less than two weeks after the attack, Dr. Popp attracted the attention of authorities during an incident at Schiphol airport, Amsterdam. Shortly after, the father of Ransomware was arrested at his parents’ home in Ohio and extradited to Britain, where he faced 10 charges of blackmail and criminal damage.

Dr. Popp exhibited increasingly strange behavior while awaiting trial. He took to wearing condoms on his nose and putting curlers in his beard to ward off radiation. In November 1991, Judge Geoffrey Rivlin deemed Popp unfit to stand trial and the case was thrown out.

After a tumultuous start to life, Ransomware lived out the rest of his childhood in relative peace. He had been born with symmetric cryptography that could easily be decrypted, which meant he didn’t pose a serious threat and was able to stay out of trouble.

However, storm clouds were on the horizon. In 1996, two cryptographers, Adam L. Young and Moti M. Yung, warned the world that Ransomware would one day grow up and learn of asymmetric cryptography, which would inevitably transform his natural file-locking abilities into world-changing superpowers. Ransomware’s fate had been written. It was only a matter of time.

A destructive teenager

Almost two decades later, Ransomware emerged more powerful than anyone could have anticipated.

In 2006, Ransomware assumed the name Archiveus and carried out sophisticated attacks on PCs around the world. Archiveus encrypted all files in the “My Documents” folder and instructed victims to make purchases on specific websites if they wanted to receive the decryption password.

Emboldened by his success, Ransomware carried out a string of attacks under various monikers, including GPcode, Krotten, Cryzip and many others. Just as Young and Yung had predicted, Ransomware had harnessed the power of RSA encryption, a form of public-key cryptography that was, at the time, extremely difficult to crack.

The arrival of Bitcoin in 2008 added fuel to the fire. The decentralized cryptocurrency provided a whole new system for transferring money – and a new way for Ransomware to extort people. The widespread adoption and pseudo-anonymity of Bitcoin enabled Ransomware to roll out larger attacks and quickly launder his ill-gotten gains, which got even easier in the years ahead as more cryptocurrencies hit the scene. But Ransomware would soon meet a worthy opponent…

Ransomware meets his match

In 2012, caped slippered crusader Fabian Wosar came face to face with Ransomware for the first time while helping victims of the ACCDFISA virus recover their encrypted files. Wosar, a fiercely private man with a penchant for polar bears, quickly became obsessed with Ransomware and began working tirelessly to create decryption tools that would help the victims of Ransomware retrieve their files for free. Little did Wosar know that he would go on to become one of Earth’s greatest hopes in the battle against Ransomware.

Fabian Wosar Emsisoft

A few years later, another unexpected ally entered the fray. Michael Gillespie, a self-effacing technician working at a computer repair store, encountered Ransomware while helping a customer who had been hit with TeslaCrypt. Like Wosar, Gillespie became infatuated with Ransomware and began learning everything he could about the notorious supervillain. Computer repair technician by day, crime-fighting superhero by night, Gillespie would become the world’s most prolific creator of Ransomware decryptors and later receive recognition from the FBI for his efforts.

A global supervillain

Despite the best efforts of Wosar, Gillespie, the No More Ransom project and all the other people fighting on the side of good, Ransomware continued to terrorize the people of Earth as he evolved into a global supervillain. Schools, universities, hospitals, police departments, government agencies and everyday citizens – no one was safe.

In 2016, Ransomware donned the mask of SamSam and stole $6 million from unsuspecting victims across the globe. A year later, Ransomware’s focus shifted from profiteering to wanton destruction when he assumed the form of NotPetya, an explosive strain that was unable to reverse its own encryption and simply destroyed the data on the infected machine. According to the White House, NotPetya caused more than $10 billion in total damages.

In 2017, Ransomware went by the name of WannaCry, infecting more than 230,000 computers in 150 countries around the world. The attack was eventually stopped by the actions of another slipper-wearing superhero, British researcher Marcus Hutchins.

By 2019, Ransomware was already rich beyond his wildest dreams, but his greed knew no bounds. In the pursuit of ever-larger payloads, Ransomware grew more brazen and began going after bigger and bigger targets. Businesses, MSPs and government agencies across the United States fell one after the other as Ransomware assumed the personas of Ryuk, RobbinHood, STOP, Sodinokibi and others.

Ransomware’s 30th birthday

December 2019 marks Ransomware’s 30th birthday, but few will be celebrating the occasion. Instead, as Ransomware blows out the candles on his cake, alone in his lair, many will be pondering what the supervillain is plotting next.

Protect your device with Emsisoft Anti-Malware.

Did your antivirus let you down? We won’t. Download your free trial of Emsisoft Anti-Malware and see for yourself. Start free trial

Experts predict that Ransomware will continue to grow his arsenal, arming himself with tools – keyloggers, backdoors, droppers – to expand his functionality. At the same time, it’s expected that Ransomware will become increasingly pickier about his victims, eschewing small-time marks in favor of bigger, juicier targets. And as daily life becomes increasingly connected through the IoT, organizations will have to work hard to prevent Ransomware weaseling his way into their systems.



Writer. A picture is worth a thousand words but unfortunately I can't draw. The world of IT security has always fascinated me and I love playing a small role in helping the good guys combat malware.

What to read next