The History of Ransomware: 35 Years of Digital Devastation

Cisco Talos, Cisco’s threat intelligence and research division, has published a new essay tracing the history, present state, and future of ransomware, highlighting its costly legacy. The story begins years before the internet became widely accessible.

In December 1989, someone mailed floppy disks to 20,000 recipients. As with many modern cyberattacks, the lure tied into a major news topic of the time — the disks claimed to contain software that could determine whether the user was at risk of developing AIDS.

Instead, the program locked the user’s computer and displayed a message demanding payment by check to a post office box in Panama.

The total sum extorted by the “AIDS Trojan” is not fully known, but the author was identified, arrested and imprisoned for several years; he has since died. Over the decades since, however, the legacy of that early work has generated enormous costs.

During 2023 alone, criminal groups and individuals reportedly collected more than ten billion Swedish kronor in ransom payments, according to a report from law firm Fisher Phillips. The financial impact on targeted organizations, however, extends far beyond the ransom amounts.

“Ransomware is not merely a financial crime. The true costs far exceed the ransom itself. Affected organizations face lost revenue, extensive recovery expenses and reputational damage that can be impossible to fully repair. For individuals, the consequences often include stress, anxiety and the loss of irreplaceable personal data and memories,” says Henrik Bergqvist, cybersecurity expert at Cisco Sweden.

Large-scale disruptions

While early attackers sometimes targeted individuals, contemporary ransomware operators focus overwhelmingly on companies and organizations where potential payouts are greater.

In recent years, large ransomware incidents have disrupted Swedish businesses, public services and citizens’ daily lives. In the summer of 2021 the Coop grocery chain was forced to close many stores for several days after an attack. In the winter of 2023 the Church of Sweden’s IT systems were down for weeks, forcing cancellations of funerals. Municipalities and regional authorities have also been hit repeatedly.

In January this year, a ransomware attack targeted a major Nordic IT provider, disrupting services for many of the provider’s customers.


The first “modern” large-scale ransomware attack can be traced back about 20 years, to December 2004, when Russian recipients received an email presenting a supposed job offer that instead delivered malware which encrypted system files.

Although the criminal activity has professionalized — actors now operate more organized infrastructures and use cryptocurrencies to hide transactions — many of the tactics and lures remain similar to those used in the early days of ransomware.

“People are people, and cybercriminals have long been adept at tricking victims into clicking things they shouldn’t, exploiting world events, celebrities, fears and hopes. High-profile incidents often follow extensive reconnaissance, where attackers map individuals’ social media presence. The rapid progress of AI and deepfake technology makes it easier and faster to create highly convincing, personalized lures,” Bergqvist explains.

At the same time, defenses are evolving. New and improved security tools, increasingly AI-enhanced, shorten detection times, and more resilient IT architectures can limit damage so that many attacks fail to achieve their goals.

Law enforcement, intelligence agencies and regulatory bodies maintain effective international cooperation to track and dismantle prominent cybercrime groups. Still, to prevent ransomware from remaining a persistent problem for decades to come, sustained effort across multiple fronts is required.

“There is no quick fix. You must work systematically across many areas to reduce ransomware’s appeal: patch vulnerable software faster, improve backup practices, and be more open and transparent after incidents. The underreporting of ransomware remains significant; the more information that’s shared, the better we can respond, raise awareness and increase overall resilience,” says Henrik Bergqvist.