Ransomware has been around for 35 years, with the first known case involving the AIDS Trojan. This malware was spread using physical disks, pretending to be software to assess people’s risk of developing AIDS.

Since then, ransomware has become a major cyber threat, with up to 150 attacks reported each year in the Netherlands, according to Cyberveilig Nederland’s Ransomware Year in Review.

Considering geopolitical developments, Jan Heijdra, field chief technology officer: security at Cisco, predicts an increase in ransomware incidents.

The Evolution of Ransomware Over the Years

In the pre-internet era, spreading malware like the AIDS Trojan and collecting payments proved challenging. Today, networked computers have made ransomware a significant criminal enterprise.

Key developments include:

  • 1989: The first ransomware attack occurred with the AIDS Trojan, distributed via disks.
  • 1996: Researchers at Columbia University simulated “cryptovirus extortion,” introducing mechanisms for paying ransoms to unlock files. This also sparked the development of antivirus software and system backups.
  • 2004: The first criminal ransomware, GPCode, was shared via email disguised as a job application. It scanned victims’ computers and encrypted files. At the time, attackers struggled to collect ransoms without revealing their identities.
  • 2013: The advent of cryptocurrencies like Bitcoin provided criminals with an anonymous payment method. CryptoLocker ransomware was one of the first successful examples, marking the beginning of a professional criminal ecosystem with specialised ransomware providers.
  • 2016: SamSam introduced targeted attacks demanding larger sums. Combining hacking techniques with ransomware changed the cybercrime landscape. Criminals began prioritising specific sectors like healthcare, government, and industry.
  • 2019: Maze pioneered “double extortion,” combining data encryption with data theft. Victims paid not only for a decryption key but also to prevent public disclosure of sensitive information.

Triple Extortion and the Current Landscape

The IT landscape in 2025 is far more advanced than in 1989 or 2004. Groups like Conti now operate as professional businesses, complete with support services, help desks, and “customer service” for victims.

According to Heijdra, organisations are now extorted in three ways:

  • Decryption Keys: Paying to regain access to locked files.
  • Data Threats: Paying to prevent stolen data from being leaked.
  • Compliance Threats: Paying to stop attackers from reporting breaches to regulatory authorities.

“Reports from Cyberveilig Nederland and the NCSC indicate that approximately 150 organisations fell victim to ransomware in 2023. Criminals now even threaten to report data breaches to compliance auditors,” explains Heijdra. “This adds pressure on companies to pay, but doing so funds future attacks.”

The Shift to Mobile Ransomware

Fortunately, organisations have better tools to defend against attacks, leveraging AI to mitigate vulnerabilities. Improved software engineering and patching make it harder for ransomware to infect systems. However, humans remain the weakest link in cybersecurity.

“Our reliance on devices makes disruption easier to cause. I foresee a rise in mobile ransomware, as smartphones are often underprotected,” warns Heijdra. “Still, we’re not powerless. Defences and enforcement are improving. Last year, with the Dutch police, we dismantled the Babuk ransomware network. Cisco Talos’ threat intelligence enabled the police to take down the gang.”

Looking Ahead: Collaboration and Hope

Heijdra believes ransomware is unlikely to disappear, given its lucrative business model. New techniques will emerge to improve criminal operations and evade detection. However, collaboration offers hope. Initiatives like Europol’s No More Ransom Project and partnerships between security companies make it increasingly difficult for ransomware gangs to operate.

For example, Cisco and Cohesity strengthen data protection and help organisations recover quickly after attacks, minimising damage. Through faster detection, better patching, and advanced forensic tools, security firms can stay ahead of criminals.