As we discussed in Ransomware, a timeline of destruction Part I, while ransomware has its origins in the late 1980s, it didn’t become cybercriminals’ attack method of choice until the mid-2000s. In the process, the variants, costs, and human impact grew, from a small group of disgruntled victims to a seemingly endless global network of individuals, businesses, and governments, all extorted with reckless disregard. Below we’ll place some of the most impactful ransomware events on the timeline and illustrate how this rise categorically altered how the IT community manages the threat of ransomware attacks.

2006 and the new era of ransomware
Bringing encryption into the attack game, the Archiveus Trojan used asymmetric RSA encryption to rain terror down on users’ entire My Documents directory, eventually demanding they purchase a 30-number passcode from a ‘legitimate’ online pharmacy. With this, the wave began in earnest. In the coming years, ransomware evolved into diverse variants designed to extort as much as possible from every victim.

2011-2014: Ransomware reaches a boiling point
In 2011, the extent and complexities of ransomware attacks reached a boiling point. With nearly 60,000 new variants detected in the third quarter alone, trends were becoming facts on the ground. By the next year over 200,000 new ransomware forms were reported; by 2014 that number was closer to 500,000. No longer could ransomware be grouped as an undetermined cyber threat. After 2012, ransomware spread worldwide, infecting systems and transforming into more sophisticated attacks. By the early 2010s ransomware had become a certifiable epidemic, impacting individuals, businesses, and assets on a global scale. By the end of 2012, ransomware attacks generated a black market value of $5 million. But this just skims the surface. From the rise of cryptocurrencies to even more new variants, by 2012 ransomware’s rise to the top of cyber threats had taken on new urgency.

2015: CryptoWall, Cryakl, Scatter, Mor, CTB-Locker, and the list continues
According to Kaspersky’s SecureList, the destruction imparted by 7 core ransomware types in 2015 accounted for 77.48% of all users attacked with crypto-ransomware during the period. While the total quantity and financial cost of ransomware had risen significantly during this period, we find that most of the losses were concentrated in a few highly complex and broadly distributed variants. Specifically, CTB-Locker, Scatter, and Cryakl caused 79.21% of crypto-ransomware requests over this period. Even more impactful than the elevation of these new attack verticals, late 2015 also saw the rise of GPCoder, widely considered to be the first modern ransomware spread via email attachments.

2016: Municipalities under attack
Extorting maximum payouts from vulnerable institutions and municipalities highlighted the tactics of ransomware attacks in 2016. In November, the San Francisco transportation system faced a massive server and workstation-focused attack which infected over 2,000 computers, mitigated ride fees for days, and pushed for a then lofty demand of 100 Bitcoins (oh, those were the good old days). By seizing data and crippling internal payment systems, cybercriminals “used freeware and open source tools to encrypt hard drives and network-shared files, and overwrite the master boot record (MBR) on infected computers.”

2017: WannaCry and the Petya Family of Attacks
In May of 2017, the WannaCry attack, which targeted Windows operating systems, encrypting data and demanding bitcoin payment, infected upwards of 200,000 computers across over 140 countries in mere days. The resulting losses for enterprise and government customers exceeded $1 billion. Around the same time, the Petya family of ransomware variants also began its onslaught against international financial institutions, with infections reported in Russia, Ukraine, France, Germany, Italy, Poland, the UK, and the US.

2018: SamSam
Identified by the US Cybersecurity Awareness System in December of 2018, the SamSam ransomware attack had been hijacking data and extorting victims across the United States since at least 2016. It exploited Windows servers to gain persistent access to a victim’s network and infect all reachable hosts. SamSam’s elegance lay in its ability to “escalate privileges for administrator rights, drop malware onto the server, and run an executable file, all without victims’ action or authorization.” Where in the past a ransomware attack required a victim to click a link and activate the process, SamSam allowed malicious cyber actors to infect victims with minimal detection.

2019: Hospitals enter the Crosshairs
According to a report from CBS News, 2019 saw 621 hospitals and local institutions targeted, costing an estimated $186 million in downtime. To put a more personal touch on the data loss, the attacks on hospitals also resulted in countless canceled operations and private data seized at will. From the city of Albany giving in to nearly $300,000 in ransom demands to health centers in Alabama refusing new clients, the impact of ransomware on medical institutions came into its own in 2019.

2020: $20 billion in global costs linked to ransomware attacks
If 2006 was the year ransomware became a threat the cyber community began taking seriously, 2020 was the year when the rest of the world took notice. In cost alone, 2020 saw a rise to US$20 billion, a notable increase from $11.5 billion in 2019 and $8 billion in 2018. More than any individual event, 2020 saw a 485% increase in ransomware attacks worldwide. Ranging from SMBs and enterprise customers to multinational institutions and governments, ransomware in 2020 hit the big time on a scale and scope never previously imagined. No sector was safe and, with the range of variants and vulnerabilities attacked, the threat of ransomware in 2020 shadowed the COVID epidemic in its wholesale destruction. “According to the H2 2020 Fortinet Global Threat Landscape Report, by the end of 2020, there were as many as 17,200 devices reporting ransomware each day. Moreover, ransomware revenue in 2020 grew by 311% from 2019 to reach an estimated $350 million, according to a Chainalysis report.”

2021: Critical infrastructure
On May 7, the Colonial Pipeline Company announced it was the victim of a ransomware attack that immobilized its pipeline, responsible for moving 2.5 million barrels a day of gasoline, diesel, and heating oil across nearly 5,500 miles of pipe across the United States. While this attack, for many, reflected a newfound focus on, and the vulnerability of, critical infrastructure, its direct impact could be felt at the pump less than a week later. According to ReCode, “Five days after the hack was announced, the national average price for a gallon of regular gas had pushed past $3 for the first time since 2014.” For Colonial, who paid the ransom, the costs were also very steep: $4.4 million worth of bitcoin.

Key Takeaways
- Ransomware demands have grown from a mere $189 per victim to an estimated $20 billion total cost by 2020
- 2020 saw a 485% increase in ransomware attacks
- Ransomware attacks target diverse industries, with a significant focus on healthcare, municipalities, and professional services
- Attackers are increasingly using off-the-shelf and Ransomware-as-a-Service products, increasing the scale and scope of potential attacks.
To learn more about the risk of ransomware, check out our recent article “Three Things That Amplify The Threat Of Ransomware And How To Combat Them.”