The Evolution of Ransomware – Key Moments

Dragos Gavrilut

February 03, 2026

The year was 1989. There was no cloud, no cryptocurrency, and no global cybercrime economy—just a malicious program quietly waiting to lock its victim out of their own system. 

More than three decades later, the technology, attack methods, and scalability of ransomware have changed dramatically. What began as a crude experiment has evolved into one of the most lucrative and disruptive forms of cybercrime worldwide.
Yet the core idea remains the same: deny access, demand payment, and exploit urgency and fear.

As defenses improve and digital environments grow more complex, ransomware continues to adapt—driven by profit, automation, and an ever-expanding attack surface. 

To understand how ransomware became the dominant threat it is today, it’s worth going back to the very beginning.

The First Ransomware

The first known ransomware attack is commonly referred to as the AIDS Trojan, or PC Cyborg virus. Distributed in 1989 by mail, the malware was hidden on floppy disks sent to more than 20,000 attendees of the World Health Organization’s AIDS conference, disguised as a legitimate health questionnaire to assess AIDS risk.

Once installed, the program lay dormant until the system had been rebooted a certain number of times. It then encrypted file names on the hard drive and displayed a message demanding a payment of $189—to be sent by mail to a post office box in Panama—to restore access. 

The attack was created by Dr. Joseph Popp, an AIDS researcher who was later arrested and charged in connection with the incident. While the malware itself was primitive by modern standards and relatively easy to reverse, Popp’s experiment introduced a dangerous new concept: using encryption and system lockout as leverage for extortion. For this reason, he is often referred to as the “father of ransomware,” having laid the conceptual groundwork for a cybercrime model that would resurface years later—far more refined, automated, and devastating. 

  • Late 1980s–early 2000s: Experimental ransomware

  • 2005–2012: Screen lockers and scareware

  • 2013–2016: Crypto-ransomware emerges

  • 2017–present: Enterprise ransomware and extortion

We discussed this evolution in detail on a recent episode of the Bitdefender podcast CYBERCRIME: From the Frontline.

Now, let's explore the key moments in ransomware’s evolution.

Screen Lockers: Ransomware’s First Iteration 

Screen Locker v1.0 

The earliest forms of ransomware relied on a simple tactic: blocking access to the system itself. Known as screen lockers, these attacks prevented users from interacting with their computers and displayed a message explaining that access had been restricted until a fee was paid. 

In practice, these early attempts offered attackers very little leverage. The data itself remained intact, and for most organizations, a quick call to IT was enough to remove the malware and restore access. Victims quickly realized that the threat was more of an inconvenience than a crisis—and without real pressure, there was little incentive to pay. 

Screen Locker v2.0: “Police Locker” Attacks 

To increase their odds of success, attackers shifted from technical obstruction to psychological manipulation. The next evolution—often referred to as Police Locker ransomware—displayed messages impersonating law enforcement agencies. Victims were accused of illegal or socially taboo activity and warned of fines or even jail time unless payment was made immediately. 

This approach proved more effective, not because the malware was harder to remove, but because it discouraged victims from seeking help. Fear, embarrassment, and urgency became tools of extortion. Still, once security teams and vendors developed reliable removal tools, these attacks lost their effectiveness—forcing threat actors to pursue a far more powerful form of leverage. 

The next shift marked the true turning point in ransomware’s evolution. 

The Encryption Era: When Ransomware Became a Business 

From Lockout to Encryption 

Attackers soon realized that denying access to data—not just the screen—created far more pressure. By encrypting files using readily available cryptographic libraries, ransomware authors could render documents, databases, and entire systems unusable. Recovery was no longer a simple cleanup task; without a working decryption key, organizations faced prolonged downtime, data loss, and operational paralysis. Paying the ransom increasingly appeared to be the fastest path back to business continuity. 

At the same time, a critical enabler emerged: cryptocurrency. Pseudonymous and privacy-enhancing cryptocurrencies—beginning with Bitcoin—made it possible for attackers to demand payment at scale, across borders, with far less risk of identification.

This combination—strong encryption paired with anonymous, frictionless payments—fundamentally changed what ransomware could be. What had once been an experimental nuisance became a viable, repeatable, and highly profitable criminal business model. 

From Consumers to Enterprises

Early ransomware campaigns largely targeted individuals, encrypting personal files such as photos or documents in exchange for relatively small payments. But attackers quickly recognized a far more lucrative opportunity. Organizations—with mission-critical systems, customer databases, intellectual property, and revenue-generating operations—had far more at stake. 

A single successful attack against an enterprise could yield a payout larger than the combined value of hundreds or even thousands of consumer infections. As a result, ransomware evolved from opportunistic mass campaigns into targeted, carefully planned intrusions against corporate environments. As ransomware moved into the enterprise, it became more deliberate—and more profitable.  

This also incentivized the rapid development of the RaaS (Ransomware-as-a-Service) business model.  

Cryptocurrency and Ransomware-as-a-Service (RaaS) 

The combination of trace-resistant cryptocurrency payments and the emergence of Ransomware-as-a-Service (RaaS) transformed ransomware from isolated campaigns into a full-fledged criminal ecosystem.

Cryptocurrency removed many of the traditional risks associated with extortion payments, while RaaS platforms lowered the technical barrier to entry. Skilled developers focused on building and maintaining ransomware tools, while affiliates—often with little technical expertise—handled distribution and intrusion in exchange for a share of the profits. 

This model enabled rapid scaling. Ransomware operators could launch global campaigns, iterate quickly, and replace disrupted affiliates with ease. In effect, ransomware adopted the same principles as legitimate software businesses: modular development, revenue sharing, and continuous improvement. The result was an explosion in both the volume and sophistication of attacks—setting the stage for the multi-layered extortion tactics that would soon follow. 

Once ransomware scaled through the RaaS model, defenders responded at scale as well. Organizations began investing heavily in backup and recovery strategies, and cybersecurity companies like Bitdefender released a growing number of free decryptors that allowed victims to recover data without paying. 

Once again, attackers were forced to adapt. They hardened their encryption to make it more resistant to analysis and decryption—and introduced entirely new forms of leverage to increase the odds that victims felt compelled to pay. 

Escalating Leverage: Double, Triple, and Beyond 

Double Extortion 

As organizations improved backup and recovery practices, attackers needed new ways to maintain leverage. The response was double extortion. Before encrypting systems, threat actors began exfiltrating sensitive data. Most of today’s ransomware victims now face two pressure points: pay to restore access, and pay to prevent stolen data from being leaked publicly.  

Triple and Quadruple Extortion 

In some cases, extortion has expanded further, to multiple pressure points: 

  • Some attackers target a business's customers, partners, or employees directly, threatening to release their data unless the organization pays the ransom.

  • Some ransomware groups now threaten to contact regulators or media to “announce the breach” and are even beginning to cite regulatory penalties—to emphasize how it would be cheaper to pay the ransom and keep the breach quiet.

  • Other groups have layered in DDoS attacks to disrupt services during negotiations.

What began as ransomware increasingly resembles a multi-pronged coercion campaign.

AI and Ransomware: How Artificial Intelligence Is Changing the Game 

As ransomware continues to evolve, artificial intelligence has begun to play a more visible role—not just in defense, but in offense. A striking example of this trend is FunkSec, a relatively new ransomware-as-a-service (RaaS) group that surfaced in late 2024. 

FunkSec’s operators used generative AI to assist in generating their ransomware code, allowing individuals with limited coding expertise to build, refine, and deploy functional malware more rapidly than they otherwise could.  

The group’s AI-assisted code generation enabled it to produce ransomware capable of performing core functions such as encryption, system reconnaissance, and defense evasion—capabilities that would typically require more advanced programming knowledge. This highlights a troubling trend: where once only experienced developers could produce malware, now less-skilled actors can leverage AI to accelerate development and experimentation within the RaaS ecosystem. 

While AI does not eliminate the need for initial access brokers, infrastructure, or operational discipline, it significantly lowers the barrier to entry—allowing less-experienced actors to participate meaningfully in ransomware operations. 

The Future: From Ransomware to Extortionware 

Today, some ransomware groups are experimenting with skipping encryption entirely. If data exfiltration alone is enough to force payment, why risk detection by deploying an encryptor? Some campaigns are now akin to fast “smash-and-grab” operations: they steal data and exit as soon as they are discovered, taking whatever they have had time to get. 

At the same time, ransomware itself continues to evolve in numerous ways:

  • Faster encryption as attackers partially encrypt files rather than entire datasets

  • Hybrid cryptography, as threat actors combine symmetric and asymmetric encryption

  • Cross-platform development, where ransomware developers use languages like Rust

  • Early experimentation with post-quantum cryptography as threat actors look to design what might resist future decryption capabilities
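Partial (intermittent) encryption defeats the naive “whole file looks random” check that backup and incident-response tooling often relies on, because most of the file still looks like ordinary data. The following added example (illustrative code, not from the original post or from Bitdefender) scores fixed-size windows of a file by Shannon entropy and flags files that mix encrypted-looking and ordinary windows; the window size and the entropy thresholds are assumptions to tune per file type, and the sample files are constructed.

```python
import hashlib
import math
from collections import Counter

WINDOW = 1024  # bytes per window (assumed; tune to the files you protect)
HIGH = 7.5     # bits/byte at or above which a window looks encrypted (assumed threshold)
LOW = 6.0      # bits/byte at or below which a window looks like ordinary data (assumed)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def window_entropies(data: bytes, window: int = WINDOW) -> list[float]:
    """Entropy of each fixed-size window; the final window may be shorter."""
    return [shannon_entropy(data[i:i + window]) for i in range(0, len(data), window)]


def classify(data: bytes) -> str:
    """Return 'plain', 'fully_encrypted' or 'partially_encrypted'.

    All windows high-entropy -> fully encrypted; a mix of high-entropy and
    ordinary windows -> the intermittent-encryption pattern. Compressed formats
    (zip, jpeg, pdf streams) are naturally high-entropy, so treat the verdict as a
    triage signal to combine with file type and rename/rewrite telemetry.
    """
    ents = window_entropies(data)
    if not ents:
        return "plain"
    if all(e >= HIGH for e in ents):
        return "fully_encrypted"
    if any(e >= HIGH for e in ents) and any(e <= LOW for e in ents):
        return "partially_encrypted"
    return "plain"


# Constructed sample inputs (not real files): SHA-256 chaining stands in for ciphertext.
def _ciphertext_like(n: int, seed: bytes = b"constructed") -> bytes:
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def _plain_like(n: int) -> bytes:
    sentence = b"Quarterly revenue report: regional totals and notes for the board. "
    return (sentence * (n // len(sentence) + 1))[:n]


PLAIN_FILE = _plain_like(4 * WINDOW)
ENCRYPTED_FILE = _ciphertext_like(4 * WINDOW)
# Intermittent pattern: two ordinary windows, one encrypted window, repeated.
PARTIAL_FILE = (_plain_like(2 * WINDOW) + _ciphertext_like(WINDOW, b"a")
                + _plain_like(2 * WINDOW) + _ciphertext_like(WINDOW, b"b"))
```

Note that the whole-file entropy of the partially encrypted sample stays well below the “encrypted” threshold, which is exactly why a single whole-file score misses this pattern.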

Looking back, the evolution of ransomware is not simply a story of advancing technology—it is a story of leverage. Each major shift, from screen lockers to encryption, from cryptocurrency payments to RaaS, from data theft to AI-assisted development, reflects threat actors responding to defensive progress. When one pressure point weakens, another is introduced.

The tactics change, but the objective remains constant: force victims into a decision under urgency, uncertainty, and risk. As long as attackers can reliably create that leverage, ransomware—and its successors—will continue to evolve. 

Final Thoughts on the Evolution of Ransomware

The future of ransomware looks less like traditional ransomware and more like extortionware—a flexible, adaptive business model optimized for pressure, speed, and profit. Cybercriminals will continue launching ransomware attacks, regardless of how they change, because there is too much money to be made. 

Right now, we believe the most cost-effective approach to ransomware is to narrow the pathways into your organization to reduce the chance of a successful attack, or to subscribe to a security service that handles that for you.  

For much more on the evolution of ransomware and what our Bitdefender experts are seeing, watch our recent ransomware episode of CYBERCRIME: From the Frontline.

Author


Dragos Gavrilut

Dragoș Gavriluț is Vice President of Threat Research at Bitdefender, managing a team of 180+ people that develop heuristic detections, cloud-based services, system testing services, disinfection routines, event correlation algorithms, data mining, IOT research, EDR & XDR technology, sandbox technology, cyber security analysis, software appliances, exploits and network traffic analysis. He is also a lecturer at the Alexandru Ioan Cuza University of Iași, where he received his Ph.D. in 2012. He received his B.Sc. and M.Sc. in computer science from the same university.
