Ransomware – key milestones and major players

At the turn of the century, ransomware barely registered on the Richter scale of threats posed to global business operations. Today, it is potentially one of the most devastating to both multinational corporations and SMEs alike.

Much has been made of the recent surge in ransomware attacks. In February, I wrote that I expected them to remain a considerable challenge this year and for the foreseeable future. It was a safe bet given that ransomware gangs made at least $350 million in 2020, a 331% increase over payments recorded in 2019. However, in the last six months, ransomware has arguably become an even greater concern. US Colonial Pipeline, Kaseya, JBS, the Irish Health Service and the Houston Rockets, are just some of major organisations to have fallen foul of cybercriminals demanding a ransom in 2021. There is currently a lot of debate in the media about whether criminalising ransomware payments and clamping down on the cyber insurance industry can help stem the flow.

Whatever the root cause, the fact remains that there is now an established, dynamic, and highly skilled network of cybercriminals conducting ransomware operations to devastating effect. In this blog, we will look at a few of the major players in the ransomware ecosystem and some of the key events that have driven its rapid growth.

A perfect storm

Before exploring the main actors that are fuelling the spike in ransomware, it’s worth understanding how the threat has developed over time, from the first recorded attack to the emergence of cryptocurrency, the Ransomware-as-a-Service model, and the creation of a perfect storm for rampant worldwide cybercrime.

The first known ransomware attack, referred to as AIDS Trojan or PC Cyborg, was recorded in 1989 when an AIDS researcher gave out 20,000 floppy disks infected with malware to those attending the World Health Organisation’s AIDS conference. While the malware itself was weak, and easily removable with decryption software, the attack set the stage for the next 30 years of ransomware.

Since then, cybercrime has snowballed as hackers discovered new, innovative means to breach security measures, aided by the dawn of the internet and an increasingly digitally connected society.  In 2008, the arrival of Bitcoin was a major paradigm shift, which handed the advantage to cybercriminals. Now, they had a means of receiving payment in a decentralised currency, emboldening them to go even further in their efforts to exploit new victims, safe in the knowledge that their illicit activity will (most likely) go undetected.

Nowadays, there are also a host of Ransomware-as-a-Service (RaaS) type offerings that can provide non-technical criminals with the ability to conduct ransomware operations without the need to attain hacking skills or learn how to create malware. This evolution in modern ransomware highlights the business opportunities that it now presents.

The events of the last three decades have undoubtedly created fertile ground for cybercrime, which has given rise to several notorious ransomware gangs, operating as large, distributed businesses, complete with call centres to handle ransom payments. But who are the shady figures that operate in these groups?


Nation state actors and advanced persistent threats (APTs) are widely recognised to have elevated cyber hostilities over the last few years; so much so that cyber warfare has almost become an accepted norm. The SolarWinds incident at the end of 2020 exposed the extent of cyber espionage being conducted by nation state actors and sent shockwaves through the international community. Recent talks between US President Joe Biden and Russia’s Prime Minister, Vladimir Putin, centred around which critical national infrastructure should be considered off limits to cyber-attacks.

Looking specifically at ransomware, nation states are often also linked to many of the most active gangs. For instance, REvil, the Russia-backed group which mysteriously disappeared from the internet this week, is believed to be responsible for the ransomware attacks on JBS and Kaseya, while DarkSide, the ransomware gang linked with the US Colonial Pipeline attack is also allegedly supported by Russian intelligence units.

According to BlackFog’s 2021 State of Ransomware Report, some of the other most active groups include Wizard Spider (aka Conti), FANCYCAT (CLOP) and Egregor. However, there is certainly no shortage of gangs who will, with increased aggression, steal and leak an organisation’s data if they don’t receive a ransom.

In today’s modern world, the cyber threat landscape continues to grow more complex and sophisticated. Attacks and breaches are inevitable, and no organisation wants to be faced with deciding between paying a ransom or losing important data. Cybersecurity has never been more critical.

At Babel, we’re proud to work with some of the businesses at the forefront of cybersecurity. Our expertise in building and implementing impactful campaigns on behalf of our security clients is unmatched. As we exit lockdown, businesses will need to start assessing security posture and consider their options. If you’d be interested in learning how an integrated PR and communications programme can help you be a part of those conversations, we’d love to hear from you.

In the meantime, check out a recording of our #BabelTalks event on the impact of COVID-19 on the cybersecurity landscape. The panel discussion features the CEO of the UK National Cyber Security Centre, Ciaran Martin, and New York Times Cybersecurity Reporter, Nicole Perlroth. You can also download our whitepaper on creating meaningful commentary in an industry full of FUD here.

Written by

Senior Campaign Director

Welcome to Babel
winning B2B technology PR.
We understand your business. We create compelling content. We always deliver.