Cisco Talos, Cisco's threat intelligence and research division, explores the costly backstory of ransomware in a new essay on the past, present, and future, beginning years before the internet became available to the general public.
In December 1989, a person mailed letters containing floppy disks to 20,000 recipients, and just like many of today's cyberattacks, the lure was linked to one of the big news events of the time – the floppy disks were said to contain new software that could determine whether the user was at risk of developing AIDS.
But the program instead locked the user's computer and generated a message asking them to send the ransom via check to a post office box in Panama.
How much money”The AIDS Trojan"Drawn in" does not tell the story, but the author was identified and arrested, and spent a number of years in prison. Today he is deceased. But in the decades that have passed since then, the legacy of his work has cost enormous sums.
In 2023 alone, criminal groups and individuals were reported to have collected more than ten billion kronor in ransoms using ransomware, according to a report from the law firm Fisher Phillips. And the costs to the businesses affected are far greater than that.
"Ransomware is not just a financial crime and the costs are much greater than the ransom. The costs to an affected business, both in lost revenue and in restoring the damage, can be enormous, and of course there is also the risk that the business will lose trust with customers or the public, and this is damage that may be impossible to repair. For private individuals who are affected, it often means stress and anxiety, and in many cases invaluable private data and memories are lost," says Henrik Bergqvist, cybersecurity expert at Cisco Sweden.
Large-scale disruptions
From targeting individuals, attackers are now almost entirely focused on companies and organizations – because there is more money to be made there.
In recent years, several large-scale ransomware attacks have also affected Swedish businesses, public services and citizens' everyday lives. The retail chain Coop was forced to close many stores for several days in the summer of 2021 after being hit by an attack. The Church of Sweden's IT system was down for weeks in the winter of 2023, which led to funerals having to be cancelled, and municipalities and regions have been repeatedly targeted.
In January this year, a ransomware-attack room against a large Nordic IT provider which disrupted the operations of many of the company's customers.

The first “modern” large-scale ransomware attack can be traced 20 years ago, in December 2004, Russian individuals received an email with what was said to be a job offer but instead contained malicious software that encrypted the computer's system files.
Although criminal activity has become more professional, and criminals today work more organized and use cryptocurrencies to stay hidden from authorities, the methodology and lures are still similar to those used at the beginning of the ransomware story.
“People are people and cybercriminals "Over the years, they have been incredibly skilled at getting victims to click on something they shouldn't have clicked on, exploiting world events, celebrities and our fears and hopes. In many high-profile cases, the attack has been preceded by extensive research work where individuals have been mapped based on their presence on social media. Here, the rapid development of AI and 'deepfake technology' makes it even easier to quickly and easily produce more credible and personalized decoys," says Henrik Bergqvist.
As ransomware technology evolves, so do countermeasures. New and improved security systems – AI-enhanced too those – which shorten the time to detection, and more resilient IT systems that can limit damage, mean that many attacks do not achieve their goals.
Law enforcement, intelligence agencies and police have a well-functioning international collaboration to track down and dismantle the most prominent cybercriminal groups. But to ensure that ransomware is not still an issue that is still being debated in 35 years, continued hard work is needed.
"There is no 'quick fix', but you have to gradually work on many levels to make ransomware less attractive. Become faster at updating vulnerable software, get better at back-up, and be more open and transparent when you are attacked. The dark figures surrounding ransomware are still too large and the more information there is, the smarter and more powerful you can act and the easier it will be to increase awareness and knowledge," says Henrik Bergqvist.







