
An IT researcher stands next to a giant screen of a computer infected by ransomware at High Security Laboratory of the National Institute for Research in Computer Science and Automation in Rennes, France, on Nov. 3, 2016.
Without a doubt, ransomware has been the defining cyber threat so far in 2021. Hardly a day passes that news does not emerge of yet another attack. From major attacks against a single critical infrastructure operator with immediate real-world impacts to those that cause cascading disruptions after targeting an information technology provider — not to mention the many less publicized incidents that are more localized, but nonetheless still damaging — the threat aperture is wide and growing. In this dynamic environment, it is tempting (and often portrayed as such in the media) to see ransomware as a uniquely 21st-century problem in which criminals sitting behind computers halfway across the globe exploit society's reliance on technology. But while the cyber targets and threat vectors may be new, the underlying coercive practice of taking hostages and demanding payment dates back centuries. Looking back at how it has developed over time offers clues to how its newest incarnation, ransomware, may evolve in the coming years.
A Practice as Old as History
In classical Greece, accounts of the Trojan War, Peloponnesian War and other conflicts feature a diverse collection of city-states, professional pirates and opportunistic criminals demanding ransoms for all sorts of targets. The situation was similar in Roman times, with one notable kidnap-for-ransom victim being a young Julius Caesar, who was captured in the Aegean Sea by pirates. The main goal was and remains monetary gain, but as in contemporary times, it was also a demonstration of coercive power against one's enemies. And while people were often taken as hostages, ransoms were also placed on larger targets, including whole cities, most frequently to force an enemy's surrender.
In the European Middle Ages, the practice evolved into a somewhat formalized and contractualized ransom market developed to free those captured during war. While it has long been known that an important knight, noble or another member of a higher political or military order could be ransomed, more recent scholarship has found that the practice of ransoming foot soldiers was also pervasive. During the Hundred Years' War, for instance, even as high-profile ransoms — like the English capture of the French King John II — are most remembered today, clear rules and expectations also emerged to ransom ordinary prisoners of war. Perhaps paradoxically, ransoms were seen as proof of supposedly more civilized European chivalric culture and warfare, in comparison to more barbaric practices of slaughter or enslavement.
Moving into the early modern period, ransoms came to be used by an even greater array of actors, ranging from well-known ones like Caribbean pirates who frequently took hostages at sea to lesser-known examples like the leaders of the British East India Company both demanding and paying ransoms to exert and maintain their control of large parts of the Indian subcontinent. The practice also remained common in warfare, with opposing sides holding physical and human hostages until their enemies paid to free them.
But as war became more professionalized and the modern state system came into being in the 18th and 19th centuries, the practice of ransoming hostages slowly came to be considered the preserve of more brutish actors — a flip of its view during medieval times. Where ransoms initially had seemed more enlightened than executing prisoners or selling them into slavery, they increasingly became associated with common criminals, political extremists and others seen as outside civilized society. While states could use other, seemingly more legitimate elements of national power to coerce their enemies — and therefore had less use for ransoms — nonstate actors had fewer options beyond taking hostages to make their demands. The more this divergence grew, the more ransoms became associated with activities considered illegal and/or immoral, like criminality and terrorism.
Certainly, over the past century ransoming hostages has come to be seen as outside societal norms and typically practiced mainly by nonstate actors. Whether it be rebels in Colombia, militants in Nigeria, jihadists in the Middle East, pirates in busy global waterways, or ideologically neutral criminal kidnappers in every country, the practice is now widely considered illegitimate and even deviant. And because it has become associated with militancy, extremism and criminality, when states do use it they are seen as pariahs. Just consider the so-called "hostage diplomacy" practiced by those like China, Iran and North Korea: Even if their ransom demands are not explicit — and may involve nonmonetary compensation, such as the release of their citizens imprisoned abroad or the easing of economic sanctions — all parties involved understand that their actions are merely another manifestation of age-old ransom schemes.
Everything Old Is New Again
While cybercriminals' targets and threat vectors may exploit modern society's reliance on computer networks, they are essentially pursuing an updated version of what occurred in antiquity. To be sure, the fact that attackers can conduct these activities anonymously and remotely from perceived havens adds a modern twist, but even these characteristics have past precedent. After all, Somali pirates were able to wreak havoc on nearby shipping lanes in the mid-2000s in large part because they could operate with impunity given that their central government was unwilling and unable to stop them. Or consider the professional kidnap-for-ransom groups active in many developing countries: They operate essentially anonymously and even somewhat remotely by typically working through intermediaries to hide their true identities and locations. And all throughout history, pirates have succeeded in part by constantly staying on the move and taking advantage of their superior knowledge of local waters and permissive environments to hide from their targets.
So if today's ransomware attackers are not all that different from previous generations of ransomers, what does history suggest we might expect from ransomware going forward? To be sure, the practice of cybercriminals locking up computer networks and demanding payment seems here to stay, but, as with all coercive tactics, it will evolve. A look back through history suggests four possible adaptations that point to a much more expansive threat.
1) More Perpetrators
Today, ransomware attackers are predominantly cybercriminals, but there is no reason other actors could not take advantage of the coercive practice. It is worth noting explicitly that, unlike many other malign cyberattacks, ransomware attacks offer the advantage of directly generating revenue, which makes them attractive to a range of actors. After all, history is replete with examples of nonstate and state actors taking hostages and demanding payment, so why should future ransomware attackers be limited to a relatively small number of technically proficient criminals? Already, cheap and user-friendly ransomware-as-a-service (RaaS) tools are lowering the barrier to entry, enabling opportunistic criminals without technical skills to join the fray. But why limit the action to mere criminals? It seems only a matter of time before a terrorist or rebel group uses ransomware to extort money to fund its operations. And if the practice were to spread, some less scrupulous private businesses could even be incentivized to conduct attacks on their competitors, especially if they were able to use intermediaries to remain hidden. There is already a vast grey market in which private companies sell a wide range of intelligence capabilities, so adding ransomware services would simply be keeping current with the times. And if that happens, what's to stop individuals from pursuing attacks for various ends?
Of course, states could also join or rejoin the ransomware game. Already, state-backed hackers in places like Iran, North Korea and Russia have conducted debilitating (and lucrative) attacks, but such efforts could easily grow if more governments see ransomware attacks as an asymmetric way to achieve their goals, especially if they lack more traditional means of national power and for-purchase ransomware services proliferate. One possible future development could see countries seek to mimic previous Russia-linked cyberattacks such as NotPetya and Bad Rabbit. These were eventually discovered to have been a part of a larger state-backed disruptive cyber campaign targeting Russia's adversaries, but concealed as criminally motivated ransomware attacks in order to maintain a degree of plausible deniability. While some states may seek to develop homegrown capabilities, many will be more likely to try to buy off-the-shelf tools — be it directly from criminals or from more legitimate sellers whose products they then modify to facilitate ransomware attacks. Just as less powerful countries have been able to improve their surveillance capabilities by purchasing advanced spyware from private developers, they may also see increasing incentives to acquire ransomware tools.
2) More Targets
Although ransomware victims already include a diverse range of public and private entities, as history shows, the room for target expansion is vast. If governments, or at least state-backed hackers, become more involved in ransomware attacks, there is room for more strategic targeting. For instance, rather than cybercriminals' typical focus on extorting as much money as possible mainly from poorly protected private companies or public services, governments may have a greater interest in holding their enemies' military infrastructure hostage or going after their utilities in far more aggressive ways than what cybercriminals have done so far. After all, for all the concern over ransomware attacks on critical infrastructure like that against Colonial Pipeline, such an attack would pale in comparison to the effects of a government-directed effort targeting a rival's water system or electricity grid. And whereas cybercriminals do not have access to classified intelligence that could illuminate less obvious but more vulnerable targets that could give the attacker more power to coerce the victim, states may be able to exploit their secret knowledge to attack niche enemy targets that are less outwardly attractive to criminals, but disproportionately vital — and therefore riper for extortion.
Of course, more players than just countries could get in on the action: The more ransomware capabilities proliferate among various nonstate actors with diverse motivations, the more target sets will grow across the globe. For example, while today's cybercriminals may not care about, say, the Syrian government's computer networks amid much more appealing Western targets, Islamic State supporters — who have already demonstrated some degree of cyber capabilities — might see the Syrian government as a high-value target. Similarly, although today's cybercriminals are unlikely to waste their time on a small company in Mexico, a local rival might see it as the perfect ransomware victim. And while today's cybercriminals focus on a single large target — and increasingly one that can facilitate access to many others through supply chain compromise — in a future of diffused ransomware capabilities, single individuals may once again become the focus of ransomers, be it a foreign government seeking to target an enemy's key leaders or merely an individual harboring a grudge.
3) More Demands
As the possibilities grow that a wider variety of ransomware attackers will target a broader target set, an associated expansion in the type of ransom demands made becomes likelier. While financial motives will likely remain prime, history is full of examples of other ransom demands, suggesting there is a widening scope for future demands as the number and type of perpetrators and victims expand. For instance, should governments begin to go after each other more directly, they may demand their targets make behavioral changes — such as removing troops from a certain area or lifting economic penalties — rather than seek direct financial payouts. In this way, governments could use ransomware attacks as a more malign and coercive form of leverage compared to their traditional use of sanctions.
And of course, nonstate actors could conceivably do the same. Rather than demand monetary compensation, a terrorist group that conducts a ransomware attack against a government might instead seek a prisoner release. Similarly, a militia group could demand that a government end its counterinsurgency campaign in a particular territorial region. At the same time, a corporate ransomer might seek to coerce a rival to leave a contested market or perhaps share valuable intellectual property it cannot illicitly acquire via other means. And individuals with a variety of personal motivations could make a host of ransom demands of other people, companies and even governments.
4) More Accepted
Perhaps the most intriguing development would be if ransomware attacks come to be seen as more acceptable forms of coercion. After all, as noted, during the medieval period the practice of taking hostages and demanding ransoms was once considered not only legitimate, but in fact preferable to the alternatives of the day. Something similar could happen in the future if ransomware is seen as a more restrained form of coercion compared to a physical attack or a more directly destructive cyberattack. To be sure, though ransomware attacks could escalate to cause real-world damage, unlike kinetic warfare and other types of more aggressive cyberattacks where material destruction is the goal, ransomware attacks do not inherently or directly involve real-world damage, and can be reversed without causing harm. Unlike a bombing campaign or a robbery involving a shooting, a ransomware attack need not result in any human casualties or physical damage — and it is often in the interest of ransomware attackers to avoid doing so in order to keep leverage over their targets.
In this respect, as noted previously, for governments ransomware could come to be seen as an admittedly more malign and coercive form of economic sanctions — which, as ransomware attacks might also one day be, are also favored in large part because they avoid kinetic conflict. Meanwhile, although countries would not, of course, embrace them when used by nonstate actors, governments could come to see ransomware attacks as preferable to attacks involving violence. Given the choice between a militant group taking data or people hostage, the former could very well become grudgingly accepted as the lesser of two evils. And while some governments may feel compelled to respond kinetically to ransomware attacks, attackers who keep their actions in the digital realm stand a much greater chance of limiting the responses from victims — and, therefore, the risk of escalation and the risk to human life.
Back to the Future
To be sure, some of these scenarios may never come to pass, while others could take decades to emerge. The first clearly documented ransomware attack occurred only in 1989, but it took more than two decades for the idea to really catch on — and only in the very recent past has the concept of ransomware moved beyond niche cybersecurity circles and into mainstream conversation. Today's ransomware attackers may rely on computer networks for both their attack vectors and targeting, but their fundamental practice of taking hostages and demanding payment is not so different from what was seen in ancient Greece and Rome. Looking back at history suggests how 21st-century cyber hostage-taking operations might morph yet again going forward. After all, recent innovations like the rise of user-friendly RaaS and the increasingly popular "double extortion" technique — in which ransomware attackers first steal a victim's data before locking it, thus extorting the target not only for the decryption key but also the promise not to leak and/or sell the pilfered data — demonstrate how innovation is an ongoing and natural process in the criminal world, just as in the legitimate economy.