SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Story image
A brief history of cyber-threats — from 2000 to 2020
Tue, 12th Jan 2021
FYI, this story is more than a year old

Carl Sagan once famously said: “You have to know the past to understand the present.” Past events can illuminate future trends, according to commonly-held wisdom — and cybersecurity is no exception.

Annual threat reports provide security teams with an opportunity to reflect on the significant cyber-events of the past 12 months, with an aim to identify trends for future development, ideally translating into better protection.

But while the annual report is helpful, an account of the past 20 years in cybersecurity, throughout which the information security industry was born and matured, is much more valuable.

Many significant cybersecurity events have occurred since the year 2000 — not every one of them ‘firsts', but all of them correlating with a change in security behaviour or protection.

Here is a 20-year retrospective of the world's cyber-threats, presented by Sophos.

2000-2004 — The Worm Era

This era saw some of the most prolific worms the information security industry has ever seen, costing over $100 billion in damages and remediation costs. It also marks the beginning of malware as a mainstream media sensation.

First, there was the ILOVEYOU worm, launched in 2000, which targeted Microsoft Outlook users and infected at least 10% of internet-connected hosts in a matter of hours and caused up to $15 billion in damages.

In response, Microsoft released an update to Outlook with changes aimed at combating the worst symptoms of ILOVEYOU, including preventing users from accessing unsafe attachments and warning users if a program tried to send mail on their behalf.

Then came a veritable wave of worms, which broadened horizons beyond Outlook and targeted operating system vulnerabilities and network infrastructure.

In chronological order, here are the worms of the early aughts:

  • CodeRed (July 2001)
  • Code Red II (August 2001)
  • Nimda (September 2001)
  • SQL Slammer (January 2003)
  • Blaster (August 2003)
  • Welchia (August 2003)
  • Sobig.F (August 2003)
  • Sober (October 2003)
  • Bagle (January 2004)
  • MyDoom (January 2004)
  • Netsky (February 2004)
  • Sasser (April 2004)

Many of these worms abused buffer overflow vulnerabilities in various versions of Windows, or in applications such as Internet Information Services (IIS) or SQL Server. The intent was not always clear, but in some cases, the impact was severe.

As a result of the proliferation of worms, Microsoft launched Patch Tuesday, a structured and consistent approach to distributing patches — before this, patches were distributed ad-hoc or as part of service packs.

Email filtering also improved in this era, with vendors employing more detection software to their products. But while email threats continued their assaults regardless, many cyber-criminals were moving on to their next agenda: making money.

2005-2012 — The Monetisation Era

Cyber-criminals, who up until this point caused disruption mostly for notoriety or because of curiosity, began to think of their pastime as a potential avenue for cashflow.

With this motivation in play, many different niches cropped up, exploiting the range of talents found in the cyber-crime ecosystem. Malvertising, spam, botnets and trojans were just the beginning.

Cyber-criminals, like their counterparts in the real world, got organised.


Spam began as a medium to spread worms; a chain letter from an unwitting friend or relative was typical. But it soon became monetised through online scams.

One of the most well-known coordinated spam campaigns was the proliferation of pharmacy spam. ‘Webmasters' would drive traffic to online stores run by kingpins, where targets would encounter many prescription medicines at vastly discounted prices.

With bulletproof hosts in place, cyber-criminals probably made billions from pharmacy spam, and financially motivated cyber-crime was here to stay.


One of the most prolific botnets of the era was the Storm botnet, once dubbed the world's ‘most powerful supercomputer'.

Storm was designed for stealth and profit. At its peak, estimates of the botnet's size ranged from one million to 10 million infected computers. Storm deviated from its predecessors' playbook of noisy and aggressive to favour a more patient and silent approach.

As part of its stealth tactic, the botnet employed a distributed peer-to-peer model. It used fast-flux DNS and polymorphism to evade defenders and infect untold numbers of computers.

This established Storm's notoriety quickly, and soon it became the standard for all future botnets.


One of the fathers of the trojan, the Zeus/Zbot banking trojan targeted users primarily through spam, phishing, advertising or social engineering. It quickly grew from merely a banking trojan to a fully-fledged crimeware kit and marked the beginning of crimeware-as-a-service.

Zeus licenses started at $1,000, but the author offered customised versions at a higher fee, which included 24/7 support and were distributed through affiliates.

The source code for Zeus was leaked online in 2011, which enabled less technical cybercriminals to learn from one of the most well-known malware kits to date. Leaked Zeus code was allegedly responsible for several variants, including Citadel, Gameover Zeus, ICE-9, CIDEX, Ramnit, Dridex, Kronos, Tinba and Panda.

The monetisation era led to an even greater level of email filtering due to the surge in email spam and phishing, while exploit kits and malvertising led to further filtering of web content.

Cooperation between the information security industry, law enforcement and payment processors profoundly impacted cybercriminals' money-making operations, such as that implemented by the Reveton trojan.

2013-present — The Ransomware Era

It may not be the only defining feature of the current era, but ransomware has undoubtedly had the most significant impact, according to Sophos.

As of 2020, damage estimates from ransomware attacks are in the trillions of dollars. Ransomware exposes vulnerabilities in IT defences, spawns new technologies, and can sink entire organisations.


Launched in 2013, the CryptoLocker ransomware attack provided criminals with a winning formula by marrying two technologies: encryption and cryptocurrency. Cryptolocker and many of its offspring also resurrected an old threat vector that had been dormant for over a decade: document malware.

Since then, many groups behind some of the most prolific ransomware families have honed their skills and adapted to a changing environment.

No individual or industry is immune from a ransomware attack. No one technology is enough to stop it. What started as a novel, but probably inevitable, idea has grown into a problem of epic proportions.

Double extortion

The criminals behind Maze ransomware popularised a common standard today: double extortion, whereby cyber-criminals not only encrypt and steal data, but threaten to publish it if targets do not pay.

Even if a company could fully recover from a ransomware attack without paying the ransom, they could still find themselves in regulatory hot water.

Under the threat of a public data breach, some companies might opt to pay the ransom rather than any official fines imposed upon them. Paying the ransom might be the cheaper option of the two, considering the recovery costs and brand damage associated with a breach. 

The battle continues

Ransomware has upended the cybersecurity world perhaps more than any other vector of attack.

It's laid bare the failures by many organisations to do some of the basic security work, whether intentional or not.

It's made us re-evaluate our security controls, build or strengthen security cultures within our organisations, create new industries and innovate new products.

But more than that, it has made it strikingly clear that getting security right is difficult, but we must not be deterred from doing the necessary work that our digital world requires.

To learn more, read the full report from Sophos.