The first event considered to be a ransomware attack happened in 1989.

A hacker physically mailed floppy disks claiming to contain software that could help determine whether someone was at risk of developing AIDs.

However, when installed, the software would hide directories and encrypt file names on people’s computers after they’d rebooted 90 times.

It would then display a ransom note requesting a cashier’s check to be sent to an address in Panama for a license to restore the files and directories.

The program became known by the cybersecurity community as the “AIDs Trojan.” 

“It was the first ransomware and it came from someone’s imagination. It wasn’t something that they’d read about or that had been researched,” Martin Lee, EMEA lead for Talos, the cyber threat intelligence division of IT equipment giant Cisco, told CNBC in an interview.

“Prior to that, it was just never discussed. There wasn’t even the theoretical concept of ransomware.”

The perpetrator, a Harvard-taught biologist named Joseph Popp, was caught and arrested. However, after displaying erratic behavior, he was found unfit to stand trial and returned to the United States.

Since the AIDs Trojan emerged, ransomware has evolved a great deal. In 2004, a threat actor targeted Russian citizens with a criminal ransomware program known today as “GPCode.”

The program was delivered to people via email — an attack method today commonly known as “phishing.” Users, tempted with the promise of an attractive career offer, would download an attachment which contained malware disguising itself as a job application form.

Once opened, the attachment downloaded and installed malware on the victim’s computer, scanning the file system and encrypting files and demanding payment via wire transfer.

Then, in the early 2010s, ransomware hackers turned to crypto as a method of payment.

A serious threat to watch out for in future could be hackers targeting cloud systems, which enable businesses to store data and host websites and apps remotely from far-flung data centers.

“We haven’t seen an awful lot of ransomware hitting cloud systems, and I think that’s likely to be the future as it progresses,” Lee said.

We could eventually see ransomware attacks that encrypt cloud assets or withhold access to them by changing credentials or using identity-based attacks to deny users access, according to Lee.

Geopolitics is also expected to play a key role in the way ransomware evolves in the years to come.

“Over the last 10 years, the distinction between criminal ransomware and nation-state attacks is becoming increasingly blurred, and ransomware is becoming a geopolitical weapon that can be used as a tool of geopolitics to disrupt organizations in countries perceived as hostile,” Lee said.

“I think we’re probably going to see more of that,” he added. “It’s fascinating to see how the criminal world could be co-opted by a nation state to do its bidding.”

Another risk Lee sees gaining traction is autonomously distributed ransomware.

“There is still scope for there to be more ransomwares out there that spread autonomously — perhaps not hitting everything in their path but limiting themselves to a specific domain or a specific organization,” he told CNBC.

Lee also expects ransomware-as-a-service to expand rapidly.

“I think we will increasingly see the ransomware ecosystem becoming increasingly professionalized, moving almost exclusively towards that ransomware-as-a-service model,” he said.

But even as the ways criminals use ransomware are set to evolve, the actual makeup of the technology isn’t expected to change too drastically in the coming years.

“Outside of RaaS providers and those leveraging stolen or procured toolchains, credentials and system access have proven to be effective,” Jake King, security lead at internet search firm Elastic, told CNBC.

“Until further roadblocks appear for adversaries, we will likely continue to observe the same patterns.”