Ransomware is getting a lot of attention these days. Its popularity makes sense: As noted by Ars Techinca, for example, ransomware phishing emails are now scraping LinkedIn and other sources for reliable data on employees and then shooting legitimate-looking email spears to companies around the world. Once infected, many businesses consider paying out and walking away since they can’t risk bad publicity or the loss of critical files.

Cybercriminals aren’t resting on their laurels. New ransomware incidents suggest that not only are bad guys stepping on the gas, but they’re also changing direction to increase their earnings.

Fast and Locked

Three years ago, ransomware was a niche market; brute-force hacks to grab point-of-sale (POS) data or disrupt corporate operations were the de facto standard. But increasingly sophisticated methods to conceal encryption code and prevent white-hat firms from disinfecting compromised computers, coupled with the massive scare factor of a locked-out device, conspired to make this particular brand of attack a lucrative endeavor. Now, ransomware is an industry unto itself, complete with market leaders, knock-off kits and even customer service.

According to CSO Online, companies are dealing with an influx of ransomware attacks. Security firm Stroz Friedberg saw three to four cases per week over the first quarter of 2016 spread across multiple industries. What’s more, the asking price is on the rise, prompting some companies to consider payment rather than remediation.

Prevention is the ideal defense, either through increased awareness of common tactics or improved detection systems that catch ransomware in its earliest stages. The problem? Malware-makers are changing targets.

Ransomware Incidents Start Fresh

Companies are familiar with common ransomware incidents. Often, legitmate-looking emails arrive in employee inboxes or users are victimized by drive-by downloads. But as noted by PCWorld, the bad guys are changing direction. Now, they’re taking a more direct route by targeting unpatched server-side software.

The threat is called Samsam, and it works like this: Attackers use Jexboss, a legitimate penetration tool, to exploit the JBoss enterprise application server. If they discover unpatched software, it’s possible to install ransomware code directly, in turn compromising all connected computers.

A recent ransomware incident asked for more than $18,500 in bitcoins after a successful Samsam attack. With most companies covering their bases for other, more familiar infection pathways, this innovative attack is a win-win for cybercriminals.

Ransomware is now an industry unto itself. Like any forward-thinking tech vertical, there’s big emphasis on speed and innovation; malware-makers are looking to ramp up their infection volume while also developing new and unexpected ways to slip past corporate defenses. For companies, this means it’s time to buckle up — 2016 may be a bumpy ride.