November 14, 2023 By MacKenzie Milligan 5 min read

Ransomware has been part of the cyber crime ecosystem since the late 1980s and remains a major threat in the cyber landscape today. Evolving ransomware attacks are becoming increasingly more sophisticated as threat actors leverage vulnerabilities, social engineering and insider threats. While the future of ransomware is full of unknown threats, we can look to the past and recent trends to predict the future.

2005 to 2020: A rapidly changing landscape

While the first ransomware incident was observed in 1989, ransomware attacks rapidly escalated in 2005.

  • In 2005, the Archiveus trojan was the first ransomware to use RSA and asymmetrically encrypt all files in the “My Documents” folder.
  • In 2009, a virus emerged dubbed Vundo that encrypted computers and sold decryptors, allowing groups to obtain more profit.
  • In 2012, a new tactic emerged known as “scareware,” which contained messages claiming to be law enforcement and suggested the victim needed to pay to avoid prosecution. Scareware resulted in increased payments to threat actors.
  • Between 2013 and 2016, ransomware became more widespread across the globe, spreading via botnets. In addition, the first true ransomware for Mac increased the opportunity for even more victims.
  • In 2016, the first Ransomware-as-Service (RaaS) variants were observed. The development of RaaS eliminated the need for threat actors to develop their own malware, allowing inexperienced groups to successfully target organizations. This contributed to an increase in ransomware attacks.
  • Between 2019 and 2020, ransomware groups created dedicated leak sites that put more pressure on victims to pay the ransom to avoid the potential threat of publication of stolen data, resulting in further financial loss for victims. This threat actor tactic was popularly named “double extortion.”

2021 to present: More attacks, greater sophistication

Ransomware continues to be a relevant threat in today’s environment. Since 2021, ransomware groups have become more sophisticated by updating their tactics, forming new groups, finding new targets and taking advantage of outside factors. These changes are important for ransomware groups to stay ahead of security measures and help secure larger ransom payments.

Tactics, techniques and procedure (TTP) changes

Groups still employ double extortion tactics; however, certain groups now use “triple extortion” and “quadruple extortion” tactics to convince victims to pay ransom. Triple extortion increases the potential of a victim paying the ransom, especially for critical infrastructure organizations. In triple extortion, threat actors threaten distributed denial of service (DDoS) attacks in addition to encrypting systems and exposing data if a ransom is not paid, potentially resulting in long periods of downtime for public-private interdependent sectors like the government, healthcare or utilities. In comparison to triple extortion, quadruple extortion pressures victims by contacting customers and business partners, informing them that their sensitive information has been stolen. This adds another layer of pressure for the victims to pay.

To gain initial access to victims, ransomware groups employ various methods, including contacting individuals who work within the target organization (insider threat), posting advertisements requesting initial access to a specific target and working with initial access brokers who sell existing access to various targets.

According to CrowdStrike, 2022 saw an increase in initial access broker offerings, with more than 2,500 posts offering initial access and the top sector offerings for these posts, including academia and technology companies. This was a 112% increase in comparison to 2021, making it clear that ransomware groups have an interest in purchasing initial access instead of doing it on their own.

Read the Threat Intelligence Index

Even more new ransomware groups

Many factors could have led to the increase in new ransomware groups, including affiliates working for more than one group and code leaks. Since 2021, many observed ransomware source code and builder leaks have enabled groups with little-to-no experience to create or modify their ransomware. Code leaks, including Babuk, Conti, Lockbit3.0 and Chaos, have allowed new groups to produce more frequent attacks, thereby changing the threat landscape. However, researchers have observed that groups that use these leaked builders tend to ask for a lower ransom payment. This may indicate that these groups are trying to avoid attention while testing their new variants.

Targeting Linux and ESXi machines

Ransomware groups continue to target operating systems and platforms such as Linux or ESXi machines. These are prime targets because they often host file servers, databases and web servers. Groups will also create Linux encryption with the purpose of specifically encrypting ESXi virtual machines. Linux continues to be the most popular operating system for embedded, constrained and Internet of Things devices used by critical infrastructure sectors like manufacturing and energy. In addition, attacks on Linux systems increased by 75% in 2022 and will likely continue to increase in the latter half of 2023.

Influence of global and geopolitical factors

Recent global and geopolitical factors have also influenced the increase in ransomware attacks. Global factors, including COVID-19, made the healthcare sector an appealing target, whether to obtain information on vaccines or an opportunistic attack where overwhelmed hospitals were more likely to pay a ransom. Geopolitical tensions and sanctions also continue to influence ransomware attacks. APT groups linked to governments in Russia, North Korea and China have utilized ransomware for financial gain and disruption.

How will ransomware continue to evolve?

Ransomware attacks will continue to evolve and become more sophisticated, advanced and targeted. Threat actors are mastering a new technique where attackers exploit vulnerabilities in the supply chain to launch large extortion campaigns. For instance, this year, Cl0p ransomware infiltrated MOVEit, a secure managed file transfer application, which continues to impact hundreds of companies. For a bigger payout, threat actors will likely continue to find initial access to companies that many organizations rely on.

There will likely be an increase in cloud-aware ransomware due to companies continuing to move their critical data into cloud storage. Ransomware groups could exploit cloud services, applications and infrastructure to gain initial access. It is an attractive opportunity for threat actors due to the larger amounts of critical information available to target and hold for ransom.

Groups will continue to use intermittent encryption, a process where only parts of files are encrypted. The encryption is able to avoid products like endpoint security and extended detection and response, which makes it harder for a security system to detect it. By only encrypting specific lines of data, intermittent encryption also enables a faster decryption process, which might entice a victim to pay the ransom.

Encryptionless ransom attacks will also continue; these are known as extortion or data theft attacks. These attacks have been used for many years and continue to trend up and down, depending on the need and threat actor sophistication. In these attacks, groups steal data and threaten to expose it instead of encrypting it.

With the development of artificial intelligence (AI) and AI models like ChatGPT, ransomware groups will likely follow the trend and utilize AI tools like chatbots, AI-developed malware, automated processes and machine learning algorithms. AI will likely help groups develop more advanced and sophisticated techniques to evade current ransomware prevention and guidance. We can expect all types of ransomware threat actors to leverage AI to help them complete successful attacks.

Learning from the past

Looking back on the evolution of ransomware makes one thing clear: the future of cybersecurity is likely to be as unpredictable as its past. Still, the history of ransomware attacks offers much to learn. By maintaining a solid and adaptable cybersecurity strategy, organizations have a better chance of navigating the challenges to come.

More from Risk Management

Digital solidarity vs. digital sovereignty: Which side are you on?

4 min read - The landscape of international cyber policy continues to evolve rapidly, reflecting the dynamic nature of technology and global geopolitics. Central to this evolution are two competing concepts: digital solidarity and digital sovereignty.The U.S. Department of State, through its newly released International Cyberspace and Digital Policy Strategy, has articulated a clear preference for digital solidarity, positioning it as a counterpoint to the protectionist approach of digital sovereignty.What are the main differences between these two concepts, and why does it matter? Let’s…

A decade of global cyberattacks, and where they left us

5 min read - The cyberattack landscape has seen monumental shifts and enormous growth in the past decade or so.I spoke to Michelle Alvarez, X-Force Strategic Threat Analysis Manager at IBM, who told me that the most visible change in cybersecurity can be summed up in one word: scale. A decade ago, “'mega-breaches' were relatively rare, but now feel like an everyday occurrence.”A summary of the past decade in global cyberattacksThe cybersecurity landscape has been impacted by major world events, especially in recent years.…

It all adds up: Pretexting in executive compromise

4 min read - Executives hold the keys to the corporate kingdom. If attackers can gain the trust of executives using layered social engineering techniques, they may be able to access sensitive corporate information such as intellectual property, financial data or administrative control logins and passwords.While phishing remains the primary pathway to executive compromise, increasing C-suite awareness of this risk requires a more in-depth approach from attackers: Pretexting.What is pretexting?Pretexting is the use of a fabricated story or narrative — a “pretext” — to…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today