The Evolution of Ransomware
Why It’s Getting Trickier to Stop
So you’ve probably heard “ransomware” in the news, and not in a good way. But how did we go from simple lock-your-files schemes to multi-million-dollar extortion gangs that hit hospitals, pipelines, and even schools? This article will give you the basics on that.
How does ransomware work?
Ransomware is a kind of malware that encrypts and holds your data hostage until you pay up. At its core, it’s pretty simple: most of the time, attackers follow this three-step chain:
Automated program deployment: Phishing emails, hijacked downloads, or stolen credentials.
Encrypt and demand: Locks down files with strong encryption, then sends a ransom note to the user, usually via the GUI.
Ransom payment in cryptocurrency: Bitcoin, Monero, or other hard-to-trace coins.
Cybercriminals run this kind of fraud on a mass scale against millions of people across the globe every year. The exact impact is difficult to measure because the numbers are muddled, but many people lose their livelihoods and careers to ransomware attacks.
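From the defender’s side, the “Encrypt and demand” step leaves a measurable trace: many files turning into high-entropy data within a short time. The Python example below is added here and is not part of the original post; the thresholds, the file names, and the `.locked` extension are constructed assumptions.

```python
import hashlib
import math
from collections import Counter

# Magic bytes of formats that are legitimately high-entropy (compressed).
COMPRESSED_MAGIC = (b"PK\x03\x04", b"\x1f\x8b", b"\x89PNG", b"\xff\xd8\xff")
ENTROPY_THRESHOLD = 7.5  # bits per byte; assumed cut-off, tune per environment
BURST_THRESHOLD = 3      # assumed: this many suspicious files in one scan alerts

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())

def looks_encrypted(data: bytes) -> bool:
    """High entropy and no header of a known compressed format."""
    if data.startswith(COMPRESSED_MAGIC):
        return False
    return shannon_entropy(data) > ENTROPY_THRESHOLD

def scan(files: dict[str, bytes]) -> tuple[list[str], bool]:
    """Return (suspicious file names, whether the burst threshold was reached)."""
    flagged = sorted(name for name, data in files.items() if looks_encrypted(data))
    return flagged, len(flagged) >= BURST_THRESHOLD

def pseudo_random(seed: str, size: int = 4096) -> bytes:
    """Deterministic stand-in for ciphertext, built from chained SHA-256 digests."""
    out, block = b"", seed.encode()
    while len(out) < size:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:size]

# Constructed sample data: three "encrypted" documents, one plain text, one ZIP.
SAMPLE = {
    "report.docx.locked": pseudo_random("a"),
    "budget.xlsx.locked": pseudo_random("b"),
    "notes.txt.locked": pseudo_random("c"),
    "readme.txt": b"Quarterly planning notes for the team.\n" * 100,
    "archive.zip": b"PK\x03\x04" + pseudo_random("d"),
}

if __name__ == "__main__":
    names, alert = scan(SAMPLE)
    print(names, "ALERT" if alert else "ok")
```

Entropy alone cannot distinguish encryption from compressed formats missing from the magic-byte list, so a burst is a trigger for investigation rather than proof of ransomware.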
How tactics have changed over the last 5 years
Ransomware and the cybercriminals that operate it have to adapt in order to avoid getting caught and to make more money. These are some of the ways they have refined their attacks over the last several years:
Ransomware-as-a-Service (RaaS)
Affiliates buy prebuilt kits, handle distribution, and split profits with developers.
Double (or triple) extortion
Encrypt data and threaten to leak stolen files; then extort the victim’s clients or partners.
Targeted intrusions
Criminals research organizations, steal credentials, disable backups, then detonate.
Supply-chain attacks
Compromise a trusted vendor or software update to reach dozens or hundreds of downstream victims.
Automated leak sites
Victims who refuse to pay get named publicly on dedicated shaming sites, adding reputational pressure.
Fast-moving toolkits
Builders push updates weekly—new encryption, evasion tricks, worm-like spreaders—to stay one step ahead of defenders.
Beheading the Snake: Defensive Tactics
All these shifts mean defenders can’t just rely on a backup copy in the corner. Today you need:
Proactive threat intel
Spot new RaaS brands, leak sites, and phishing lures before they hit your inbox.
Network segmentation
Isolate critical systems so a breach in IT doesn’t automatically jump to OT environments.
Zero-trust controls
Assume every user or device could be compromised; verify before you trust.
Frequent drills and backups
Exercise incident response and test restores, because paying up is never the only option.
Ransomware’s evolution is relentless, but as long as defenders fight back, the enemy’s job can be made much harder.
TL;DR:
Ransomware has grown from simple file locks to big extortion ops with leak threats, supply-chain hits, and ready-made kits. Defenders need strong intel, tight network controls, and regular drills to keep up.
A post by the Western Research Advisory for Vulnerabilities, Exploits, & Networks.