If you thought ransomware was invented recently, you're not alone. You're also wrong.

The first ransomware (christened the AIDS Trojan) arrived all the way back in 1989. Physical media containing the malware were mailed on floppy disks to conference goers at a WHO conference on AIDS. The AIDS Trojan encrypted the names of targeted files on the victim's computer, then demanded payment sent via postal mail to a P.O. Box in Panama.

For the next 24 years, ransomware existed but never gained meaningful traction—the technical infrastructure and payment mechanisms simply weren't there yet. CryptoLocker changed that in 2013. It used asymmetric encryption, demanded payment in Bitcoin, and spread through phishing email attachments at scale. Criminal enterprises finally found a sustainable way to cash in.

By 2016, the first true ransomware-as-a-service (RaaS) platforms began to emerge—ecosystems that would evolve into the sprawling RaaS economy we recognize today, with operators acting less like organized crime and more like software companies with affiliate programs, tech support, and revenue splits.

In 2017, WannaCry and NotPetya taught the world just how destructive ransomware could be. Both used "worm-like" capabilities that automatically spread throughout networks by exploiting unpatched vulnerabilities. WannaCry ultimately infected more than 300,000 systems across roughly 150 countries and caused damage estimated in the hundreds of millions to billions of dollars, including widespread disruption across the UK's National Health Service. NotPetya, which began in Ukraine but quickly spread worldwide, is now widely regarded as one of the most destructive cyberattacks in history, with total losses estimated at over $10 billion).

Malware evolution is better understood as several parallel stories—diffuse players adjusting their strategies as the terrain shifts and new vulnerabilities present themselves.

Ransomware-as-a-service goes mainstream

Beyond commoditizing the creation and deployment of ransomware, RaaS groups gave anyone with criminal intent (and a Bitcoin wallet) access to their product without any technical knowledge required to execute an attack. The barrier to entry collapsed.

Double extortion becomes table stakes

Maze pioneered a tactic that essentially rendered backups useless overnight: exfiltrate data before encrypting it, then threaten to publish it publicly if the ransom goes unpaid. Organizations that could previously weather an encryption event now faced a second problem—leaked customer data sitting on a public forum.

The shift from high-volume to high-impact targeting

Ransomware isn't something you throw at everyone and hope something sticks. It's tactical. Targeted. Pre-reconnaissance. Threat actors now take the time to understand which organizations are most likely to pay the biggest ransoms and have the most incentive to pay fast, like healthcare, manufacturers, critical infrastructure, and governments.

Living off the land (LOTL)

Instead of deploying obvious malicious executables, attackers increasingly pivot to tools already installed on your systems to move laterally—think PowerShell, RDP, WMI, and legitimate admin utilities. Detection becomes significantly harder when malicious activity is hidden inside what looks like routine administrative behavior.

What's unique about ransomware today is the operational sophistication and security that threat groups have developed.

Initial access is often ridiculously easy

Modern phishing lures. Unpatched RDP ports are open on the internet. VPN credentials purchased from initial access brokers. Exposed services. Weak passwords. Attackers rarely need to creatively obtain access to your environment—they just need to find a way in. Think of initial access as low-hanging fruit. The real expertise shows in how attackers move once they're inside.

Attackers are moving faster than ever

For years, ransomware criminals would gain access to a network, remain dormant, and return days or even months later to execute ransomware. As detection technology improved, attackers compressed their timelines to stay ahead of it. Today, many ransomware deployments progress from initial infiltration to full encryption in under 24 hours—and in some cases within just five hours—as median ransomware dwell time continues to fall.

AI is becoming a criminal tool

Just as security teams leverage generative AI to maximize productivity, cybercriminals are too. Attackers use AI to automate attack phases and reduce friction—from AI-generated phishing emails that accelerate credential theft to AI-powered vulnerability scanners that find exploitable gaps faster than your security team can close them.

Signature-based antivirus. Network monitoring. Whack-a-mole patching. These solutions remain important, but they don't do you much good when an attacker is living off the land, using legitimate admin tools already on your network to attack you. Stop thinking about how to prevent attackers from getting inside your network and start thinking about what you do if they already have.

The arms race on detection and response has driven significant adoption of endpoint detection and response (EDR) and identity threat detection and response (ITDR). You can't prevent every attack, so detect them and stop them fast.

Ransomware attacks aren't declining. In fact, research shows that in more than half of the investigated incidents, ransomware is now deployed within a day of initial access, with a meaningful share executed in just a few hours, and the targets are becoming more deliberate and high-value.

Expect more identity-driven attacks

Your attack surface is no longer just your network and endpoints. It's your identity layer too. Attackers are focusing on passwords and anything protected by username and password. Expect more attacks entering through Active Directory, targeting cloud identities, and exploiting weak passwords and multi-factor authentication (MFA) gaps.

Cross-platform targeting is expanding

The ransomware sweet spots aren't going away. They're just expanding. As enterprise environments virtualize critical infrastructure, Linux and ESXi servers are increasingly becoming primary targets.

Smaller organizations are increasingly in scope

Modern ransomware is lucrative enough that if a large business won't pay, attackers go smaller. More and more small and mid-sized businesses that service larger organizations through the supply chain are becoming viable, attractive targets.

The evolution of ransomware shows no signs of slowing, and every new tactic demands a smarter, more proactive response.

The full agentic Huntress platform combines Managed EDR, Managed ITDR, Managed SIEM, and Managed Security awareness training to protect your endpoints, identities, and cloud/email environments, backed by a 24/7 AI-centric SOC. Stop ransomware before it ever starts. Get a demo of the platform and see exactly how we stop attackers before they stop you.