The Evolution of Ransomware: How Attacks Have Changed and What to Expect Next

Key Takeaways:

  • Ransomware actors now conduct pre-attack reconnaissance and actively hunt for high-value targets, including healthcare organizations, critical infrastructure, and governments.
  • Today's attackers can move from initial access to full network encryption in less than 24 hours, and in some cases within just five hours of first gaining a foothold.
  • The Huntress Managed Security platform delivers proactive hardening and 24/7 managed detection and response across endpoints, identities, and cloud/email environments, helping you catch and contain ransomware campaigns before they wreck havoc on your business.

The Evolution of Ransomware: How Attacks Have Changed and What to Expect Next

Key Takeaways:

  • Ransomware actors now conduct pre-attack reconnaissance and actively hunt for high-value targets, including healthcare organizations, critical infrastructure, and governments.
  • Today's attackers can move from initial access to full network encryption in less than 24 hours, and in some cases within just five hours of first gaining a foothold.
  • The Huntress Managed Security platform delivers proactive hardening and 24/7 managed detection and response across endpoints, identities, and cloud/email environments, helping you catch and contain ransomware campaigns before they wreck havoc on your business.

Historical overview of ransomware

If you thought ransomware was invented recently, you're not alone. You're also wrong.

The first ransomware (christened the AIDS Trojan) arrived all the way back in 1989. Physical media containing the malware were mailed on floppy disks to conference goers at a WHO conference on AIDS. The AIDS Trojan encrypted the names of targeted files on the victim's computer, then demanded payment sent via postal mail to a P.O. Box in Panama.

For the next 24 years, ransomware existed but never gained meaningful traction—the technical infrastructure and payment mechanisms simply weren't there yet. CryptoLocker changed that in 2013. It used asymmetric encryption, demanded payment in Bitcoin, and spread through phishing email attachments at scale. Criminal enterprises finally found a sustainable way to cash in.

By 2016, the first true ransomware-as-a-service (RaaS) platforms began to emerge—ecosystems that would evolve into the sprawling RaaS economy we recognize today, with operators acting less like organized crime and more like software companies with affiliate programs, tech support, and revenue splits.

In 2017, WannaCry and NotPetya taught the world just how destructive ransomware could be. Both used "worm-like" capabilities that automatically spread throughout networks by exploiting unpatched vulnerabilities. WannaCry ultimately infected more than 300,000 systems across roughly 150 countries and caused damage estimated in the hundreds of millions to billions of dollars, including widespread disruption across the UK's National Health Service. NotPetya, which began in Ukraine but quickly spread worldwide, is now widely regarded as one of the most destructive cyberattacks in history, with total losses estimated at over $10 billion).


Key milestones in ransomware evolution

Malware evolution is better understood as several parallel stories—diffuse players adjusting their strategies as the terrain shifts and new vulnerabilities present themselves.

Ransomware-as-a-service goes mainstream

Beyond commoditizing the creation and deployment of ransomware, RaaS groups gave anyone with criminal intent (and a Bitcoin wallet) access to their product without any technical knowledge required to execute an attack. The barrier to entry collapsed.

Double extortion becomes table stakes

Maze pioneered a tactic that essentially rendered backups useless overnight: exfiltrate data before encrypting it, then threaten to publish it publicly if the ransom goes unpaid. Organizations that could previously weather an encryption event now faced a second problem—leaked customer data sitting on a public forum.

The shift from high-volume to high-impact targeting

Ransomware isn't something you throw at everyone and hope something sticks. It's tactical. Targeted. Pre-reconnaissance. Threat actors now take the time to understand which organizations are most likely to pay the biggest ransoms and have the most incentive to pay fast, like healthcare, manufacturers, critical infrastructure, and governments.

Living off the land (LOTL)

Instead of deploying obvious malicious executables, attackers increasingly pivot to tools already installed on your systems to move laterally—think PowerShell, RDP, WMI, and legitimate admin utilities. Detection becomes significantly harder when malicious activity is hidden inside what looks like routine administrative behavior.



Ransomware evolution in cybersecurity

Signature-based antivirus. Network monitoring. Whack-a-mole patching. These solutions remain important, but they don't do you much good when an attacker is living off the land, using legitimate admin tools already on your network to attack you. Stop thinking about how to prevent attackers from getting inside your network and start thinking about what you do if they already have.

The arms race on detection and response has driven significant adoption of endpoint detection and response (EDR) and identity threat detection and response (ITDR). You can't prevent every attack, so detect them and stop them fast.



Stay two steps ahead of the evolution of ransomware

The evolution of ransomware shows no signs of slowing, and every new tactic demands a smarter, more proactive response.

The full agentic Huntress platform combines Managed EDR, Managed ITDR, Managed SIEM, and Managed Security awareness training to protect your endpoints, identities, and cloud/email environments, backed by a 24/7 AI-centric SOC. Stop ransomware before it ever starts. Get a demo of the platform and see exactly how we stop attackers before they stop you.


Protect What Matters

Secure endpoints, email, and employees with the power of our 24/7 SOC. Try Huntress for free and deploy in minutes to start fighting threats.
Try Huntress for Free