Ransomware is a particularly unpleasant form of malware that encrypts or otherwise blocks access to files on a victim’s computer or network storage, and demands payment for unlocking the data. Over the years, it has become even more dangerous, damaging and painful to tackle as attackers often adjust and improve their tactics to extract payment from successful ransomware attacks.

The victims of ransomware are faced with a stark choice: pay the ransom, lose access to the data the attacker has encrypted, or even worse, find it publicly leaked – a significant reputational, financial and legal risk. In recent years, further, even more egregious tactics have been layered on top of the original: users are sometimes tempted to pay the ransom, but may not receive the keys to decrypt their files anyway. Those who defy the attackers risk having their sensitive data published on the internet – or sold on to other attackers or criminal gangs for blackmail purposes. And ransomware can have persistence, so even if a victim pays the ransom, or recovers their systems using a backup, they can still find they have lost access all over again.

Since regular, secure backups are one of the most effective defenses against ransomware, it is almost inevitable that attackers try to encrypt and/or destroy any backups they can find, too.

How does Ransomware work?

Modern ransomware is often inserted into an organization’s or individual’s devices via commonly used vectors: phishing scams, trojans and misuse of common protocols such as Microsoft’s Remote Desktop Protocol (RDP). Initial access brokers (IABs) sell compromised credentials and other types of initial access information to attackers, while some of the more well-resourced attackers, such as Lazarus Group, the nation-state group publicly attributed to the WannaCry ransomware outbreak, rely on zero-day, critical, easy-to-exploit or otherwise significant vulnerabilities to gain access. While some ransomware strains are deployed and executed with minimal input from the threat actors, more sophisticated or potentially rewarding attacks attract more well-resourced and experienced groups who execute hands-on-keyboard (HOK) attacks.

How big is the ransomware problem?

The short answer: it’s enormous, and growing. Figures from eCrime.ch, which tracks the publicly visible information posted to ransomware operators’ dedicated leak sites (DLS), noted that the number of disclosed victims between 2024 and the end of 2025 increased from 7,826 to 6,937. It’s worth noting that these figures are self-reported by criminal groups, and so need to be taken with a grain of salt.

What about other indicators, in that case? Well, according to Verizon, 44% of the breaches the company reviewed in the process of building the 2025 edition of its industry-standard Data Breach Investigations Report involved some sort of ransomware. The Verizon DBIR is a collation of incident and breach data collected from over 70 organizations around the world, including law enforcement organizations, incident response specialists and forensic security companies.

If there’s any good news from Verizon and eCrime.ch’s numbers, it’s this: the Verizon analysis found 64% of victim organizations did not pay a ransom demand, up from 50% two years ago. We’ll talk about why this number is important later.

Who is most likely to become a victim?

According to the eCrime.ch service, in 2025 around 65% of publicly reported victims had between 1 and 200 employees. Over 29% of victims fell into the category of 201 to 5,000 employees, and less than 5% were organizations with more than 5,000 staff.

The Verizon DBIR collates breach reports from cybersecurity organizations around the world, so it’s a good litmus test of trends and behaviors in this sector. Of the 10,747 breaches reviewed for the 2025 edition, ransomware was disproportionately present in breaches involving small organizations: while 39% of large-organization breaches involved ransomware, the figure for smaller organizations reaches 88%.

It’s safe to conclude that ransomware disproportionately affects smaller organizations.

What about home users?

Individuals are also targeted, but the tactics used are often different: malvertising, phishing, infected downloads and misconfigured remote access services, such as Remote Desktop Protocol (RDP). Individual users, especially those with less technical knowledge or experience, can be intimidated by aggressive ransomware demands, terrified by the potential loss of valuable data and scared of blackmail if embarrassing information is stolen and published. Even experienced users are likely to feel a mix of fear, shame and dread when they find their files locked away or exposed by an attacker.

Individual extortion victims tend not to be everyday people: attackers may be more likely to extort or threaten individuals with enhanced public profiles or other interesting attributes. It’s also worth bearing in mind the cost to the attacker of extracting what may, in the end, amount to a few thousand dollars in ransom.

A recent exception is the Vastaamo data breach, which saw the confidential psychotherapy notes of 33,000 members of the public in Finland stolen and, eventually, leaked. The attacker initially released small batches of individuals’ notes, focusing on high profile individuals and public office holders.

Ransomware: history and evolution

We’ll talk through a few historical examples of ransomware for two reasons: to demonstrate how this type of attack has evolved over time, and to show the impact on organizations and individuals.

Early ransomware: The AIDS Trojan

The first documented case of ransomware goes back to the era of 5.25” floppy disks in 1989 with the AIDS Trojan, a software package sent through the postal system to around 10,000 people, and accompanied by a license agreement. Users – some of them clinicians – who installed the software but did not send payment (in cheque form to an address in Panama, no less) found their computer’s hard disk encrypted. Luckily for many victims, because the trojan used symmetric cryptography, the decryption key could be extracted from the same floppy disk used to deliver the ransomware. This is an example of crypto ransomware – albeit the most basic and earliest of its kind.

Anonymous ransom payment and stronger encryption

Two major developments drove the wider adoption and increased effectiveness of ransomware:

Anonymous ransom payment 

The first was the ability to send and receive payment anonymously – or at least electronically. The use of premium-rate phone and SMS services as a way of transferring payment to an attacker is an early example, used by WinLock, a locker ransomware trojan of Russian origin that, instead of encrypting the victim’s computer, swamped its display with pornographic images and demanded they send a premium-rate SMS to get a code that would unlock their PC. At the time, it was estimated that the scheme earned up to $16 million a month.

PGPCoder, a family of trojans carrying a ransomware payload, initially took payment in e-gold or by deposit to a Liberty Reserve account to avoid revealing who was collecting the ransom or extortion payment. Some variants of PGPCoder were more effective than others: one relied on symmetric encryption, for example, while others could be defeated with a utility.

Stronger encryption

The second development was in the use of stronger and stronger encryption by attackers. Switching from symmetric to asymmetric encryption, in which the attackers hold the decryption key remotely, and the use of increasingly long encryption keys, meant fewer opportunities to decrypt victims’ files without some form of involvement with the attackers or their infrastructure. An example of the challenges this created is the rise and fall of CryptoLocker; although the ransomware itself was relatively easy to remove, CryptoLocker used such heavy encryption that files affected by a CryptoLocker attack were considered impossible to decrypt. But the success of an operation to take down the GameOver Zeus Botnet used to spread CryptoLocker in 2014 resulted in the private keys used by the gang falling into the hands of security researchers. Using an online tool, victims could now decrypt files they’d thought lost forever – without having to pay a ransom.

Cryptocurrency turbocharges ransomware

In the meantime, the advent of bitcoin and the adoption of cryptocurrency gave rise to more ambitious and capable ransomware – and also the opportunity to pursue bigger targets with more elaborate and complex tactics. The ability to quickly move payment in relative anonymity meant that large corporations with more to lose could be targeted, and that, to the criminals behind various ransomware operations, justified more significant investment in both ransomware and its execution.

The era of hands-on-keyboard attacks

The increasing returns associated with holding entire organizations to ransom drove a further evolution: high-intensity ransomware attacks that involved hands-on-keyboard (HOK) activity by the attackers in real time.

Case study: Colonial Pipeline

In 2021, the Colonial Pipeline incident resulted in fuel shortages up and down the US East Coast after the company, which transports petroleum products through its physical pipeline infrastructure, suffered a ransomware attack initiated through a virtual private network (VPN) account with no multifactor authentication protection in place. In this case the attackers (the DarkSide gang) stole around 100GB of data and threatened to release it online if a ransom of almost 75 Bitcoin – equivalent at the time to almost $5 million – was not paid. With the involvement of the FBI, Colonial Pipeline paid the ransom, but then discovered that the decryption tool provided by DarkSide was slower than simply using its own disaster recovery plan and recovering from backups.

This raises a few other details worth mentioning: aside from encrypting files or locking access, ransomware attackers are also willing to dump sensitive company information online – or at least threaten to – to cause victim organizations even more pain and inconvenience. This includes valuable intellectual property or embarrassing or sensitive information. It’s also worth noting that, because Colonial Pipeline had backups, it was able to recover much of its operations – albeit at a slow pace that resulted in panic buying at petrol and diesel pumps, and, in some cases, grounded flights.

A footnote: the US Department of Justice later took the unusual step of recovering around 80% of the payment, showing that cryptocurrency payments are not always anonymous or unrecoverable. Ironically, a crash in the value of Bitcoin between the payment of the ransom and its recovery meant that only $2.4 million was recovered.

Ransomware as a Service (RaaS) and the pandemic

The COVID pandemic brought sudden and unplanned home working to millions of employees, and the sometimes lax security that came with this resulted in a boom time for ransomware gangs.

It also helped propel a practice known as ransomware as a service (RaaS) into the limelight. RaaS, an ironic twist on software as a service (SaaS), allows non-technical criminals to operate ransomware as affiliates, renting or licensing ransomware from hacking groups to operate themselves. While sophisticated organized groups such as Ryuk pursued complex, well-secured and lucrative targets, RaaS gangs tend towards lower-hanging fruit, and often use the services of initial access brokers (IABs) to identify and infect victims.

Double and triple extortion

Over time, ransomware attackers have developed their psychological methods to extract value from victims. Triple extortion refers to encrypting data, threatening to leak or sell it to others, and using the same data to target other groups such as suppliers or customers, who would be affected. When coupled with a DDoS attack, a common additional tactic for applying pressure, it can represent a major threat to a commercial or government organization.

The role of APT groups

APT (Advanced Persistent Threat) groups are highly-skilled and well‑resourced threat actors that employ ransomware to support strategic or geopolitical objectives. APTs are often funded, managed or otherwise supported by nation states, but can also take the form of large, effective organized crime groups. Although APT groups typically focus on high-value or strategic targets, their ransomware operations can create significant spillover effects that impact ordinary businesses via supply-chain compromises, shared software vulnerabilities, and broad‑reaching campaigns.

Modern Ransomware Evasion: EDR Killers

A recent trend in ransomware campaigns is the use of so‑called EDR killers – malware created to crash, remove, disable or otherwise tamper with endpoint detection and response (EDR) tools before launching an attack. EDR killers typically rely on a technique known as bring your own vulnerable driver (BYOVD).

In practice, gangs operating Ransomware as a Service (RaaS) platforms develop these tools and sell or licence them to affiliates. Some closed ransomware groups, such as Warlock, are also in the process of developing similar toolsets.

Defenders should look to turn on Potentially Unwanted Applications (PUA) detection in their antivirus and EDR systems, allowing administrators to see when an attacker tries to load a vulnerable driver as part of the attack.
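As an added illustration of the detection point above (not code from the original article or from ESET’s products), the following Python checks Sysmon Event ID 6 (DriverLoad) records against a vulnerable-driver blocklist and flags unsigned drivers or drivers loaded from unusual paths. The log lines, blocklist entries and hashes are constructed placeholders, and the trusted-directory list is an assumption.

```python
import re
from dataclasses import dataclass

# Constructed blocklist keyed by lowercase SHA256.  The keys are placeholders,
# not real driver hashes; in production load a curated list such as LOLDrivers.
VULNERABLE_DRIVER_SHA256 = {
    "placeholder_hash_vuln_1": "example-vendor-tool.sys (placeholder entry)",
}

# Assumption: legitimate drivers are expected to load from these locations only.
TRUSTED_DRIVER_DIRS = (r"c:\windows\system32\drivers", r"c:\windows\system32\driverstore")

# Constructed Sysmon records flattened to key=value text (IDs 6 = DriverLoad,
# 7 = ImageLoad).  Hashes and paths are placeholders.
SAMPLE_EVENTS = [
    r"EventID=6 ImageLoaded=C:\Windows\System32\drivers\ndis.sys "
    r"Hashes=SHA256=placeholder_hash_ok_1 Signed=true "
    r"Signature=Microsoft Windows SignatureStatus=Valid",
    r"EventID=6 ImageLoaded=C:\Users\Public\svc\kernel.sys "
    r"Hashes=SHA256=placeholder_hash_vuln_1 Signed=true "
    r"Signature=Example Vendor Ltd SignatureStatus=Valid",
    r"EventID=6 ImageLoaded=C:\Windows\Temp\upd.sys "
    r"Hashes=SHA256=placeholder_hash_unk_1 Signed=false "
    r"Signature= SignatureStatus=Unavailable",
    r"EventID=7 Image=C:\Windows\explorer.exe ImageLoaded=C:\Windows\System32\shell32.dll "
    r"Hashes=SHA256=placeholder_hash_ok_2 Signed=true "
    r"Signature=Microsoft Windows SignatureStatus=Valid",
]

# A value runs until the next " key=" token, so values may contain spaces.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


@dataclass
class Finding:
    image: str
    reasons: list


def parse_event(line: str) -> dict:
    return dict(FIELD_RE.findall(line))


def sha256_of(event: dict):
    # Sysmon writes "SHA256=...,MD5=..." style lists; pick the SHA256 entry.
    for part in event.get("Hashes", "").split(","):
        algo, _, digest = part.partition("=")
        if algo.upper() == "SHA256":
            return digest.lower()
    return None


def assess(event: dict) -> list:
    """Return the reasons a DriverLoad event deserves attention (empty = benign)."""
    if event.get("EventID") != "6":
        return []
    reasons = []
    digest = sha256_of(event)
    if digest in VULNERABLE_DRIVER_SHA256:
        # BYOVD drivers are usually validly signed, so only the blocklist catches them.
        reasons.append("hash matches blocklist: " + VULNERABLE_DRIVER_SHA256[digest])
    if event.get("Signed", "").lower() != "true" or event.get("SignatureStatus") != "Valid":
        reasons.append("driver is unsigned or its signature did not validate")
    image = event.get("ImageLoaded", "")
    if not image.lower().startswith(TRUSTED_DRIVER_DIRS):
        reasons.append("loaded from an unusual location: " + image)
    return reasons


def scan(lines) -> list:
    findings = []
    for line in lines:
        event = parse_event(line)
        reasons = assess(event)
        if reasons:
            findings.append(Finding(event.get("ImageLoaded", "?"), reasons))
    return findings
```

Running scan(SAMPLE_EVENTS) flags the second and third records: the validly signed driver is caught only by the blocklist, which is why a PUA or vulnerable-driver list matters more than a signature check alone.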

New era: AI-powered Ransomware

ESET researchers recently analyzed PromptLock, the first known example of AI‑powered ransomware. Although it was only an academic proof of concept, it already shows how cybercriminals could misuse publicly available AI tools to automatically steal, encrypt or even destroy data.

What to do if your organization – or your device – falls victim to ransomware

Firstly, you or your organization should have backups. If not, fix this now before it becomes an overdue task that causes you or your organization serious loss. Properly secured backups are pretty much the only reliable defense against modern ransomware, and they’re often cheaper to maintain than the cost of restoring from scratch or paying a ransom that may or may not fix the problem.

Should you suffer an attack, it’s vital to isolate the infected systems: work out which systems have been affected, and then immediately isolate them. The US Cybersecurity and Infrastructure Security Agency (CISA) offers a helpful checklist for tackling ransomware incidents. First, identify which systems have been affected and take them offline; it may be simpler in the first instance to take your company network offline at the network switch level. Identify and isolate any systems critical to daily operations if possible. Physically isolating devices from the network, by unplugging ethernet cables and turning off Wi-Fi access points, may also be necessary to prevent infection or further spread. If you can, power down devices and take snapshots of cloud volumes. It’s critical that you avoid wiping drives you suspect contain ransomware, as that hinders forensic investigation, making it harder both to work out what needs to be remediated and to understand how the attack succeeded in the first place.

The next step is to wipe infected devices and reinstall the operating system – although be aware that a very small number of malware families can achieve persistence and simply return. If that’s the case, you are better off handing over to a professional incident response provider.

After this point, and assuming you’re working with clean machines, a clean network and malware-free backups, you can begin the process of updating operating systems and antivirus tools, reinstalling software and restoring from backup. After the fact, CISA further recommends keeping an eye on network traffic and cybersecurity tools for signs of further activity.

Does paying a ransom solve the problem?

As we’ve seen from the Verizon report, around half of commercial victims pay ransoms. Ethically, it is a dubious decision, and practically, it may not get your data back or stop it from being published or sold to the highest bidder. As Colonial Pipeline discovered, it may also not be quicker or more effective than restoring from backup. It also doesn’t prevent the attackers from retaining access to your data, or from coming back to do exactly the same again – and, more importantly, you’re enriching the criminals who attacked you. Organizations and individuals are better off making solid disaster recovery plans and regular backups, and saying no to attackers’ demands. It’s also worth noting that ransomware is popular amongst criminal gangs and nation states on the lookout for usable, untraceable currency precisely because victims pay ransoms. The problem would go away if it weren’t a lucrative criminal enterprise.

Why paying the ransom often fails

Even if the ransom is paid and the attackers provide a decryption tool in return, the victim often still ends up without a successful recovery. How so?

  • Encrypted data may be corrupted or incomplete as a result of the encryption process
  • Decryption tools can be unsafe, slow, broken or contain malware
  • Decryption tools aren’t guaranteed to work
  • Attackers often use double extortion, encrypting data and also offering it for sale to criminals or competitors after the ‘final’ payment
  • In some cases, attackers may have no intention of delivering a working key or decryption tool, although developing a reputation for not delivering will break their business model in the medium term
  • Attackers can be inept: the WannaCry ransomware attack was notable for many things, but one in particular is of interest here: the ransom demand nominated a cryptocurrency account, but the attacker would have had no way of working out which payments had come from which victims
  • Long-term security consequences: the attackers may have achieved persistent access to your systems, can return to exploit the same vulnerabilities or avenues of attack if left unfixed, or may pick your organization out as a soft target that pays ransom demands.

Minimizing the impact of a ransomware attack

An effective remediation approach is crucial for reducing downtime and restoring operations after a ransomware incident. Strong remediation tools should provide reliable rollback capabilities, enabling automated restoration of affected files from a secure, tamper‑resistant cache. Ideally, the technology should operate independently of platform‑built features like Volume Shadow Copy Service (VSS), which are frequently targeted and deleted by attackers.
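As an added example that is not ESET’s implementation, the following Python shows the rollback idea in miniature: a cache directory separate from VSS holds copies of protected files, a sudden jump to near-maximum byte entropy flags a file as overwritten, and the cached copy is restored. The file names, thresholds and the random-byte overwrite that stands in for ransomware output are constructed for the demonstration.

```python
import hashlib
import math
import os
import shutil
import tempfile
from pathlib import Path


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: text sits around 4-5, encrypted or random output near 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for byte in data:
        counts[byte] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


class RollbackCache:
    """Holds private copies of protected files, independent of VSS snapshots."""

    def __init__(self, cache_dir: Path, threshold: float = 7.5, jump: float = 2.0):
        self.cache_dir = cache_dir
        self.threshold = threshold  # absolute entropy that looks like ciphertext
        self.jump = jump            # rise over the cached baseline needed to flag
        self.baseline = {}          # resolved path -> entropy at snapshot time
        cache_dir.mkdir(parents=True, exist_ok=True)

    def _slot(self, path: Path) -> Path:
        # One cache file per protected path, named by a hash of the path.
        return self.cache_dir / hashlib.sha256(str(path).encode()).hexdigest()

    def snapshot(self, path: Path) -> None:
        path = path.resolve()
        shutil.copy2(path, self._slot(path))
        self.baseline[path] = shannon_entropy(path.read_bytes())

    def is_suspicious(self, path: Path) -> bool:
        path = path.resolve()
        now = shannon_entropy(path.read_bytes())
        return now >= self.threshold and now - self.baseline[path] >= self.jump

    def restore(self, path: Path) -> bool:
        path = path.resolve()
        slot = self._slot(path)
        if not slot.exists():
            return False
        shutil.copy2(slot, path)
        return True


def demo() -> dict:
    """Constructed scenario: protect a text file, make a benign edit, then
    overwrite it with random bytes standing in for ransomware output."""
    root = Path(tempfile.mkdtemp())
    doc = root / "quarterly-report.txt"
    original = ("Quarterly report: revenue, costs and headcount by region.\n" * 200).encode()
    doc.write_bytes(original)
    cache = RollbackCache(root / ".rollback-cache")
    cache.snapshot(doc)
    # A normal edit keeps entropy low and must not trigger a rollback.
    edited = original + b"Addendum: Q3 figures restated.\n"
    doc.write_bytes(edited)
    benign_flagged = cache.is_suspicious(doc)
    cache.snapshot(doc)  # a real agent re-snapshots on every legitimate save
    # Simulated malicious overwrite (constructed): random bytes of the same size.
    doc.write_bytes(os.urandom(doc.stat().st_size))
    flagged = cache.is_suspicious(doc)
    restored = cache.restore(doc) if flagged else False
    recovered = doc.read_bytes()
    shutil.rmtree(root)
    return {"benign_flagged": benign_flagged, "flagged": flagged,
            "restored": restored, "recovered_matches_last_snapshot": recovered == edited}
```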

Take a prevention-first approach to defend against ransomware

If you’ve nailed the backup issue, great – but there are other steps to take, too. Lock down remote access – especially RDP. Enforce multifactor authentication, particularly the use of authentication tokens and mobile apps: there’s really no excuse to skip MFA these days, and SMS tokens are increasingly vulnerable. As we’ve seen recently thanks to research from Push Security, well-resourced APT groups are now chasing in-browser attacks to bypass even strong MFA.

A few more considerations that may help prevent attacks before they have a chance to start:

  • Regular offline backups
  • Established and well‑tested disaster recovery plans
  • Clear response procedures, supported by robust security technologies
  • Judicious use of multifactor authentication (MFA) and Remote Desktop Protocol (RDP) controls
  • Multilayered protection for critical systems
  • Advanced solutions like Managed Detection and Response (MDR) or Extended Detection and Response (XDR), both of which stop many attacks before they begin

Other than that, strong email security policies (yes – including training for users), robust patching and backup regimes and the use of endpoint security can all help.


ESET PROTECT provides a multilayered approach to ransomware protection, covering every stage from prevention to recovery. ESET can advise on a number of initial steps to protect security systems from compromise and tampering. ESET’s comprehensive cybersecurity offering, including Ransomware Remediation, helps quickly recover and reduce the impact of even the most sophisticated ransomware attacks. If you’re an organization of any size, ransomware attacks can cause significant financial losses and disrupt business operations. ESET PROTECT MDR provides complete, fully automated defense from prevention through response to recovery.
What can be included:

  • 24/7 Threat Monitoring with Managed Detection & Response service by ESET security experts

  • Ransomware Shield to stop ransomware before it can encrypt your data

  • Ransomware Remediation to automatically back up and restore affected files

If you’re a home user, ransomware doesn’t have to mean losing your files. Ransomware can lock your photos, documents, and personal data - and demand payment to get them back.
ESET HOME Security Ultimate helps protect what matters to you by blocking ransomware attacks and automatically restoring your files if something goes wrong.
What can be included:

  • Ransomware Shield to stop ransomware before it can encrypt your data

  • Ransomware Remediation to automatically back up and restore affected files

  • Protection designed specifically for personal devices and everyday use

Future directions

It’s likely that at least two future attack types are going to emerge as serious threats. Supply chain attacks, where smaller, weaker or more vulnerable suppliers are compromised to get access to a larger and more lucrative target, already exist and are already a known vector. An attack on US retailer Target in 2013 resulted in the theft of 40 million customers’ information and was achieved through the compromise of Target’s Air Conditioning supplier. Since then, downstream supply chain attacks have compromised software providers to infect thousands of customers.

Another concern is the relative vulnerability of IoT (Internet of Things) devices to ransomware attacks – especially Industrial IoT networks.

Finally, it appears inevitable that ransomware attacks will increasingly use AI tooling in future. The discovery of the AI-powered PromptLock ransomware in August 2025 suggests that attackers are increasingly likely to use AI’s capabilities to boost their ransomware powers in future.

Conclusion

Ransomware remains the biggest cyber threat to organizations and individuals, and this situation is unlikely to change. Aside from practicing good cyber hygiene, organizations and individuals should make it absolutely imperative that they maintain regular and secure backups of sensitive information, and be prepared to wipe and reinstall all of their systems as needed.

Frequently asked questions

What is ransomware?

Answer: Ransomware is a type of malware that denies access to data or systems, demanding a ransom payment to restore it.

How has ransomware evolved?

Answer: It now includes double/triple extortion tactics and higher ransom demands. Victims face the threat of having their sensitive data exposed or sold to others.

What are the main attack vectors?

Answer: Remote access (Microsoft RDP is an attacker favorite), email phishing, trojans, supply chain vulnerabilities, and exploiting known software flaws are all main attack vectors.

How can I defend against ransomware?

Answer: All users, corporate and personal, should back up sensitive information regularly and update their systems regularly. Organizations need to secure RDP, implement email security measures, patch regularly, maintain backups, and consider either advanced, constantly-monitored EDR solutions or, for proper 24/7 coverage, a Managed Detection and Response (MDR) service such as ESET PROTECT MDR.

What if a ransomware attack succeeds?

Answer: Make sure you and your organization have a response plan: isolate affected systems, notify IT and security teams, involve law enforcement, and consider professional incident response. Paying the ransom likely won’t help anyone but the attacker, so don’t do it unless directed to by law enforcement.

What’s the future?

Answer: Increased complexity, new targets like IoT, and a continuing shift toward bigger ransom demands and more threatening and elaborate extortion tactics. The use (or rather, misuse) of Artificial Intelligence in ransomware attacks is an emerging and serious trend.