
The Evolution of Ransomware, Pt. 1
No one wants ransomware attacking their company. But what if you were the target? Ransomware targeting individuals has evolved since WannaCry’s ransomware outbreak that swept across the globe in May 2017. Individual ransomware is no longer just about locked files—it's personal.
The rise of this type of ransomware, where stolen data is weaponized, is creating a new era of ransomware for businesses and individuals. With the evolution of double and triple extortion tactics, ransomware has become a personal threat, rendering traditional defenses, like immutable backups, completely inadequate.
That is the situation Aaron found himself in on a Friday morning this autumn. Aaron was a successful businessperson who faced a $25,000 extortion demand after hackers stole sensitive personal data and threatened to release it publicly.
Aaron founded a company that leased a fleet of planes to governments and corporations, a business that represented the sum of his whole career. When he reached for his phone first thing Friday morning while still in bed, instead of the familiar green on the Bloomberg screen, a stark red skull filled the display. "WE HAVE COPIES OF ALL YOUR DATA," it screamed in block letters, along with, "pay $25,000 in USD with Monero or risk a much higher demand if we find anything particularly sensitive to share with your contacts." A screenshot of some of his files was included as well. And they would find something particularly sensitive if they looked – photos, chats, and emails with the person he had an affair with that summer.
Aaron told me his wife would divorce him, for sure, after the last time, and also take the kids. He was just as concerned about the socially conservative clients he had in the Middle East. He had cultivated these relationships with great care, even hiring an Islamic salesman to insulate himself, knowing of the cultural sensitivities. While they had overlooked his Jewish background, they would not overlook his gay adultery. Exposure would mean the immediate loss of their predictable contracts, which would trigger a cascade of loan defaults on the fleet, lawsuits, and financial ruin - and compound the personal hit of the custody battle.
Despite having a Managed Security Service Provider (MSSP) for digital security, Aaron’s personal devices were a mess. His phone was his lifeline, but also a major risk. He knew about potential risks, such as clicking on unfamiliar links, but he had fallen into poor security habits—clicking on links in emails from “old friends” he hadn’t heard from in years that might want to invest, and using variations of the same password that had been a part of multiple data breaches across sites.
Aaron knew calling his MSSP was out of the question for such a private matter. This was the situation when I first spoke with Aaron. I wanted to break it to him, gently, that the situation was much worse than he realized. It was not just his stolen data – his banking, tax returns, medical records, intimate photos, and private messages. That was bad. But in addition to selling his data, they'd also likely gained access to his social media and email, and would likely post fabricated, deeply damaging content to his business and personal network. Imagine your family photos, twisted into a grotesque narrative with the help of generative AI, falsely accusing you of child predation, or spewing racist vitriol, all meticulously crafted to obliterate your reputation. His friends would probably call the police on him, the victim. Some of the accusations would make it to the divorce court, if not a criminal court. The attackers' goal was straightforward: to leave him with no other choice than to pay them immediately.
This is the terrifying threat of modern ransomware – a threat that may not dominate the headlines in 2025, but nonetheless continues to evolve and pose serious risks. Threat actors have refined ransomware into one of the most effective ways to monetize compromised systems, targeting both individuals and organizations.
Ransomware provides attackers with direct payment from victims. Although it is often difficult and risky, ransomware attackers can also sell the stolen data, a tactic known as 'double extortion ransomware.' This means victims not only lose access to their data, but also risk attackers publicly sharing or selling it, breaching their confidentiality.
Cybersecurity organizations, such as CrowdStrike, Sophos, Mandiant, Verizon, IBM, CISA, and the FBI, publish reports that provide insights into the ongoing ransomware threat. Cybercriminals are making the tools and techniques used for the most sophisticated triple extortion ransomware more available. For example, Ransomware-as-a-Service (RaaS) platforms have proliferated, enabling cybercriminals to deploy advanced ransomware attacks. These platforms often provide web interfaces, documentation, tutorials, and support, making sophisticated ransomware and money laundering techniques more accessible. Even when a major ransomware group like LockBit is disrupted, the problem of ransomware persists because RaaS tools are widely available.
Unlike many other forms of hacking, ransomware lets cybercriminals extract payment directly from their victims. That makes it profitable and, therefore, a persistent, high risk to individuals and organizations.
Watch for Part 2 of this article, where I'll dig deeper into ransomware and provide additional insights and methods to protect yourself.