
What is Ransomware?

Rakshak Sharma

In 2025, ransomware has evolved significantly beyond simple file encryption. While denying access to your data by encrypting it and demanding a ransom payment for the decryption key remains a core tactic, today’s ransomware does much more. Cyber-attackers now frequently incorporate additional functionality such as data theft. This means they don’t just lock up your files; they also steal sensitive information. This dual threat creates even greater pressure on victims to pay the ransom, as they face not only data loss but also the potential public exposure of the stolen data or its sale on the dark web.

Ransomware has quickly become the most prominent and visible type of malware. Recent ransomware attacks have impacted hospitals’ ability to provide crucial services, crippled public services in cities, and caused significant damage to various organizations.

Why Are Ransomware Attacks Emerging?

The modern ransomware wave began with the WannaCry outbreak of 2017. This large-scale and highly publicized attack demonstrated that ransomware attacks were possible and potentially profitable. Since then, dozens of ransomware variants have been developed and used in a wide variety of attacks.

The COVID-19 pandemic also contributed to the recent surge in ransomware. As organizations rapidly pivoted to remote work, gaps were created in their cyber defenses. Cybercriminals have exploited these vulnerabilities to deliver ransomware, resulting in a surge of ransomware attacks.

A staggering 71% of companies have encountered ransomware attacks, resulting in an average financial loss of $4.35 million per incident.

In 2023 alone, attempted ransomware attacks targeted 10% of organizations globally. This marks a notable rise from the 7% of organizations facing similar threats in the previous year and represents the highest rate recorded in recent years.

How Ransomware Works

In order to be successful, ransomware needs to gain access to a target system, encrypt the files there, and demand a ransom from the victim. While the implementation details vary from one ransomware variant to another, all share the same three core stages.

Step 1. Infection and Distribution Vectors

Ransomware, like any malware, can gain access to an organization’s systems in a number of different ways. However, ransomware operators tend to prefer a few specific infection vectors.

One of these is phishing emails. A malicious email may contain a link to a website hosting a malicious download or an attachment that has downloader functionality built in. If the email recipient falls for the phish, then the ransomware is downloaded and executed on their computer.

Another popular ransomware infection vector takes advantage of services such as the Remote Desktop Protocol (RDP). With RDP, an attacker who has stolen or guessed an employee’s login credentials can use them to authenticate to and remotely access a computer within the enterprise network. With this access, the attacker can directly download the malware and execute it on the machine under their control.

Other variants may attempt to infect systems directly, as WannaCry did by exploiting the EternalBlue vulnerability. Most ransomware variants support multiple infection vectors.

In 2025, ransomware attacks frequently leverage vulnerabilities within an organization’s third-party suppliers, recognizing them as a weaker entry point. This often begins with compromised credentials or unpatched software in a vendor’s system, allowing attackers to gain initial access. From there, the threat actors exploit the trusted connection between the supplier and the target organization to move laterally and deploy ransomware, bypassing the main company’s direct defenses.

Step 2. Data Encryption

After ransomware has gained access to a system, it can begin encrypting its files. Since encryption functionality is built into the operating system, this simply involves accessing files, encrypting them with an attacker-controlled key, and replacing the originals with the encrypted versions. Most ransomware variants are cautious in their selection of files to encrypt so that the system remains stable enough to display the ransom demand. Some variants also delete backups and shadow copies of files to make recovery without the decryption key more difficult.

Step 3. Ransom Demand

Once file encryption is complete, the ransomware is prepared to make a ransom demand. Different ransomware variants implement this in numerous ways, but it is not uncommon to have a display background changed to a ransom note or text files placed in each encrypted directory containing the ransom note. Typically, these notes demand a set amount of cryptocurrency in exchange for access to the victim’s files. If the ransom is paid, the ransomware operator will either provide a copy of the private key used to protect the symmetric encryption key or a copy of the symmetric encryption key itself. This information can be entered into a decryptor program (also provided by the cybercriminal) that can use it to reverse the encryption and restore access to the user’s files.

While these three core steps exist in all ransomware variants, different ransomware can include different implementations or additional steps. For example, variants like Maze perform file scanning, registry information gathering, and data theft before data encryption, and the WannaCry ransomware scans for other vulnerable devices to infect and encrypt.
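As an added defender-side illustration of Step 2 (example code, not part of the original post): a small detector, run over constructed Sysmon-style host events, that flags the two behaviours that step describes, deletion of shadow copies and backup catalogs, and the bulk replacement of files under a new extension by one process. The event layout, process ids and file paths are assumptions made for the sample.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style host events (sample data, not from the page): two
# process-creation records and a run of file renames, all from one host.
SAMPLE_EVENTS = [
    {"ts": 100.0, "pid": 4120, "kind": "process", "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": 100.5, "pid": 4120, "kind": "process", "cmd": "wbadmin.exe delete catalog -quiet"},
    {"ts": 103.0, "pid": 900, "kind": "rename",   # assumed benign: an editor saving one backup copy
     "old": r"C:\Users\a\notes.txt", "new": r"C:\Users\a\notes.bak"},
] + [  # five documents replaced under a new extension within two seconds by the same process
    {"ts": 101.0 + 0.4 * i, "pid": 4120, "kind": "rename",
     "old": rf"C:\Users\a\Documents\doc{i}.docx",
     "new": rf"C:\Users\a\Documents\doc{i}.docx.locked"}
    for i in range(5)
]

# Command lines that remove Volume Shadow Copies or the Windows backup catalog.
SHADOW_COPY_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
]


def detect_shadow_copy_deletion(events):
    """Return (pid, cmd) for every process-creation event matching a shadow-copy deletion pattern."""
    return [(ev["pid"], ev["cmd"]) for ev in events
            if ev["kind"] == "process"
            and any(p.search(ev["cmd"]) for p in SHADOW_COPY_PATTERNS)]


def detect_rename_burst(events, threshold=5, window=30.0):
    """Return (pid, new_ext, count) when one process renames `threshold` or more files
    to the same new extension within `window` seconds (mass-encryption behaviour)."""
    per_key = defaultdict(list)  # (pid, new extension) -> timestamps
    for ev in (e for e in events if e["kind"] == "rename"):
        old_ext = ev["old"].rsplit(".", 1)[-1].lower()
        new_ext = ev["new"].rsplit(".", 1)[-1].lower()
        if new_ext != old_ext:  # extension changed, as when an encrypted copy replaces the original
            per_key[(ev["pid"], new_ext)].append(ev["ts"])
    alerts = []
    for (pid, ext), times in per_key.items():
        times.sort()
        for i in range(len(times) - threshold + 1):  # sliding window over sorted timestamps
            if times[i + threshold - 1] - times[i] <= window:
                alerts.append((pid, ext, threshold))
                break
    return alerts
```

Run on the sample, the first detector reports both snapshot-deletion commands from pid 4120 and the second reports the same process for five `.locked` renames, while the single benign `.txt` to `.bak` rename from pid 900 stays silent.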
