Ransomware has undergone a profound transformation. What began as relatively unsophisticated malware that encrypted files and demanded payment to restore access has evolved into a sophisticated criminal enterprise — one that threatens critical infrastructure, holds sensitive data hostage, and generates billions in revenue each year.

In 2025, organisations facing ransomware are not just fighting to recover their files. They are managing data breach disclosures, extortion threats, regulatory investigations, and reputational damage — all simultaneously, and often with only hours of warning.

  • $1.1B in ransomware payments globally in 2023 — a record high
  • 22 days average downtime following a ransomware attack
  • 76% of ransomware victims were targeted multiple times within 12 months

The Evolution: From Simple Encryption to Triple Extortion

First-generation ransomware was blunt. Malware would encrypt files on a local machine and demand payment — often in Bitcoin — to a hardcoded wallet. Many variants were defeated by restoring from backup. Criminals responded by evolving.

Double Extortion (2019–present)

Before encrypting data, attackers began exfiltrating a copy. Victims who thought they could restore from backup now faced a second threat: their data would be published on a "leak site" unless they paid. Suddenly, having good backups was no longer sufficient. The threat was no longer just about recovery — it was about confidentiality.

Triple Extortion (2021–present)

The next evolution added a third pressure point: contacting the victim's customers, partners, or regulators directly. Healthcare providers received calls informing them that patient records had been stolen. Law firms received threats that privileged client communications would be released. The extortion extended far beyond the original victim organisation.

Ransomware-as-a-Service (RaaS)

The most significant structural change has been the professionalisation of ransomware through affiliate models. Criminal groups such as LockBit, BlackCat (ALPHV), and Cl0p operate sophisticated platforms where affiliates — who carry out the actual attacks — pay a percentage of ransom proceeds back to the developers. This has dramatically lowered the barrier to entry and massively scaled the volume of attacks worldwide.

"Ransomware groups now have customer service portals, negotiation teams, and PR departments. They operate like legitimate software businesses — except their product is extortion."

The Australian Ransomware Landscape

Australia has been disproportionately targeted by ransomware gangs. The ACSC's Annual Cyber Threat Report consistently identifies ransomware as the most financially damaging cybercrime type facing Australian organisations. High-profile incidents affecting Medibank, Optus, and several government agencies have demonstrated that no sector is immune.

The Australian Government's ransomware action plan discourages — though does not prohibit — the payment of ransoms, recognising that payment funds further criminal activity without guaranteeing data recovery or preventing future attacks.

[Image: Security analyst responding to incident] Incident response to ransomware requires coordinated action across technical, legal, and communications teams.
⚠ Most Common Ransomware Entry Points
  • Phishing emails with malicious attachments or links — responsible for over 40% of ransomware incidents
  • Exploited vulnerabilities in internet-facing systems such as VPNs, RDP, and unpatched software
  • Compromised credentials purchased from initial access brokers on dark web markets
  • Supply chain compromise through trusted third-party software or service providers
  • Malvertising and drive-by downloads targeting unpatched browsers and plugins

Building Ransomware Resilience

Ransomware resilience requires both prevention — reducing the likelihood of a successful attack — and recovery capabilities that allow rapid restoration with minimal data loss.

✓ Ransomware Defence Checklist
  • Immutable backups: Maintain offline or air-gapped backups that ransomware cannot reach and encrypt — and test restoration regularly
  • Patch management: Prioritise patching of internet-facing systems and known exploited vulnerabilities within 48 hours of disclosure
  • Email security: Deploy advanced email filtering with sandboxing to detonate suspicious attachments before delivery
  • Endpoint detection and response (EDR): Deploy EDR on all endpoints to detect and halt ransomware behaviour before encryption begins
  • Network segmentation: Prevent lateral movement by segmenting networks so ransomware cannot spread across the entire environment
  • Incident response plan: Maintain and regularly test a ransomware-specific IR plan including communications, legal, and ransom decision protocols
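As an added illustration of the checklist's EDR item (this is example code, not code from the article or from SISTMR), the Python below applies the kind of file-system heuristics an EDR uses to spot encryption in progress: a burst of renames to one new extension inside a short window, and any touch of a planted canary file. The events, process names, paths and canary location are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import os

# Constructed sample telemetry: (ISO timestamp, process, operation, path).
# A benign editor touches one file; a hypothetical process mass-renames
# documents to a single new extension and then touches the canary file.
SAMPLE_EVENTS = [
    ("2025-01-10T09:00:00", "winword.exe", "write", "C:/Users/a/Docs/report.docx"),
    ("2025-01-10T09:00:01", "winword.exe", "rename", "C:/Users/a/Docs/report.docx"),
] + [
    ("2025-01-10T09:00:%02d" % (5 + i), "updater.exe", "rename",
     "C:/Users/a/Docs/file%d.docx.lck9" % i) for i in range(40)
] + [
    ("2025-01-10T09:00:50", "updater.exe", "write", "C:/Users/a/Docs/~canary.docx"),
]

# Decoy file a defender plants so that only mass encryption touches it (constructed path).
CANARY_PATHS = {"C:/Users/a/Docs/~canary.docx"}


def score_processes(events, window=timedelta(seconds=60), rename_threshold=20):
    """Return {process: [reasons]} for processes whose file activity inside a
    sliding time window looks like ransomware encrypting documents."""
    by_proc = defaultdict(list)
    for ts, proc, op, path in events:
        by_proc[proc].append((datetime.fromisoformat(ts), op, path))

    verdicts = {}
    for proc, evs in by_proc.items():
        evs.sort()
        reasons = set()
        start = 0
        for end in range(len(evs)):
            # Advance the window start so evs[start:end+1] spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            renamed = [p for _, op, p in win if op == "rename"]
            new_exts = {os.path.splitext(p)[1].lower() for p in renamed}
            # Many files renamed to one unfamiliar extension is the classic encryption signature.
            if len(renamed) >= rename_threshold and len(new_exts) == 1:
                reasons.add("mass rename to single extension %s" % next(iter(new_exts)))
            if any(p in CANARY_PATHS for _, _, p in win):
                reasons.add("canary file touched")
        if reasons:
            verdicts[proc] = sorted(reasons)
    return verdicts
```

In a real deployment the verdict would feed an automated response (suspend the process, isolate the host) rather than just a report, and thresholds would be tuned against the organisation's normal file activity.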

Should You Pay? The Hard Question

The decision to pay a ransom is never simple. Payment may be the fastest path to restoring operations, but it funds criminal enterprises, does not guarantee data recovery or deletion, may trigger legal issues (paying sanctioned entities), and marks the organisation as a willing payer — potentially increasing future targeting.

Most cybersecurity authorities, including the ACSC, FBI, and Europol, advise against payment. The best approach is to never be in a position where payment is the only viable option — which requires sustained investment in prevention, detection, and recovery capabilities before an attack occurs.

SISTMR Editorial Team
Cybersecurity Researchers · SISTMR Australia

Our certified professionals produce practical, expert-reviewed cybersecurity content for students and practitioners across Australia.