In 2013, CryptoLocker encrypted files with RSA-2048 and demanded $300 in Bitcoin. It was crude, opportunistic, and targeted individuals. A decade later, a single ransomware operation — Cl0p’s MOVEit campaign — compromised over 2,500 organizations simultaneously without deploying a single piece of traditional malware.
The gap between those two points is not just technological evolution. It is the story of how criminal operations adopted nation-state tradecraft, Silicon Valley product management, and industrial-scale economics. Understanding how ransomware became this powerful is the prerequisite for understanding where it can be stopped.
Generation 1: The Spray-and-Pray Era (2013–2016)
The first generation was simple: mass-distribute a binary via email attachments or exploit kits, encrypt everything on the local disk, demand a few hundred dollars in Bitcoin.
Technical profile:
- Single-stage binary — no persistence, no lateral movement
- Full-file encryption with RSA + AES
- Payment via Bitcoin to a hardcoded wallet
- No data exfiltration — encryption was the only leverage
- Distribution via Angler/RIG exploit kits and malspam
Why it worked: Most organizations had no endpoint detection beyond signature-based antivirus, no backup strategy beyond network shares (which also got encrypted), and no incident response capability.
Why it plateaued: The ransom amounts were low ($300–$2,000), and the spray-and-pray model had no way to price-discriminate between a home user and a hospital. The economics hit a ceiling.
Generation 2: Big Game Hunting (2017–2020)
The inflection point was the realization that a hospital, a law firm, or a manufacturer would pay $500,000 to get their operations back — but only if the attacker could actually compromise the entire network, not just one workstation.
This required a fundamental shift: ransomware operators needed to think like penetration testers.
The Human-Operated Model
Instead of automated spray campaigns, operators began conducting hands-on-keyboard intrusions. The playbook borrowed directly from red team methodology:
- Buy initial access from an IAB or phish a single employee
- Establish persistence (Cobalt Strike beacon, custom implant)
- Enumerate Active Directory with BloodHound
- Harvest credentials (LSASS dump, Kerberoasting, DCSync)
- Move laterally to the domain controller
- Disable security tools
- Deploy the encryptor to every machine simultaneously via GPO or PsExec
This is not malware behavior. This is a penetration test with a destructive payload at the end. The dwell time was typically 5–14 days — long enough to map the network, identify backups, and position for maximum impact.
Ryuk and the Proof of Concept
Ryuk (2018–2021) proved the big-game-hunting model. Operated by the Wizard Spider group, Ryuk was manually deployed after Trickbot or BazarLoader established initial access. Average ransom: $1.5 million. Total estimated revenue: over $150 million in 18 months.
The lesson for every other criminal group was clear: targeted intrusions pay orders of magnitude more than mass campaigns.
Generation 3: Ransomware-as-a-Service and Double Extortion (2020–2023)
The next evolution was organizational, not technical. If human-operated intrusions are the highest-ROI model, but require specialized skills, the answer is franchising.
The RaaS Platform
RaaS operators built affiliate portals that rivaled legitimate SaaS products:
- Payload builder — affiliates configure the encryptor: target OS, encryption mode, file extension, ransom note, exclusion paths
- Victim dashboard — real-time status of each intrusion: encryption progress, exfiltration volume, negotiation state
- Negotiation chat — Tor-hosted portal where victims negotiate directly, with the operator’s team providing “customer support”
- Leak blog — public shame site with countdown timers, data previews, and search functionality
Revenue split: 70–80% to the affiliate who conducts the intrusion, 20–30% to the platform operator.
LockBit became the dominant franchise (2021–2024) by offering the fastest encryptor on the market, a bug bounty program for its own malware, and aggressive marketing on dark-web forums. At its peak, LockBit had over 100 active affiliates and was responsible for roughly 30% of all ransomware incidents globally.
Double Extortion as Standard
The critical innovation: steal the data before encrypting it.
Before 2020, organizations with good backups could simply restore and refuse to pay. Double extortion eliminated that option. Even if you restore from backup, the attacker still holds your customer data, financial records, employee PII, and intellectual property.
The threat model shifted from “pay to get your files back” to “pay or we publish your secrets.” This is fundamentally harder to defend against because the damage is reputational and regulatory, not just operational.
Maze group pioneered this in late 2019. By 2021, it was the default for every major operation.
Generation 4: The Current State (2024–2026)
The current generation represents the convergence of every previous innovation plus new technical capabilities that make detection and response dramatically harder.
Technique 1 — Intermittent Encryption
Traditional ransomware encrypts entire files. This is slow (a 1TB filesystem takes hours) and creates a distinctive I/O pattern that modern EDR can detect: sustained sequential writes across thousands of files.
Intermittent encryption solves both problems. Instead of encrypting the full file, the encryptor processes only every Nth byte (typically every 16th or 32nd). The result:
- Speed: A 1TB filesystem encrypts in minutes, not hours. The attack completes before incident response can react.
- Stealth: The I/O pattern is less distinctive — lower sustained write throughput, fewer sequential operations.
- Effectiveness: The file is completely unusable despite only a fraction being modified. A JPEG with every 16th byte scrambled will not render. A database with every 16th byte corrupted will not open.
LockBit 3.0 and BlackCat/ALPHV both implemented intermittent encryption as a configurable option in their payload builders.
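Because intermittent encryption deliberately keeps write throughput low, a detection rule keyed on bytes written per second misses it while still firing on a legitimate backup job. The following is an added example, not code from the article or from any vendor: it runs a throughput rule and a throughput-independent rule (distinct files modified per process per window, plus a planted canary file) over constructed endpoint file-write telemetry. The pids, share paths and the `~canary` naming convention are assumptions made for the example.

```python
from collections import defaultdict

# Constructed file-write telemetry, one tuple per write observed by an endpoint agent:
# (timestamp_s, pid, path, bytes_written). Hosts, paths and pids are made up.
def build_events():
    events = []
    # pid 4242 behaves like an intermittent encryptor: it touches 300 files in ten seconds
    # but writes only 4 KiB to each (1/16 of a 64 KiB file), so its throughput is tiny.
    for i in range(300):
        events.append((100.0 + i / 30, 4242, rf"\\fs01\share\docs\report_{i}.docx", 4096))
    # ...and it also touches a planted canary file that no user or job should ever modify.
    events.append((105.0, 4242, r"\\fs01\share\docs\~canary_do_not_open.xlsx", 4096))
    # pid 900 is a legitimate backup job: two 50 MiB files, very high throughput.
    events.append((100.0, 900, r"\\fs01\share\backup\vol1.bak", 50 * 2**20))
    events.append((101.0, 900, r"\\fs01\share\backup\vol2.bak", 50 * 2**20))
    return events


def throughput_alerts(events, mib_per_s=5.0, window_s=10.0):
    """Legacy-style rule: alert on processes whose sustained write rate in a window
    exceeds mib_per_s. Returns a sorted list of offending pids."""
    written = defaultdict(int)
    for ts, pid, _path, nbytes in events:
        written[(pid, int(ts // window_s))] += nbytes
    return sorted({pid for (pid, _w), total in written.items()
                   if total / window_s > mib_per_s * 2**20})


def distinct_file_alerts(events, max_files=50, window_s=10.0, canary_markers=("~canary",)):
    """Throughput-independent rule: count distinct files modified per process per window,
    and alert immediately on any write to a canary file. Returns {pid: reason}."""
    touched = defaultdict(set)
    alerts = {}
    for ts, pid, path, _nbytes in events:
        if any(marker in path.lower() for marker in canary_markers):
            alerts[pid] = f"canary file modified: {path}"
        touched[(pid, int(ts // window_s))].add(path)
    for (pid, _w), files in touched.items():
        if len(files) > max_files:
            alerts.setdefault(pid, f"{len(files)} distinct files modified in {window_s:.0f}s")
    return alerts


if __name__ == "__main__":
    evts = build_events()
    print("throughput rule flags pids:", throughput_alerts(evts))      # only the backup job
    print("distinct-file rule flags:", distinct_file_alerts(evts))     # only the encryptor
```

The throughput rule flags the backup job (pid 900) and never sees the encryptor; the distinct-file rule flags the encryptor on both the canary write and the file count while leaving the backup job alone. The `max_files` threshold should be baselined per host role, since build servers and indexers legitimately touch many files quickly.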
Technique 2 — EDR Killers and BYOVD
Modern EDR (CrowdStrike, SentinelOne, Microsoft Defender for Endpoint) is the primary obstacle to ransomware deployment. Affiliates have responded with dedicated EDR-killing tools.
Bring Your Own Vulnerable Driver (BYOVD): The attacker loads a signed but vulnerable kernel driver — a legitimate driver from a hardware vendor that contains an exploitable flaw. Because the driver is signed, Windows loads it without complaint. The attacker then exploits the vulnerability to gain kernel-level access and terminate EDR processes from ring 0.
Commonly abused drivers:
- procexp.sys — Process Explorer (signed by Microsoft)
- gdrv.sys — Gigabyte motherboard utility
- dbutil_2_3.sys — Dell BIOS utility
- asio.sys — ASUS overclocking utility
Tools like Terminator, Backstab, and AuKill automate this process: drop the vulnerable driver, load it, exploit it, kill every security process on the endpoint.
Why this is devastating: EDR cannot protect itself against kernel-level attacks. Once the driver is loaded and the EDR process is terminated, the endpoint is blind. All subsequent actions — credential theft, lateral movement, encryption — happen without any telemetry being generated.
Defensive response: Microsoft’s HVCI (Hypervisor-protected Code Integrity) and a strict vulnerable driver blocklist are the primary mitigations. Organizations must maintain and enforce a blocklist of known-vulnerable drivers via WDAC policy.
Technique 3 — ESXi Targeting
A single ESXi hypervisor typically runs 20–50 virtual machines. Encrypting the VMDK files on the hypervisor is vastly more efficient than encrypting each guest OS individually.
Modern ransomware families include dedicated Linux/ESXi variants:
- SSH to the ESXi host using stolen vCenter credentials
- Kill all running VMs (`esxcli vm process kill --type=force`)
- Encrypt the `.vmdk`, `.vmx`, and `.vswp` files on the datastore
- Drop a ransom note
The entire virtualized infrastructure — domain controllers, file servers, application servers, databases — goes down in a single coordinated action. Recovery requires rebuilding from backup, which most organizations have never actually tested at scale.
Technique 4 — Living-Off-the-Land Progression
Modern affiliates minimize their use of custom malware. Instead, they chain legitimate system tools:
| Stage | Tool | Purpose |
|---|---|---|
| Reconnaissance | nltest, net group, dsquery | AD enumeration without BloodHound |
| Credential access | comsvcs.dll via rundll32 | LSASS memory dump |
| Lateral movement | mstsc.exe, wmic, PsExec | RDP, WMI execution, remote service creation |
| Staging | 7z.exe, rclone.exe | Compress and exfiltrate data |
| Defense evasion | reg.exe, sc.exe | Disable Defender, modify services |
| Impact | vssadmin, wbadmin, bcdedit | Delete shadows, disable recovery |
Every tool in this chain is a signed, legitimate binary that exists on every Windows system. There is no malware to detect — only behavioral anomalies in how legitimate tools are used.
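Since no single row of that table is malicious on its own, the detection has to be the combination: several stages on one host inside one window, or any impact-stage command at all. The following is an added example, not code from the article or from any EDR or SIEM product: it maps constructed process-creation events (image path plus command line, as Sysmon or an EDR would record them) onto the stages in the table and correlates them per host. Host names, paths and the `remote:staging` rclone target are constructed; the substring rules are a deliberately small illustration, not a complete rule set.

```python
from collections import defaultdict

# Substring rules per stage of the table above; every needle in a tuple must appear in
# the lower-cased "image cmdline" string. Plain RDP (mstsc.exe) is deliberately not a
# rule on its own: it is far too common, and belongs with jump-server allowlisting instead.
RULES = {
    "reconnaissance": [("nltest.exe", "/dclist"), ("nltest.exe", "/domain_trusts"),
                       ("net.exe", " group ", "domain admins"), ("dsquery.exe",)],
    "credential_access": [("rundll32.exe", "comsvcs.dll", "minidump")],
    "lateral_movement": [("psexec.exe",), ("wmic.exe", "/node:", "process call create")],
    "staging": [("rclone.exe",), ("7z.exe", " a ")],
    "defense_evasion": [("sc.exe", " stop ", "windefend"), ("reg.exe", "disableantispyware")],
    "impact": [("vssadmin.exe", "delete shadows"), ("wbadmin.exe", "delete catalog"),
               ("bcdedit.exe", "recoveryenabled no")],
}

# Constructed process-creation events. The first host shows the chain from the table;
# the second is an administrator running one enumeration command.
EVENTS = [
    {"ts": 0,    "host": "SRV-FILE-02", "image": r"C:\Windows\System32\nltest.exe",
     "cmdline": "nltest /dclist:corp"},
    {"ts": 120,  "host": "SRV-FILE-02", "image": r"C:\Windows\System32\net.exe",
     "cmdline": 'net group "Domain Admins" /domain'},
    {"ts": 900,  "host": "SRV-FILE-02", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 652 C:\Temp\l.dmp full"},
    {"ts": 3600, "host": "SRV-FILE-02", "image": r"C:\Temp\7z.exe",
     "cmdline": r"7z.exe a C:\Temp\hr.7z D:\Shares\HR"},
    {"ts": 4000, "host": "SRV-FILE-02", "image": r"C:\Temp\rclone.exe",
     "cmdline": r"rclone.exe copy C:\Temp\hr.7z remote:staging"},
    {"ts": 7000, "host": "SRV-FILE-02", "image": r"C:\Windows\System32\sc.exe",
     "cmdline": "sc stop WinDefend"},
    {"ts": 7200, "host": "SRV-FILE-02", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"ts": 50,   "host": "WS-IT-03", "image": r"C:\Windows\System32\nltest.exe",
     "cmdline": "nltest /dclist:corp"},
]


def classify_event(image, cmdline):
    """Return the first stage whose rule matches this process creation, or None."""
    text = f"{image} {cmdline}".lower()
    for stage, patterns in RULES.items():
        if any(all(needle in text for needle in needles) for needles in patterns):
            return stage
    return None


def correlate(events, window_s=24 * 3600, min_stages=3):
    """Per host, collect stage hits within window_s of the first hit. An impact-stage
    hit is critical on its own; otherwise alert once min_stages distinct stages appear,
    which is the 'legitimate tools, anomalous combination' signal."""
    hits = defaultdict(list)
    for ev in events:
        stage = classify_event(ev["image"], ev["cmdline"])
        if stage:
            hits[ev["host"]].append((ev["ts"], stage))

    findings = {}
    for host, seq in hits.items():
        seq.sort()
        start = seq[0][0]
        stages = sorted({stage for ts, stage in seq if ts - start <= window_s})
        if "impact" in stages:
            findings[host] = {"severity": "critical", "stages": stages}
        elif len(stages) >= min_stages:
            findings[host] = {"severity": "high", "stages": stages}
    return findings


if __name__ == "__main__":
    for host, finding in correlate(EVENTS).items():
        print(host, finding)
```

On the constructed data SRV-FILE-02 is critical with five of the six stages present (no lateral-movement hit, since the chain ran on the file server itself), and WS-IT-03 stays quiet because one reconnaissance command is routine administration. In practice the per-host window and `min_stages` are tuned against a baseline of what the administrators actually run.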
Technique 5 — Supply Chain as Initial Access
The highest-evolution affiliates no longer phish. They compromise a single software vendor or managed service provider and gain simultaneous access to hundreds of downstream victims.
The economics are transformative:
- Traditional model: 1 intrusion → 1 victim → 1 ransom
- Supply chain model: 1 intrusion → 500 victims → 500 ransoms (or mass exfiltration for extortion without encryption)
Cl0p’s exploitation of MOVEit (CVE-2023-34362) is the defining example: a SQL injection in a file-transfer platform yielded data from over 2,500 organizations. No ransomware was deployed — pure data theft and extortion. Estimated damage: over $10 billion across all affected organizations.
Technique 6 — Triple and Quadruple Extortion
The extortion model has expanded beyond encryption and data leak:
- Encrypt production systems
- Exfiltrate and threaten to publish sensitive data
- DDoS the victim’s public-facing infrastructure during negotiation to increase pressure
- Contact the victim’s customers, partners, regulators, and journalists directly — informing them of the breach and the stolen data
Each layer adds leverage. An organization that might resist paying for decryption often pays when its customers start receiving emails saying “your personal data was stolen from [company] and they are refusing to protect it.”
Why Traditional Defenses Fail
The power of modern ransomware comes from the combination of these techniques, not any single one:
- Antivirus fails because there is no malware to detect — only legitimate tools used maliciously.
- Firewalls fail because the attacker enters through valid credentials on a VPN or through a compromised software update.
- Backups fail because the attacker deletes them before encrypting, or because the data exfiltration makes backup-based recovery irrelevant to the extortion.
- EDR fails because the attacker kills it from kernel level before deploying the payload.
- Network segmentation fails because Active Directory is the de facto flat network — Domain Admin credentials reach everything.
No single control addresses the full kill chain. The organizations that survive are the ones that implement defense in depth with the assumption that every individual layer will be bypassed.
Where the Chain Can Be Broken
Despite the sophistication, every ransomware operation depends on a sequence of steps that each present a detection and prevention opportunity:
Initial access: Patch edge devices within 48 hours. Enforce phishing-resistant MFA (FIDO2) on all external entry points. Monitor dark-web markets for stolen credentials containing your domain.
Credential boundary: Deploy Credential Guard to protect LSASS. Enforce AES Kerberos and monitor for RC4 TGS requests (Kerberoasting). Tier administrative accounts — Domain Admin credentials must never touch a workstation.
Lateral movement: Implement real network segmentation with east-west monitoring. Deploy honeytokens and canary files that alert on access. Restrict RDP to jump servers with session recording.
Defense evasion: Enforce HVCI and maintain a BYOVD driver blocklist. Monitor for EDR agent health — if the agent goes silent, treat it as a P1 alert.
Exfiltration: Monitor for anomalous outbound data volumes. Restrict rclone, megasync, and similar tools via application control. Alert on compression utilities executing on servers.
Impact: Maintain immutable, air-gapped backups. Test restoration quarterly — an untested backup is not a backup. Segment the backup infrastructure from the production AD domain.
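The credential-boundary step above calls for monitoring RC4 service-ticket requests, which is the signal Kerberoasting leaves in Windows Security event 4769. The following is an added example, not code from the article or from Microsoft: it parses constructed 4769 records (flattened to one key=value line each) and flags accounts that request RC4 (encryption type 0x17) service tickets for many distinct SPN-bearing service accounts inside a short window. The user names, service accounts, addresses and the key=value line format are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed Windows Security event 4769 records (Kerberos service ticket requested),
# flattened to one key=value line each. TicketEncryptionType 0x17 is RC4-HMAC,
# 0x12 is AES256. Users, service accounts, addresses and timestamps are made up.
LOG_LINES = [
    # jdoe: a normal AES ticket for a SQL service
    "EventID=4769 TargetUserName=jdoe@CORP.LOCAL ServiceName=svc_sql "
    "TicketEncryptionType=0x12 IpAddress=10.1.20.15 Time=1710000000",
    # legacyapp: a single RC4 ticket for a known legacy dependency, below the burst threshold
    "EventID=4769 TargetUserName=legacyapp@CORP.LOCAL ServiceName=svc_print "
    "TicketEncryptionType=0x17 IpAddress=10.1.30.9 Time=1710000010",
    # WS01$: a machine account requesting a host ticket (service name ends in $)
    "EventID=4769 TargetUserName=WS01$@CORP.LOCAL ServiceName=FS01$ "
    "TicketEncryptionType=0x17 IpAddress=10.1.20.40 Time=1710000020",
    # r.miller: six RC4 tickets for six different service accounts inside one minute
    *(f"EventID=4769 TargetUserName=r.miller@CORP.LOCAL ServiceName={svc} "
      f"TicketEncryptionType=0x17 IpAddress=10.1.20.55 Time={1710000100 + i * 8}"
      for i, svc in enumerate(["svc_sql", "svc_web", "svc_backup",
                               "svc_sharepoint", "svc_exchange", "svc_reporting"])),
]


def parse_event(line):
    """Turn a key=value line into a dict (values carry no whitespace in this format)."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def rc4_tgs_alerts(lines, window_s=300, min_services=5):
    """Flag accounts that request RC4 (0x17) service tickets for at least min_services
    distinct service accounts within window_s seconds. Returns {user: details}."""
    rc4_by_user = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4769" or ev.get("TicketEncryptionType", "").lower() != "0x17":
            continue
        svc = ev["ServiceName"]
        # Host tickets for computer accounts and krbtgt requests are not the user-account
        # SPNs that Kerberoasting goes after; skipping them keeps the rule quiet.
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        rc4_by_user[ev["TargetUserName"]].append((int(ev["Time"]), svc, ev["IpAddress"]))

    alerts = {}
    for user, requests in rc4_by_user.items():
        requests.sort()
        for i, (t0, _svc, ip) in enumerate(requests):
            services = sorted({svc for t, svc, _ip in requests[i:] if t - t0 <= window_s})
            if len(services) >= min_services:
                alerts[user] = {"services": services, "source_ip": ip, "window_start": t0}
                break
    return alerts


if __name__ == "__main__":
    for user, details in rc4_tgs_alerts(LOG_LINES).items():
        print(f"possible Kerberoasting by {user} from {details['source_ip']}: "
              f"{len(details['services'])} RC4 service tickets")
```

On the constructed lines only r.miller is reported; the lone legacy RC4 request and the machine-account ticket stay below the rule. Once AES is enforced domain-wide, any remaining 0x17 request is itself the anomaly and `min_services` can drop to 1, with the legacy exceptions handled as an explicit allowlist rather than a threshold.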
Conclusion
Ransomware did not become powerful through a single innovation. It became powerful through the systematic adoption of every available advantage: nation-state exploitation techniques, legitimate system tool abuse, kernel-level security subversion, industrial economics via franchising, and multi-layered psychological extortion.
The question is no longer “will we be targeted?” — it is “when we are compromised, how quickly can we detect, contain, and recover?” The organizations that answer that question before the intrusion are the ones that survive it.