Over the years, ransomware has evolved into one of the most pervasive and damaging forms of cybercrime. At its core, ransomware works by locking or encrypting computer systems and critical data, typically through the use of both symmetric and asymmetric encryption algorithms, before demanding a ransom payment in exchange for restoring access. Initially, these attacks were often perceived as relatively unsophisticated acts of digital vandalism carried out by opportunistic cybercriminals. Victims were directed to make payments through methods such as sending SMS text messages, mailing pre-paid cards, or calling a premium-rate telephone number. Since then, however, the threat landscape has changed significantly: ransomware has matured into a highly organised and profitable criminal enterprise.
One of the most striking developments in this evolution is the rise of Ransomware-as-a-Service (RaaS), a model that mirrors legitimate software-as-a-service businesses. Under RaaS schemes, skilled developers create and maintain ransomware tools, while other criminals, sometimes with minimal technical expertise, purchase or lease these tools to launch their own attacks. This professionalisation of cybercrime has lowered the barrier to entry for new actors, expanded the scale of operations, and multiplied the frequency of attacks worldwide. At the same time, the as-a-service paradigm enables various ransomware strains to adopt similar mechanisms for malware creation, distribution, ransom collection, and money laundering. This allows the ransomware provider to speed up the mass production of new strains while enabling those who sign up for the service to rely on an innovative system based on a solid and proven modus operandi. This coordinated methodology, in which affiliates operate under guidance provided by core developers or manuals, further increases the professionalisation of cybercrime and thus contributes to the repeatability and effectiveness of attacks on different targets.
The 2023 Internet Organised Crime Threat Assessment (IOCTA) published by Europol highlights how the proliferation of cybercrime services, such as RaaS, has fostered an interconnected underground economy. This ecosystem has not only attracted a larger number of criminal participants but also increased the overall effectiveness and resilience of their operations. As a result, ransomware has transitioned from being a niche threat into a central pillar of the modern cybercrime economy—fueling both financial gain for criminals and significant economic, social, and security risks for governments, organisations, and individuals across the globe.
Ransomware attacks have also changed their primary targets: starting from ordinary end-users, they have expanded to compromise governments, banks, schools, and critical infrastructure such as hospitals and energy plants. Furthermore, with the advent of cryptocurrencies, we witnessed the first large-scale outbreak of ransomware. In fact, by promoting decentralisation and anonymity (or pseudo-anonymity in some cases), these digital assets have created an ideal environment for the ransomware business.

Figure 1: A small list of major ransomware attacks over the past decade
The ENSEMBLE project

ENSEMBLE aims to provide a well-rounded response in the fight against (cross-border) cybercriminal activities, at the nexus of advanced AI-based technological solutions, (multi-stakeholder) investigation processes, training, and awareness, in order to detect and prevent cybercrime-related activities, with a particular focus (among others) on ransomware. Among its tasks, the project will focus on identifying the different steps and processes related to malware and ransomware attacks, from their deployment and spreading to infection and ransom payments. This full-chain event analysis aims to reconstruct the tactics, techniques and procedures (TTPs) used to infiltrate and compromise computer systems, as well as to understand the consequences. To this end, innovative AI-based tools will be developed to correlate incident data and to predict and anticipate threat actor behaviours.
By leveraging these methods and tools, the ENSEMBLE project aims to enhance investigative insights and to generate an intelligence framework capable of quickly detecting and extracting comprehensive information about the modus operandi of ransomware criminals.
Written by Dr. Francesco Zola from VICOMTECH