From infiltration to intimidation: The new age of ransomware

Ransomware attacks have become one of the most pressing cybersecurity threats facing individuals, businesses, and even governments around the world. These attacks typically involve a hacker gaining access to a system, encrypting the victim’s files, and demanding a ransom to unlock them. But in recent years, the nature of ransomware attacks has evolved. What once ended with a payment—or a refusal to pay—now often extends into a longer, more complex process involving data leaks, reputational damage, and continued pressure from those behind the attack.

A ransomware attack usually begins with a seemingly small breach: a phishing email that tricks an employee into clicking a malicious link or downloading an infected file, or an unpatched vulnerability in a system that gives attackers access. Once inside, the attacker may spend days or even weeks quietly navigating the network, identifying sensitive files and gathering credentials before launching the actual encryption phase. When the system is locked down, the attacker delivers a ransom note demanding payment in exchange for a decryption key.

However, this is no longer where the story ends. Increasingly, attackers engage in what’s called "double extortion." In addition to encrypting the victim’s files, they also steal a copy of the data. If the ransom is not paid, they threaten to leak this information online. In some cases, they follow through with their threats, releasing customer information, business contracts, or internal communications in stages. This creates further pressure on the victim to reconsider their refusal to pay.

There have even been instances of “triple extortion,” where the attackers contact clients, business partners, or media outlets directly, attempting to publicly embarrass the victim and inflict reputational harm. In some cases, other actors—possibly affiliated with the original hacker—join in, amplifying the pressure through social media, blogs, or email campaigns. This layered approach keeps the victim under stress long after the initial ransom demand is made.

While large corporations and public institutions often make headlines when they fall victim to ransomware, attackers are increasingly shifting their focus toward small and medium-sized businesses, as well as individuals. These targets typically lack the sophisticated cybersecurity infrastructure and dedicated IT teams that larger organisations have, making them easier to breach. For many small enterprises, a successful ransomware attack can be devastating—disrupting operations, compromising customer trust, and leading to financial losses that are difficult to recover from. Individuals, too, can become victims, particularly through personal devices that are inadequately protected or by falling for phishing emails that mimic trusted sources.

This widening scope of attack means that cybersecurity is no longer just a concern for big business; it’s a shared responsibility for anyone with a digital presence.

To safeguard against ransomware, organisations and individuals can adopt several proactive measures. Regularly updating software and systems ensures that known vulnerabilities are patched, reducing potential entry points for attackers. Implementing strong password policies and multi-factor authentication adds layers of security, making unauthorised access more difficult. Employee training is also crucial; educating staff about phishing tactics and safe online practices can prevent inadvertent breaches. Maintaining secure, offline backups of critical data ensures that, in the event of an attack, systems can be restored without yielding to ransom demands. Additionally, developing and routinely updating an incident response plan allows organisations to react swiftly and effectively, minimising potential damage.

The impact of ransomware is truly global. In 2024 alone, organisations across more than 100 countries reported attacks, with sectors like business services, education, healthcare, and retail among the most frequently targeted. To address these risks, Sri Lanka has implemented key pieces of legislation such as the Computer Crimes Act No. 24 of 2007, which criminalises unauthorised access and data theft, while Institutions like the Sri Lanka CERT (Computer Emergency Readiness Team) and FinCSIRT provide guidance and respond to incidents. Nevertheless, a broader awareness of how ransomware attacks unfold and stronger measures to protect victims of such attacks is needed to strengthen national resilience as we embrace the digital age.