Over the past 18 months, the Sophos Rapid Response team has been called in to investigate and remediate hundreds of cases involving ransomware attacks. Ransomware isn’t new, of course, but there have been significant changes to the ransomware landscape over this period: the targets have shifted to ever-larger organizations, and the business model that dictates the mechanics of how attacks transpire has shifted.

The biggest change Sophos observed is the shift from “vertically oriented” threat actors, who make and then attack organizations using their own bespoke ransomware, to a model in which one group builds the ransomware and then leases the use of that ransomware out to specialists in the kind of virtual breaking- and-entering that requires a distinct skill set from that of ransomware creators. This ransomware-as-a- service (or RaaS) model has changed the landscape in ways we couldn’t predict.