The Evolution of Ransomware & How to Stop It

Ransomware attacks have become increasingly sophisticated, personalized and targeted. In this guest article, Citrix explores how enterprises can evolve their security to protect themselves. 

The last two years have seen tons of exciting changes in the way we work, including the rapid adoption of hybrid work models and flexible technology designed to empower distributed workers. However, this evolution has also seen a corresponding evolution in cybersecurity threats, especially those that target remote and hybrid workers. Ransomware attacks have emerged as a serious risk to organizations of all sizes, with the average cost of a ransomware breach reaching $4.62 million.

For your IT and security teams to keep pace with the latest ransomware attacks, it’s essential to know how ransomware has evolved and what you need to do to protect your organization. In this interview with Citrix Chief Security Strategist Kurt Roemer, you will learn why ransomware has become a bigger threat, the new tactics bad actors are using to target your distributed workforce, and how your organization can best protect sensitive data from sophisticated ransomware-as-a-service attacks.

Why Ransomware Attacks Are Worse Than Ever

Q: In your view, how are ransomware attacks today different than the past?

A: Ransomware attacks are worse now than they’ve ever been. There are several reasons, but the biggest is that ransomware attacks have become more personal and targeted. The bad guys used to cast a wide net by contacting hundreds of people at once to see if they could fool a few into giving them access to sensitive data. Today, bad actors are using social media and other publicly available information to go after specific individuals with high-level clearances and access privileges. That’s part of the reason we’ve seen so many ransomware attacks end up as international headlines.

Q: Yes, and recent attacks were both costly and highly disruptive. Why else has ransomware prevention gotten harder?

A: The big rise in people working from home has increased the attack surface dramatically. WFH employees don’t have the multi-layer protections of the corporate environment, like physical security, network security, and the social aspects that help security. It’s harder to ask a colleague, “Hey, does this email look weird?” in a hybrid environment. Remote workers also have a lot of devices on their network, like printers, thermostats, or game consoles that may not be patched often enough to ensure security. Bad actors are using these software and firmware vulnerabilities to target their ransomware. We now need patching to happen as quickly as possible when it used to be maybe once a month for critical security updates.

How New Ransomware Attacks Work

Q: So you’re saying the technology behind ransomware attacks has gotten both more sophisticated and easier to use?

A: Absolutely. One scary example is what’s known as “ransomware as a service.” Ransomware operators used to custom craft their messages and entry vehicles for a big audience, guessing where those potential victims would gather sensitive data and where they stored it. Now bad actors can actually go out and purchase ransomware-as-a-service kits, which offer a set of exploits along with email addresses (or a domain) along with pre-made ransomware messages and payloads that can be customized to achieve their objectives. It might sound absurd for hackers to buy specialized tools for specific targets, but the high amounts of money people will spend on a ransom sadly make these illegal investments worthwhile.

Q: Speaking of money, how has the rise of cryptocurrencies impacted the ransomware landscape?

A: A big reason for the popularity of cryptocurrencies is their anonymity—you can privately pay and receive funds outside of the regulated banking system. Because ransomware also relies on anonymity, cryptocurrencies are a common way for bad actors to demand and receive payment. And for companies caught in a desperate situation, you can imagine the temptation of quietly paying a crypto-based ransom and not telling anyone. However, if your ransomware attack is from a state-sponsored or banned group, paying the ransom could mean funding illegal activity—exposing your organization to significant consequences.

Have a plan for when targeted ransomware attacks happen, as mitigation of these risks is social and ethical, not just technical.

Kurt Roemer
Chief Security Strategist, Citrix


How to Protect Distributed Workers from Ransomware Attacks

Q: With all these serious ransomware threats in mind, how should organizations address these security risks and better protect their data?

A: The first step is definitely awareness. You need to track what’s going on in security news and how ransomware is changing. It’s gone from encrypting somebody’s local drive to encrypting networks and file shares to even going through and accessing cloud services. Ransomware has also turned into extortion in many cases, where they’ll look through your data and see if there’s something sensitive or embarrassing they can threaten to leak. So the next step is having a plan for when targeted ransomware attacks happen, as mitigation of these risks is social and ethical, not just technical. Your PR and communications team needs to ask: “If this were to happen, how do we handle this? How do we declare a disaster for this particular incident? How do we assign priorities to it?”

Q: That makes sense. Beyond these social plans, what are some technical best practices to prevent evolved ransomware from succeeding?

A: Educate your employees about ransomware, as compromised credentials were the most common attack vector in the last year. You also need to adopt zero trust to the nth degree, starting with your endpoints as that’s where most attackers get in. Make sure you’re patching devices and applications regularly, and implement EDR and SASE solutions to protect access to your network and cyber resources. These tools enable you to automate security for your workforce’s endpoints. There are also ransomware simulators available for you to test your resiliency to attacks and game out your response to a data breach. Above all, take ransomware seriously by having a tested plan to prevent and respond to it. Readiness enables you to act decisively instead of from a place of panic or fear.



Citrix provides technology that empowers organisations to unlock potential and deliver a better employee experience. Citrix’s goal is to give people the space to succeed and do their best work – wherever they are.
The Citrix platform brings intelligence, virtualisation, workspace and app delivery, a zero-trust security approach, and data analytics together in a seamless experience that fosters innovation, resilience, and business continuity. From enabling sustainable remote work models to streamlining the journey to multi-cloud, Citrix helps securely deliver how work gets done today and in the future.