20 Years of Modern Ransomware: from GPCode to Global Crisis

May 2025 marks 20 years since the modern ransomware era began. Back in 2005, the world welcomed the likes of YouTube, Google Maps, and Reddit: platforms that changed how we connect, navigate, and share. But while global digital connectivity was accelerating, GPCode, nicknamed the “$20 ransomware”, emerged as the first widely distributed ransomware strain to use strong RSA encryption. It signalled a seismic shift. What was once basic scareware had now evolved into a new era of cyber extortion: sophisticated, targeted, and ruthlessly monetised.

GPCode’s use of phishing was advanced for its time. It was often delivered via emails that mimicked legitimate business communications, a notable leap in deception tactics in 2005. Unlike earlier malware, which typically spread through simple mechanisms like infected floppy disks or email worms, GPCode employed targeted social engineering techniques to trick users into opening malicious attachments, dramatically increasing its success rate. Most significantly, it pioneered a now-familiar criminal model: holding encrypted data hostage for payment, effectively launching the business model of modern ransomware.

Two decades later, ransomware is no longer just a criminal nuisance. It’s a threat that can shut down hospitals, disrupt national retail networks, and jeopardise public safety. In April 2025, ransomware attacks hit major UK retailers, including Marks & Spencer and the Co-op, bringing logistics and payment systems grinding to a halt. It was a stark reminder of how fragile even the most robust commercial operations can be in the face of cybercrime.

But the threat isn’t just commercial. In June 2024, Synnovis, a pathology services provider to the NHS, was hit by a ransomware attack that forced the cancellation of over 1,100 surgeries and 2,100 outpatient appointments across London hospitals including Guy’s and St Thomas’, and King’s College Hospital. The attack, attributed to the Russia-linked Qilin group, demonstrates how ransomware has grown from a financial burden to a national security threat capable of directly impacting public health and safety.

And yet, despite its evolution, the fundamentals of ransomware remain largely unchanged. At its heart, ransomware is still about encryption and extortion. What’s changed is the scale, speed and sophistication with which ransomware can be distributed. Threat actors now leverage AI-generated phishing, ransomware-as-a-service, and exploit kits that let them operate at global scale, faster than ever before.

Interestingly, while attacks are up in recent years, ransom payments are down. In 2024, payments dropped by 35%, from US$1.25 billion (£1 billion) in 2023 to US$813.55 million (£650 million). This shift reflects stronger defences, better collaboration across law enforcement, and a growing reluctance among victims to give in. Even so, the broader disruption, reputational harm, and recovery costs continue to rise, often far outweighing the ransom itself.

As we look ahead, the next generation of cybersecurity professionals will be critical in building resilience to ransomware attempts. They’ll need to understand the evolution of threats like ransomware, and the systemic risk they now pose. Through initiatives like CIISec LIVE, and a commitment to education, standards, and community, CIISec helps ensure professionals across the field, whether on the front lines or shaping policy, are equipped to meet today’s challenges and those yet to come.

We’re 20 years into the ransomware era. The next 20 will demand even more collaboration, innovation, and resilience. From entry-level analysts to seasoned CISOs, every professional has a part to play. CIISec exists to ensure the cybersecurity community doesn’t just keep pace, but leads the response, sharing knowledge, shaping the profession, and helping it evolve.

Let’s keep that momentum going.
