It’s nearly 20 years since I first encountered ransomware as the security editor of an online computer magazine, although at the time I had no idea what it was and the term had not yet been coined to describe it.
A reader emailed me to describe how the main computer he used as part of his one-man accounting business was suddenly locked and all its files had “disappeared”. The clue that something unusual was going on was an on-screen message demanding $300 be paid to an E-Gold account in return for a password to unlock the files.
The cause of his woes was later named Cryzip, arguably the first modern ransomware in that it took the trouble to employ competent encryption using an AES Zip archive. At the time it struck me as indefensible, the perfect malware. But it never occurred to me for a second that this novel attack would one day evolve from targeting individuals who’d skipped antivirus to regularly victimizing the largest companies on earth with every resource at their disposal.
Lack of expertise
How did ransomware make the extraordinary jump from being a small, private problem to a threat to national and economic security? And why are even large organizations still struggling to contain it two decades later?
Various explanations present themselves, including the invention of cryptocurrency and a tendency of some victims to pay ransoms in a way that fuels future attacks. There are also technical issues, such as the targeting of software vulnerabilities, sophisticated social engineering tactics, and the dramatic expansion of the attack surface that criminals can aim at as companies invest in digital technologies.
Sophos’ recent report The State of Ransomware 2025 offers a slightly different perspective. While it agrees that all the above play their part, it also examines organizational factors baked into the way companies operate.
When the report asked its sample of 3,400 security professionals to identify the operational reasons why their organizations fell victim to ransomware, 40% cited a “lack of expertise” as the biggest failing. “Lack of people or capacity” was not far behind at 39%, with “human error” at 34%.
In other words, in many organizations the skills and experience to defend against or respond to ransomware were in short supply or not present at all. This finding was consistent regardless of business size, suggesting that the problem is systemic and goes beyond a simple reluctance to hire people.
The orthodox response is to argue that this is evidence that the industry needs more people and skills, on the face of it a sensible idea. But it’s also possible that larger security teams would still not be enough to stop today’s complex ransomware assaults.
It’s a pessimistic thought. Ransomware is simply too big today for anyone to stop on their own, at least using a traditional IT setup. Skills and talent alone aren’t enough because defenders need real-world experience to have any chance of keeping up. Realistically, that requires dedicated expertise inside a purpose-built security operations centre (SOC), something only large organizations can justify.
Managed services and SOCs can fill some of this gap, although the current expansion of this sector has its limits. Here, too, the same shortages of experience and skills apply. Perhaps ransom extortion was inevitable anyway, a case of malware experimenting until it found the perfect business model.
Today, I look back on that distressed email from an early ransomware victim all those years ago as an example of how everyone underestimated what we were up against. It marks the beginning of an era we still have not found a way to fully understand, let alone contain.