A Data-Driven Decade Review of Ransomware Evolution and Defensive Countermeasures

Abstract

Ransomware has developed over the last ten years from straightforward locker malware to intricate, profit-driven international operations. This study integrates information from industry intelligence sources (Coveware, Chainalysis, ENISA, CISA) and academic databases (Scopus, IEEE Xplore, ACM, Springer) to present a thorough, data-driven review of ransomware from 2015 to 2025. 165 peer-reviewed publications and 47 industry datasets were examined using a PRISMA-style systematic review procedure in order to derive quantitative information on event frequency, ransom demands, payments, and sectoral implications. Three main evolutionary periods are revealed by the findings: (1) Locker to crypto-ransomware transition and worldwide outbreaks (e.g., WannaCry, NotPetya) in 2015–2017; (2) Ransomware-as-a-Service (RaaS) and double extortion strategies in 2018–2020; and (3) sophisticated AI-assisted and Living-off-the-Land (LOTL) ransomware models in 2021–2025. The government, healthcare, and energy industries continue to be the most frequently targeted, with losses expected to surpass $20 billion yearly by 2021. Backups and antivirus software are no longer adequate forms of defense. Although they show promise, advanced methods like blockchain-based forensics, AI-driven anomaly detection, and Zero Trust architectures are not widely adopted. The paper charts the ten-year evolution of ransomware, assesses the efficacy of countermeasures, and suggests future security strategies, such as worldwide policy harmonization, AI-based automated protection, and quantum-resilient cryptography.