During the past 12 months, there has been a significant evolution in ransomware attacks on businesses. Historically, the threat actor (TA) would encrypt some or all the data on a business network, then sit back and wait for the targeted company to make the ransom payment before unlocking the encrypted data. As businesses continued to move toward more robust and redundant backup solutions, the frequency of the payments diminished because businesses were able to recover their data from backups. The TAs started to see this trend and changed their modus operandi.