Over the last decade, the pattern in cyber attacks has shifted noticeably. Large enterprises still get headlines, but the most consistent victims are now home users, contractors, MSPs, and SMBs. Lower visibility, weaker controls, and reliance on cloud and 3rd party platforms have made these environments attractive to both criminal groups and state linked actors.

I put together a timeline of major attacks from 2016 to 2025 to show how this trend evolved. The text version is below for anyone who prefers reading it directly.

Timeline of attacks (2016–2025)

• 2016 — Mirai botnet DDoS Home users with consumer IoT devices were compromised and turned into a large DDoS botnet. Multiple criminal groups reused the leaked Mirai code. • 2017 — WannaCry ransomware Home users and SMBs were hit by a worm exploiting SMBv1. Widely attributed to the Lazarus Group. • 2017 — NotPetya wiper SMBs were affected by a destructive wiper disguised as ransomware. Linked to Russian state associated actors. • 2018–2020 — Emotet/TrickBot → Ryuk/Conti Credential theft and ransomware campaigns targeting SMBs. Operated by multiple criminal groups. • 2019 — Cloud and 3rd party breaches SMBs and home users impacted by weak access controls and data exposure across various cloud platforms. • 2020 — Toll Group ransomware Contractors and service providers disrupted by ransomware attacks affecting logistics operations. • 2020–2021 — SolarWinds supply chain breach 3rd party providers compromised via trojanized software updates. Attributed to a Russian state linked APT. • 2021 — Kaseya VSA ransomware MSPs and SMBs hit through a supply chain ransomware attack. Attributed to the REvil group. • 2021–2023 — Ransomware as a Service surge SMBs targeted by affiliate driven ransomware operations across multiple RaaS groups. • 2022–2024 — SaaS and 3rd party platform breaches Home users and SMB customers affected by credential theft and data exfiltration across cloud platforms. • 2023–2025 — Targeting MSPs and niche contractors

MSPs and specialised contractors targeted with ransomware, data theft, and extortion by both criminal and state linked actors.

I’ve been working on a Windows focused threat hunting tool (www.sapience-tech.com) aimed at home users and SMBs who don’t have EDR or SIEM tooling. It grew out of trying to help smaller environments spot early indicators of compromise without needing enterprise grade infrastructure. Happy to answer questions about the data, the timeline, or the approach.