
Ransomware — How It Works, Notable Incidents, and How to Defend

Approx. 26 min read · 2026-05-10

Ransomware is the umbrella term for malware that "encrypts files and demands a ransom in exchange for the decryption key". Its ancestor is the 1989 AIDS Trojan, but the model only blossomed into a real criminal business once Bitcoin (2009) enabled anonymous, cross-border payment. Since CryptoLocker in 2013, ransomware has been cybercrime's largest revenue stream — Chainalysis estimates worldwide ransom payments in 2024 at over $1.14 billion. This article walks through the categories, the attack chain, the cryptography, major incidents, the policy debate, and realistic defences.

01. The five categories — what's being held hostage #

What gets called "ransomware" actually includes several distinct hostage models.

| Type | What is held hostage | Representative examples |
|---|---|---|
| Crypto ransomware | File contents are encrypted — no decryption without the key | CryptoLocker, WannaCry, LockBit, Conti, REvil |
| Locker ransomware | Screen / OS is locked — files are intact, but you can't log in | Reveton, Android-style, "FBI MoneyPak" scams |
| Doxware / Leakware | Threat to publish stolen data (works even without encryption) | DoppelPaymer from 2020 on; most modern RaaS use it alongside encryption |
| Wiper disguise | No decryption key exists — destruction is the goal, the ransom note is a smokescreen | NotPetya, Shamoon, HermeticWiper |
| DDoS extortion (RDoS) | Threat to knock the service down via DDoS | DD4BC, Armada Collective, Fancy Lazarus |

▸ The modern mainstream is Crypto + Doxware

"Encrypt the files and threaten to publish them unless you pay" — double extortion — has become standard. Locker-style attacks have faded because OS lock screens can be worked around. Wiper-disguise is heavily used in state operations: NotPetya was a GRU wiper that spread worldwide and caused over $10 billion in damage (Maersk / Merck / FedEx TNT being the main casualties).

02. Multi-extortion — from Single to Quadruple #

The economic leverage of ransomware has expanded in stages over 10 years — a steady history of adding new pressure sources to force payment.

| Stage | Period | Pressure source | Representative groups |
|---|---|---|---|
| Single | ~2018 | Encryption only — "we won't hand over the key" | CryptoLocker, WannaCry, early GandCrab |
| Double | 2019- | + Data exfiltration — leak threats | Maze (pioneer), REvil, Conti |
| Triple | 2020- | + DDoS — taking the service offline | SunCrypt, Avaddon, REvil |
| Quadruple | 2021- | + Reporting to customers / regulators | ALPHV/BlackCat, LockBit, Cl0p |

▸ ALPHV reports a victim to the SEC

In 2023 ALPHV/BlackCat filed a complaint directly with the SEC against MeridianLink, alleging the company had failed to disclose the breach within four business days, and used regulatory risk to squeeze the victim from another direction. It is the most extreme real-world example of Quadruple Extortion.

The "pay or we leak" model has matured to the point that even organisations that can restore from backup end up paying. This is the economic basis behind Big Game Hunting — the modern enterprise-focused, high-ransom flavour of ransomware.

03. The attack chain — how Big Game Hunting unfolds #

Modern enterprise-focused ransomware takes days to weeks between initial access and the encryption trigger. The point isn't "encrypt fast, leave fast" — it's to set everything up carefully, then detonate all at once.

(1) Initial Access (Day 0)
Often a foothold bought from an IAB. Phishing / leaked RDP-VPN credentials / Citrix-VPN gateway vulnerabilities.
(2) Reconnaissance (Days 1-3)
BloodHound to graph AD / identify critical servers and DBs / locate the DC / find the backup infrastructure.
(3) Privilege Escalation (Days 2-7)
mimikatz against LSASS / Kerberoasting / DCSync to obtain Domain Admin.
(4) Lateral Movement (Days 3-10)
With Domain Admin, push out to every endpoint and server / Cobalt Strike beacons / Pass-the-Hash / RDP / WMI.
(5) Backup Destruction (Days 5-14) ★
Steal Veeam / Commvault / VSS / Azure Backup credentials → encrypt or delete backups. The core step in Big Game Hunting.
(6) Data Exfiltration (Days 7-21)
Hundreds of GB to several TB sent to Mega.nz / pCloud / attacker-controlled S3. rclone and megasync are the staples. The ammunition for Double Extortion.
(7) Encryption Trigger
Encryption fires on every endpoint simultaneously. Late at night, weekends, long holidays (maximising detection lag) / ransom notes dropped.
(8) Negotiation (Days 1-30)
Tor chat portals / "50% off if you pay within 3 days" / countdown timers on the leak site.
▸ Where encryption can still be stopped
  • Detect initial intrusion quickly and you have days to weeks before detonation. EDR behavioural detection plus a responsive SOC is the key
  • Backups are deliberately destroyed as part of the playbook, so "we have backups" no longer guarantees safety on its own
  • Hundreds of GB of outbound traffic caught by DLP / NDR can be the last line of defence
  • CISA warned about holiday-timed "Holiday Ransomware" back in 2021

04. The cryptography — why you can't decrypt without the key #

"Can't you just compute the key from the ciphertext, the way you crack a password from a hash?" — the answer is "by design of modern cryptography, no". The reason becomes clear when you look at the AES + RSA hybrid construction.

Attacker's preparation
The attacker generates an RSA key pair. The public key is embedded in the malware; the private key is kept in the attacker's hands only.
(1) A random AES key per file
A fresh AES-256 key is generated per file via a CSPRNG.
(2) AES encrypts the file body — fast
document.docx → document.docx.lockbit. Tens of GB completes in minutes.
(3) The AES key is encrypted with the RSA public key
The encrypted AES key is embedded in the file footer. Only the holder of the RSA private key can decrypt it.

The encrypted file ends up structured as: [ AES-encrypted body ] + [ RSA-encrypted AES key ] + [ file ID / extension ].

What decryption actually requires — and why computation can't get there
  • Brute-force AES-256 → 2^256 possibilities — more than every star in the universe → physically impossible
  • Solve RSA-2048 / 4096 mathematically → integer factorisation → practically impossible until large-scale quantum computers exist
  • The only realistic path → obtain the attacker's RSA private key (= pay the ransom / law-enforcement seizure / insider leak)
  • The No More Ransom Project's decryption tools → accumulated cases where the RSA key was recovered via one of those three routes

The "AES for speed, RSA for key management" hybrid is the legitimate design used across TLS / PGP / SSH — modern encrypted communication in general. Ransomware abuses this correctly-implemented cryptography, which is exactly why "solving" it from the outside is, in principle, not possible.

Realistic decryption paths for victims #

  1. Pay the ransom — there's no guarantee the key arrives, but major RaaS groups deliver in most cases to preserve their reputation
  2. Law-enforcement takedown of the operators — REvil (FSB 2022) / LockBit (NCA 2024) / ALPHV (FBI 2023) / Hive (FBI 2023) each resulted in seized keys being released
  3. Insider leaks — Conti's internal documents and keys all became public after the group declared support for Russia's 2022 invasion of Ukraine
  4. Implementation bugs — older ransomware (2014–2017 era) used weak key generation; free decryptors are published on the No More Ransom Project (200+ families)
▸ Modern major RaaS doesn't make implementation mistakes

As of 2026, LockBit / ALPHV / Royal etc. implement CSPRNG and RSA key management correctly, so there is no realistic decryption hope. The cryptographer's dilemma — "good cryptography is equally strong for good and bad people" — is on display here.

05. Notable incidents #

| Year | Incident | What happened / impact |
|---|---|---|
| 2017 | WannaCry (origin: North Korea's Lazarus) | EternalBlue worm + encryption hits Windows globally. 150 countries, 200,000+ machines, UK NHS surgeries cancelled, estimated $4–8 billion losses |
| 2017 | NotPetya (Russia's GRU) | Delivered via the Ukrainian accounting-software M.E.Doc supply chain → wiper. Maersk / Merck / FedEx TNT lead worldwide losses of $10 billion+ |
| 2019 | Maze | The inventor of Double Extortion; the public leak site transformed the industry |
| 2021 | Colonial Pipeline (DarkSide) | Six-day shutdown of the US East Coast fuel pipeline. $4.4M paid → the FBI recovered $2.3M through cryptocurrency tracing |
| 2021 | JBS Foods (REvil) | The world's largest meat processor. $11M paid |
| 2021 | Kaseya VSA (REvil supply-chain) | Abuse of an MSP-product vulnerability → 1,500 client companies chain-encrypted. A $70M lump-sum ransom demanded |
| 2022 | Costa Rica (state-level) (Conti) | Attack on the entire government; the president declared a state of emergency. HHS, tax, and customs were knocked offline |
| 2023 | MGM Resorts (ALPHV) | MGM casinos in Las Vegas down for days; $100M+ in losses. The IT helpdesk was deceived via vishing |
| 2024 | Change Healthcare (ALPHV) | A core piece of US healthcare data processing; pharmacies, hospitals, and insurance claims nationwide ground to a halt for weeks. $22M ransom + $872M recovery costs |
| 2024 | British Library (Rhysida) | The UK national library's OPAC was completely down; even now, full recovery is incomplete (the cleanup is expected to take more than two years) |
| 2024 | CDK Global | DMS outage at 15,000 US dealerships; the auto-retail industry was paralysed |
| 2024 | LockBit takedown "Operation Cronos" (UK NCA) | LockBit infrastructure seized; 14,000 affiliate IDs and 7,000 AES/RSA keys recovered |

Attacks on critical infrastructure, healthcare, and government are still hitting in 2024. Colonial Pipeline and Change Healthcare showed society at large what it looks like for a lifeline to be taken out by ransomware, and governments now treat it as a national-security issue.

06. The rise and fall of RaaS groups #

The last five years of the major Ransomware-as-a-Service operations.

| Group | Active | Notable features / end |
|---|---|---|
| GandCrab | 2018-2019 | Retired with a "we made $2.4 billion" statement; successor became REvil |
| REvil / Sodinokibi | 2019-2022 | Hit Kaseya / JBS / Apple supplier Quanta → arrested by Russia's FSB in Jan 2022 |
| DarkSide / BlackMatter | 2020-2021 | Brand killed after Colonial Pipeline → BlackMatter relaunched → short-lived |
| Conti | 2020-2022 | Voiced support for the 2022 invasion of Ukraine → Ukrainian members leaked all internal materials ("Conti Leaks") → broke up and split |
| LockBit | 2019-2024 | The most prolific RaaS in history (2,500+ victims) → infrastructure seized by NCA "Operation Cronos" in Feb 2024 |
| ALPHV / BlackCat | 2021-2024 | The first major ransomware written in Rust. After the Change Healthcare attack they exit-scammed with $22M (March 2024) |
| Cl0p | 2019- | Strung together MOVEit / GoAnywhere / Accellion zero-days — "data-leak-only, no encryption" style |
| Royal / BlackSuit | 2022- | A Conti spin-off; hit US city governments (Dallas) |
| RansomHub | 2024- | The ALPHV exit-scam refugees joined and the group grew rapidly |

It's been a game of whack-a-mole: take one down and a new brand pops up. Big operations like LockBit's 2024 takedown produce short-term wins, but as long as the key members live in sanction-evading jurisdictions, the underlying structural problem persists.

07. The "should we pay?" policy debate #

The FBI, CISA, NCSC, and Europol all consistently recommend not paying. Their reasons:

  • It funds the next victim — your ransom becomes the next attack's working capital
  • No guarantee the key arrives — newer groups and wiper-disguise attacks may simply not deliver
  • You become marked as "an organisation that pays" — and a target for repeat attacks
  • OFAC sanctions — in the US, payment to sanctioned groups (North Korea's Lazarus, Russia's Evil Corp, etc.) is illegal
▸ In reality, payments continue

Change Healthcare $22M / Colonial $4.4M / JBS $11M are all publicly-known payments. Coveware data for 2024 says 28% of victims paid (the trend is downward — it was 76% in 2019).

Legislative movement #

  • Australia (2024) — critical-infrastructure operators and large companies are required to report ransom payments to the government within 72 hours
  • US CIRCIA Act (passed 2022, full effect by 2026) — critical-infrastructure operators must report ransom payments within 24 hours
  • Outright ban debate — the US and UK are debating fully banning ransom payments. "Cut off the economic incentive" vs "SMBs can't continue operating" are still at odds
  • Insurance industry — Lloyd's of London has excluded "state-sponsored ransom" from coverage since 2023

A realistic decision framework #

  1. Can we restore from backup? (yes, if it's immutable / offline)
  2. How damaging is the data leak? (under Double Extortion, getting the key still doesn't stop the leak)
  3. Is the group on the OFAC sanctions list? (a US entity paying anyway crosses into criminal territory)
  4. What's the effect on the industry? (being seen as "an industry that pays" attracts more targeting)

08. Crypto tracing — the "Bitcoin = anonymous" myth #

The naive assumption that "if the ransom is in Bitcoin the attacker can't be caught" has been largely demolished by cryptocurrency-tracing firms like Chainalysis / TRM Labs / Elliptic. Bitcoin and Ethereum are public blockchains, meaning every transaction is permanently visible.

| Incident | Tracing outcome |
|---|---|
| Colonial Pipeline (2021) | Of the 63.7 BTC paid as ransom, the FBI seized roughly $2.3M-worth within about a month by obtaining the DarkSide wallet's private key |
| Hive ransomware (2022-2023) | The FBI was inside the infrastructure for seven months, quietly distributing decryption keys to victims while continuing the investigation → seizure |
| REvil (2022) | Crypto wallets were seized from operators arrested by the FSB; some funds were reportedly returned to victims |

Operators try to evade tracing through:

  • Mixer / tumbler services — mixing flows across many addresses (though Chainalysis can trace most of them)
  • Monero (XMR) — a truly anonymous cryptocurrency; unlike Bitcoin, transaction contents are not public, which is why major RaaS groups have increasingly demanded it from 2022 on
  • OFAC sanctions evasion — North Korean groups cash out via DPRK-based exchanges; violators risk being cut out of the international remittance system
▸ Why modern RaaS demands Monero

"Bitcoin ransom = anonymous and safe" is stuck at the 2014 understanding. Once Chainalysis-style tracing became practical, modern major RaaS shifted to Monero — that shift is precisely the proof.
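As an added example, not from the original article, here is a Python sketch of the two tracing steps behind the outcomes in the table above: following a ransom payment forward across a public ledger, and grouping addresses with the common-input-ownership heuristic that chain-analysis firms apply at scale. The ledger, the address names and the "known exchange" labels are all constructed for the demo.

```python
"""Added example (not from the original article): trace a ransom payment across a
constructed public ledger the way chain-analysis tooling does at scale.
Assumptions: a transaction is (txid, inputs, outputs) with (address, amount)
pairs; the addresses and the exchange labels below are constructed."""
from collections import defaultdict, deque

# Constructed ledger: the victim pays ransom address R1, funds are split, one leg
# is peeled off to an exchange deposit address, one leg fans out mixer-style.
LEDGER = [
    ("tx1", [("victim", 75.0)], [("R1", 75.0)]),
    ("tx2", [("R1", 75.0)], [("A1", 40.0), ("A2", 35.0)]),
    ("tx3", [("A1", 40.0), ("A2", 35.0)], [("B1", 50.0), ("B2", 25.0)]),  # A1+A2 co-spent
    ("tx4", [("B1", 50.0)], [("EXCH_DEP_1", 49.9), ("B3", 0.1)]),
    ("tx5", [("B2", 25.0)], [("M1", 5.0), ("M2", 5.0), ("M3", 15.0)]),
    ("tx6", [("unrelated", 3.0)], [("EXCH_DEP_2", 3.0)]),
]
KNOWN_EXCHANGE = {"EXCH_DEP_1", "EXCH_DEP_2"}  # constructed attribution labels

def cluster_by_common_input(ledger):
    """Common-input-ownership heuristic: addresses spent together in one transaction
    are assumed to share a controller. Returns {address: cluster representative}."""
    parent = {}
    def find(a):  # union-find root lookup
        while parent.setdefault(a, a) != a:
            a = parent[a]
        return a
    for _, inputs, _ in ledger:
        root = find(inputs[0][0])
        for addr, _ in inputs[1:]:
            parent[find(addr)] = root
    return {a: find(a) for a in list(parent)}

def trace_forward(ledger, start, max_hops=10):
    """Breadth-first walk from `start` along later spends; returns
    {address: (hops, amount received)} for every downstream address."""
    spends = defaultdict(list)
    for _, inputs, outputs in ledger:
        for addr, _ in inputs:
            spends[addr].append(outputs)
    seen, queue = {start: (0, None)}, deque([(start, 0)])
    while queue:
        addr, hops = queue.popleft()
        if hops >= max_hops:
            continue
        for outputs in spends[addr]:
            for nxt, amt in outputs:
                if nxt not in seen:
                    seen[nxt] = (hops + 1, amt)
                    queue.append((nxt, hops + 1))
    return seen

def exchange_cashouts(ledger, start, known=KNOWN_EXCHANGE):
    """Downstream addresses attributed to an exchange: where KYC records or a seizure order can attach an identity."""
    return {a: v for a, v in trace_forward(ledger, start).items() if a in known}
```

The mixer-style fan-out in tx5 still leaves every hop on the ledger; only the attribution of the final address to a named exchange needs data from outside the chain.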

09. Defence — backups are the last line #

The bedrock of ransomware defence is "be able to recover without paying". Four defensive layers:

| Layer | Content |
|---|---|
| Prevention of intrusion | Email filtering / macro disablement / EDR / application allowlisting / MFA / patch management |
| Detection and containment after intrusion | EDR detection of abnormal encryption behaviour (mass file renames) → automatic isolation / 24/7 SOC / network segmentation |
| Stopping the encryption trigger | LSASS protection / Tier-isolated Domain Admin / block VSS shadow-copy deletion / cut administrative paths into the backup infrastructure |
| Recovery capability | 3-2-1 rule + immutable backups + offline (air-gap) copies + regular restore drills |

▸ The 3-2-1-1-0 rule

The classic 3-2-1 = 3 copies / 2 different media / 1 offsite. Today this is extended to 3-2-1-1-0: + 1 immutable or offline copy (cannot be deleted or rewritten) + 0 errors (regularly verified). Major backup products like Veeam and Rubrik have made this the standard.

Practical paths to immutable backups #

  • AWS S3 Object Lock — once written, deletion is blocked for a configurable period
  • Veeam Hardened Repository — Linux + immutable filesystem
  • WORM tape — Write Once Read Many
  • Run it under a different domain / different account — outside the reach of any Domain Admin compromise

Detection signals #

Signals that appear just before detonation
    # Windows — vssadmin / wmic trying to delete shadow copies (almost certainly ransomware)
    # (4688 only carries the command line if "Include command line in process creation events" is enabled in audit policy)
    PS> wevtutil qe Security /q:"*[System[EventID=4688]]" /f:text | Select-String -Pattern "vssadmin|wmic.*shadowcopy"

    # Linux — audit unlink calls under the backup directory (dir= matches the whole tree; unlinkat is what modern rm calls)
    $ auditctl -a always,exit -F arch=b64 -S unlink,unlinkat -F dir=/backup -k backup_delete

    # Sysmon / EDR detecting mass file renames
    # thousands of renames from one host in a short window → ransomware signal
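As an added example, not code from the original article, here is a small Python detector that applies the two signals listed above to constructed event data: 4688-style process-creation records (timestamp, host, command line) and Sysmon-style file-create records (timestamp, host, path). The record layouts and the 100-file threshold are assumptions for the demo; real detonations produce thousands of renames.

```python
"""Added example (not from the original article): flag the two pre-detonation
signals listed above in constructed event data.
Assumptions: 4688 events are available as (timestamp, host, command line) and
Sysmon-style file-create events as (timestamp, host, path); all records below
are constructed, and the rename threshold is set low for the demo."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Shadow-copy deletion command lines (vssadmin / wmic), case-insensitive.
SHADOW_DELETE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete",
    re.IGNORECASE,
)

def flag_shadow_delete(events):
    """Return 4688-style records whose command line tries to remove shadow copies."""
    return [(ts, host, cmd) for ts, host, cmd in events if SHADOW_DELETE.search(cmd)]

def flag_mass_rename(file_events, window=timedelta(minutes=5), threshold=100):
    """Return {host: (extension, count)} for hosts that produced >= threshold files
    with the same extension inside `window` (the mass-rename signal)."""
    by_host = defaultdict(list)
    for ts, host, path in file_events:
        ext = path.rsplit(".", 1)[-1].lower() if "." in path else ""
        by_host[host].append((ts, ext))
    hits = {}
    for host, recs in by_host.items():
        recs.sort()
        for i, (start, _) in enumerate(recs):  # sliding window starting at each record
            counts = defaultdict(int)
            for ts, ext in recs[i:]:
                if ts - start > window:
                    break
                counts[ext] += 1
            ext, n = max(counts.items(), key=lambda kv: kv[1])
            if n >= threshold:
                hits[host] = (ext, n)
                break
    return hits

# Constructed sample data: HOST-A is detonating, HOST-B is a quiet file server.
T0 = datetime(2026, 5, 10, 2, 0, 0)
SAMPLE_4688 = [
    (T0, "HOST-A", r"C:\Windows\System32\vssadmin.exe delete shadows /all /quiet"),
    (T0 + timedelta(seconds=3), "HOST-A", "wmic.exe shadowcopy delete"),
    (T0 + timedelta(minutes=1), "HOST-B", r"C:\Program Files\Veeam\Backup\Veeam.Backup.Manager.exe"),
]
SAMPLE_FILES = (
    [(T0 + timedelta(seconds=i), "HOST-A", rf"\\fs01\share\doc{i}.docx.lockbit") for i in range(120)]
    + [(T0 + timedelta(seconds=10 * i), "HOST-B", rf"\\fs01\share\report{i}.docx") for i in range(30)]
)

if __name__ == "__main__":
    for ts, host, cmd in flag_shadow_delete(SAMPLE_4688):
        print(f"[{ts:%H:%M:%S}] {host}: shadow-copy deletion -> {cmd}")
    for host, (ext, n) in flag_mass_rename(SAMPLE_FILES).items():
        print(f"{host}: {n} files with extension .{ext} inside 5 min -> mass-rename signal")
```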

EDR rollback features — Microsoft Defender, SentinelOne, and CrowdStrike all record file changes via VSS or their own snapshots, and can roll changes back if encryption hits (within limits).

The No More Ransom Project is a free decryptor collection co-run by Europol, the Dutch police, Kaspersky, and McAfee. In eight years they've published decryption keys for 200+ families and helped over 1.5 million people recover for free. Check this site first.

10. Summary #

Ransomware is the post-2010 cybercrime revenue model that exists by "taking a good technology — correctly-implemented cryptography — and using it for bad ends". The 1989 AIDS Trojan is the ancestor; Bitcoin (2009) made payments work; CryptoLocker (2013) was the industrialisation point; and from Single to Double to Triple to Quadruple Extortion, the leverage kept climbing until Big Game Hunting was able to take entire enterprises offline for weeks at a time.

Technically, because it weaponises modern cryptography, decryption is in principle impossible — which forces victims into "pay vs restore from backup". The No More Ransom Project and seized keys from law-enforcement operations have saved some cases, but you cannot expect that for today's major RaaS.

The core of defence is "assume you'll be compromised, and have the recovery capability ready". 3-2-1-1-0 + immutable backups + restore drills are the last line; EDR + network segmentation + Tier-isolated Domain Admin are the second line, where the days-to-weeks between intrusion and detonation can still be used to stop the attack. "Pay or not pay" is no longer just an individual organisation's moral call — it is a society-wide incentive problem, and government regulation plus the shrinking insurance market keep pressing on the side that would pay.
