Ransomware is the umbrella term for malware that "encrypts files and demands a ransom in exchange for the decryption key". Its ancestor is the 1989 AIDS Trojan, but the model only blossomed into a real criminal business once Bitcoin (2009) enabled anonymous, cross-border payment. Since CryptoLocker in 2013, ransomware has been cybercrime's largest revenue stream — Chainalysis estimates worldwide ransom payments in 2024 at over $1.14 billion. This article walks through the categories, the attack chain, the cryptography, major incidents, the policy debate, and realistic defences.
## The five categories — what's being held hostage
What gets called "ransomware" actually includes several distinct hostage models.
| Type | What is held hostage | Representative examples |
|---|---|---|
| Crypto ransomware | File contents are encrypted — no decryption without the key | CryptoLocker, WannaCry, LockBit, Conti, REvil |
| Locker ransomware | Screen / OS is locked — files are intact, but you can't log in | Reveton, Android-style, "FBI MoneyPak" scams |
| Doxware / Leakware | Threat to publish stolen data (works even without encryption) | DoppelPaymer from 2020 on; most modern RaaS use it alongside encryption |
| Wiper disguise | No decryption key exists — destruction is the goal, the ransom note is a smokescreen | NotPetya, Shamoon, HermeticWiper |
| DDoS extortion (RDoS) | Threat to knock the service down via DDoS | DD4BC, Armada Collective, Fancy Lazarus |
"Encrypt the files and threaten to publish them unless you pay" — double extortion — has become standard. Locker-style attacks have faded because OS lock screens can be worked around. Wiper-disguise is heavily used in state operations: NotPetya was a GRU wiper that spread worldwide and caused over $10 billion in damage (Maersk / Merck / FedEx TNT being the main casualties).
## Multi-extortion — from Single to Quadruple
The economic leverage of ransomware has expanded in stages over 10 years — a steady history of adding new pressure sources to force payment.
| Stage | Period | Pressure source | Representative groups |
|---|---|---|---|
| Single | ~2018 | Encryption only — "we won't hand over the key" | CryptoLocker, WannaCry, early GandCrab |
| Double | 2019- | + Data exfiltration — leak threats | Maze (pioneer), REvil, Conti |
| Triple | 2020- | + DDoS — taking the service offline | SunCrypt, Avaddon, REvil |
| Quadruple | 2021- | + Reporting to customers / regulators | ALPHV/BlackCat, LockBit, Cl0p |
In 2023 ALPHV/BlackCat filed a complaint directly with the SEC against MeridianLink, alleging the company had failed to disclose the breach within four business days, and used regulatory risk to squeeze the victim from another direction. It is the most extreme real-world example of Quadruple Extortion.
The "pay or we leak" model has matured to the point that even organisations that can restore from backup end up paying. This is the economic basis behind Big Game Hunting — the modern enterprise-focused, high-ransom flavour of ransomware.
## The attack chain — how Big Game Hunting unfolds
Modern enterprise-focused ransomware takes days to weeks between initial access and the encryption trigger. The point isn't "encrypt fast, leave fast" — it's to set everything up carefully, then detonate all at once.
- Detect the initial intrusion quickly and you have days to weeks before detonation. EDR behavioural detection plus a responsive SOC are the key
- Backups are deliberately destroyed as part of the playbook, so "we have backups" no longer guarantees safety on its own
- Hundreds of GB of outbound traffic caught by DLP / NDR can be the last line of defence
- CISA warned about holiday-timed "Holiday Ransomware" back in 2021
## The cryptography — why you can't decrypt without the key
"Can't you just compute the key from the ciphertext, the way you crack a password from a hash?" — the answer is "by design of modern cryptography, no". The reason becomes clear when you look at the AES + RSA hybrid construction.
In practice a file such as document.docx becomes document.docx.lockbit, and tens of GB complete in minutes. Each file's body is encrypted with a per-file AES key, and that AES key is in turn encrypted with the attacker's RSA public key; only the matching private key, which stays with the attacker, can unwrap it. The encrypted file ends up structured as: [ AES-encrypted body ] + [ RSA-encrypted AES key ] + [ file ID / extension ].

```text
# Brute-force AES-256 → 2^256 possibilities — more than every star in the universe
→ physically impossible
# Solve RSA-2048 / 4096 mathematically → integer factorisation
→ practically impossible until large-scale quantum computers exist
# The only realistic path
→ obtain the attacker's RSA private key
(= pay the ransom / law-enforcement seizure / insider leak)
# The No More Ransom Project's decryption tools
→ accumulated cases where the RSA key was recovered via one of those three routes
```

The "AES for speed, RSA for key management" hybrid is the legitimate design used across TLS / PGP / SSH — modern encrypted communication in general. Ransomware abuses this correctly-implemented cryptography, which is exactly why "solving" it from the outside is, in principle, not possible.
### Realistic decryption paths for victims
- Pay the ransom — there's no guarantee the key arrives, but major RaaS groups deliver in most cases to preserve their reputation
- Law-enforcement takedown of the operators — REvil (FSB 2022) / LockBit (NCA 2024) / ALPHV (FBI 2023) / Hive (FBI 2023) each resulted in seized keys being released
- Insider leaks — Conti's internal documents and keys all became public after the group declared support for Russia's 2022 invasion of Ukraine
- Implementation bugs — older ransomware (2014–2017 era) used weak key generation; free decryptors are published on the No More Ransom Project (200+ families)
As of 2026, LockBit / ALPHV / Royal etc. implement CSPRNG and RSA key management correctly, so there is no realistic hope of decryption. The cryptographer's dilemma — "good cryptography is equally strong for good and bad people" — is on display here.
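The gap between the 2014-era implementation bugs and today's CSPRNG key generation is easy to see in code. The following Python is an added example written for this article, not code from any ransomware family or from the No More Ransom Project. The cipher is a labelled toy keystream standing in for AES so that the example runs with the standard library alone; `weak_keygen`, `strong_keygen`, `recover_weak_key` and `brute_force_years` are hypothetical names, and the timestamp and document bytes are constructed. It shows a decryptor-style recovery that succeeds only when the key came from a time-seeded general-purpose PRNG, and fails against a key drawn from the OS CSPRNG.

```python
import hashlib
import random
import secrets

# Toy keystream cipher (XOR with SHA-256 blocks) standing in for AES-CTR.
# It exists only so the example runs on the standard library; the point of
# the example is key generation, not the cipher.
def keystream_cipher(key: bytes, data: bytes) -> bytes:
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)

# Hypothetical 2014-era bug: the per-file key comes from a general-purpose PRNG
# seeded with the epoch second at which encryption started.
def weak_keygen(seed_second: int) -> bytes:
    rng = random.Random(seed_second)
    return bytes(rng.getrandbits(8) for _ in range(32))

# What current families do: 256 bits straight from the OS CSPRNG.
def strong_keygen() -> bytes:
    return secrets.token_bytes(32)

# Known plaintext a decryptor can check against: the ZIP header every .docx starts with.
DOCX_MAGIC = b"PK\x03\x04"

def recover_weak_key(ciphertext: bytes, approx_second: int, window: int = 3600):
    """Try every seed within +/- window seconds of the estimated encryption time
    (e.g. the file's mtime). Returns (key, seed) on success, (None, None) otherwise."""
    for seed in range(approx_second - window, approx_second + window + 1):
        key = weak_keygen(seed)
        if keystream_cipher(key, ciphertext[:4]) == DOCX_MAGIC:
            return key, seed
    return None, None

def brute_force_years(key_bits: int, guesses_per_second: float) -> float:
    """Years needed to exhaust a key space at a given guess rate."""
    return 2 ** key_bits / guesses_per_second / (365 * 24 * 3600)

# Constructed sample: the same "document" encrypted by each generator.
SAMPLE_PLAINTEXT = DOCX_MAGIC + b"\x14\x00\x06\x00" + b"constructed docx body " * 8
ENCRYPTION_SECOND = 1_700_000_000   # constructed: the epoch second taken from the file's mtime
WEAK_CIPHERTEXT = keystream_cipher(weak_keygen(ENCRYPTION_SECOND), SAMPLE_PLAINTEXT)
STRONG_CIPHERTEXT = keystream_cipher(strong_keygen(), SAMPLE_PLAINTEXT)

if __name__ == "__main__":
    # The decryptor only knows the mtime roughly (here: 20 minutes off) and still wins.
    key, seed = recover_weak_key(WEAK_CIPHERTEXT, ENCRYPTION_SECOND + 1200)
    print("time-seeded PRNG: recovered seed", seed,
          "plaintext restored:", keystream_cipher(key, WEAK_CIPHERTEXT) == SAMPLE_PLAINTEXT)
    # Against a CSPRNG key the same search has nothing to enumerate.
    print("CSPRNG key: recovered", recover_weak_key(STRONG_CIPHERTEXT, ENCRYPTION_SECOND + 1200))
    print("AES-256 exhaustive search at 1e18 guesses/s: %.1e years" % brute_force_years(256, 1e18))
```

The search over a few thousand candidate seeds finishes in well under a second, which is why free decryptors for that era could exist at all; against a 256-bit key with no structure, `brute_force_years` puts the same approach at roughly 10^51 years even at an implausible 10^18 guesses per second.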
## Notable incidents
| Year | Incident | What happened / impact |
|---|---|---|
| 2017 | WannaCry (origin: North Korea's Lazarus) | EternalBlue worm + encryption hits Windows globally. 150 countries, 200,000+ machines, UK NHS surgeries cancelled, estimated $4–8 billion losses |
| 2017 | NotPetya (Russia's GRU) | Delivered via the Ukrainian accounting-software M.E.Doc supply chain → wiper. Maersk / Merck / FedEx TNT lead worldwide losses of $10 billion+ |
| 2019 | Maze | The inventor of Double Extortion; the public leak site transformed the industry |
| 2021 | Colonial Pipeline (DarkSide) | Six-day shutdown of the US East Coast fuel pipeline. $4.4M paid → the FBI recovered $2.3M through cryptocurrency tracing |
| 2021 | JBS Foods (REvil) | The world's largest meat processor. $11M paid |
| 2021 | Kaseya VSA (REvil supply-chain) | Abuse of an MSP-product vulnerability → 1,500 client companies chain-encrypted. A $70M lump-sum ransom demanded |
| 2022 | Costa Rica (state-level) (Conti) | Attack on the entire government; the president declared a state of emergency. HHS, tax, and customs were knocked offline |
| 2023 | MGM Resorts (ALPHV) | MGM casinos in Las Vegas down for days; $100M+ in losses. The IT helpdesk was deceived via vishing |
| 2024 | Change Healthcare (ALPHV) | A core piece of US healthcare data processing; pharmacies, hospitals, and insurance claims nationwide ground to a halt for weeks. $22M ransom + $872M recovery costs |
| 2024 | British Library (Rhysida) | The UK national library's OPAC was completely down; even now, full recovery is incomplete (the cleanup is expected to take more than two years) |
| 2024 | CDK Global | DMS outage at 15,000 US dealerships; the auto-retail industry was paralysed |
| 2024 | LockBit takedown "Operation Cronos" (UK NCA) | LockBit infrastructure seized; 14,000 affiliate IDs and 7,000 AES/RSA keys recovered |
Attacks on critical infrastructure, healthcare, and government are still hitting in 2024. Colonial Pipeline and Change Healthcare showed society at large what it looks like for a lifeline to be taken out by ransomware, and governments now treat it as a national-security issue.
## The rise and fall of RaaS groups
The major Ransomware-as-a-Service operations of the last five years.
| Group | Active | Notable features / end |
|---|---|---|
| GandCrab | 2018-2019 | Retired with a "we made $2.4 billion" statement; successor became REvil |
| REvil / Sodinokibi | 2019-2022 | Hit Kaseya / JBS / Apple supplier Quanta → arrested by Russia's FSB in Jan 2022 |
| DarkSide / BlackMatter | 2020-2021 | Brand killed after Colonial Pipeline → BlackMatter relaunched → short-lived |
| Conti | 2020-2022 | Voiced support for the 2022 invasion of Ukraine → Ukrainian members leaked all internal materials ("Conti Leaks") → broke up and split |
| LockBit | 2019-2024 | The most prolific RaaS in history (2,500+ victims) → infrastructure seized by NCA "Operation Cronos" in Feb 2024 |
| ALPHV / BlackCat | 2021-2024 | The first major ransomware written in Rust. After the Change Healthcare attack they exit-scammed with $22M (March 2024) |
| Cl0p | 2019- | Strung together MOVEit / GoAnywhere / Accellion zero-days — "data-leak-only, no encryption" style |
| Royal / BlackSuit | 2022- | A Conti spin-off; hit US city governments (Dallas) |
| RansomHub | 2024- | The ALPHV exit-scam refugees joined and the group grew rapidly |
It's been a game of whack-a-mole: take one down and a new brand pops up. Big operations like LockBit's 2024 takedown produce short-term wins, but as long as the key members live in sanction-evading jurisdictions, the underlying structural problem persists.
## The "should we pay?" policy debate
The FBI, CISA, NCSC, and Europol all consistently recommend not paying. Reasons:
- It funds the next victim — your ransom becomes the next attack's working capital
- No guarantee the key arrives — newer groups and wiper-disguise attacks may simply not deliver
- You become marked as "an organisation that pays" — and a target for repeat attacks
- OFAC sanctions — in the US, payment to sanctioned groups (North Korea's Lazarus, Russia's Evil Corp, etc.) is illegal
Change Healthcare $22M / Colonial $4.4M / JBS $11M are all publicly-known payments. Coveware data for 2024 says 28% of victims paid (the trend is downward — it was 76% in 2019).
### Legislative movement
- Australia (2024) — critical-infrastructure operators and large companies are required to report ransom payments to the government within 72 hours
- US CIRCIA Act (passed 2022, full effect by 2026) — critical-infrastructure operators must report ransom payments within 24 hours
- Outright ban debate — the US and UK are debating fully banning ransom payments. "Cut off the economic incentive" vs "SMBs can't continue operating" are still at odds
- Insurance industry — Lloyd's of London has excluded "state-sponsored ransom" from coverage since 2023
### A realistic decision framework
- Can we restore from backup? (yes, if it's immutable / offline)
- How damaging is the data leak? (under Double Extortion, getting the key still doesn't stop the leak)
- Is the group on the OFAC sanctions list? (a US entity paying anyway crosses into criminal territory)
- What's the effect on the industry? (being seen as "an industry that pays" attracts more targeting)
## Crypto tracing — the "Bitcoin = anonymous" myth
The naive assumption that "if the ransom is in Bitcoin the attacker can't be caught" has been largely demolished by cryptocurrency-tracing firms like Chainalysis / TRM Labs / Elliptic. Bitcoin and Ethereum are public blockchains, meaning every transaction is permanently visible.
| Incident | Tracing outcome |
|---|---|
| Colonial Pipeline (2021) | Of the 63.7 BTC paid as ransom, the FBI seized roughly $2.3M-worth within about a month by obtaining the DarkSide wallet's private key |
| Hive ransomware (2022-2023) | The FBI was inside the infrastructure for seven months, quietly distributing decryption keys to victims while continuing the investigation → seizure |
| REvil (2022) | Crypto wallets were seized from operators arrested by the FSB; some funds were reportedly returned to victims |
Operators try to evade tracing through:
- Mixer / tumbler services — mixing flows across many addresses (though Chainalysis can trace most of them)
- Monero (XMR) — a truly anonymous cryptocurrency; unlike Bitcoin, transaction contents are not public, which is why major RaaS groups have increasingly demanded it from 2022 on
- OFAC sanctions evasion — North Korean groups cash out via DPRK-based exchanges; violators risk being cut out of the international remittance system
"Bitcoin ransom = anonymous and safe" reflects a 2014-era understanding. Once Chainalysis-style tracing became practical, the major RaaS groups shifted to Monero — that shift is precisely the proof.
## Defence — backups are the last line
The bedrock of ransomware defence is "be able to recover without paying". Four defensive layers:
| Layer | Content |
|---|---|
| Prevention of intrusion | Email filtering / macro disablement / EDR / application allowlisting / MFA / patch management |
| Detection and containment after intrusion | EDR detection of abnormal encryption behaviour (mass file renames) → automatic isolation / 24/7 SOC / network segmentation |
| Stopping the encryption trigger | LSASS protection / Tier-isolated Domain Admin / block VSS shadow-copy deletion / cut administrative paths into the backup infrastructure |
| Recovery capability ★ | 3-2-1 rule + immutable backups + offline (air-gap) copies + regular restore drills |
The classic 3-2-1 = 3 copies / 2 different media / 1 offsite. Today this is extended to 3-2-1-1-0: + 1 immutable or offline copy (cannot be deleted or rewritten) + 0 errors (regularly verified). Major backup products like Veeam and Rubrik have made this the standard.
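The "0" in 3-2-1-1-0 is only meaningful if restores are actually checked rather than assumed. The following Python is an added example, not code from Veeam, Rubrik, or this article; `build_manifest`, `verify_restore` and `run_drill` are hypothetical names, and the file contents are constructed. It writes a SHA-256 manifest at backup time, then compares a simulated restore against it and reports missing, corrupt and unexpected files, which is the check a restore drill has to end with.

```python
import hashlib
import json
import os
import tempfile

def sha256_of(path: str) -> str:
    """Stream a file through SHA-256 so large backup objects don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: str) -> dict:
    """Map each file's path (relative to root, '/'-separated) to its SHA-256 and size.
    Written at backup time and stored next to the backup set."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = {"sha256": sha256_of(full), "size": os.path.getsize(full)}
    return manifest

def verify_restore(manifest: dict, restored_root: str) -> dict:
    """Compare a restored tree against the manifest. The drill passes only when
    every list in the result is empty: that is the '0' in 3-2-1-1-0."""
    restored = build_manifest(restored_root)
    return {
        "missing": sorted(set(manifest) - set(restored)),
        "corrupt": sorted(p for p in manifest
                          if p in restored and restored[p]["sha256"] != manifest[p]["sha256"]),
        "unexpected": sorted(set(restored) - set(manifest)),
    }

def run_drill() -> dict:
    """Constructed drill: back up three files, then 'restore' them with one file
    truncated and one never coming back, to show what the verifier reports."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "source")
        dst = os.path.join(tmp, "restored")
        os.makedirs(os.path.join(src, "finance"))
        os.makedirs(os.path.join(dst, "finance"))
        files = {  # constructed sample content
            "finance/ledger.csv": b"2024-03-01,invoice,1200\n",
            "finance/payroll.xlsx": b"PK\x03\x04constructed workbook",
            "readme.txt": b"restore drill sample",
        }
        for rel, data in files.items():
            with open(os.path.join(src, rel), "wb") as f:
                f.write(data)
        # Serialise the manifest as it would be stored alongside the backup set.
        manifest_json = json.dumps(build_manifest(src), indent=2)
        # Simulated restore: ledger comes back truncated, readme does not come back at all.
        with open(os.path.join(dst, "finance/ledger.csv"), "wb") as f:
            f.write(files["finance/ledger.csv"][:10])
        with open(os.path.join(dst, "finance/payroll.xlsx"), "wb") as f:
            f.write(files["finance/payroll.xlsx"])
        return verify_restore(json.loads(manifest_json), dst)

if __name__ == "__main__":
    print(json.dumps(run_drill(), indent=2))
```

Store the manifest on the immutable copy as well: a verifier that reads its expected hashes from the same writable share the attacker can reach proves nothing.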
### Practical paths to immutable backups
- AWS S3 Object Lock — once written, deletion is blocked for a configurable period
- Veeam Hardened Repository — Linux + immutable filesystem
- WORM tape — Write Once Read Many
- Run it under a different domain / different account — outside the reach of any Domain Admin compromise
### Detection signals
```text
# Windows — vssadmin / wmic trying to delete shadow copies (almost certainly ransomware)
# (4688 only carries the command line if "Include command line in process creation events" is enabled)
PS> wevtutil qe Security /q:"*[System[EventID=4688]]" /f:text |
      Select-String -Pattern "vssadmin|wmic.*shadowcopy"

# Linux — audit unlink calls under the backup directory
# (-F dir= covers the whole tree; -F path= would only match one file; rm uses unlinkat)
$ auditctl -a always,exit -F arch=b64 -S unlink,unlinkat -F dir=/backup/ -k backup_unlink

# Sysmon / EDR detecting mass file renames
# thousands of renames from one host in a short window → ransomware signal
```

EDR rollback features — Microsoft Defender, SentinelOne, and CrowdStrike all record file changes via VSS or their own snapshots, and can roll changes back if encryption hits (within limits).
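The two signals above can be written as detection logic over event records. The following Python is an added example, not part of the original article or of any EDR product; the event tuples are constructed sample data, and `shadow_copy_deletions` and `rename_bursts` are hypothetical names. It flags shadow-copy deletion command lines (the page's vssadmin and wmic cases, plus `wbadmin delete catalog`, which removes the backup catalog for the same purpose) and uses a per-host sliding window to flag mass-rename bursts, so a single host renaming hundreds of files inside a minute stands out from normal editing.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Commands that destroy recovery points. Quoted full paths ("...\vssadmin.exe")
# are handled, "vssadmin list shadows" is not matched.
SHADOW_DELETE = re.compile(
    r'vssadmin(?:\.exe)?"?\s+delete\s+shadows'
    r'|wmic(?:\.exe)?"?\s+shadowcopy\s+delete'
    r'|wbadmin(?:\.exe)?"?\s+delete\s+catalog',
    re.IGNORECASE,
)

def shadow_copy_deletions(process_events):
    """process_events: iterable of (host, timestamp, command_line) taken from
    Security 4688 or Sysmon event 1 records. Returns the matching events."""
    return [e for e in process_events if SHADOW_DELETE.search(e[2])]

def rename_bursts(rename_events, threshold=500, window_seconds=60):
    """rename_events: iterable of (host, timestamp, old_name, new_name), e.g. from
    Sysmon event 11 or file-server audit logs. Flags hosts with >= threshold renames
    inside any window_seconds span. Returns {host: peak_count_in_window}."""
    per_host = defaultdict(list)
    for host, ts, _old, _new in rename_events:
        per_host[host].append(ts)
    alerts = {}
    for host, times in per_host.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):   # sliding window over sorted timestamps
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[host] = peak
    return alerts

# Constructed sample data: hostnames, times, paths and command lines are made up.
T0 = datetime(2024, 3, 1, 9, 14, 0)
PROCESS_EVENTS = [
    ("WS-042", T0, r'"C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet'),
    ("WS-042", T0 + timedelta(seconds=1), "wmic shadowcopy delete"),
    ("SRV-01", T0 + timedelta(minutes=6), "vssadmin list shadows"),            # benign listing
    ("WS-017", T0 + timedelta(minutes=47), r'"C:\Program Files\Backup\agent.exe" --verify'),
]

def sample_renames():
    events = []
    for i in range(600):   # 600 renames in 30 s from WS-042: the mass-rename signal
        events.append(("WS-042", T0 + timedelta(seconds=5, milliseconds=50 * i),
                       f"finance/doc{i}.docx", f"finance/doc{i}.docx.locked"))
    for i in range(3):     # ordinary editing on SRV-01
        events.append(("SRV-01", T0 + timedelta(minutes=i),
                       f"report{i}.xlsx", f"report{i}_v2.xlsx"))
    return events

if __name__ == "__main__":
    for host, ts, cmd in shadow_copy_deletions(PROCESS_EVENTS):
        print(f"[shadow-copy deletion] {host} {ts:%H:%M:%S} {cmd}")
    for host, peak in rename_bursts(sample_renames()).items():
        print(f"[mass rename] {host}: {peak} renames inside 60 s")
```

The shadow-copy rule is a high-confidence single-event alert and should trigger automatic host isolation; the rename-burst threshold needs tuning per environment (build servers and migration jobs rename legitimately), which is why it is a parameter rather than a constant.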
The No More Ransom Project is a free decryptor collection co-run by Europol, the Dutch police, Kaspersky, and McAfee. In eight years they've published decryption keys for 200+ families and helped over 1.5 million people recover for free. Check this site first.
## Summary
Ransomware is the post-2010 cybercrime revenue model that exists by "taking a good technology — correctly-implemented cryptography — and using it for bad ends". The 1989 AIDS Trojan is the ancestor; Bitcoin (2009) made payments work; CryptoLocker (2013) was the industrialisation point; and from Single to Double to Triple to Quadruple Extortion, the leverage kept climbing until Big Game Hunting was able to take entire enterprises offline for weeks at a time.
Technically, because it weaponises modern cryptography, decryption is in principle impossible — which forces victims into "pay vs restore from backup". The No More Ransom Project and seized keys from law-enforcement operations have saved some cases, but you cannot expect that for today's major RaaS.
The core of defence is "assume you'll be compromised, and have the recovery capability ready". 3-2-1-1-0 + immutable backups + restore drills are the last line; EDR + network segmentation + Tier-isolated Domain Admin are the second line, where the days-to-weeks between intrusion and detonation can still be used to stop the attack. "Pay or not pay" is no longer just an individual organisation's moral call — it is a society-wide incentive problem, and government regulation plus the shrinking insurance market keep pressing on the side that would pay.