Ransomware Explained: Mechanics, Incidents, and Defenses

approx. 29 min read, 2026-05-10

Ransomware

Ransomware is the umbrella term for malware that "encrypts files and demands payment (a 'ransom') in exchange for the decryption key." Its ancestor is the 1989 AIDS Trojan, but the model only became viable as a business after Bitcoin (launched 2009) enabled anonymous, cross-border payment. CryptoLocker (2013) was the industrialization point, and ransomware has been the largest cybercrime revenue source since. Chainalysis estimates 2024 total ransom payments worldwide exceeded $1.14 billion.

This article continues from the Trojan Horse article, focusing on ransomware as the final payload Trojans deliver. Rather than rehashing malware delivery in general, this piece zeroes in on what's specific to ransomware: the five sub-categories, the staged evolution of multi-extortion, the Big Game Hunting attack chain (SVG 1), why AES + RSA hybrid cryptography is unbreakable without the key (SVG 2), canonical incidents, the rise and fall of major RaaS groups, the "should we pay?" policy debate, cryptocurrency tracing, and realistic defenses. The goal is to assemble the picture by touching each face of "ransomware is a technical, legal, and economic problem all at once" in turn.

1. The five categories — what's being held hostage

What gets called "ransomware" actually covers multiple distinct hostage models:

| Type | Hostage | Examples |
| --- | --- | --- |
| Crypto ransomware | The files themselves are encrypted — irrecoverable without the key | CryptoLocker (2013), WannaCry, LockBit, Conti, REvil, Royal |
| Locker ransomware | Locks the screen / OS — files are intact, but you can't log in | Reveton (2012), many Android variants, "FBI MoneyPak" scams |
| Doxware / Leakware | Threatens public release of stolen data (works without encryption) | Many modern RaaS use it alongside encryption (DoppelPaymer onward, 2020+) |
| Wiper-disguised ransomware | The decryption key doesn't exist or doesn't work; destruction is the goal and the ransom is camouflage | NotPetya (2017), Shamoon (2012), HermeticWiper (2022 Ukraine) |
| DDoS extortion (RDoS) | Take you offline with DDoS, or threaten to unless paid | DD4BC (2014), Armada Collective, Fancy Lazarus (2021) |

The modern mainstream is Crypto ransomware combined with Doxware — encryption plus the threat that "if you don't pay, the stolen data goes public" is now standard. Locker ransomware faded because OS lock screens are bypassable. Wiper-disguised is heavily used in nation-state attacks — NotPetya was a wiper deployed by Russia's GRU disguised as ransomware against Ukraine; it spread worldwide and caused over $10 billion in damage (centered on Maersk / Merck / FedEx TNT).

2. Multi-extortion — Single → Quadruple

Ransomware's economic leverage has expanded in stages over a decade. The history of how the payment-pressure surface area kept growing:

| Stage | Period | Pressure source | Representative groups |
| --- | --- | --- | --- |
| Single Extortion | through 2018 | Encryption only — "you don't get the key" | CryptoLocker, WannaCry, early GandCrab |
| Double Extortion | 2019- | + Data leak — "if you don't pay, we publish what we stole" | Maze (2019 originator), DoppelPaymer, REvil, Conti |
| Triple Extortion | 2020- | + DDoS — "we'll also take your service offline" | SunCrypt, Avaddon, REvil |
| Quadruple Extortion | 2021- | + Direct contact to customers / regulators — "we'll notify your customers and regulators of your breach" | ALPHV/BlackCat, LockBit, Cl0p |

The most egregious Quadruple Extortion case: in 2023 ALPHV/BlackCat reported MeridianLink directly to the SEC, filing a complaint that the company "failed to disclose the breach within four business days," flanking the victim with administrative risk on top of the cyber damage.

Once the "if you don't pay, we leak the data" model took hold, organizations capable of restoring from backup also started paying. That's the economic backdrop behind the rise of Big Game Hunting — the high-ransom enterprise-targeted ransomware industry.

3. The attack chain — typical Big Game Hunting flow

Modern enterprise ransomware spends days to weeks preparing between intrusion and detonation. The model is not "encrypt fast and bail"; the essence of Big Game Hunting is to prepare thoroughly and then detonate everything at once.

Big Game Hunting ransomware attack chain: from Initial Access to Encryption / Negotiation typically spans days to weeks; long preparation, then fast detonation.

  (1) Initial Access (Day 0) — often a foothold purchased from an IAB: phishing / leaked RDP-VPN credentials / Citrix-VPN gateway vulns / Living off Trusted Sites
  (2) Reconnaissance (Day 1-3): BloodHound for the AD graph / identify critical servers and DBs / map DCs / locate backup servers
  (3) Privilege Escalation + Credential Access (Day 2-7): mimikatz LSASS dump / Kerberoasting / DCSync to obtain Domain Admin
  (4) Lateral Movement (Day 3-10): spread to all hosts as Domain Admin / Cobalt Strike beacons / Pass-the-Hash / RDP / WMI
  (5) Backup Destruction (Day 5-14) ★ the pivotal Big Game Hunting step: steal Veeam / Commvault / VSS / Azure Backup credentials → encrypt or delete backups
  (6) Data Exfiltration (Day 7-21) — ammunition for Double Extortion: hundreds of GB to multiple TB sent to Mega.nz / pCloud / attacker S3; rclone / megasync are the standard tools
  (7) Encryption Trigger (overnight or weekend): simultaneous encryption across all hosts / typically nights, weekends, or holidays (= maximize detection lag) / drop ransom note
  (8) Negotiation (Day 1-30) — TOR chat portals / "50% off if you pay within 3 days" / leak-site countdowns

Things to note:

  • Days to weeks pass between intrusion and detonation; detecting initial access early can prevent encryption. EDR behavioral detection + a fast-responding SOC earn their value here
  • Backup Destruction is built into the chain — Veeam / Commvault / VSS snapshots / backup NAS are deliberately destroyed before encryption. That's why "we have backups, so we're fine" no longer holds
  • Exfiltration happens before encryption; the Double Extortion ammo gets secured first, then encryption fires. Hundreds of GB of outbound traffic detectable by DLP / NDR is the last line
  • Detonation timing skews to nights and weekends; Friday night detonation is common (response stalls until Monday). CISA in 2021 specifically warned about "Holiday Ransomware" targeting major holiday weekends

4. Encryption mechanics — why decryption is impossible without the key

A common question from victims: "Just like passwords get cracked from hashes, can't you compute the key from the encrypted data?" The answer: "Modern cryptography is mathematically designed to make that impossible." The structure of AES + RSA hybrid encryption explains why.

Ransomware encryption — the AES + RSA hybrid scheme: "encrypt files fast" and "deliver the key safely" are at odds, so the problem is solved in two stages.

The attacker's setup — an RSA key pair generated and held by the attacker:
  • RSA Public Key: embedded in the malware
  • ★ RSA Private Key: held only by the attacker

The encryption flow on the victim host, per file:
  (1) Generate a fresh AES key per file: AES-256 / 256-bit key from a CSPRNG, a different key every time
  (2) Encrypt the file with AES: document.docx → document.docx.lockbit; tens of GB done in minutes (fast)
  (3) Encrypt the AES key with the RSA public key and embed the encrypted AES key in the file or its footer: "only the RSA private key holder can decrypt"

Result — the structure of an encrypted file:
  [ AES-encrypted body ]: decryption needs the AES key
  [ RSA-encrypted AES key ]: decryption needs the RSA private key (= attacker only)
  [ File ID / extension ]: .lockbit / .conti / .crypt

What's required for decryption (= why computation can't break it):
  • Brute-force AES-256 → 2^256 trials → more than the stars in the universe → physically impossible
  • Mathematically break RSA-2048 / 4096 → infeasible until quantum computers mature (factoring problem)
  • The only realistic paths: pay the attacker / law enforcement seizes the key / insider leak
  • "No More Ransom Project" decryption tools all came from past instances of those three

Rare cases where implementation bugs saved victims:
  • Key persisted in memory / weak CSPRNG made keys predictable / RSA public stored on disk allowed deriving the private
  • In 2026, the major RaaS (LockBit, ALPHV, Royal, …) don't make these mistakes; there's no decryption hope

The two-stage hybrid (speed via AES, public-key management via RSA) is the standard, correct design used in TLS / PGP / SSH and most modern cryptographic protocols. Ransomware exploits this very correctly-implemented cryptography, which is why "breaking" it is, in principle, impossible. The cryptographer's dilemma — "strong crypto helps the good and the bad equally" — appears here directly.
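To make concrete why the private key is the only way back in, here is an added in-memory demonstration (example code written for this editing pass, not code from the page or from any ransomware family) of the same AES + RSA-OAEP hybrid construction that TLS and PGP use: a fresh AES-256-GCM key per blob, wrapped under an RSA public key, plus a check that a different RSA key cannot unwrap it. The blob layout (length prefix, wrapped key, nonce, body) and the function names are assumptions of this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed blob layout for this example (not any real family's format):
//   [4-byte big-endian length][RSA-OAEP wrapped AES key][12-byte GCM nonce][AES-256-GCM body]

// sealBlob encrypts plaintext under a fresh random AES-256 key and wraps
// that key with the RSA public key (the key that would ship in the payload).
func sealBlob(pub *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	// (1) fresh 256-bit key from the OS CSPRNG, different for every blob
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	// (2) symmetric encryption of the body: fast, any size
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	body := gcm.Seal(nil, nonce, plaintext, nil)
	// (3) wrap the AES key with RSA-OAEP; only the private key can unwrap it
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	out := make([]byte, 4)
	binary.BigEndian.PutUint32(out, uint32(len(wrapped)))
	out = append(out, wrapped...)
	out = append(out, nonce...)
	out = append(out, body...)
	return out, nil
}

// openBlob reverses sealBlob; it needs the RSA private key, which in the
// ransomware setting never leaves the attacker's machine.
func openBlob(priv *rsa.PrivateKey, blob []byte) ([]byte, error) {
	if len(blob) < 4 {
		return nil, errors.New("blob too short")
	}
	n := int(binary.BigEndian.Uint32(blob[:4]))
	if len(blob) < 4+n+12 {
		return nil, errors.New("blob truncated")
	}
	wrapped, rest := blob[4:4+n], blob[4+n:]
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
	if err != nil {
		return nil, err // wrong private key: OAEP padding check fails here
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce, body := rest[:gcm.NonceSize()], rest[gcm.NonceSize():]
	return gcm.Open(nil, nonce, body, nil)
}

// roundTrip seals a constructed message, opens it with the right key, and
// confirms that an unrelated RSA key cannot unwrap the AES key.
func roundTrip() (recovered bool, wrongKeyFails bool, err error) {
	holder, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	other, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	msg := []byte("constructed sample document contents")
	blob, err := sealBlob(&holder.PublicKey, msg)
	if err != nil {
		return false, false, err
	}
	pt, err := openBlob(holder, blob)
	if err != nil {
		return false, false, err
	}
	_, wrongErr := openBlob(other, blob)
	return bytes.Equal(pt, msg), wrongErr != nil, nil
}

func main() {
	ok, wrong, err := roundTrip()
	fmt.Println("recovered:", ok, "wrong key rejected:", wrong, "err:", err)
}
```

Nothing in the blob reveals the AES key: the body is AES-GCM ciphertext and the only copy of the key is under RSA-OAEP. That is exactly the position the victim is in, which is why the page's list of realistic paths (pay, seizure, leak, implementation bug) is complete.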

For victims, the realistic decryption paths are limited:

  1. Pay the ransom — no guarantee the key arrives, but as a "business," major RaaS mostly do deliver (their next victims won't pay otherwise)
  2. Law enforcement compromises the attacker — REvil (2022 Russian FSB), LockBit (2024 NCA), ALPHV (2023 FBI), Hive (2023 FBI) have all had seized RSA private keys made public
  3. Internal leak — Conti (2022, when their public support of Russia's invasion of Ukraine prompted a Ukrainian member to leak everything) shows internal feuds can release keys
  4. Implementation bugs — older ransomware (some 2014–2017) had weak keygen or storage mistakes; decryption tools live at the No More Ransom Project (200+ tools, free)

5. Representative incidents — what changed each time

| Year | Incident | What happened / impact |
| --- | --- | --- |
| 2017 | WannaCry (North Korea Lazarus origin) | EternalBlue wormed worldwide + encryption. 150 countries, 200k+ hosts, UK NHS surgeries cancelled, $4-8 billion estimated loss |
| 2017 | NotPetya (Russia GRU) | Via Ukrainian accounting software M.E.Doc supply chain → wiper (irrecoverable). Centered on Maersk / Merck / FedEx TNT, $10 billion+ worldwide loss |
| 2019 | Maze | Inventor of Double Extortion (leak threats). Public leak site changed the industry model |
| 2020 | WastedLocker / Garmin | $10M ransom paid (estimated); Garmin's services down for days |
| 2021 | Colonial Pipeline (DarkSide) | East-coast US fuel pipeline down for 6 days. $4.4M ransom paid → FBI recovered $2.3M via crypto tracing |
| 2021 | JBS Foods (REvil) | World's largest meat processor. $11M paid |
| 2021 | Kaseya VSA (REvil supply chain) | Exploited an MSP product vulnerability → 1,500 customer companies encrypted in a chain reaction. $70M lump-sum ransom demanded |
| 2022 | Costa Rica state (Conti) | An attack against a national government. The president declared a state of emergency. HHS / tax / customs services went offline |
| 2023 | MGM Resorts (ALPHV) | Las Vegas MGM casinos offline for days; $100M+ in losses. Social engineering (vishing) tricked the IT helpdesk |
| 2023 | Caesars Entertainment | Reportedly paid $15M to resolve before disclosure |
| 2024 | Change Healthcare (ALPHV) | The hub of US medical-claims processing. Pharmacies / hospitals / insurance claims nationwide stalled for weeks. $22M ransom + $872M in recovery costs |
| 2024 | British Library (Rhysida) | The UK national library's OPAC fully offline. Still not fully recovered (estimated 2+ years to restore) |
| 2024 | CDK Global | DMS for 15,000 US auto dealers down; the entire auto retail industry paralyzed |
| 2024 | LockBit takedown "Operation Cronos" (UK NCA) | Seized LockBit infrastructure, recovered 14,000 affiliate IDs and 7,000 AES/RSA keys |

The reality is that "attacks on critical infrastructure, healthcare, and government haven't stopped — even in 2024." Colonial Pipeline / Change Healthcare showed the world that "lifelines can be taken offline by ransomware," and governments started treating the issue as a national-security matter.

6. The rise and fall of RaaS groups — knocked down, sprouting again

Five years of major Ransomware-as-a-Service (RaaS) operators:

| Group | Active period | Notes / how it ended |
| --- | --- | --- |
| GandCrab | 2018-2019 | Announced "made $2.4 billion, retiring" (true number unknown); succeeded by REvil |
| REvil / Sodinokibi | 2019-2022 | Hit Kaseya / JBS / Apple supplier (Quanta) → arrested by Russian FSB in January 2022 (later reportedly released as US-Russia relations soured) |
| DarkSide / BlackMatter | 2020-2021 | Brand abandoned post-Colonial Pipeline → revived as BlackMatter → also short-lived |
| Conti | 2020-2022 | Endorsed Russia's invasion of Ukraine in 2022 → Ukrainian-aligned members leaked everything ("Conti Leaks") → dissolved and split (Royal, BlackBasta, Karakurt, etc.) |
| LockBit | 2019-2024 | The most prolific RaaS in history (2,500+ incidents) → NCA "Operation Cronos" seized infrastructure February 2024 → declared revival but trust never recovered |
| ALPHV / BlackCat | 2021-2024 | The first major ransomware written in Rust. After Change Healthcare, executed an exit scam absconding with $22M (March 2024) |
| Cl0p | 2019- | Specializes in zero-days against enterprise file-transfer software (MOVEit / GoAnywhere / Accellion) — moved to "leak-only, no encryption" |
| Royal / BlackSuit | 2022- | Conti descendant; hit US municipal systems (Dallas) |
| BlackBasta | 2022- | Conti descendant; targets healthcare heavily |
| RansomHub | 2024- | Refugees from the ALPHV exit scam joined; growing fast |

"Knock one down, another rises under a new brand" — the whack-a-mole dynamic continues. Major operations like LockBit takedown (2024) produce short-term wins, but core operators residing in sanctions-shielded countries can keep operating — a structural problem.

7. The "should we pay?" policy debate

FBI / CISA / NCSC (UK) / Europol consistently advise "don't pay." Reasons:

  • It funds the next victim — ransom revenue is the attacker's resource for the next attack
  • No guarantee the key arrives — major RaaS mostly deliver, but emerging / small-scale / wiper-disguised don't
  • You get marked as "an organization that pays" — repeat-target status
  • OFAC sanctions — in the US, payments to OFAC-sanctioned groups (North Korea Lazarus, Russia Evil Corp) are illegal; both organizations and individuals face criminal liability

But payment continues in practice. Change Healthcare $22M / Colonial $4.4M / JBS $11M are all publicly known payments. Payment rates vary by region and industry, but Coveware's 2024 data shows 28% of cases paid (down from 76% in 2019, but still substantial).

Legislative momentum:

  • Australia (2024): mandatory reporting of ransom payments by critical infrastructure / large companies within 72 hours
  • US CIRCIA Act (signed 2022, full enforcement expected 2026): 24-hour reporting of ransom payments by critical infrastructure
  • Total-ban discussions: the US and UK have ongoing debate over a complete ban. "Cut the economic incentive" advocates vs. "SMBs can't survive otherwise" advocates remain at an impasse
  • Insurance industry — since 2020, insurance covering ransom payments has been retreating. Lloyd's of London excluded "nation-state-attributed ransom" from coverage from 2023

The realistic decision matrix:

  1. Can we restore from backup? ← check first (immutable / offline copies make it possible)
  2. How damaging is the leaked data? ← Double extortion means paying doesn't guarantee leaks stop
  3. Is the group OFAC-sanctioned? ← US organizations face criminal exposure
  4. Industry-level effects ← becoming "an industry that pays" intensifies targeting

8. Cryptocurrency tracing — the "Bitcoin = anonymous" myth

The naive view that "if attackers demand Bitcoin, they can't be caught" has been largely demolished by crypto-tracing firms like Chainalysis / TRM Labs / Elliptic. Bitcoin / Ethereum are public blockchains = every transaction visible forever, and wallet-to-wallet flows are fully traceable.

| Incident | Tracing outcome |
| --- | --- |
| Colonial Pipeline (2021) | 63.7 BTC of the $4.4M payment, seized by FBI in about a month ($2.3M worth). The FBI said it had obtained the private key of the DarkSide wallet |
| Hive ransomware (2022-2023) | FBI infiltrated the infrastructure for 7 months, secretly distributed decryption keys to victims while the investigation continued → seizure |
| REvil (2022) | FSB seized crypto wallets from arrested operators; reports of victim returns followed |

Ransomware operators take counter-tracing measures:

  • Mixers / tumblers — combine multiple addresses to obscure flows (but Chainalysis's heuristics trace through many of them)
  • Monero (XMR) — switched to a truly anonymous cryptocurrency (post-2022); unlike Bitcoin, transaction contents aren't public
  • OFAC sanctions evasion — North Korea-linked groups cash out via DPRK exchanges, risking exclusion from the international financial system if caught

"Bitcoin ransom = anonymous and safe" is a 2014 understanding frozen in time. Modern major RaaS shifting to Monero is the corollary of Bitcoin tracing becoming operational.
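The "public ledger = traceable" point and the mixer bullet above can both be seen in a small added example (written for this editing pass; not the page's code and not how Chainalysis, TRM Labs or Elliptic actually implement their proprietary heuristics). It replays a constructed transaction list in order and carries taint forward proportionally (the textbook "haircut" model): every deposit into the ransom address is tainted, each outgoing transfer inherits the sender's taint fraction, and a mixer's clean inputs dilute the taint but cannot make it disappear. Address names, amounts and the integer "units" are all constructed.

```go
package main

import (
	"fmt"
	"sort"
)

// Tx is one on-chain transfer in a constructed ledger; amounts are integer
// units (think satoshi) so the haircut arithmetic stays exact.
type Tx struct {
	From, To string
	Amount   int64
}

// Ledger holds the running balance and the tainted portion of every address.
type Ledger struct {
	Balance map[string]int64
	Taint   map[string]int64
}

// TraceTaint replays txs in order. Deposits into ransomAddr are fully tainted;
// every other transfer carries amount * (sender taint / sender balance).
// A sender whose tracked balance is short is topped up with clean external
// funds, which is how a mixer's clean inputs dilute (but not erase) taint.
func TraceTaint(txs []Tx, ransomAddr string) Ledger {
	l := Ledger{Balance: map[string]int64{}, Taint: map[string]int64{}}
	for _, tx := range txs {
		if tx.Amount <= 0 {
			continue
		}
		if l.Balance[tx.From] < tx.Amount {
			l.Balance[tx.From] = tx.Amount // shortfall = clean money from outside the graph
		}
		taintOut := tx.Amount * l.Taint[tx.From] / l.Balance[tx.From]
		l.Taint[tx.From] -= taintOut
		l.Balance[tx.From] -= tx.Amount
		l.Balance[tx.To] += tx.Amount
		if tx.To == ransomAddr {
			l.Taint[tx.To] += tx.Amount // a ransom collection address taints everything it receives
		} else {
			l.Taint[tx.To] += taintOut
		}
	}
	return l
}

// TaintedShare returns how much tainted value sits at addr and what fraction
// of its current balance that is (0 if the address holds nothing).
func (l Ledger) TaintedShare(addr string) (int64, float64) {
	if l.Balance[addr] == 0 {
		return l.Taint[addr], 0
	}
	return l.Taint[addr], float64(l.Taint[addr]) / float64(l.Balance[addr])
}

// HoldersOfTaint lists every address still holding tainted value, sorted.
func (l Ledger) HoldersOfTaint() []string {
	var out []string
	for a, t := range l.Taint {
		if t > 0 {
			out = append(out, a)
		}
	}
	sort.Strings(out)
	return out
}

// SampleTxs is a constructed flow: victim pays 75 units to the ransom address,
// 60 go through a mixer that also takes 40 clean units, the mixer fans out,
// and a cash-out lands at an exchange deposit address.
func SampleTxs() []Tx {
	return []Tx{
		{"victim-wallet", "ransom-addr", 75},
		{"ransom-addr", "mixer", 60},
		{"clean-funds", "mixer", 40},
		{"mixer", "mixer-out-1", 25},
		{"mixer", "mixer-out-2", 25},
		{"mixer", "exchange-deposit", 50},
		{"ransom-addr", "exchange-deposit", 15},
	}
}

func main() {
	l := TraceTaint(SampleTxs(), "ransom-addr")
	for _, a := range l.HoldersOfTaint() {
		t, frac := l.TaintedShare(a)
		fmt.Printf("%-18s tainted=%3d of %3d (%.0f%%)\n", a, t, l.Balance[a], frac*100)
	}
}
```

The exchange deposit ends up holding 45 tainted units out of 65: the mixer cut the taint fraction of its outputs to 60%, which is why an exchange's compliance team still sees a ransom-linked deposit, and why operators who want to break this chain move to Monero rather than rely on Bitcoin mixers.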

9. Defense — backup remains the last line

Ransomware defense's root principle is "build the ability to recover without paying." A four-layer defense:

| Layer | Contents |
| --- | --- |
| Prevent intrusion (shared with Trojan article) | Email filtering / macro disable / EDR / Application Allowlisting / MFA / patch management |
| Detect and contain post-intrusion | EDR detects abnormal encryption behavior (mass file rename) → auto-isolation / 24/7 SOC monitoring / network segmentation |
| Block the encryption trigger | LSASS protection / Tier-isolated Domain Admins / block shadow-copy deletion (vssadmin) / cut admin paths to backup systems |
| Ensure recovery capability ★ The last line | 3-2-1 rule + immutable backups + offline (air-gapped) copies + regular restoration drills |

The 3-2-1 rule = 3 copies on 2 different media types with 1 offsite. It has since been extended to 3-2-1-1-0: +1 immutable or offline copy (= cannot be deleted or modified) + 0 errors (regular verification).

Immutable backups are decisive:

  • AWS S3 Object Lock — set retention period during which deletion is impossible
  • Veeam Hardened Repository — Linux + immutable filesystem
  • WORM (Write Once Read Many) tape
  • Backup in a separate domain / separate account so Domain Admin permissions don't reach it
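As an added example (written for this editing pass, not a tool from the page or from any backup vendor), here is a policy check that turns the 3-2-1-1-0 rule and the "out of Domain Admin's reach" advice above into code. It takes an inventory of copies, including the live production copy, and returns every violated clause; the inventories, field names and copy names are constructed for illustration.

```go
package main

import "fmt"

// BackupCopy describes one copy of a data set. The primary (production) copy
// counts toward "3 copies"; the remaining fields are the properties that
// 3-2-1-1-0 and the admin-isolation advice care about.
type BackupCopy struct {
	Name                   string
	Primary                bool   // the live production copy
	Media                  string // "disk", "tape", "object-storage", ...
	Offsite                bool
	Immutable              bool // Object Lock / WORM / hardened repository
	Offline                bool // air-gapped copy
	ReachableByDomainAdmin bool // production AD admins could delete or alter it
	LastRestoreTestOK      bool // most recent restoration drill succeeded
}

// Evaluate321 returns the violated clauses of 3-2-1-1-0 plus admin isolation;
// an empty result means the inventory passes.
func Evaluate321(copies []BackupCopy) []string {
	var findings []string
	media := map[string]bool{}
	offsite, shielded, isolated := false, false, false
	for _, c := range copies {
		media[c.Media] = true
		if c.Offsite {
			offsite = true
		}
		if c.Primary {
			continue // the live copy is never the one that saves you
		}
		if c.Immutable || c.Offline {
			shielded = true
		}
		if !c.ReachableByDomainAdmin {
			isolated = true
		}
		if !c.LastRestoreTestOK {
			findings = append(findings, fmt.Sprintf("0 errors: %s has no passing restore test", c.Name))
		}
	}
	if len(copies) < 3 {
		findings = append(findings, fmt.Sprintf("3 copies: only %d copies exist", len(copies)))
	}
	if len(media) < 2 {
		findings = append(findings, "2 media: all copies share one media type")
	}
	if !offsite {
		findings = append(findings, "1 offsite: no copy is offsite")
	}
	if !shielded {
		findings = append(findings, "1 immutable/offline: every backup copy can be deleted or altered")
	}
	if !isolated {
		findings = append(findings, "isolation: every backup copy is reachable with production Domain Admin rights")
	}
	return findings
}

// WeakSet is the constructed "we have backups, so we're fine" setup the page
// warns about: a NAS on the same site, same media, deletable by Domain Admin.
func WeakSet() []BackupCopy {
	return []BackupCopy{
		{Name: "prod-fileserver", Primary: true, Media: "disk", ReachableByDomainAdmin: true},
		{Name: "nas-nightly", Media: "disk", ReachableByDomainAdmin: true, LastRestoreTestOK: true},
	}
}

// StrongSet adds a hardened repository and an offsite Object Lock bucket in a
// separate account, both verified by a restore drill.
func StrongSet() []BackupCopy {
	return []BackupCopy{
		{Name: "prod-fileserver", Primary: true, Media: "disk", ReachableByDomainAdmin: true},
		{Name: "hardened-repo", Media: "disk", Immutable: true, LastRestoreTestOK: true},
		{Name: "s3-objectlock", Media: "object-storage", Offsite: true, Immutable: true, LastRestoreTestOK: true},
	}
}

func main() {
	for _, set := range [][]BackupCopy{WeakSet(), StrongSet()} {
		f := Evaluate321(set)
		if len(f) == 0 {
			fmt.Println("passes 3-2-1-1-0")
			continue
		}
		for _, s := range f {
			fmt.Println("-", s)
		}
	}
}
```

The weak inventory fails all five structural clauses at once, which is the point: a second copy that Domain Admin can reach on the same site is exactly what step (5) of the attack chain is built to destroy.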

EDR rollback — Microsoft Defender / SentinelOne / CrowdStrike track file changes via VSS or proprietary snapshots and can roll back encryption (within limits).

The No More Ransom Project is a free decryption-tool collection jointly run by Europol / Dutch Police / Kaspersky / McAfee. Over 8 years it has published 200+ ransomware decryption keys and helped 1.5+ million people recover for free. Always check this site first.

# Important detection signals on Windows
# vssadmin / wmic attempting shadow-copy deletion (almost always ransomware).
# Event ID 4688 only carries the command line when "Include command line in process creation events" is enabled.
wevtutil qe Security /q:"*[System[EventID=4688]]" /f:text | findstr /I /R "vssadmin.*delete.*shadows wmic.*shadowcopy.*delete"

# On Linux: audit deletions and renames anywhere under the backup tree (-F dir= covers the directory recursively)
auditctl -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F dir=/backup -k backup_tamper

# Detect mass file renames via Sysmon / EDR (thousands on one host briefly = ransomware signal)
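The two signals in the snippet above and in the "things to note" list of section 3 (shadow-copy deletion command lines, and a burst of file renames on one host) can be checked offline against telemetry with a small added detector (example code for this editing pass, not the page's own or any EDR vendor's logic). The event records, host names, paths and thresholds are constructed; real Sysmon or 4688 output would need to be parsed into the same two structs first.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"time"
)

// ProcEvent is a simplified process-creation record (Windows 4688 / Sysmon 1).
type ProcEvent struct {
	Host    string
	CmdLine string
}

// FileEvent is a simplified file-rename record (Sysmon 11 or EDR file telemetry).
type FileEvent struct {
	Host string
	Time time.Time
	Path string
}

// shadowDeletion matches command lines that destroy Volume Shadow Copies via
// vssadmin or wmic, case-insensitively. "vssadmin list shadows" is routine
// admin activity and deliberately does not match.
var shadowDeletion = regexp.MustCompile(`(?i)\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)`)

// IsShadowCopyDeletion reports whether one command line deletes shadow copies.
func IsShadowCopyDeletion(cmd string) bool { return shadowDeletion.MatchString(cmd) }

// HostsDeletingShadowCopies returns the sorted, de-duplicated hosts that ran
// a shadow-copy deletion command.
func HostsDeletingShadowCopies(events []ProcEvent) []string {
	seen := map[string]bool{}
	for _, e := range events {
		if IsShadowCopyDeletion(e.CmdLine) {
			seen[e.Host] = true
		}
	}
	hosts := make([]string, 0, len(seen))
	for h := range seen {
		hosts = append(hosts, h)
	}
	sort.Strings(hosts)
	return hosts
}

// HostsWithMassRenames returns hosts on which at least threshold renames fell
// inside some sliding window of the given length (sorted).
func HostsWithMassRenames(events []FileEvent, window time.Duration, threshold int) []string {
	byHost := map[string][]time.Time{}
	for _, e := range events {
		byHost[e.Host] = append(byHost[e.Host], e.Time)
	}
	var hits []string
	for host, ts := range byHost {
		sort.Slice(ts, func(i, j int) bool { return ts[i].Before(ts[j]) })
		start := 0
		for end := range ts {
			for ts[end].Sub(ts[start]) > window { // shrink from the left until the window fits
				start++
			}
			if end-start+1 >= threshold {
				hits = append(hits, host)
				break
			}
		}
	}
	sort.Strings(hits)
	return hits
}

// SampleTelemetry builds constructed telemetry: one workstation that deletes
// shadow copies and renames 1,200 files in 30 seconds on a Saturday night,
// plus a file server with ordinary activity. All names and paths are invented.
func SampleTelemetry() ([]ProcEvent, []FileEvent) {
	procs := []ProcEvent{
		{"fs-02", `C:\Windows\System32\vssadmin.exe list shadows`},
		{"ws-017", `vssadmin.exe delete shadows /all /quiet`},
		{"ws-017", `wmic.exe shadowcopy delete`},
		{"dc-01", `C:\Windows\System32\svchost.exe -k netsvcs`},
	}
	base := time.Date(2026, 5, 9, 23, 10, 0, 0, time.UTC)
	var files []FileEvent
	for i := 0; i < 1200; i++ {
		files = append(files, FileEvent{"ws-017", base.Add(time.Duration(i) * 25 * time.Millisecond),
			fmt.Sprintf(`C:\Users\alice\Documents\doc%04d.docx.lockbit`, i)})
	}
	for i := 0; i < 30; i++ {
		files = append(files, FileEvent{"fs-02", base.Add(time.Duration(i) * 10 * time.Second),
			fmt.Sprintf(`D:\Shares\finance\report%02d.xlsx`, i)})
	}
	return procs, files
}

func main() {
	procs, files := SampleTelemetry()
	fmt.Println("shadow-copy deletion on:", HostsDeletingShadowCopies(procs))
	fmt.Println("mass renames on:", HostsWithMassRenames(files, time.Minute, 1000))
}
```

Both checks fire on the same host here, which is the combination worth an automatic isolation: shadow-copy deletion alone is rare but not unheard of in legitimate maintenance, while a thousand renames in under a minute from one workstation has almost no benign explanation.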

Ransomware is the largest cybercrime revenue model since the 2010s, succeeding by "weaponizing well-implemented cryptography — a good technology — for bad ends." Its ancestor is the 1989 AIDS Trojan, Bitcoin (2009) made payment possible, CryptoLocker (2013) was the industrialization point, and the model has since scaled through Single → Double → Triple → Quadruple Extortion to Big Game Hunting that takes enterprises offline for weeks.

Technically, "decryption is mathematically impossible because it abuses correctly-implemented modern cryptography" forces victims into a two-choice corner: pay, or restore from backup. Cases saved by No More Ransom Project keys or law-enforcement seizures exist, but don't expect this against the major modern RaaS.

The defense core is "assume intrusion will happen and ensure recovery." 3-2-1-1-0 + immutable backup + restoration drills is the last line, and EDR + network segmentation + Tier-isolated Domain Admin is the second line that can stop the attack during the days-to-weeks gap between intrusion and detonation. The "pay or don't pay" question isn't an individual ethical decision — it's a society-wide incentive problem, and government regulation plus shrinking insurance coverage keep tightening pressure on the payer side. 2026 may be the year a "ransom payment ban" becomes a realistic possibility — a turning point worth watching.