Top financial-impact threat

What is Ransomware

Ransomware is malware that encrypts company files and exfiltrates data for double extortion. Defenders need to combine technical controls with trained employees who close the initial-access vector.


Ransomware is the most expensive cyberattack category for enterprises

Ransomware is a class of malware that encrypts files, systems, or backups and withholds the decryption key until the victim pays a ransom, almost always in cryptocurrency. The IBM 2024 Cost of a Data Breach Report puts the global average breach at $4.88 million, with ransomware-class incidents averaging $5.13 million once business interruption, ransom payment, and recovery costs are counted. Sophos' State of Ransomware 2024 study reports that 59% of surveyed organizations were hit in the prior year and only 24% recovered through backups alone.

Modern ransomware does not stop at encryption. Attackers steal data first and then encrypt, a pattern called double extortion that keeps leverage even when the victim has clean backups. Some crews now run triple extortion, adding DDoS pressure or direct outreach to the victim's customers and regulators. The Ransomware Task Force and CISA both flag double extortion as the dominant model since 2020, with named leak sites operated by groups like LockBit, BlackCat/ALPHV, Cl0p, Akira, Black Basta, and Play.

The economic engine is ransomware-as-a-service (RaaS). A core team builds the encryptor, runs the leak site, and recruits affiliates who handle intrusions in exchange for 70 to 80% of the take. The model is resilient, which is why takedowns rarely end the threat. Operation Cronos, the UK National Crime Agency-led action against LockBit in February 2024, seized 34 servers and 200 cryptocurrency wallets, but spinoff brands and former affiliates absorbed most of the operational base within months. The US-led BlackCat/ALPHV disruption in December 2023 produced a similar pattern of fragmentation.

Recent attacker evolution matters for defenders. Akira, a 2023 spinoff that targets VPN appliances and weak MFA, reached more than 250 victims in its first year per the FBI joint advisory. Cl0p ran the 2023 MOVEit Transfer mass-exploitation campaign that hit 2,700-plus organizations in a single quarter. Black Basta moved into the LockBit gap and has been linked to the Change Healthcare and Ascension intrusions. The names rotate, the playbook does not.

How a ransomware attack unfolds

1. Initial access

Most ransomware intrusions begin with one of four vectors: phishing or malicious attachment, exposed remote services like RDP and unpatched VPN appliances, exploitation of known vulnerabilities (the CISA Known Exploited Vulnerabilities catalog tracks the live ones), or a compromise upstream in the supply chain. Affiliates often buy access from initial-access brokers who sell working VPN, RDP, or Citrix sessions for between $1,000 and $10,000. The Verizon 2024 DBIR notes that vulnerability exploitation as an initial vector grew 180% year over year.

2. Persistence and reconnaissance

Once inside, the attacker plants quiet persistence and starts mapping the environment. Cobalt Strike beacons, Sliver, and Brute Ratel run alongside legitimate tools like AnyDesk, ScreenConnect, Atera, and Splashtop, a tactic called living off the land. Median dwell time before encryption fell to 5 days in Mandiant M-Trends 2024, but reconnaissance and mapping still happen in that window. The attacker reads file shares, identifies the backup vendor, and notes which controls are likely to fire.

3. Privilege escalation and Active Directory compromise

The next move is domain dominance. Affiliates dump credentials with Mimikatz, abuse Kerberoasting to harvest service-account hashes, and target the Active Directory domain controller. Once a Domain Admin token is captured, the attacker can push the ransomware payload to thousands of endpoints in a single GPO or scheduled task. Microsoft Incident Response data attributes more than 90% of large ransomware events to AD takeover. Tier-0 protections, LAPS, and Protected Users group enrollment slow this stage materially.

4. Data exfiltration and double extortion staging

Before encryption fires, the affiliate stages data for theft. Common tools are Rclone to sync to cloud storage like MEGA or pCloud, FileZilla and WinSCP for SFTP, and 7-Zip for archive splitting. Volumes range from a few hundred gigabytes to several terabytes, often staged through a single jump host to keep traffic patterns simple. The exfiltrated data feeds the leak site if the victim refuses to pay. Cl0p's 2023 MOVEit campaign proved that attackers can skip encryption entirely and still extort with leak-site posting alone.

5. Encryption deployment

Encryption is fast and loud. LockBit Black, Akira, Phobos, and Black Basta variants chain across an SMB share or a remote-execution tool, encrypt files in parallel, and drop a ransom note in every directory. Most modern encryptors use AES for file content with an RSA-wrapped key, which makes brute-force decryption infeasible. Shadow copies, the Windows Volume Shadow Copy Service (VSS), and connected backups are deleted or encrypted in the same pass. CISA's StopRansomware joint advisories detail current variant behavior and indicators.

6. Negotiation and leak-site posting

The ransom note points to a Tor-hosted negotiation portal. Affiliates use cloned playbooks: a 72-hour countdown, a sample of stolen data published to the leak site as proof of theft, and graduated pressure that may include direct outreach to executives, customers, regulators, or journalists. Coveware quarterly reports show median ransom demands above $500,000 and median paid ransoms north of $200,000 across 2024. Even when the victim pays, full data return is not guaranteed; Sophos found only 4% of paying victims recovered all data.
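The Active Directory stage (step 3) is where detection still has time to matter. As an added example, not RansomLeak's code, this small Python detector looks for a Kerberoasting burst in constructed Windows Security event 4769 records; the record layout, account names, SPNs, threshold and window are assumptions.

```python
"""Added example, not RansomLeak's code: flag a Kerberoasting burst (step 3)
in constructed Windows Security event 4769 records."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample 4769 (Kerberos service ticket requested) records.
# TicketEncryptionType 0x17 is RC4-HMAC, the weak type roasting tools request;
# 0x12 is AES256-CTS-HMAC-SHA1-96. Accounts and SPNs are invented.
EVENTS = [
    {"ts": f"2024-05-01T02:20:{i:02d}", "account": "jdoe",
     "spn": f"svc{i}/host{i:02d}.corp.example", "etype": "0x17"}
    for i in range(10)                      # ten distinct SPNs in ten seconds
] + [
    {"ts": "2024-05-01T02:25:00", "account": "svc-backup",
     "spn": "cifs/fs01.corp.example", "etype": "0x12"},           # AES, routine
    {"ts": "2024-05-01T09:00:00", "account": "asmith",
     "spn": "MSSQLSvc/db01.corp.example:1433", "etype": "0x17"},  # one RC4 request
    {"ts": "2024-05-01T09:00:01", "account": "WS07$",
     "spn": "ldap/dc01.corp.example", "etype": "0x17"},           # machine account
]

RC4 = "0x17"
THRESHOLD = 5              # distinct RC4 SPNs from one account that trip the rule
WINDOW = timedelta(minutes=5)

def kerberoast_alerts(events, threshold=THRESHOLD, window=WINDOW):
    """Return {account: distinct RC4 SPN count} for accounts over the threshold."""
    per_account = defaultdict(list)
    for e in events:
        # AES requests and machine accounts ($) are normal domain traffic.
        if e["etype"].lower() != RC4 or e["account"].endswith("$"):
            continue
        per_account[e["account"]].append((datetime.fromisoformat(e["ts"]), e["spn"]))
    alerts = {}
    for account, reqs in per_account.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):
            spns = {s for t, s in reqs[i:] if t - start <= window}
            if len(spns) >= threshold:
                alerts[account] = len(spns)
                break
    return alerts

if __name__ == "__main__":
    print(kerberoast_alerts(EVENTS))   # {'jdoe': 10}
```

A single RC4 request from a user is ordinary legacy traffic; the signal is one account asking for many different SPNs in seconds.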

Real-world ransomware case studies

Change Healthcare, BlackCat/ALPHV, February 2024

BlackCat/ALPHV affiliates breached Change Healthcare, a UnitedHealth Group subsidiary that processes roughly a third of US healthcare claims, after exploiting a Citrix portal that lacked MFA. The attackers exfiltrated 6 TB of patient and claims data, encrypted core systems, and forced UnitedHealth into a $22 million ransom payment that the affiliate then disputed with the BlackCat core team. Pharmacies, providers, and hospitals across the US lost claims processing for weeks. UnitedHealth's Q1 2024 disclosure put financial impact above $870 million in the quarter, with full-year cost guidance reaching $2.3 billion. The HHS Office for Civil Rights opened the largest healthcare breach investigation in US history.

MGM Resorts, Scattered Spider plus ALPHV, September 2023

Scattered Spider, a financially motivated group of mostly English-speaking affiliates, social-engineered an MGM Resorts IT help-desk worker to reset MFA on a privileged Okta account. Within hours the affiliates pivoted to VMware vCenter, deployed BlackCat/ALPHV ransomware to ESXi hosts, and encrypted slot machines, hotel keys, restaurant POS, and reservation systems across the Las Vegas Strip. MGM disclosed a $100 million hit to Q3 results and a 10-day operational outage. The Caesars Entertainment intrusion the same week followed the same playbook and ended with a reported $15 million ransom payment. Both incidents validated CISA warnings about help-desk social engineering as a top-tier ransomware vector.

Cl0p MOVEit Transfer, May to July 2023

Cl0p exploited CVE-2023-34362, a SQL injection zero-day in Progress Software's MOVEit Transfer file-transfer product, in a coordinated burst that hit more than 2,700 organizations and exposed data on roughly 95 million individuals. Victims included the US Department of Energy, Shell, BBC, British Airways, Ernst & Young, the State of Maine, and dozens of US universities. Cl0p notably skipped encryption and ran a pure-extortion campaign through its leak site, demanding payments based solely on the stolen data. Emsisoft estimated direct costs above $12 billion. The campaign reset industry expectations about managed file transfer software as a high-value target.

How to defend against ransomware

Phishing-resistant MFA on every remote-access path

Require FIDO2 security keys or passkeys on VPN, RDP, Citrix, VDI, and admin consoles. SMS and push-approval MFA fall to phishing kits like EvilProxy and to MFA fatigue. The Change Healthcare and MGM intrusions both began on accounts where strong MFA was missing or could be bypassed via help-desk reset. CISA Binding Operational Directive 22-09 and the joint StopRansomware guidance both list phishing-resistant MFA as the highest-impact control.

Immutable, offline-tested backups (3-2-1-1-0)

Maintain three copies of data, on two media, with one offsite, one immutable or offline, and zero errors on the last verified restore. Test full-stack restore monthly, including domain controllers and identity systems, not just file shares. Sophos found that organizations with tested backups recovered in 4 days at median, versus 16 days without. Avoid backups that share credentials with production; affiliates target backup consoles in the first 24 hours of dwell.

Network segmentation and tier-0 isolation

Isolate Active Directory, identity providers, backup infrastructure, OT networks, and crown-jewel data behind segmented zones with explicit allow rules. Disable lateral movement aids like SMBv1, unconstrained Kerberos delegation, and broad PsExec rights. The CISA Zero Trust Maturity Model and Microsoft Tier-0 guidance map a phased approach. Segmentation does not stop the intrusion, but it materially shrinks blast radius once the attacker is in.

EDR with rollback and 24x7 monitoring

Deploy a modern EDR or XDR platform on every endpoint and server, including hypervisors and ESXi hosts, which Akira and BlackCat now target directly. Tune for living-off-the-land patterns: Cobalt Strike beacons, Rclone exfiltration, vssadmin shadow-copy deletion, and bursts of file rename activity. CrowdStrike, SentinelOne, Microsoft Defender for Endpoint, and Sophos Intercept X all ship rollback features that recover from limited encryption. Without 24x7 SOC coverage, the median 5-day dwell becomes 50.
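As an added example, not RansomLeak's or any EDR vendor's code, here is what tuning for three of those patterns looks like as detection logic over constructed endpoint telemetry: shadow-copy deletion, Rclone syncing to a cloud remote, and a burst of file renames to one new extension. The event format, hostnames, paths and thresholds are assumptions.

```python
"""Added example, not RansomLeak's or any EDR vendor's code: apply three of the
living-off-the-land patterns above to constructed endpoint telemetry."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry: (timestamp, host, kind, detail), where "proc"
# carries a process command line and "rename" the new file path.
EVENTS = [
    ("2024-05-01T02:10:03", "FS01", "proc", r"vssadmin.exe delete shadows /all /quiet"),
    ("2024-05-01T02:10:05", "FS01", "proc", r"wmic shadowcopy delete"),
    ("2024-05-01T02:11:00", "JUMP01", "proc", r"rclone.exe copy D:\Finance mega:dump --transfers 32"),
    ("2024-05-01T02:12:00", "WS07", "proc", r"notepad.exe C:\Users\a\notes.txt"),
    ("2024-05-01T03:00:00", "WS07", "rename", r"C:\Users\a\report.bak"),
] + [   # sixty files on FS01 get a new extension within twelve seconds
    (f"2024-05-01T02:15:{i // 5:02d}", "FS01", "rename", rf"\\FS01\share\doc{i:03d}.docx.locked")
    for i in range(60)
]

SHADOW_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic\s+shadowcopy\s+delete"
                           r"|wbadmin(\.exe)?\s+delete\s+catalog", re.I)
CLOUD_SYNC = re.compile(r"\brclone(\.exe)?\b.*\b(mega|pcloud|s3|b2|drive|dropbox)\s*:", re.I)
RENAME_BURST = 50                 # renames to one new extension per window
RENAME_WINDOW = timedelta(seconds=60)

def detect(events):
    """Return (host, rule, evidence) tuples for each pattern that fires."""
    hits = []
    renames = defaultdict(list)   # host -> [(timestamp, new extension)]
    for ts_s, host, kind, detail in events:
        ts = datetime.fromisoformat(ts_s)
        if kind == "proc":
            if SHADOW_DELETE.search(detail):
                hits.append((host, "shadow_copy_deletion", detail))
            if CLOUD_SYNC.search(detail):
                hits.append((host, "rclone_cloud_exfil", detail))
        elif kind == "rename":
            renames[host].append((ts, detail.rsplit(".", 1)[-1].lower()))
    # Burst rule: many renames to the same new extension inside a short window.
    for host, items in renames.items():
        items.sort()
        for i, (start, ext) in enumerate(items):
            same = [e for t, e in items[i:] if t - start <= RENAME_WINDOW and e == ext]
            if len(same) >= RENAME_BURST:
                hits.append((host, "mass_rename_burst", f"{len(same)} files -> .{ext}"))
                break
    return hits

if __name__ == "__main__":
    for hit in detect(EVENTS):
        print(hit)
```

The single rename on WS07 and the notepad launch stay silent, which is the point of tuning: the rules key on the combination of tool, argument and rate, not on any one process name.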

Privileged access management and just-in-time admin

Eliminate standing Domain Admin and cloud-admin rights. Use a privileged access workstation, vault credentials in CyberArk, BeyondTrust, or Azure PIM, and require approval plus MFA for every elevation. Enforce the Microsoft Tier-0 protections: LAPS, Protected Users, restricted admin mode, and Credential Guard. Most ransomware events that reach domain controller stage failed at this control specifically.

Patching cadence aligned to CISA KEV

Subscribe to the CISA Known Exploited Vulnerabilities catalog and patch listed bugs inside the federal-aligned timelines (commonly 14 to 21 days). Edge devices (firewalls, VPN concentrators, file-transfer servers, RMM platforms) are the highest-risk surface; the MOVEit, Citrix Bleed, Fortinet, and Ivanti Connect Secure CVEs all became ransomware initial-access vectors within days of disclosure. Track an SBOM so exposure to a new CVE can be answered in hours.

Vendor and supply-chain monitoring

Treat third-party SaaS vendors, MSPs, and software supply chains as part of the attack surface. Require SOC 2 Type II evidence, breach-notification SLAs, and least-privilege scopes on every B2B connection. Run third-party risk reviews against the suppliers most likely to host ransomware impact: payroll, identity providers, MSPs, file-transfer platforms, and EHRs. The Kaseya, MOVEit, and Change Healthcare incidents all rippled through customer environments because vendor controls were the soft point.

Tested incident response runbook with ransom-decision logic

Write runbooks for the top ransomware scenarios (encryption in production, data-only extortion, dual encryption + leak site) and rehearse them quarterly. Include legal counsel, OFAC sanctions screening before any payment, regulator notification timing, cyber-insurance carrier engagement, and customer comms templates. The IBM 2024 study found that organizations with a tested IR plan and an IR team saved $2.66 million per breach. Decisions made under a 72-hour countdown are worse than decisions rehearsed in advance.

Employee training on initial-access lures

Most ransomware enters through a person, not a packet. Train every employee on phishing, callback phishing, voice impersonation, MFA fatigue, help-desk social engineering, and incident-reporting reflex. The reporting rate (how fast a suspicious email reaches the SOC) is the strongest leading indicator of resilience. Generic annual e-learning does not change behavior; hands-on simulations that put employees inside the attacker pretext do.

How RansomLeak trains employees to prevent ransomware

RansomLeak runs the front-line, human-side defense that pairs with EDR, MFA, and backups. The /exercises/ransomware/ scenario drops a learner into the moments before encryption: the suspicious attachment, the macro prompt, the credential-harvesting redirect, and the decision to report or proceed. Learners practice the same recognition pattern that would have changed the outcome at Change Healthcare, MGM, and dozens of smaller breaches where one alert email a few hours earlier would have stopped lateral movement.

The ransomware exercise sits inside a coordinated set of initial-access drills. /exercises/phishing/, /exercises/spear-phishing/, /exercises/business-email-compromise/, /exercises/social-engineering/, and /exercises/callback-phishing/ each close a different vector that affiliates rely on. /exercises/general-incident-reporting/ rehearses the 90-second window in which a worried employee decides whether to escalate. /exercises/mfa-setup-best-practices/ and /exercises/privileged-access-basics/ harden the credential layer that ransomware crews target inside hour one.

Every exercise ships as a SCORM 1.2 and SCORM 2004 package that drops into Cornerstone, SAP SuccessFactors, Workday Learning, Docebo, Moodle, or any compliant LMS without modification. Completion status, score, and time-spent values flow into the LMS reports that compliance and SOC 2 auditors already read. Content refreshes monthly, so when a new pattern lands (Akira's VPN exploitation, Scattered Spider's help-desk pretexts, Cl0p's leak-site-only extortion) the training catches up in weeks, not the 12-month annual refresh cycle competitors run on.

What is ransomware and how does it impact businesses?

Ransomware is malware that encrypts company files and systems and demands a cryptocurrency payment for the decryption key. Modern crews stack single extortion with double extortion (data theft and a leak site) and triple extortion (DDoS or direct outreach to customers and regulators). IBM 2024 puts the average breach at $4.88M, with ransomware-class incidents averaging $5.13M once business interruption is counted.

The ecosystem runs on ransomware-as-a-service: a core team builds the encryptor and recruits affiliates for 70 to 80% revenue share. Operation Cronos disrupted LockBit in February 2024, but spinoffs absorbed the affiliate base. Akira targets unpatched VPN appliances, Cl0p ran the 2023 MOVEit campaign hitting 2,700+ organizations, and Scattered Spider used help-desk social engineering against MGM Resorts and Caesars.

Effective defense combines technical controls and human training. Technical: phishing-resistant MFA on every remote-access path, immutable offline-tested backups (3-2-1-1-0), network segmentation, EDR with rollback, privileged access management, CISA KEV-aligned patching, and a rehearsed runbook. Human: ransomware, phishing, spear-phishing, BEC, MFA, and incident-reporting drills that close the initial-access vectors affiliates exploit.

Frequently Asked Questions

What security leaders ask about this threat.

What is the difference between ransomware and a regular cyberattack?

A regular cyberattack typically aims to steal data, mine cryptocurrency, or build a botnet, and the attacker prefers to stay hidden for as long as possible. Ransomware announces itself the moment encryption fires, because the entire business model is converting hidden access into immediate cash flow. The defensive overlap is large (patching, MFA, EDR, segmentation), but ransomware adds backup integrity, ransom-decision policy, and crisis communication as first-class concerns that other attack types do not require.

Should businesses pay the ransom?

CISA, the FBI, and the UK National Cyber Security Centre all advise against payment. Payment funds the next attack, signals that the victim pays, and does not guarantee data return: Sophos' 2024 study found only 4% of paying victims recovered all data, and 28% recovered less than half. Some payments may also violate OFAC sanctions when the attacker is designated, which adds civil and criminal exposure. The decision belongs to executive leadership with legal counsel, cyber-insurance carrier, and law enforcement engaged. Rehearsing the decision in tabletop exercises before a real countdown matters more than the answer itself.

How long does ransomware recovery take?

Sophos State of Ransomware 2024 puts median recovery at 4 days for organizations with tested backups and at 16 days for those without. Full enterprise recovery, including identity-system rebuild and forensic confirmation that the attacker is out, runs 4 to 12 weeks for mid-market victims and several months for large breaches. The Change Healthcare disruption in February 2024 ran past 90 days for some claim-processing functions. Recovery time is set in advance by backup quality, segmentation, and the rehearsed runbook, not by panic-buying tools after the fact.

What is double extortion ransomware?

Double extortion is the dominant ransomware model since 2020. The attacker exfiltrates company data first, then encrypts the production environment, and threatens to publish the stolen data on a Tor-hosted leak site if the victim does not pay. The model defeats the historical defense of just restoring from backup, because data theft is already complete by the time encryption fires. Cl0p extended the pattern in 2023 by running data-theft-only extortion against MOVEit Transfer victims with no encryption at all. Triple extortion adds DDoS pressure or direct outreach to the victim's customers and regulators.

How do attackers usually get into a network?

The Verizon 2024 Data Breach Investigations Report and CISA joint advisories converge on four dominant initial-access vectors. Phishing and malicious attachments still drive a large share of intrusions, especially callback phishing and AI-generated lures. Exposed remote services, particularly RDP and unpatched VPN appliances, are the second top vector. Vulnerability exploitation grew 180% year over year, with edge devices and managed file transfer products as repeat targets. Supply-chain compromise via MSPs, software updates, or trusted SaaS integrations rounds out the top four. Affiliates often buy access from initial-access brokers rather than running their own intrusions.

What does CISA recommend for ransomware preparation?

The CISA #StopRansomware guide, issued jointly with the FBI, NSA, and MS-ISAC, recommends a defined set of preparation steps. Maintain offline, encrypted, immutable backups and test restores quarterly. Enforce phishing-resistant MFA on every remote-access path. Patch from the Known Exploited Vulnerabilities catalog inside federal-aligned timelines. Segment networks, harden Active Directory, deploy EDR, and limit Service Control Manager and PowerShell remoting. Build and rehearse an incident response plan that includes legal, regulatory, and customer-communication tracks. Train every employee to recognize and report initial-access lures.


Train Your Team Against This Threat

Book a 30-minute walkthrough. We will scope the exercise sequence and rollout timeline.