# Ransomware
Ransomware is malicious software that encrypts a victim's data and demands payment (typically in cryptocurrency) for the decryption key. Modern ransomware operations also exfiltrate data before encrypting it, enabling a second extortion threat: pay, or we publish your stolen data. Some operations add a third layer: DDoS attacks against the victim's public-facing infrastructure until the ransom is paid.
Ransomware is the apex predator of the cybersecurity threat landscape. It is among the most profitable forms of cybercrime in operation, generating billions of dollars in annual payments. It is specialized, evolved, and efficient. Ransomware operators (and the affiliate networks that support them) have developed an industrial model: Ransomware-as-a-Service (RaaS) platforms provide the malware, infrastructure, and negotiation services. Affiliates provide the initial access and run the intrusion. Revenue is split between the platform and the affiliate, with the affiliate typically keeping 70 to 80 percent of each payment.
The threat is not declining. It is professionalizing. The most prolific ransomware groups (LockBit, ALPHV/BlackCat, Cl0p, Black Basta, Royal/BlackSuit) operate like businesses: they recruit talent, maintain customer support for victims, honor payment agreements to maintain their "brand reputation," and continuously improve their malware to evade detection.
A ransomware attack follows a predictable sequence, though the timeline varies from hours to weeks depending on the threat actor's sophistication and objectives.
Initial access. The attacker gains entry to the victim's network. Common vectors: phishing email with a malicious attachment or link, exploitation of a vulnerable internet-facing service (VPN appliance, RDP, web application), compromised credentials (bought from initial access brokers, reused from earlier breaches, or brute-forced against services without MFA), or supply chain compromise. In the RaaS model the affiliate frequently does not earn this foothold itself: specialized initial access brokers sell access to already-compromised networks on underground markets, and the affiliate buys in.
Reconnaissance and lateral movement. The attacker maps the internal network: identifies domain controllers, file servers, backup systems, and high-value data stores. Movement relies on harvested credentials (Mimikatz, LSASS memory dumps) reused through pass-the-hash and pass-the-ticket, on exploitation of internal vulnerabilities, and on abuse of legitimate remote administration tools (PsExec, PowerShell remoting, RDP) so that the activity resembles routine administration. This phase can last days or weeks as the attacker silently expands their access.
Privilege escalation. The attacker obtains domain administrator or equivalent credentials. With domain admin access, the attacker controls the Active Directory environment, which means they control authentication, group policy, and access to every system joined to the domain.
Data exfiltration. Before encrypting, the attacker identifies and exfiltrates high-value data: financial records, customer PII, intellectual property, legal documents, employee records. The exfiltrated data enables double extortion. Exfiltration often uses legitimate cloud storage services (Mega, Google Drive, Dropbox) or custom exfiltration tools that blend with normal network traffic.
Backup targeting. Sophisticated ransomware operators specifically target backup infrastructure. They delete volume shadow copies (vssadmin delete shadows /all /quiet, or the equivalent through wmic shadowcopy delete or the Win32_ShadowCopy WMI class), disable Windows recovery (bcdedit /set {default} recoveryenabled No), identify and encrypt or delete backup repositories, compromise backup server credentials, and stop or uninstall backup software. If the backups survive and can actually be restored, the victim can recover without paying, which makes destroying them the most critical step in the operator's kill chain. It is also one of the loudest: none of those commands is routine on a healthy system, and each should raise an alert.
Encryption. The ransomware payload encrypts files across the network. Modern ransomware uses hybrid encryption: a symmetric key (AES-256 or ChaCha20) encrypts the files for speed, and that symmetric key is encrypted with the attacker's RSA or ECC public key. Only the attacker holds the corresponding private key, so nothing left on the victim's systems can reverse the encryption. Encryption targets file servers, databases, endpoints, and any accessible network shares. Several recent families encrypt only portions of each file (intermittent encryption) to finish before defenders react and to evade entropy-based detection; the file is still unusable. The ransom note appears on every encrypted system.
Extortion and negotiation. The victim discovers the encryption, reads the ransom note, and must decide: pay, negotiate, or refuse. Ransom demands range from tens of thousands to tens of millions of dollars depending on the victim's size and perceived ability to pay. RaaS groups operate negotiation portals (often on Tor) with live chat support. Some groups offer "proof of decryption" by decrypting a few files for free to demonstrate they hold the key. If the victim refuses to pay for decryption, the exfiltrated data is published on the group's leak site, creating regulatory, legal, and reputational consequences.
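The hybrid construction from the encryption step, worked as an added example (not code from the original article): AES-256-GCM for the file body, RSA-OAEP to wrap the per-file key, using only Go's standard library on an in-memory byte slice. The names (`Sealed`, `Seal`, `Open`) and the sample document are this example's own. The point for a defender is the asymmetry: the host doing the encrypting holds only the public key, so no artifact it leaves on disk can undo the work; recovery goes through the operator's private key or through backups.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Sealed is what an encryptor leaves behind for one file: the body under a
// fresh symmetric key, plus that key wrapped with the operator's RSA public
// key. The plaintext file key is never written anywhere.
type Sealed struct {
	WrappedKey []byte // 32-byte AES key under RSA-OAEP (256 bytes for RSA-2048)
	Nonce      []byte // 12-byte AES-GCM nonce, unique per file
	Ciphertext []byte // AES-GCM output with the authentication tag appended
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal applies the hybrid construction: AES-256-GCM for the data (fast),
// RSA-OAEP(SHA-256) for the per-file key. It needs only the public key,
// so nothing present on the host that runs it can undo it.
func Seal(pub *rsa.PublicKey, plaintext []byte) (*Sealed, error) {
	fileKey := make([]byte, 32)
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	for i := range fileKey { // the raw key existed only in this function's memory
		fileKey[i] = 0
	}
	return &Sealed{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Open is the decryptor the operator sells back: the private key unwraps
// the file key, which then authenticates and decrypts the body. With any
// other private key the OAEP unwrap fails and nothing downstream runs.
func Open(priv *rsa.PrivateKey, s *Sealed) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, s.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap file key: %w", err)
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, s.Nonce, s.Ciphertext, nil)
}

func main() {
	operator, err := rsa.GenerateKey(rand.Reader, 2048) // generated once; only the public half ships
	if err != nil {
		panic(err)
	}
	doc := []byte("constructed sample document, not a real file")
	sealed, err := Seal(&operator.PublicKey, doc)
	if err != nil {
		panic(err)
	}
	back, err := Open(operator, sealed)
	fmt.Printf("operator key: %q %v\n", back, err)

	stranger, _ := rsa.GenerateKey(rand.Reader, 2048)
	_, err = Open(stranger, sealed)
	fmt.Println("other key:", err) // unwrap error: the wrapped key is opaque without the matching private key
}
```

Public decryptors appear only when an operator gets this construction wrong (a predictable or reused key, a key left recoverable in memory or on disk) or when law enforcement seizes the private keys. A correctly implemented scheme like the one above has no shortcut, which is why the backup architecture, not cryptanalysis, is the recovery plan.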
The RaaS model transformed ransomware from a technical skill into a business operation. The RaaS operator develops and maintains the ransomware payload, the command-and-control infrastructure, the payment processing, and the negotiation platform. Affiliates (who may have minimal technical skills) provide initial access and execute the deployment. Revenue is shared.
This model means the barrier to entry for ransomware attacks has dropped sharply. An affiliate does not need to write malware, build infrastructure, or manage cryptocurrency. They need only gain (or buy) initial access to a network and carry the intrusion through to deployment. The RaaS platform provides everything else.
Colonial Pipeline (May 2021). DarkSide ransomware encrypted Colonial Pipeline's billing systems, and the company shut down the pipeline that supplies roughly 45% of the fuel consumed on the U.S. East Coast. The company paid $4.4 million in Bitcoin; the DOJ later recovered approximately $2.3 million of it. The incident triggered regional fuel shortages, and Executive Order 14028 on improving the nation's cybersecurity was signed days later.
JBS Foods (May 2021). REvil ransomware disrupted the world's largest meat processing company, affecting operations in the United States, Canada, and Australia. JBS paid $11 million in ransom.
MOVEit (May-June 2023). The Cl0p ransomware group exploited a zero-day SQL injection vulnerability in the MOVEit Transfer file transfer application (CVE-2023-34362), exfiltrating data from over 2,500 organizations and affecting approximately 90 million individuals. Cl0p did not encrypt files; it focused exclusively on data exfiltration and extortion, which is why the absence of an encryption event is not evidence that a ransomware group has not been through a network.
Change Healthcare (February 2024). ALPHV/BlackCat ransomware disrupted the largest healthcare payment processor in the United States, affecting insurance claims processing for hospitals, pharmacies, and healthcare providers nationwide. The initial access, per UnitedHealth Group's later testimony to Congress, was compromised credentials used against a Citrix remote access portal that did not have multi-factor authentication enabled. UnitedHealth Group (Change Healthcare's parent company) paid a reported $22 million ransom and estimated total costs exceeding $1 billion.
Estimates of global ransomware damages run to tens of billions of dollars annually and are growing. Estimates of the average ransom payment in 2024 vary widely by source, from the high hundreds of thousands to several million dollars, but the ransom itself is typically a fraction of the total cost. Business interruption, incident response, legal fees, regulatory fines, customer notification, credit monitoring, reputation damage, and increased insurance premiums routinely exceed the ransom several times over.
Ransomware does not just steal data. It stops operations. Hospitals delay surgeries. Manufacturers halt production lines. Schools close. Government agencies suspend services. Courts postpone proceedings. The operational impact is often more damaging than the financial cost because it affects people directly and immediately.
Ransomware intersects with state-sponsored cyber threats. North Korea uses ransomware (WannaCry) as a state revenue mechanism. Russia tolerates ransomware groups that operate from Russian territory and do not target Russian organizations, effectively using them as deniable instruments of economic warfare. Some ransomware groups have direct ties to Russian intelligence services. Iran has used ransomware as cover for destructive attacks against critical infrastructure.
The implication for defenders: ransomware defense is not just a cybercrime concern. It is a national security concern.
Ransomware is the event that stresses every PDM domain simultaneously. It is the cybersecurity equivalent of a hurricane: it hits the coastline (VSD), floods the terrain (SPH), severs communications (TID), compromises identity infrastructure (IAT), destroys core data assets (DPS), and overwhelms governance response capabilities (RGA).
CDA's approach to ransomware defense is structural, not reactive. It operates across every domain:
DPS: Immutable backup architecture is the single most important ransomware defense. If backups survive and restoration works, the ransom demand loses its power. DPS-B04 (Backup and Recovery Architecture, 24 hours) designs the backup infrastructure. DPS-D02 (Backup Recovery Drill, 12 hours) tests it under realistic conditions. The drill is not optional. It is the proof that the architecture works.
VSD: Reduce the initial access surface. Patch internet-facing systems (VPN appliances, RDP, web applications) within 48 hours of critical vulnerability disclosure. Disable RDP on internet-facing systems entirely if possible. Conduct continuous attack surface discovery. A large share of ransomware initial access exploits known, already-patched vulnerabilities in systems that the victim failed to update.
SPH: Maintain operational hygiene that makes lateral movement and persistence difficult. Enforce endpoint detection and response (EDR) across all endpoints. Monitor for credential dumping tools. Enforce application allowlisting on critical systems. Block Office macros in documents that arrived from the internet. These are not advanced controls. They are baseline hygiene that prevents the majority of ransomware progression.
IAT: Implement privileged access management (PAM) to prevent the attacker from obtaining domain administrator credentials. Deploy phishing-resistant MFA (FIDO2/WebAuthn) for all administrative access. Implement just-in-time privilege elevation: no standing admin accounts. If the attacker cannot escalate to domain admin, the encryption phase is limited to what the compromised accounts can already reach (their own hosts and the shares they are permitted to write to) instead of every system joined to the domain.
TID: Deploy detection capabilities tuned to ransomware precursor activity: anomalous credential use, lateral movement patterns, mass file access, shadow copy deletion, backup service disruption. The time between initial access and encryption (the dwell time) is the detection window. Shortening mean time to detect (MTTD) directly reduces the blast radius of a ransomware event. TID-B02 (Incident Response Plan, 32 hours) ensures the response is planned before the event occurs. TID-D01 (Tabletop Exercise, Ransomware, 8 hours) rehearses the response.
RGA: Maintain the governance structures that support decision-making during a ransomware crisis. Should the organization pay? What are the legal obligations (OFAC sanctions check, breach notification requirements)? Who communicates with the board, with regulators, with customers, with media? What is the cyber insurance coverage and what are the notification requirements? These decisions must be made in advance, not during the crisis.
CDA's Predictive Defense Intelligence (PDI) methodology applies directly: "See the threat before it sees you." Ransomware is not an unforeseeable event. It follows predictable patterns. Organizations that invest in pre-positioning defenses across all six domains survive ransomware events with bounded operational disruption. Organizations that do not invest in pre-positioning survive only by paying, and sometimes not even then.
Written by Evan Morgan