Ransomware Explained: Understanding the Ransomware Ecosystem

Ransomware

Explained

Understanding the Ransomware Ecosystem – From RaaS Operators to Ransom Demands to How Ransomware Attacks Work

While its origins stretch back decades, it’s only in more recent years that ransomware has become a major threat for organizations of all sizes and industries, with ransomware-as-a-service (RaaS) operators and affiliates dominating the threat landscape.

Understanding ransomware — from its origins to its impacts to the TTPs that allow ransomware gangs to exploit victim organizations and make off with millions in ransom payments and extortion fees — is the key to defending against it.

Even when a company employs leading-edge security tools and robust processes throughout its organization, it still is at risk. But exploring the world of ransomware and the motives of threat actors can help you better understand where your organization may be vulnerable and how you can protect it more effectively.

Table of Contents

01

The History of Ransomware

The ransomware we know today began decades ago with a floppy disk. Since then, it’s seen evolution after evolution, driven by technological advances such as email, bitcoin, and the dark web.

The highlights include:

1980s AND 90s
1989

First Recorded Attack

Ransomware has existed since the 1980s, with the first recorded attack occurring in 1989. This first strain of ransomware — the AIDS Trojan — was easy to remove, rendering it ineffective.
Read More

EARLY 2000s
2006

Archievus Appears

The first strain to use advanced RSA encryption —Archievus — appears.

2010s
2010

Cryptocurrencies

Bitcoin, along with other cryptocurrencies, gain popularity, giving threat actors an avenue for collecting often untraceable, digital payment.

 
2012

Ransomware-as-a-service Arrives

The first instance of ransomware-as-a-service (RaaS) occurs with Reveton ransomware. The malware would impersonate local law enforcement, threatening victims with arrest or criminal charges if they did not pay.

 
2017

WannaCry Impact

WannaCry ransomware hits hundreds of thousands of devices across more than 150 countries, making it one of the biggest ransomware attacks in history.

 
2018

Data Exfiltration

Ransomware starts to utilize data exfiltration, first executed with the GrandCrab strain, which was integrated with a file-stealing malware.

 
2019

Dark Web Leak Sites

Leak sites begin to pop up on the dark web, exposing victims to further financial and reputational losses, as well as allowing for stolen credentials and personally identifiable information (PII) to be used in future attacks.

VIEW FULL TIMELINE

Want to explore ransomware’s dark history in full?

See our complete timeline.

View Full Timeline

02

Ransomware Groups Behind Dominant Ransomware Variants in 2023

Focusing on engagements in which the Arctic Wolf Incident Response team confidently attributed an attack to a particular ransomware variant, the five variants we encountered the most in 2023 were BlackCat (AlphV), LockBit 3.0, Akira, Royal, and BlackBasta.

Group Name

BlackCat

(AlphVM or AlphV)

First Observed

2021

Victims in 2023

401

Preferred Initial Access Method

Compromised Credentials

Full Breakdown

BlackCat(AlphVM or AlphV)

icon

First Observed:

2021

icon

Claimed Victims in 2023:

401

icon

Preferred Initial Access Method:

Compromised Credentials

Key Traits

May be a rebranding of DarkSide, the ransomware code is written in Rust, and, as a RaaS group, is known for paying affiliates a large share. Deploys .alphVM and .alphV ransomware strains.

Notable Moments:

Launched one of the first public data leak sites and, in September 2023, used their leak site to take credit for the MGM Resorts International attack;1 In February 2024, U.S. Department of State issued rewards totaling up to $15 million USD for information leading to the arrest and/or conviction of individuals participating in BlackCat/AlphV ransomware attacks.

Sources

Group Name

LockBit 3.0

Initially “ABCD,” changed name to LockBit in 2020

First Observed

2019

Victims in 2023

926

Preferred Initial Access Method

Varies The group has been known to brute-force remote desktop protocols (RDP) or employ phishing attacks for initial access.

Full Breakdown

LockBit 3.0

icon

First Observed:

2019Initially “ABCD,” changed name to LockBit in 2020

icon

Claimed Victims in 2023:

926

icon

Preferred Initial Access Method:

VariesThe group has been known to brute-force remote desktop protocols (RDP) or employ phishing attacks for initial access.

Key Traits

Known for targeting critical infrastructure, LockBit 3.0 functions as an RaaS model and often extorts data while demanding extremely high ransoms. They also tend to publish data to dark web leak sites before payment,1 promising to delete the data upon payment.

Notable Moments:

LockBit 3.0 is one of the most prolific groups operating and is responsible for more than 1,700 attacks since 2020, taking in over $91 million USD in ransoms.2 In February 2024, the National Crime Agency (NCA) of Britain and the Federal Bureau of Investigation (FBI) announced the seizure of the group’s infrastructure (including their leak site), 34 servers, the closure of 14,000 rogue accounts, and the freezing of 200 cryptocurrency accounts, as well as five indictments against members of the group.

Sources

Group Name

Akira

First Observed

2023

Victims in 2023

133

Preferred Initial Access Method

Lack of MFA Accessing VPNs without multi-factor authentication (MFA) for initial network access.

Read Blog

Full Breakdown

Akira

icon

First Observed:

2023

icon

Claimed Victims in 2023:

133

icon

Preferred Initial Access Method:

Lack of MFA Accessing VPNs without multi-factor authentication (MFA) for initial network access. Read Blog

Key Traits

Akira practices multi-extortion tactics and hosts a dark site where, should a victim fail to comply with ransom demands, they are listed alongside stolen data.

Notable Moments:

Starting in October 2023, Arctic Wolf Labs has investigated several cases of Royal and Akira ransomware victims being targeted1 in follow-on extortion attacks, which have involved victims being contacted for extortion after the original compromise took place.

Sources

Group Name

Royal

First Observed

2022

Victims in 2023

199

Preferred Initial Access Method

VariesWorks with initial access brokers, which makes pattern-spotting difficult, but the group is known to use phishing emails in more than half of all recorded attacks, according to CISA reporting.

Full Breakdown

Royal

icon

First Observed:

2022

icon

Claimed Victims in 2023:

199

icon

Preferred Initial Access Method:

Varies Works with initial access brokers, which makes pattern-spotting difficult, but the group is known to use phishing emails in more than half of all recorded attacks, according to CISA reporting.

Key Traits

This group is known for their .royal or .royal_w file extensions and have drawn comparisons to Conti and Ryuk. Their known TTPs include abusing business website contact forms to spread malicious links, implanting malware files on authentic-looking download websites, and employing malvertising techniques on search engines.

Notable Moments:

Like Akira, Royal has been observed re-infecting victims or deploying follow-on extortion attacks. The group has also targeted critical infrastructure and has earned over $275 million USD1 between 2022 and 2023.

Sources

Group Name

BlackBasta

First Observed

2022

Victims in 2023

197

Preferred Initial Access Method

Spear Phishing

Full Breakdown

BlackBasta

icon

First Observed:

2022

icon

Claimed Victims in 2023:

197

icon

Preferred Initial Access Method:

Spear Phishing

Key Traits

BlackBasta is known for their .basta file extension and often first attacks anti-virus products. This group will leave a “readme.txt” file on victims’ desktops and utilize double-extortion techniques. They will often leak data to leak sites as soon as it’s exfiltrated, and they are thought to have arisen from the now-defunct Conti group.

Notable Moments:

Has extorted at least $107 million USD1 since 2022.

Sources

The Blurred Lines of the Ransomware Ecosystem

While ransomware variants originate from specific ransomware operators, behind the scenes, the ransomware ecosystem has blurred lines:
Alliance icon
Individual ransomware groups often work with many different affiliates
Incognito icon
Affiliates may use several different ransomware variants — from different groups — concurrently
The ransomware groups behind some of the most in-use variants have made claim to some of the biggest attacks in recent memory, including:

The U.K. Royal Mail and Boeing By: Lockbit

The City of DallasBy: Royal

Rheinmetall By: BlackBasta

Caesars and MGM casinos By: BlackCat / AlphV

Nissan Australia By: Akira

LockBit, and a handful of other ransomware groups, dominated the ransomware-as-a-service space in 2023, as they did the year prior. This demonstrates both the continuing effectiveness of their operating models and their ability to evade law enforcement — or at least it did.

Law Enforcement Gains Success Striking Back

Despite some of the more prolific groups that have remained active over multi-year periods, international law enforcement operations are having success taking down ransomware operations,1 shuttering dark web marketplaces,2 and closing cryptocurrency mixers/tumblers3 that facilitate laundering of ransomware proceeds.

Hive

One of the most active ransomware operators of 2022, Hive, was infiltrated and taken down in January 2023, as announced by Europol and the U.S. Department of Justice.4
The RaaS group’s payment and data leak sites were seized as part of the international law enforcement operation. This operation captured the group’s decryption keys and offered them to victims worldwide, saving victims over $130 million in potential ransom payments.

AlphV

AlphV, also known as BlackCat, made headlines multiple times in late 2023. First, with their move to file a with the Securities and Exchange Commission (SEC) against a victim company5 as a new pressure tactic, outing the victim for not filing a disclosure in response to becoming one of the group’s latest victims.
By December, AlphV found themselves in the crosshairs of international law enforcement, when the FBI disrupted its operations and released a decryption tool that allowed compromised victims to recover their data. In response to an escalating game of tug-of-war with law enforcement, AlphV promptly moved victim notifications to a different site.6 To date, the new AlphV-owned site continues to post victims.
During this period, which (at least for now) appears to be a temporary setback, AlphV offered incentives to retain its criminal affiliates, who were likely feeling the heat from the close call with the FBI. The FBI operation also gave other ransomware groups like LockBit an opportunity to poach AlphV affiliates.7
In February 2024, the pressure on many of these groups only intensified as the U.S. Department of State announced $15 million USD bounties on three of the most prolific RaaS operators: AlphV, LockBit, and Hive.8 A reward of up to $10 million USD is available for information leading to the identification or location of any individual(s) who hold a key leadership position in these transnational organized crime groups, along with a reward of up to $5 million USD for information leading to the arrest and/or conviction of any individual conspiring to participate in, or attempting to participate in, the three named group’s ransomware activities.

What does this mean for the threat landscape facing today’s organizations?

More groups are competing for the attention and allegiance of more affiliates, with affiliates responding to economic incentives by aligning with groups that have the most reliable tools, strongest track record of fulfilling their agreements, and greatest ability to evade law enforcement.
As the saying goes, no animal is more dangerous than when it’s cornered, and right now ransomware groups are feeling cornered. We expect to see more ambitious ransoms, stricter negotiations, more aggressive naming and shaming, and further experimentation with new tactics throughout 2024.
It’s also possible that some operators will decide to retire altogether or shift to an alternative form of cybercrime, like business email compromise (BEC).
The Big Business of Cybercrime

Explore the different threat actors that comprise the online criminal ecosystem, their business models and attack methods, as well as the threat they represent to organizations worldwide.

Download Guide
The Big Business of Cybercrime

03

What Is the True Cost of Ransomware?

According to Chainalysis, ransomware payments in 2023 surpassed the $1 billion USD mark, the highest number ever observed, and the average cost of a ransomware attack reached $5.13 million USD according to the 2023 IBM Cost of a Data Breach report, up 13% from the average cost of $4.54 million USD in the 2022 report.

And while most in the cybersecurity community have grown accustomed to seeing these massive ransom payment figures, most of the costs incurred from ransomware attacks have nothing to do with the ransom demanded. Lost productivity and the recovery time required to get IT systems running and back to normal operating levels are significant expenses incurred by organizations in the aftermath of a ransomware attack.

Common Costs Associated with a Ransomware Attack

View a detailed breakdown of expected ransomware costs estimated against an organization’s annual revenue.

Organizations with $0-$25M Annual Revenues

Well-Known Costs:

  • Forensics
  • Incident Response Legal Counsel
  • Restoration & Recovery
  • Notifications to Customers and Vendor Costs
  • PR Costs
  • Regulatory Fines

$409K

Lesser-Known Costs:

  • Ransom Payment
  • Lawsuits
  • Data Mining
  • Credit Monitoring

$1.4M

Where insurance coverage (typically) ends

$338K

Revenue
Downtime
22 days of lost profits1

$61K

Wasted
Payroll

50% of employees not producing for 22 days

$140K

Loss of Future
Revenues
10% drop in profits from lost revenues for the following 3 months 2,4

$972K

Company Valuation
Decline
3% lower stock price after 6 months3,4

Should You Pay the Ransom?

While the FBI does NOT recommend negotiating or paying ransom, the 2023 IBM Cost of Data Breach Report presents some interesting insights regarding how paying or not paying ransom impacts the overall cost of a ransomware event. Organizations that paid the ransom during a ransomware attack achieved only a small difference in total cost, paying $110,000 or 2.2% less compared to victim organizations that didn’t succumb to ransom demands.

However, this data doesn’t include the cost of the ransom itself. With the high cost associated with most ransom demands, organizations that did make payments likely ended up paying more than organizations that didn’t pay the ransom.

How Do Threat Actors Determine Ransom Demands?

Threat actors use a variety of factors to determine an initial ransom demand. Some items that factor into those demands include:

Organization Size icon

The victim organization’s size and financial position, which threat actors use to estimate the organization’s ability to pay.

Industry icon

The victim organization’s industry, which influences their sensitivity to disruption and negative press.

Attack Size icon

The scope of the attack, which typically influences the victim’s ability to recover and the impact to their operations.

icon-orange-gradient-79.png

The victim’s insurance coverage. Some ransomware groups actively seek out cyber insurance policies in a victim’s environment to better inform their ransom demands, typically asking up to the maximum the insurance policy will cover.

Our Recomendation

Arctic Wolf recommends working with a vetted incident response vendor that has experience with ransomware threat actor negotiations. On average, Arctic Wolf Incident Response customers have seen up to 92% reductions from the original ransom request.*

*All cases are different, and ransom reductions are not guaranteed. It is also never a guarantee that threat actors will live up to their word in a ransom situation.

2025 Threat Report image thumbnail

Report Available

The 2025 Arctic Wolf Threat Report

Explore why three types of cyber incidents account for 96% of incident response cases, which industries may be more prone to specific incidents, and how your organization can stop threats before they escalate by calling in the professionals.

Download Report

04

Which Industries Are Most Targeted by Ransomware?

Ransomware groups tend to be opportunistic but still favor particular industries. The five most represented industries in Arctic Wolf Incident Response engagements are:

  • 1:

    Healthcare

  • 2:

    Education and nonprofit 

  • 3:

    Manufacturing

  • 4:

    Construction

  • 5:

    Legal and Government
The median initial ransom demand associated with incidents investigated by Arctic Wolf Incident Response grew to $600,000 USD — a 20% increase over last year’s figure of $500,000 USD.

Top 10 Industries Appearing in Leak Sites

A major way industry frequency is determined is through ransomware group leak sites, however that method comes with a caveat. Namely that payments have a significant impact on which victims are named on the dark web, as leak sites skew towards victims that refuse to pay or are perceived by threat actors as stalling.

Graph of Top 10 Industries Appearing in Leak Sites

Manufacturing

Manufacturing organizations have more representation on leak sites than any other industry, and threat actors target them aggressively, recognizing that these organizations have little tolerance for production downtime. However, manufacturers can often maintain production without paying ransom, which may cause them to appear more frequently on leak sites.

Healthcare

Healthcare organizations are under regulatory pressure to protect the sensitive data they handle, so they may pay a ransom, removing them from leak sites. Similar pressure applies to legal and governmental entities.
Why These Industries?
The five industries listed above have two major traits in common that make them strong targets for ransomware groups.
They run on legacy software:
When it’s difficult for organizations to regularly update or patch, threat actors gain an opportunity to take advantage of old vulnerabilities to initiate exploits.
They have a low tolerance for downtime:
Threat groups aim to take advantage of the pressure these organizations are under to meet deadlines and produce deliverables, hoping this will lead them to pay quickly and in full. Lost revenue streams from operational downtime can also push organizations to concede to ransom demands.

05

How Does Ransomware Work?

Root Point of Compromise: Gaining Initial Access
In the modern cybersecurity world of cloud environments and hybrid work, threat actors have become adept at evading security solutions by pivoting rapidly and employing multiple paths to value. Research from the Arctic Wolf Labs 2024 Threat Report shows the two major ways most ransomware attacks begin: external exposure and user action.

External Exposure

In over two-thirds of the ransomware cases we investigated, threat actors gained initial access to victim environments through external exposure — a system exposed, whether knowingly or inadvertently, to the public Internet.

In 2023, threat actors leveraged external remote access in 39% of cases.
In 2023, threat actors leveraged external remote access in 39% of cases.
Other forms of external exploits, including known vulnerabilities and zero-days, accounted for 29%.
Other forms of external exploits, including known vulnerabilities and zero-days, accounted for 29%.

External Exposure

External Remote Access

This form of external exposure typically involves identity-based attacks aimed at breaching an organization’s identity and access management (IAM) system — the governance, control, and monitoring of users’ identities and access within a system or network. External remote access attacks can take a few different forms, including:
Remote Desktop icon
Compromising servers with Remote Desktop Protocol (RDP)
Microsoft Active Directory icon
Compromising servers with Microsoft Active Directory
Using valid credentials purchased from an initial access broker (IAB) on a dark web marketplace

External Exposure

External Exploits

External exploits, however, involve leveraging either a known vulnerability or a zero-day vulnerability to gain access to an environment.
More than a quarter of non-business email compromise (BEC) incidents we investigated — of which the vast majority were ransomware — exploited a known (i.e., not a zero-day) vulnerability.
In theory, an effective patching program could have mitigated the attack or at least forced the threat actor into a different course of action.

Zero-Day Vulnerability

3.4%

While zero-days get all the headlines, they make up a small percentage of cases — just 3.4% of the non-BEC incidents investigated by Arctic Wolf, a majority of which are ransomware.
0 %

User Action

While comprising a smaller section of attacks, user action still accounts for nearly one-quarter of all initial access vectors in ransomware attacks.
The team at Arctic Wolf Labs has identified four major ways that user action can lead to a ransomware attack:
0 %

Phishing: T1566

A user clicks on a malicious link and is tricked into sharing credentials or downloading and executing a malicious attachment within an email.
0 %

Previously compromised credentials: T1078

The threat actor uses credentials that are known to be part of a data breach or credential dump — but that have not yet been deactivated by the victim organization (i.e., user inaction).
0 %

Malicious software download: T1204.002

A user falls prey to a drive-by attack or downloaded software containing hidden malicious functionality.
0 %

Other social engineering

A user is tricked by a tech support scam or some other social engineering attack besides phishing.
It’s important to note that hardening your environment to protect against ransomware will pay deep dividends against all forms of cyber attack, as the same initial access attack vectors are used in many other forms of cyber attack, including BEC and malware attacks.

06

How to Defend Against Ransomware

Like all attack vectors, the best defense involves a comprehensive security strategy that contains proactive and reactive components.
Our Recommendation

By examining the common TTPs exploited by ransomware groups and individual threat actors, we can recommend the following actions, which should occur in parallel and continuously, to reduce your cyber risk while improving your security posture.​

Number 01

Conduct Basic File Backups

As ransomware evolves, threat actors are now regularly exfiltrating data in the early stages of attack, threatening to release it to the dark web if payment isn’t met (double extortion).

In 71% of Arctic Wolf Incident Response engagements for ransomware, the victim organization was able to leverage backups in some capacity to restore their environment.

It’s best to follow the 3-2-1 principle of file backup, meaning an organization has:
3 copies of data
1 primary, 2 backup
2 copies stored
At separate locations
1 off-site storage
In a secure private cloud
Number 02

Secure The Cloud

With the shared responsibility model, it’s important for organizations to understand where their responsibility lies when keeping their cloud environment safe. A security incident originating from within your organization that destroys or disrupts your cloud data is your responsibility, and many cloud security incidents can be traced back to misconfigurations and/or overly permissive access policies.
Not only can the cloud offer initial access to threat actors, but as data storage and operational applications expand to the cloud, it’s likely threat actors will find their way there (through lateral movement or privilege escalation) to encrypt and/or exfiltrate data.
Number 03

Enforce Identity & Access Controls

Be it through social engineering, the purchase of stolen credentials, or even a brute-force attack, access often begins with a password. In addition, credentials can be used by the threat actor to gain privileged access, allowing them to deploy malware into critical parts of the network.
Proactive and reactive measures security teams can take to improve credential security include:
  • Implementing MFA
  • Conducting dark web monitoring
  • Hardening Active Directory using tools like PingCastle for visibility
  • Embracing the principle of least privilege access (PolP), supported by a zero-trust access model, role-based access control, and privileged access management (PAM)
  • Delivering comprehensive user security training
Number 04

Ongoing Vulnerability Management

While zero-days make headlines, it’s often known, unpatched vulnerabilities that allow threat actors to gain access to a network or system. By staying on top of vulnerabilities, an organization goes a long way in hardening their attack surface.
A full vulnerability management program prioritizes continuous vulnerability remediation and assessment, with other components of the program complementing and assisting overall remediation and mitigation.
aw-bandaid-icon-white-lg.png

Vulnerability remediation

The act of removing a vulnerability through patching or another process
Secure Strategy icon

Vulnerability mitigation

The act of developing a strategy to minimize a threat’s impact if remediation is not possible
Number 05

Employ a 24x7 monitoring, detection, and response solution

Monitoring is critical for preventing attacks, especially as threat actors utilize legitimate programs, such as PowerShell and Active Directory, for malicious ends. Without proper endpoint monitoring and detection, unusual behavior in those programs would go unnoticed.
In addition, swift detection and response capabilities allow your organization to stop a ransomware threat while the threat actors try to gain initial access or before they can make lateral movement.

History Shows That Ransomware Groups Aren’t Slowing Down.

If tools alone were enough to solve the problem, they would have by now.

This is an operational problem that needs to be solved, and that’s what Arctic Wolf delivers. Learn more about our unique approach to cybersecurity and why Arctic Wolf has emerged as a leader in the industry.