Ransomware Explained: Understanding the Ransomware Ecosystem



Understanding the Ransomware Ecosystem – From RaaS Operators to Ransom Demands to How Ransomware Attacks Work

While its origins stretch back decades, it’s only in more recent years that ransomware has become a major threat for organisations of all sizes and industries, with ransomware-as-a-service (RaaS) operators and affiliates dominating the threat landscape.

Understanding ransomware — from its origins to its impacts to the TTPs that allow ransomware gangs to exploit victim organisations and make off with millions in ransom payments and extortion fees — is the key to defending against it.

Even when a company employs leading-edge security tools and robust processes throughout its organisation, it still is at risk. But exploring the world of ransomware and the motives of threat actors can help you better understand where your organisation may be vulnerable and how you can protect it more effectively.

Table of Contents


Ransomware Groups Behind Dominant Ransomware Variants in 2023

Focusing on engagements in which the Arctic Wolf Incident Response team confidently attributed an attack to a particular ransomware variant, the five variants we encountered the most in 2023 were BlackCat (AlphV), LockBit 3.0, Akira, Royal, and BlackBasta.

Group Name

BlackCat(AlphVM or AlphV)

First Observed


Claimed Victims in '23


Preferred Initial Access Method

Compromised Credentials

Full Breakdown

Group Name

LockBit 3.0Initially “ABCD,” changed name to LockBit in 2020

First Observed


Claimed Victims in '23


Preferred Initial Access Method

Varies The group has been known to brute-force remote desktop protocols (RDP) or employ phishing attacks for initial access.

Full Breakdown

Group Name


First Observed


Claimed Victims in '23


Preferred Initial Access Method

Lack of MFA Accessing VPNs without multi-factor authentication (MFA) for initial network access.

Read Blog

Full Breakdown

Group Name


First Observed


Claimed Victims in '23


Preferred Initial Access Method

VariesWorks with initial access brokers, which makes pattern-spotting difficult, but the group is known to use phishing emails in more than half of all recorded attacks, according to CISA reporting.

Full Breakdown

Group Name


First Observed


Claimed Victims in '23


Preferred Initial Access Method

Spear Phishing

Full Breakdown

The Blurred Lines of the Ransomware Ecosystem

While ransomware variants originate from specific ransomware operators, behind the scenes, the ransomware ecosystem has blurred lines:

Alliance icon

Individual ransomware groups often work with many different affiliates

Incognito icon

Affiliates may use several different ransomware variants — from different groups — concurrently

The ransomware groups behind some of the most in-use variants have made claim to some of the biggest attacks in the past year, including:

The U.K. Royal Mail and Boeing By: Lockbit

The City of DallasBy: Royal

Rheinmetall By: BlackBasta

Caesars and MGM casinos By: BlackCat / AlphV

Nissan Australia By: Akira

LockBit, and a handful of other ransomware groups, dominated the ransomware-as-a-service space in 2023, as they did the year prior. This demonstrates both the continuing effectiveness of their operating models and their ability to evade law enforcement — or at least it did.

Law Enforcement Gains Success Striking Back

Despite some of the more prolific groups that have remained active over multi-year periods, international law enforcement operations are having success taking down ransomware operations,1 shuttering dark web marketplaces,2 and closing cryptocurrency mixers/tumblers3 that facilitate laundering of ransomware proceeds.


One of the most active ransomware operators of 2022, Hive, was infiltrated and taken down in January 2023, as announced by Europol and the U.S. Department of Justice.4

The RaaS group’s payment and data leak sites were seized as part of the international law enforcement operation. This operation captured the group’s decryption keys and offered them to victims worldwide, saving victims over $130 million in potential ransom payments.


AlphV, also known as BlackCat, made headlines multiple times in late 2023. First, with their move to file a with the Securities and Exchange Commission (SEC) against a victim company5 as a new pressure tactic, outing the victim for not filing a disclosure in response to becoming one of the group’s latest victims.

By December, AlphV found themselves in the crosshairs of international law enforcement, when the FBI disrupted its operations and released a decryption tool that allowed compromised victims to recover their data. In response to an escalating game of tug-of-war with law enforcement, AlphV promptly moved victim notifications to a different site.6 To date, the new AlphV-owned site continues to post victims.

During this period, which (at least for now) appears to be a temporary setback, AlphV offered incentives to retain its criminal affiliates, who were likely feeling the heat from the close call with the FBI. The FBI operation also gave other ransomware groups like LockBit an opportunity to poach AlphV affiliates.7

In February 2024, the pressure on many of these groups only intensified as the U.S. Department of State announced $15 million USD bounties on three of the most prolific RaaS operators: AlphV, LockBit, and Hive.8 A reward of up to $10 million USD is available for information leading to the identification or location of any individual(s) who hold a key leadership position in these transnational organised crime groups, along with a reward of up to $5 million USD for information leading to the arrest and/or conviction of any individual conspiring to participate in, or attempting to participate in, the three named group’s ransomware activities.

What does this mean for the threat landscape facing today’s organisations?

More groups are competing for the attention and allegiance of more affiliates, with affiliates responding to economic incentives by aligning with groups that have the most reliable tools, strongest track record of fulfilling their agreements, and greatest ability to evade law enforcement.

As the saying goes, no animal is more dangerous than when it’s cornered, and right now ransomware groups are feeling cornered. We expect to see more ambitious ransoms, stricter negotiations, more aggressive naming and shaming, and further experimentation with new tactics throughout 2024.

It’s also possible that some operators will decide to retire altogether or shift to an alternative form of cybercrime, like business email compromise (BEC).

The Big Business of Cybercrime

Explore the different threat actors that comprise the online criminal ecosystem, their business models and attack methods, as well as the threat they represent to organisations worldwide.


What Is the True Cost of Ransomware?

According to Chainalysis, ransomware payments in 2023 surpassed the $1 billion USD mark, the highest number ever observed, and the average cost of a ransomware attack reached $5.13 million USD according to the 2023 IBM Cost of a Data Breach report, up 13% from the average cost of $4.54 million USD in the 2022 report.

And while most in the cybersecurity community have grown accustomed to seeing these massive ransom payment figures, most of the costs incurred from ransomware attacks have nothing to do with the ransom demanded. Lost productivity and the recovery time required to get IT systems running and back to normal operating levels are significant expenses incurred by organisations in the aftermath of a ransomware attack.

Common Costs Associated with a Ransomware Attack

View a detailed breakdown of expected ransomware costs estimated against an organisation’s annual revenue.

Organizations with $0-$25M Annual Revenues

Well-Known Costs:

  • Forensics
  • Incident Response Legal Counsel
  • Restoration & Recovery
  • Notifications to Customers and Vendor Costs
  • PR Costs
  • Regulatory Fines


Lesser-Known Costs:

  • Ransom Payment
  • Lawsuits
  • Data Mining
  • Credit Monitoring


Where insurance coverage (typically) ends


22 days of lost profits1



50% of employees not producing for 22 days


Loss of Future
10% drop in profits from lost revenues for the following 3 months 2,4


Company Valuation
3% lower stock price after 6 months3,4

Should You Pay the Ransom?

While the FBI does NOT recommend negotiating or paying ransom, the 2023 IBM Cost of Data Breach Report presents some interesting insights regarding how paying or not paying ransom impacts the overall cost of a ransomware event. Organisations that paid the ransom during a ransomware attack achieved only a small difference in total cost, paying $110,000 (£86,000) or 2.2% less compared to victim organisations that didn’t succumb to ransom demands.

However, this data doesn’t include the cost of the ransom itself. With the high cost associated with most ransom demands, organisations that did make payments likely ended up paying more than organisations that didn’t pay the ransom.

How Do Threat Actors Determine Ransom Demands?

Threat actors use a variety of factors to determine an initial ransom demand. Some items that factor into those demands include:

Organization Size icon

The victim organisation’s size and financial position, which threat actors use to estimate the organisation’s ability to pay.

Industry icon

The victim organisation’s industry, which influences their sensitivity to disruption and negative press.

Attack Size icon

The scope of the attack, which typically influences the victim’s ability to recover and the impact to their operations.


The victim’s insurance coverage. Some ransomware groups actively seek out cyber insurance policies in a victim’s environment to better inform their ransom demands, typically asking up to the maximum the insurance policy will cover.

Our Recomendation

Arctic Wolf recommends working with a vetted incident response vendor that has experience with ransomware threat actor negotiations. On average, Arctic Wolf Incident Response customers have seen up to 92% reductions from the original ransom request.*

*All cases are different, and ransom reductions are not guaranteed. It is also never a guarantee that threat actors will live up to their word in a ransom situation.

Get an in-depth view of the factors cybercriminals use when determining initial ransom demands.

Download the Arctic Wolf Labs 2024 Threat Report.


How Does Ransomware Work?

Root Point of Compromise: Gaining Initial Access

In the modern cybersecurity world of cloud environments and hybrid work, threat actors have become adept at evading security solutions by pivoting rapidly and employing multiple paths to value. Research from the Arctic Wolf Labs 2024 Threat Report shows the two major ways most ransomware attacks begin: external exposure and user action.

External Exposure

In over two-thirds of the ransomware cases we investigated, threat actors gained initial access to victim environments through external exposure — a system exposed, whether knowingly or inadvertently, to the public Internet.

In 2023, threat actors leveraged external remote access in 39% of cases.

In 2023, threat actors leveraged external remote access in 39% of cases.

Other forms of external exploits, including known vulnerabilities and zero-days, accounted for 29%.

Other forms of external exploits, including known vulnerabilities and zero-days, accounted for 29%.

External Exposure

External Remote Access

This form of external exposure typically involves identity-based attacks aimed at breaching an organisation’s identity and access management (IAM) system — the governance, control, and monitoring of users’ identities and access within a system or network. External remote access attacks can take a few different forms, including:

Remote Desktop icon

Compromising servers with Remote Desktop Protocol (RDP)

Microsoft Active Directory icon

Compromising servers with Microsoft Active Directory

Using valid credentials purchased from an initial access broker (IAB) on a dark web marketplace

External Exposure

External Exploits

External exploits, however, involve leveraging either a known vulnerability or a zero-day vulnerability to gain access to an environment.

More than a quarter of non-business email compromise (BEC) incidents we investigated — of which the vast majority were ransomware — exploited a known (i.e., not a zero-day) vulnerability.

In theory, an effective patching program could have mitigated the attack or at least forced the threat actor into a different course of action.

Zero-Day Vulnerability


While zero-days get all the headlines, they make up a small percentage of cases — just 3.4% of the non-BEC incidents investigated by Arctic Wolf, a majority of which are ransomware.

0 %

User Action

While comprising a smaller section of attacks, user action still accounts for nearly one-quarter of all initial access vectors in ransomware attacks.

The team at Arctic Wolf Labs has identified four major ways that user action can lead to a ransomware attack:

0 %

Phishing: T1566

A user clicks on a malicious link and is tricked into sharing credentials or downloading and executing a malicious attachment within an email.
0 %

Previously compromised credentials: T1078

The threat actor uses credentials that are known to be part of a data breach or credential dump — but that have not yet been deactivated by the victim organisation (i.e., user inaction).

0 %

Malicious software download: T1204.002

A user falls prey to a drive-by attack or downloaded software containing hidden malicious functionality.
0 %

Other social engineering

A user is tricked by a tech support scam or some other social engineering attack besides phishing.

It’s important to note that hardening your environment to protect against ransomware will pay deep dividends against all forms of cyber attack, as the same initial access attack vectors are used in many other forms of cyber attack, including BEC and malware attacks.


How to Defend Against Ransomware

Like all attack vectors, the best defense involves a comprehensive security strategy that contains proactive and reactive components.

Our Recommendation

By examining the common TTPs exploited by ransomware groups and individual threat actors, we can recommend the following actions, which should occur in parallel and continuously, to reduce your cyber risk while improving your security posture.​

Number 01

Conduct Basic File Backups

As ransomware evolves, threat actors are now regularly exfiltrating data in the early stages of attack, threatening to release it to the dark web if payment isn’t met (double extortion).

In 71% of Arctic Wolf Incident Response engagements for ransomware, the victim organisation was able to leverage backups in some capacity to restore their environment.

It’s best to follow the 3-2-1 principle of file backup, meaning an organisation has:

3 copies of data

1 primary, 2 backup

2 copies stored

At separate locations

1 off-site storage

In a secure private cloud

Number 02

Secure The Cloud

With the shared responsibility model, it’s important for organisations to understand where their responsibility lies when keeping their cloud environment safe. A security incident originating from within your organisation that destroys or disrupts your cloud data is your responsibility, and many cloud security incidents can be traced back to misconfigurations and/or overly permissive access policies.

Not only can the cloud offer initial access to threat actors, but as data storage and operational applications expand to the cloud, it’s likely threat actors will find their way there (through lateral movement or privilege escalation) to encrypt and/or exfiltrate data.

Number 03

Enforce Identity & Access Controls

Be it through social engineering, the purchase of stolen credentials, or even a brute-force attack, access often begins with a password. In addition, credentials can be used by the threat actor to gain privileged access, allowing them to deploy malware into critical parts of the network.

Proactive and reactive measures security teams can take to improve credential security include:

  • Implementing MFA
  • Conducting dark web monitoring
  • Hardening Active Directory using tools like PingCastle for visibility
  • Embracing the principle of least privilege access (PolP), supported by a zero-trust access model, role-based access control, and privileged access management (PAM)
  • Delivering comprehensive user security training
Number 04

Ongoing Vulnerability Management

While zero-days make headlines, it’s often known, unpatched vulnerabilities that allow threat actors to gain access to a network or system. By staying on top of vulnerabilities, an organisation goes a long way in hardening their attack surface.

A full vulnerability management program prioritises continuous vulnerability remediation and assessment, with other components of the program complementing and assisting overall remediation and mitigation.


Vulnerability remediation

The act of removing a vulnerability through patching or another process
Secure Strategy icon

Vulnerability mitigation

The act of developing a strategy to minimise a threat’s impact if remediation is not possible

Number 05

Employ a 24x7 monitoring, detection, and response solution

Monitoring is critical for preventing attacks, especially as threat actors utilize legitimate programs, such as PowerShell and Active Directory, for malicious ends. Without proper endpoint monitoring and detection, unusual behavior in those programs would go unnoticed.

In addition, swift detection and response capabilities allow your organisation to stop a ransomware threat while the threat actors try to gain initial access or before they can make lateral movement.

2023 Showed That Ransomware Groups Aren’t Slowing Down.

If tools alone were enough to solve the problem, they would have by now.

This is an operational problem that needs to be solved, and that’s what Arctic Wolf delivers. Learn more about our unique approach to cybersecurity and why Arctic Wolf has emerged as a leader in the industry.