Ransomware: Tactics, Impact, and Response

Ransomware represents one of the most consequential categories of malicious software operating against US public and private infrastructure, combining data encryption, extortion, and increasingly, data exfiltration into a single attack chain. This page covers the mechanics of ransomware deployment, the causal factors driving its prevalence, classification distinctions between variant families, and the structured response phases recognized by federal cybersecurity authorities. The scope spans technical structure, regulatory context, and operational considerations relevant to incident responders, risk professionals, and organizational decision-makers navigating this threat landscape.


Definition and Scope

Ransomware is a class of malicious software that denies access to data, systems, or networks by encrypting files or locking devices, then demands payment — typically in cryptocurrency — in exchange for a decryption key or system restoration. The Cybersecurity and Infrastructure Security Agency (CISA) defines ransomware as malware designed to encrypt files on a device, rendering those files and the systems that rely on them unusable.

The scope of ransomware extends beyond single-machine infections. Enterprise-scale attacks traverse Active Provider Network environments, pivot through network segments, and may persist for weeks before encryption is triggered. The FBI's Internet Crime Complaint Center (IC3) recorded 2,385 ransomware complaints in 2023, with adjusted losses exceeding $34.3 million — figures that substantially undercount actual incident volume due to underreporting.

Federal regulatory frameworks treat ransomware as a national security concern. The Department of Homeland Security's CISA Ransomware Guide, co-authored with the Multi-State Information Sharing and Analysis Center (MS-ISAC), establishes ransomware response as a structured discipline distinct from general malware remediation. Sector-specific obligations under the Health Insurance Portability and Accountability Act (HIPAA), enforced by HHS, and requirements under the Gramm-Leach-Bliley Act (GLBA), enforced by the FTC, impose notification and incident response duties when ransomware results in unauthorized access to protected data.


Core Mechanics or Structure

A ransomware attack proceeds through a sequence of phases that align with the MITRE ATT&CK framework's enterprise attack lifecycle. MITRE ATT&CK catalogs ransomware-associated techniques under Initial Access (TA0001), Execution (TA0002), Persistence (TA0003), Discovery (TA0007), Lateral Movement (TA0008), Exfiltration (TA0010), and Impact (TA0040).

Initial Access is achieved through phishing email delivery (T1566), exploitation of public-facing applications (T1190), or valid credential abuse through Remote Desktop Protocol (RDP) — CISA identified RDP as the attack vector in approximately 70–80% of ransomware incidents examined in joint advisories.

Execution and Privilege Escalation typically involve scripting environments — PowerShell, WMI, or cmd.exe — along with exploitation of unpatched local privilege escalation vulnerabilities. Threat actors frequently abuse legitimate tools such as PsExec, Cobalt Strike, and AnyDesk in what NIST SP 800-83 categorizes as living-off-the-land (LotL) technique deployment.

Lateral Movement and Discovery precede encryption. Attackers enumerate domain controllers, backup systems, and high-value data repositories. Shadow copy deletion — typically via vssadmin delete shadows /all /quiet — occurs before encryption is triggered to eliminate native Windows recovery options.

Encryption is performed using a hybrid cryptographic model: symmetric encryption (commonly AES-256) encrypts file contents at speed, while the symmetric key itself is encrypted with an asymmetric key pair (RSA-2048 or higher) held by the attacker. Without the attacker's private key, brute-force decryption of AES-256 is computationally infeasible with present hardware.

Exfiltration now precedes encryption in double-extortion models, copying data to attacker-controlled infrastructure before the encryption payload runs.


Causal Relationships or Drivers

The persistence of ransomware as a dominant attack category is driven by a convergent set of structural, economic, and operational factors documented across federal threat assessments.

Ransomware-as-a-Service (RaaS) infrastructure has lowered the technical barrier to attack execution. Under the RaaS model, developers lease encryptors and backend infrastructure to affiliates who conduct intrusions and receive 60–80% of ransom proceeds. This affiliate structure, documented in CISA Alert AA23-061A, has expanded the attacker pool to actors without advanced malware development capability.

Cryptocurrency payment infrastructure enables pseudonymous ransom collection that is difficult to reverse. The U.S. Treasury Department's Office of Foreign Assets Control (OFAC) has issued sanctions against ransomware-linked entities including Evil Corp and Suex, identifying crypto laundering channels as a systemic enabler.

Unpatched vulnerability exposure remains the most operationally significant technical driver. The CISA Known Exploited Vulnerabilities (KEV) Catalog identifies vulnerabilities actively exploited in ransomware campaigns; as of 2024, the catalog contains over 1,000 entries, with ransomware actors responsible for exploitation of 15 of the top 20 most exploited vulnerabilities identified in the 2023 CISA Top Routinely Exploited Vulnerabilities advisory.

Organizational recovery gap — the difference between recovery time objectives and actual recovery capability — amplifies ransom payment rates. When backup systems are compromised alongside production systems, organizations face restoration timelines measured in weeks, creating economic pressure toward payment regardless of policy.


Classification Boundaries

Ransomware variants are classified by encryption scope, extortion mechanism, and operational model. Conflating these categories produces incorrect threat assessments and misaligned response strategies.

Crypto-ransomware encrypts user and system files while leaving the OS functional enough to display a ransom note. This is the dominant category and includes LockBit, BlackCat/ALPHV, Cl0p, and Royal.

Locker ransomware locks the user out of the device interface without encrypting file contents — common in mobile device attacks and older Windows-targeted campaigns. File contents remain intact but inaccessible through normal means.

Wiper malware disguised as ransomware presents ransom demands but performs irreversible file destruction, with no functional decryption mechanism. NotPetya (2017) is the canonical example; the White House attribution statement identified it as a destructive cyberweapon deployed by Russian military intelligence (GRU), not economically motivated ransomware.

Double-extortion ransomware combines encryption with exfiltration, threatening public data release if payment is not made. This model was established at scale by Maze (2019–2020) and is now standard among major ransomware groups.

Triple-extortion ransomware adds a third pressure vector: direct contact with the victim organization's customers, partners, or regulators to amplify reputational and regulatory consequences.

Ransomware-as-a-Service (RaaS) is an operational model, not a technical variant. LockBit 3.0, ALPHV/BlackCat, and Akira all operated as RaaS programs with affiliate structures, as documented in CISA joint advisory AA23-325A.


Tradeoffs and Tensions

Payment versus non-payment is the central contested decision in ransomware response. CISA and the FBI formally advise against paying ransoms, citing that payment incentivizes further attacks and does not guarantee data recovery or system restoration. However, OFAC's advisory on ransomware payments (OFAC FAQ 900) acknowledges that payment may be necessary in life-safety situations while noting potential sanctions exposure if payments reach designated entities.

Decryption tool reliability introduces operational uncertainty. Even when decryption keys are provided, reconstruction of large encrypted environments using attacker-supplied tools is slow, error-prone, and often incomplete. The tradeoff between paying for an unreliable key and rebuilding from backup — when backups are intact — requires assessment of actual recovery capability rather than assumed capability.

Law enforcement engagement versus confidentiality creates tension for affected organizations. Reporting to the FBI or CISA provides access to threat intelligence, potential decryption tools from seized infrastructure, and legal guidance on sanctions risk. The FBI's ransomware page explicitly encourages reporting. Organizations may resist disclosure due to reputational concern, contractual obligations, or uncertainty about mandatory notification timelines.

Backup segmentation versus backup accessibility reflects an operational design tension: highly isolated, air-gapped backup systems are resistant to ransomware propagation but may require longer recovery times. Partially connected backup systems restore faster but present attack surface.


Common Misconceptions

Misconception: Paying the ransom ends the incident.
Ransomware groups frequently maintain persistent access after payment. A 2022 Cybereason ransomware survey found that 80% of organizations that paid a ransom experienced a second attack — in 46% of those cases, from the same threat actor. Remediation of the initial access vector and full forensic review are required regardless of payment.

Misconception: Small organizations are not targeted.
The 2023 Verizon Data Breach Investigations Report (DBIR) found that small and medium-sized businesses account for the majority of ransomware victims by volume. RaaS affiliate programs automate targeting and scale attacks across organizations regardless of size.

Misconception: Antivirus software reliably stops ransomware.
Modern ransomware employs code obfuscation, LotL techniques using signed Windows binaries, and timestomping to evade signature-based detection. NIST SP 800-83 Rev. 1 notes that detection capability against novel malware variants requires behavioral analysis, not solely signature matching.

Misconception: Cloud storage is immune to ransomware.
Ransomware variants including Ryuk and LockBit target cloud-mapped drives and synchronize encrypted files to cloud storage, overwriting clean versions. Without versioning enabled and protected, cloud-stored files are vulnerable.

Misconception: Ransomware is purely a technical problem.
CISA's #StopRansomware guidance consistently identifies organizational factors — inadequate access controls, absent multi-factor authentication, unpatched systems, and lack of tested incident response plans — as primary enablers, not technical exploitation sophistication.


Checklist or Steps (Non-Advisory)

The following represents the incident response phase structure documented in the CISA-MS-ISAC Ransomware Guide and aligned with NIST SP 800-61 Rev. 2 (Computer Security Incident Handling Guide).

Preparation Phase
- Maintain offline, encrypted, and tested backups of critical systems
- Implement network segmentation to limit lateral movement pathways
- Deploy multi-factor authentication on all remote access and privileged accounts
- Establish an incident response plan with defined roles and communication channels
- Register with CISA's free Cyber Hygiene Vulnerability Scanning service

Detection and Analysis
- Identify indicators of compromise (IOCs) using endpoint detection and response (EDR) telemetry
- Cross-reference alerts against CISA KEV Catalog entries and FBI ransomware IOC notifications
- Determine attack vector, affected systems, and whether data exfiltration occurred
- Preserve forensic artifacts — do not reboot compromised systems before imaging where feasible
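As an added example (not code from the CISA-MS-ISAC guide or any vendor), the Python below turns the pre-encryption behaviours described under Core Mechanics (shadow copy deletion, PsExec lateral movement, PowerShell execution) and the Detection and Analysis step above into simple detection logic run over constructed Sysmon-style process-creation events; the rule patterns, field names and sample events are my own assumptions, not published IOCs.

```python
import re
from dataclasses import dataclass

# Each rule: the ATT&CK tactic named in the text, a short reason, and a pattern over CommandLine.
RULES = [
    ("TA0040 Impact", "shadow copy deletion",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("TA0008 Lateral Movement", "PsExec remote execution",
     re.compile(r"(^|\\)psexec(64)?(\.exe)?\b", re.I)),
    ("TA0002 Execution", "encoded PowerShell command",
     re.compile(r"powershell(\.exe)?.*\s-(e|enc|encodedcommand)\s", re.I)),
]

@dataclass(frozen=True)
class Finding:
    host: str
    user: str
    tactic: str
    reason: str
    command: str

def scan_events(events):
    """Return one Finding per event whose CommandLine matches a rule."""
    findings = []
    for ev in events:
        cmd = ev.get("CommandLine", "")
        for tactic, reason, pat in RULES:
            if pat.search(cmd):
                findings.append(Finding(ev.get("Computer", "?"), ev.get("User", "?"),
                                        tactic, reason, cmd))
                break  # first matching rule wins; one finding per event
    return findings

# Constructed sample telemetry (Sysmon Event ID 1 field names); not real incident data.
SAMPLE_EVENTS = [
    {"Computer": "FS01", "User": "CORP\\svc_backup",
     "CommandLine": "vssadmin delete shadows /all /quiet"},
    {"Computer": "WS17", "User": "CORP\\jdoe",
     "CommandLine": "notepad.exe C:\\Users\\jdoe\\notes.txt"},
    {"Computer": "DC01", "User": "CORP\\admin",
     "CommandLine": "C:\\Tools\\PsExec64.exe \\\\FS01 -s cmd.exe /c start.bat"},
    {"Computer": "WS17", "User": "CORP\\jdoe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"{f.host} {f.user} [{f.tactic}] {f.reason}: {f.command}")
```

In a real deployment the same rules would run over EDR or Sysmon telemetry rather than an inline list, and a hit on the shadow copy rule is the point at which the Containment steps below should start.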

Containment
- Isolate affected systems from the network (disconnect, do not power off)
- Disable compromised accounts and revoke active sessions
- Block known attacker command-and-control (C2) infrastructure at perimeter controls
- Notify legal counsel and initiate records preservation for potential regulatory notification obligations

Eradication
- Identify and remove all malware components including persistence mechanisms
- Patch or mitigate the initial access vulnerability
- Rotate all credentials that may have been exposed

Recovery
- Restore systems from known-clean, pre-incident backups
- Validate system integrity before returning to production
- Monitor restored systems for re-infection indicators for a minimum of 30 days

Post-Incident Activity
- Submit an incident report to the FBI's IC3 and/or notify CISA via [email protected]
- Assess mandatory notification obligations under HIPAA (45 CFR §164.400–414), applicable state breach notification statutes, or the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) when finalized rulemaking applies


Reference Table or Matrix

| Ransomware Type | Encryption Applied | Data Exfiltration | Decryption Possible | Primary Target Profile | Example Groups |
|---|---|---|---|---|---|
| Crypto-ransomware (single extortion) | Yes — AES + RSA hybrid | No | Yes (if key provided) | Enterprise, SMB, government | Early LockBit, Dharma |
| Double-extortion ransomware | Yes | Yes — prior to encryption | Yes (if key provided) | Enterprise, healthcare, critical infrastructure | LockBit 3.0, BlackCat/ALPHV, Cl0p |
| Triple-extortion ransomware | Yes | Yes | Yes (if key provided) | Healthcare, financial services | BlackCat/ALPHV, AvosLocker |
| Locker ransomware | No — screen/UI lock only | No | Yes — lock removal | Consumer devices, older Windows | Reveton, WinLocker |
| Wiper (ransomware-disguised) | Destructive overwrite | Sometimes | No | Nation-state targets, critical infrastructure | NotPetya (GRU-attributed), HermeticWiper |
| RaaS (operational model) | Varies by affiliate payload | Varies | Varies | Any — affiliate-selected | LockBit, Akira, Hive (disrupted) |

Regulatory Notification Triggers by Sector

| Sector | Governing Regulation | Enforcing Agency | Notification Trigger |
|---|---|---|---|
| Healthcare | HIPAA Breach Notification Rule (45 CFR §164.400) | HHS Office for Civil Rights | Unauthorized access to protected health information (PHI) |
| Financial services | GLBA Safeguards Rule (16 CFR Part 314) | FTC | Security breach affecting customer financial data |
| Public companies | SEC Cybersecurity Disclosure Rules (17 CFR 229.106) | SEC | Material cybersecurity incident |
| Critical infrastructure | CIRCIA (pending final rule) | CISA | Covered cyber incident within 72 hours; ransom payment within 24 hours |
| Federal contractors | DFARS 252.204-7012 | DoD / CMMC | Cyber incident affecting covered defense information |

For an orientation to how
