Ransomware: Tactics, Impact, and Response
Ransomware represents one of the most operationally disruptive categories of malicious software in the modern threat landscape, combining cryptographic lockout, extortion mechanics, and increasingly sophisticated delivery infrastructure. This page covers the technical structure of ransomware attacks, the causal factors driving their frequency, classification distinctions across major variant families, and the regulatory frameworks governing organizational response. It is structured as a reference for security professionals, compliance officers, incident responders, and researchers navigating the ransomware threat landscape.
- Definition and scope
- Core mechanics or structure
- Causal relationships or drivers
- Classification boundaries
- Tradeoffs and tensions
- Common misconceptions
- Checklist or steps (non-advisory)
- Reference table or matrix
Definition and scope
Ransomware is a class of malicious software that denies access to data, systems, or networks — typically through encryption — and demands payment, usually in cryptocurrency, in exchange for restoring access. The Cybersecurity and Infrastructure Security Agency (CISA) formally defines ransomware as "a type of malicious software, or malware, designed to deny access to a computer system or data until a ransom is paid" (CISA Ransomware Guidance).
The scope of ransomware impact extends across all 16 critical infrastructure sectors identified by CISA under Presidential Policy Directive 21, with documented incidents spanning healthcare systems, water utilities, pipeline operators, school districts, and local governments. The FBI's Internet Crime Complaint Center (IC3) logged 2,385 ransomware complaints in 2022 alone, with adjusted losses exceeding $34.3 million — a figure that significantly undercounts true losses because most incidents go unreported (FBI IC3 2022 Internet Crime Report).
Ransomware intersects with federal law under 18 U.S.C. § 1030 (the Computer Fraud and Abuse Act) and may trigger reporting obligations under sector-specific regulations including HIPAA (45 CFR Part 164), the NYDFS Cybersecurity Regulation (23 NYCRR 500), and the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). Organizations subject to the Payment Card Industry Data Security Standard (PCI DSS) face additional notification timelines following a ransomware-related breach. The full compliance landscape is documented in the US Cybersecurity Regulations and Compliance reference.
Core mechanics or structure
Ransomware attacks follow a structured execution chain that security researchers and the MITRE ATT&CK framework document across distinct phases. Understanding this chain is prerequisite to designing effective defensive controls.
Initial Access: Attackers gain entry through phishing emails (the delivery vector in an estimated 41% of incidents per Verizon's 2023 Data Breach Investigations Report), exploitation of unpatched vulnerabilities, brute-forced Remote Desktop Protocol (RDP) credentials, or compromised managed service provider (MSP) access. MITRE ATT&CK catalogs these under Tactic TA0001.
Execution and Persistence: Once inside, ransomware payloads are delivered via PowerShell scripts, malicious macros, or dropped executables. Attackers establish persistence using scheduled tasks, registry run keys, or modified boot sectors (MITRE Tactic TA0003).
Privilege Escalation and Lateral Movement: Before encrypting files, threat actors typically escalate to domain administrator privileges and move laterally across the network to maximize the encryption footprint. Tools such as Mimikatz (credential dumping) and Cobalt Strike (lateral movement) appear in documented ransomware incident reports from groups including LockBit and ALPHV/BlackCat.
Data Exfiltration (Double Extortion): Modern ransomware operators exfiltrate sensitive data prior to encryption, creating a second extortion lever independent of backup restoration capability. This tactic, documented by CISA Alert AA22-040A, was observed in 70% of ransomware attacks analyzed by Palo Alto Networks Unit 42 in 2022.
Encryption: Ransomware deploys asymmetric encryption (commonly RSA-2048 or RSA-4096 for key exchange) combined with symmetric encryption (AES-256) for speed. The private decryption key is held by the attacker and released — or sold — upon ransom payment. NIST's National Cybersecurity Center of Excellence has published detailed encryption mechanism analysis in its Data Integrity practice guides.
Ransom Demand: Payment demands are typically denominated in Bitcoin or Monero. Ransom notes specify payment portals on Tor-based infrastructure. The U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) has issued advisories warning that payments to sanctioned ransomware groups may violate 31 C.F.R. Part 578 (OFAC Ransomware Advisory, 2021).
The full technical taxonomy of malware delivery mechanisms relevant to this chain is covered in the Malware Types and Analysis reference.
Causal relationships or drivers
Ransomware's sustained growth as an attack category reflects converging structural factors, not isolated opportunism.
Ransomware-as-a-Service (RaaS) Ecosystem: The commoditization of ransomware into affiliate-based business models lowered the technical barrier for entry. RaaS platforms (LockBit, BlackBasta, Hive, ALPHV/BlackCat) provide ready-built payloads, negotiation portals, and payment infrastructure to affiliates in exchange for a revenue share typically ranging from 20% to 30% of collected ransoms (Europol Internet Organised Crime Threat Assessment, 2022).
Cryptocurrency Infrastructure: The pseudonymity of blockchain-based payment systems — particularly privacy coins such as Monero — enabled ransomware operators to collect payments with reduced traceability. The U.S. Department of Justice seized $2.3 million in Bitcoin following the Colonial Pipeline attack (2021), demonstrating partial recoverability but also confirming cryptocurrency as the dominant payment rail (DOJ Press Release, June 2021).
Unpatched Vulnerability Exposure: CISA's Known Exploited Vulnerabilities (KEV) catalog documents vulnerabilities actively exploited in ransomware campaigns. Many high-profile ransomware incidents exploited vulnerabilities that had patches available 30 to 90 days prior to attack, indicating a systemic patching lag in enterprise environments. The Vulnerability Management Lifecycle reference maps the remediation pipeline.
Geopolitical Permissiveness: A significant proportion of ransomware infrastructure and operator activity originates from jurisdictions where law enforcement cooperation with the U.S. is limited. In joint advisories published under the Cybersecurity Advisory series, the FBI and CISA have attributed ransomware-adjacent intrusion campaigns to groups including Sandworm (Russia's GRU) and APT40 (China's MSS).
Classification boundaries
Ransomware variants are classified along operational, technical, and targeting dimensions. Conflating these categories produces inaccurate threat modeling.
By Encryption Scope:
- Locker ransomware — locks the user interface or operating system without encrypting files. Less destructive; often resolved without payment.
- Crypto ransomware — encrypts files using hybrid cryptographic schemes. The dominant modern form.
- MBR (Master Boot Record) ransomware — overwrites the MBR to prevent system boot. Petya and NotPetya are documented examples.
By Targeting Model:
- Opportunistic ransomware — mass-distributed via phishing; targets any reachable system. WannaCry (2017) infected over 200,000 systems across 150 countries (NCSC WannaCry Technical Analysis).
- Big-game hunting (BGH) — targeted campaigns against high-revenue organizations. Operators conduct reconnaissance, dwell for days or weeks before deploying ransomware.
By Extortion Model:
- Single extortion — encryption only.
- Double extortion — encryption plus data exfiltration threat.
- Triple extortion — adds DDoS attacks or direct contact with victims' customers or partners to increase pressure.
By Deployment Method:
- Human-operated ransomware — hands-on-keyboard intrusion campaigns.
- Automated/worm-propagating ransomware — self-propagating via network exploits (EternalBlue in WannaCry and NotPetya).
The MITRE ATT&CK Framework provides standardized technique and procedure mappings for each classification.
Tradeoffs and tensions
The ransomware response landscape contains genuine policy and operational tensions without universally correct resolutions.
Ransom Payment vs. Deterrence: Paying ransoms restores access faster in documented cases but funds adversary operations and signals willingness to pay. CISA, the FBI, and NCSC uniformly discourage payment, yet the FBI's own guidance acknowledges organizations must weigh operational continuity. OFAC's 2021 advisory created compliance risk for organizations paying sanctioned groups, introducing legal liability as a deterrent factor independent of ethics.
Backup Integrity vs. Operational Speed: Maintaining air-gapped, immutable backups is the primary technical countermeasure against ransomware-induced data loss. However, the Recovery Time Objective (RTO) for large-scale backup restoration frequently conflicts with operational continuity requirements — particularly in healthcare environments where patient data systems must be restored within hours, not days.
Incident Disclosure vs. Negotiation Leverage: Premature public disclosure of a ransomware incident may strengthen the attacker's negotiating position or trigger regulatory scrutiny before response teams have characterized the breach. CIRCIA's mandatory reporting timelines (72 hours for covered entities under proposed CISA rulemaking) create tension with the operational reality that incident characterization takes longer than 72 hours in complex network environments.
Attribution vs. Response Speed: Accurate threat actor attribution informs recovery decisions and legal reporting obligations — particularly OFAC sanctions screening. However, attribution investigation delays the technical response. Incident response teams must operate on parallel tracks, a resource constraint documented in NIST SP 800-61 Rev. 2 (Computer Security Incident Handling Guide).
Common misconceptions
Misconception: Paying the ransom guarantees data recovery.
Correction: Coveware's Q4 2022 Ransomware Report documented that 8% of organizations that paid a ransom did not receive a working decryptor, and an additional share received decryptors that only partially restored data. Data corruption during encryption is a documented failure mode unrelated to attacker intent.
Misconception: Small organizations are not ransomware targets.
Correction: The 2022 Verizon DBIR documented that 61% of small-to-medium businesses (fewer than 1,000 employees) were breach victims in analyzed incidents. RaaS affiliate models specifically incentivize low-resistance targets, and organizations with fewer than 500 employees consistently appear in ransomware incident disclosures.
Misconception: Antivirus software reliably blocks ransomware.
Correction: Modern ransomware uses living-off-the-land (LotL) techniques — leveraging legitimate Windows tools such as PowerShell, WMI, and PsExec — to evade signature-based detection. CISA Alert AA22-265A documents LotL technique usage by ransomware affiliates as standard operational practice.
Misconception: Ransomware only affects Windows systems.
Correction: Linux-targeting ransomware (targeting VMware ESXi hypervisors) became a documented attack vector in 2022, with BlackBasta, LockBit, and ALPHV/BlackCat all releasing Linux encryptors. macOS-targeting ransomware strains have also been cataloged by the security community, though at lower frequency.
Misconception: Air-gapped backups make an organization immune to ransomware impact.
Correction: Backups address data recovery but do not prevent data exfiltration. Double-extortion attacks extract data before encryption; organizations with intact backups are still subject to data breach notification obligations under HIPAA, state breach notification laws, and GDPR (for EU-data-subject records). The Breach Notification Laws (US) reference covers applicable statutes.
Checklist or steps (non-advisory)
The following sequence reflects the operational phases documented in NIST SP 800-61 Rev. 2 and the CISA Ransomware Response Checklist, adapted for reference use. This is a structural description of the response sequence — not professional advice.
Phase 1 — Detection and Initial Triage
- [ ] Confirm ransomware activity through endpoint detection alerts, file extension anomalies, or ransom note discovery
- [ ] Identify the scope of affected systems (endpoints, servers, domain controllers, backup infrastructure)
- [ ] Determine whether data exfiltration indicators are present (unusual outbound network traffic, large compressed archive creation)
- [ ] Preserve volatile memory (RAM) on affected systems before isolation where forensically feasible
Phase 2 — Containment
- [ ] Isolate affected systems from the network (physical disconnect or VLAN quarantine) to halt lateral movement
- [ ] Disable compromised accounts; reset credentials for administrative accounts enterprise-wide
- [ ] Preserve system logs, event logs, and firewall logs before they are overwritten
- [ ] Notify legal counsel and determine OFAC sanctions screening obligations for any ransom payment consideration
Phase 3 — Reporting and Notification
- [ ] Report to FBI via IC3 (ic3.gov) and to CISA (cisa.gov/report) within operational feasibility
- [ ] Assess sector-specific notification obligations: HHS/OCR for HIPAA-covered entities (60-day statutory window under 45 CFR § 164.408); SEC Form 8-K for publicly traded companies; state attorney general notifications per applicable breach notification statutes
- [ ] Document the incident timeline for regulatory submissions
Phase 4 — Eradication and Recovery
- [ ] Identify and remediate the initial access vector before restoration begins
- [ ] Validate backup integrity and confirm backups are free of ransomware infection
- [ ] Restore systems from clean backups in priority order per business continuity plan
- [ ] Conduct threat hunting across the environment to confirm complete actor eviction
Phase 5 — Post-Incident Activity
- [ ] Conduct root cause analysis and document TTPs using MITRE ATT&CK framework notation
- [ ] Implement control improvements targeting identified gaps
- [ ] Submit technical indicators to CISA or the FBI for threat intelligence sharing under the Cybersecurity Information Sharing Act (CISA 2015)
The Incident Response Framework reference provides expanded phase-level detail for each stage of this sequence.
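The Phase 1 triage indicators above (file extension anomalies, ransom-note discovery, large archive creation as an exfiltration staging sign) expressed as detection logic over a constructed file-event log. This is an added example, not code from the original page or from NIST or CISA; the event tuple format, the `.lockd` extension, the note filenames and the thresholds are assumptions chosen for illustration.

```python
"""Ransomware triage heuristics over a constructed file-event log.
Added example, not from the original page: flags a rename burst to one
new extension, a note file created across many directories, and a large
archive creation (possible exfil staging). Events and thresholds are
constructed assumptions, not a real EDR schema."""

import ntpath
from collections import defaultdict

# Constructed events: (timestamp_sec, action, windows_path, size_bytes)
EVENTS = [
    (0, "rename", r"C:\Share\Finance\q1.xlsx.lockd", 0),
    (2, "rename", r"C:\Share\Finance\q2.xlsx.lockd", 0),
    (3, "create", r"C:\Share\Finance\RESTORE_FILES.txt", 1024),
    (5, "rename", r"C:\Share\HR\payroll.docx.lockd", 0),
    (6, "create", r"C:\Share\HR\RESTORE_FILES.txt", 1024),
    (9, "rename", r"C:\Share\HR\handbook.pdf.lockd", 0),
    (12, "rename", r"C:\Share\Legal\nda.docx.lockd", 0),
    (13, "create", r"C:\Share\Legal\RESTORE_FILES.txt", 1024),
    (40, "create", r"C:\Temp\staging.7z", 900 * 1024 * 1024),
    (3600, "rename", r"C:\Users\bob\notes.txt.bak", 0),  # benign, isolated
]

RENAME_BURST, WINDOW_SEC = 5, 60        # renames to one extension in window
NOTE_NAMES = {"restore_files.txt", "how_to_decrypt.txt"}  # hypothetical names
NOTE_DIR_MIN = 3                        # same note seen in >= this many dirs
ARCHIVE_EXTS, ARCHIVE_MIN = {".zip", ".7z", ".rar"}, 500 * 1024 * 1024


def triage(events):
    """Return a list of (indicator, detail) tuples for the given events."""
    findings = []
    by_ext, note_dirs = defaultdict(list), defaultdict(set)
    for ts, action, path, size in sorted(events):
        name, ext = ntpath.basename(path).lower(), ntpath.splitext(path)[1].lower()
        if action == "rename":
            by_ext[ext].append(ts)
        elif action == "create" and name in NOTE_NAMES:
            note_dirs[name].add(ntpath.dirname(path).lower())
        elif action == "create" and ext in ARCHIVE_EXTS and size >= ARCHIVE_MIN:
            findings.append(("large_archive", path))
    for ext, times in by_ext.items():  # sliding window over sorted timestamps
        for i in range(len(times) - RENAME_BURST + 1):
            if times[i + RENAME_BURST - 1] - times[i] <= WINDOW_SEC:
                findings.append(("rename_burst", f"{len(times)} renames to {ext}"))
                break
    for name, dirs in note_dirs.items():
        if len(dirs) >= NOTE_DIR_MIN:
            findings.append(("ransom_note", f"{name} in {len(dirs)} dirs"))
    return findings
```

Run `triage(EVENTS)` to see all three indicators fire on the sample; the isolated `.bak` rename at the end does not trigger the burst rule, which is the point of windowing rather than alerting on any single extension change.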
Reference table or matrix
Ransomware Variant Comparison Matrix
| Variant | Active Period | Encryption Method | Extortion Model | Primary Targets | Attribution |
|---|---|---|---|---|---|
| WannaCry | 2017 | AES-128 + RSA-2048 | Single | Global (indiscriminate) | DPRK (Lazarus Group) — NSA/GCHQ/NCSC joint attribution |
| NotPetya | 2017 | AES-128 (wiper, not true ransomware) | None (destructive) | Ukraine, global collateral | Russia (Sandworm) — UK NCSC, US CISA |
| REvil/Sodinokibi | 2019–2022 | Salsa20 + Elliptic Curve | Double | Enterprise, MSPs | Russia-linked — FBI/Europol |
| LockBit 3.0 | 2022–present | AES-256 + RSA-2048 | Double/Triple | All sectors | Russia-linked affiliates — CISA AA23-075A |
| ALPHV/BlackCat | 2021–2024 | ChaCha20 + RSA-4096 | Double/Triple | Healthcare, critical infra | Russia-linked — FBI Flash Alert CU-000168-MW |
| Cl0p | 2019–present | RC4 + RSA | Double | File transfer platforms (MOVEit, GoAnywhere) | Russia-linked — CISA Alert AA23-158A |
| Hive | 2021–2023 | ChaCha |