Defining the threat: What is ransomware?
Ransomware is malicious software designed to encrypt or block access to data until a ransom is paid, typically in cryptocurrency. The term covers both traditional encrypting ransomware and pure extortion attacks that do not encrypt files but threaten to publish stolen data unless the victim pays.
Attackers most often gain initial access through phishing emails, stolen or brute-forced credentials, unpatched vulnerabilities, or exposed remote services such as RDP. Once inside, they perform reconnaissance, move laterally, disable backups, and then deploy ransomware to maximize disruption. The Verizon 2025 Data Breach Investigations Report (DBIR), which analyzed over 22,000 incidents and 12,195 confirmed breaches from November 2023 through October 2024, found that stolen credentials (22%) and exploited vulnerabilities (20%) were the two most common initial access vectors during that period.
Why it matters: the business impact of ransomware
A ransomware attack can halt operations, expose sensitive data, and generate regulatory and legal consequences that outlast the technical recovery. Key impacts include:
• Financial loss: the median ransom payment in 2024 was $115,000, down from $150,000 in 2023, with 95% of payments falling under $3 million (Verizon DBIR 2025). These figures represent the median across all incidents; high-profile attacks regularly exceed these amounts by orders of magnitude.
• Data theft: most active ransomware groups steal data before encryption and threaten to publish it if the ransom is not paid. Paying does not guarantee deletion, as the Change Healthcare case demonstrated.
• Operational downtime: ransomware can disable operations for days or weeks. SMBs face disproportionate risk: the 2025 DBIR found that 88% of breaches at small and medium-sized businesses involved ransomware, compared to 39% of breaches at large organizations. These figures reflect the share of breaches within each size segment that contained ransomware.
• Reputational damage: publicly leaked data and extended service outages erode trust with customers, partners, and regulators.
Anatomy of an attack: the ransomware lifecycle
Most ransomware campaigns follow a predictable sequence:
1. Infection: attackers deliver ransomware via phishing emails, malicious attachments, cracked software downloads, or by exploiting unpatched systems. Stolen credentials (22%) and exploited vulnerabilities (20%) were the top initial access vectors in breaches analyzed by the 2025 DBIR. [INTERNAL LINK: phishing]
2. Execution: the malware executes silently, encrypting files, disabling backup agents, and often deleting volume shadow copies to eliminate easy recovery paths.
3. Extortion: after encryption, a ransom note demands payment and typically threatens to publish stolen data if the deadline is missed.
4. Remediation: 64% of organizations refused to pay ransoms in 2024, up from 50% in 2022 (Verizon DBIR 2025). Victims who had isolated, tested backups were able to restore without paying. Those without such backups faced the choice between paying and extended downtime.
Ransomware business models: RaaS and extortion types
Ransomware-as-a-service (RaaS)
Ransomware-as-a-service is a criminal business model in which a core operator builds and maintains ransomware infrastructure, then licenses it to affiliates who conduct the actual attacks. Affiliates typically receive 70-80% of each ransom payment, with the remainder going to the developer. RaaS has significantly lowered the barrier to entry: attackers no longer need to write their own malware to execute sophisticated campaigns. A separate layer of criminal specialization has also emerged, with initial access brokers (IABs) who compromise networks and sell that access to ransomware affiliates, further accelerating the attack pipeline. Most major ransomware groups active since 2020, including LockBit, ALPHV/BlackCat, and RansomHub, operate or operated on the RaaS model.
Extortion models
Ransomware groups have evolved their extortion approach over time:
• Single extortion: encryption only. The attacker encrypts files and demands payment for the decryption key. This model is largely obsolete among major groups because victims with good backups could recover without paying.
• Double extortion: encrypt and steal. The attacker exfiltrates sensitive data before encrypting, then threatens to publish it on a dedicated leak site. This became the standard model for major ransomware groups starting around 2019-2020.
• Triple extortion: double extortion plus a DDoS attack against the victim, or direct threats targeting the victim's customers or partners to apply additional pressure. ALPHV/BlackCat was notable for using this tactic.
• Data-theft-only extortion: some groups, including Clop in several campaigns and Karakurt, exfiltrate data and threaten to publish it without encrypting anything. This is harder to detect because there is no encryption event to trigger alerts, and no backup will resolve the threat.
Attacker's toolkit: active ransomware groups
Ransomware is not a single program but a constantly evolving collection of families and operations. The following entries cover the most significant groups by victim count, impact, or current activity level. [INTERNAL LINK: attack groups]
Akira: An active ransomware group targeting enterprises across multiple sectors since early 2023 (first observed in March 2023), known for double-extortion tactics and for gaining initial access through VPN appliances, including Cisco VPN services that lacked multi-factor authentication. [INTERNAL LINK: Akira ransomware — dedicated Threat Catalog entry]
LockBit: The most prolific ransomware group by victim count through 2024, operating on a RaaS model with hundreds of affiliates. In February 2024, an international law enforcement operation (Operation Cronos) seized LockBit infrastructure, arrested operators, and recovered over 1,000 decryption keys. The group's administrator was identified as Dmitry Yuryevich Khoroshev. LockBit partially resumed operations but its reputation and affiliate network were significantly damaged by the takedown.
ALPHV / BlackCat: A technically sophisticated RaaS operation written in Rust, active from November 2021. Known for double and triple extortion, ALPHV was the second most prolific group before its collapse. In December 2023, the FBI disrupted ALPHV infrastructure and released decryption keys for some victims. In March 2024, ALPHV conducted an exit scam following the Change Healthcare attack, disappearing after reportedly receiving a $22 million ransom payment without distributing the affiliate's share. The group has not resumed operations as of early 2025.
RansomHub: Emerged in February 2024 and quickly became the most active ransomware group in the second half of 2024, absorbing affiliates from the disrupted LockBit and ALPHV operations. By August 2024, the group had claimed over 210 victims, prompting a joint CISA/FBI advisory. RansomHub operates a RaaS model and its malware has been adopted by other threat actors including Scattered Spider.
Clop: Responsible for large-scale exploitation campaigns against managed file transfer products, including Accellion FTA (late 2020 to early 2021), GoAnywhere MFT (early 2023) and MOVEit Transfer (mid-2023), the last of which affected more than 2,500 organizations. Clop frequently uses a data-exfiltration-first model, in some campaigns skipping encryption entirely and relying purely on the threat of data publication. Currently active.
Black Basta: An enterprise-focused ransomware group active since April 2022, associated with the use of QakBot for initial access and delivery. Known for targeting critical infrastructure and using fast double-extortion operations. CISA and FBI have issued advisories on Black Basta activity.
Play: Active since mid-2022, Play has targeted critical infrastructure sectors in the US, Canada, and Europe. CISA and the FBI issued an advisory in December 2023, updated in 2025, noting that Play operates as a closed group rather than a RaaS and has compromised hundreds of organizations.
Ryuk: Known for high-impact campaigns against hospitals and municipalities from 2018 to 2022, Ryuk used manual lateral movement and targeted large organizations capable of paying large ransoms. Ryuk is widely considered to have evolved into or merged with Conti-affiliated operations.
WannaCry: A worm-ransomware hybrid that caused a global outbreak in May 2017, exploiting the EternalBlue vulnerability in Windows SMB. WannaCry infected over 200,000 systems in 150 countries within days, including large portions of the UK National Health Service. The attack highlighted the consequences of unpatched vulnerabilities at scale. WannaCry is no longer a primary threat vector but the underlying lesson remains: known vulnerability exploitation is still among the top two initial access methods today.
Conti: An affiliate-driven RaaS franchise that operated from 2020 to 2022, known for rapid encryption and a prolific dedicated leak site. Conti disbanded following a major internal data leak in 2022. Former Conti members are widely believed to have migrated into successor groups including Black Basta and Royal.
Notable ransomware incidents
The following cases illustrate the real-world consequences of ransomware attacks and the defensive lessons each produced. All details are sourced from official company disclosures, government announcements, or established news sources.
Colonial Pipeline (May 2021)
Group: DarkSide. Method: stolen credential used to access a legacy VPN account that lacked multi-factor authentication (confirmed by Colonial Pipeline CEO Joseph Blount in Senate testimony). The attack shut down the largest refined products pipeline in the US for six days, disrupting fuel supply across 17 Eastern states and prompting a federal emergency declaration. Colonial paid $4.4 million in Bitcoin; the US Department of Justice later recovered approximately $2.3 million. DarkSide ceased operations shortly afterward under law enforcement pressure.
Defensive lesson: disable or secure all remote access accounts with MFA. Legacy VPN profiles that are no longer in active use but remain enabled present a low-visibility, high-value entry point.
MGM Resorts (September 2023)
Groups: Scattered Spider and ALPHV/BlackCat. Method: Scattered Spider used a phone-based social engineering attack (vishing) to impersonate an MGM employee and convince the IT help desk to reset credentials. Access was obtained in a reported ten-minute call. ALPHV then deployed ransomware against more than 100 ESXi hypervisors in MGM's environment. MGM refused to pay the ransom. The disruption affected slot machines, digital room keys, reservation systems, and ATMs across more than 30 properties. MGM disclosed an estimated $100 million negative impact on Q3 2023 adjusted earnings in an SEC 8-K filing. [INTERNAL LINK: social engineering]
Defensive lesson: IT help desk identity verification is a high-value attack surface. Social engineering attacks that bypass technical controls can be stopped by strict callback procedures, out-of-band verification, and role-based authentication requirements before credentials are reset.
Change Healthcare (February 2024)
Group: ALPHV/BlackCat. Method: attackers accessed Change Healthcare systems through a Citrix remote access portal that was not protected by multi-factor authentication, as confirmed by UnitedHealth Group CEO Andrew Witty in Senate testimony (May 2024). The attack disrupted healthcare payment processing across the US for weeks. UnitedHealth paid approximately $22 million in Bitcoin to ALPHV. ALPHV then conducted an exit scam, disappeared without paying the affiliate who conducted the attack, and the affiliate subsequently moved the stolen data to RansomHub, which demanded additional payment. In January 2025, UnitedHealth confirmed 190 million Americans were affected, making this the largest healthcare data breach in US history. UnitedHealth Group reported total costs from the attack of more than $3 billion for 2024.
Defensive lesson: paying a ransom does not guarantee data deletion or prevent further extortion, particularly in RaaS operations where the operator and affiliate may have a fractured relationship. External-facing systems must enforce MFA without exception.
Stopping the attack: detection and incident response
Detection signals
The key to minimizing damage is identifying ransomware activity before encryption begins. Ransomware deployments rarely happen immediately after initial access. Attackers typically spend days or weeks in an environment before triggering encryption, which creates detection opportunities at multiple stages.
High-priority signals to monitor:
• Presence of offensive or dual-use tools, such as Cobalt Strike and Mimikatz, or remote-access utilities such as AnyDesk, in environments where they have no authorized purpose. Cobalt Strike and Mimikatz indicate post-compromise staging, credential harvesting and lateral movement; unsanctioned remote-access software is commonly installed by operators as a fallback channel that survives the loss of their initial foothold. [INTERNAL LINK: ClickFix]
• Volume shadow copy deletion commands (vssadmin delete shadows, wmic shadowcopy delete). This is a near-universal pre-encryption step because it removes the easiest recovery path.
• Rapid, high-volume file modification or rename events across shared drives or file servers, particularly involving extensions being appended to existing files.
• Attempts to disable or uninstall endpoint protection software or backup agents. Ransomware operators frequently target security tooling before deploying the final payload.
• Lateral movement using PsExec, WMI, or RDP in environments where this is not standard administrative practice.
• Outbound connections to unexpected external infrastructure or Tor exit nodes, which may indicate command-and-control communication or data exfiltration in progress.
• Precursor malware detections: QakBot, Bumblebee, and Emotet have historically served as delivery mechanisms for ransomware deployments. Detecting these infections should trigger escalated investigation, not just routine remediation.
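The signals above are straightforward to turn into detection logic. The following is an added example, not code from the original article or from any product it names: it flags shadow-copy deletion, endpoint-protection tampering and lateral-movement tooling in process-creation events, and detects the file-rename burst that accompanies encryption in progress. The log lines are constructed to resemble Windows event 4688 / Sysmon event 1 records and a file-server audit trail flattened to one JSON object per line; the field names (ts, host, user, image, cmdline, op, path, new_path) are assumptions for this example, not a real product's schema.

```python
"""Flag pre-encryption ransomware activity in process-creation and file-audit logs.

Added example. Field names and sample events are constructed for illustration.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Signal: shadow-copy deletion and other destruction of the easy recovery path.
RECOVERY_TAMPER = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"Win32_ShadowCopy.*Remove-WmiObject", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+", re.I),
    re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.I),
]
# Signal: disabling endpoint protection before the payload runs.
DEFENCE_TAMPER = [
    re.compile(r"Set-MpPreference.*-DisableRealtimeMonitoring\s+\$?true", re.I),
    re.compile(r"sc(\.exe)?\s+(stop|delete)\s+\S*(defend|sense|backup)", re.I),
]
# Signal: lateral-movement tooling where it is not routine administration.
LATERAL_TOOL_IMAGES = {"psexec.exe", "psexec64.exe", "psexesvc.exe"}
LATERAL_CMDLINE = re.compile(r"wmic(\.exe)?\s+/node:", re.I)


def classify_process(event):
    """Return the alert labels raised by one process-creation event."""
    cmd = event.get("cmdline", "")
    image = event.get("image", "").rsplit("\\", 1)[-1].lower()
    alerts = []
    if any(p.search(cmd) for p in RECOVERY_TAMPER):
        alerts.append("shadow_copy_deletion")
    if any(p.search(cmd) for p in DEFENCE_TAMPER):
        alerts.append("defence_tampering")
    if image in LATERAL_TOOL_IMAGES or LATERAL_CMDLINE.search(cmd):
        alerts.append("lateral_movement_tool")
    return alerts


def analyse_process_log(text):
    """Parse one JSON event per line; return only the events that raised alerts."""
    flagged = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        alerts = classify_process(event)
        if alerts:
            flagged.append({"host": event["host"], "user": event["user"], "alerts": alerts})
    return flagged


def detect_rename_bursts(file_events, window_seconds=60, threshold=50):
    """Flag accounts that append a new extension to many files within a short window.

    report.xlsx -> report.xlsx.akira repeated across a share is the classic
    encryption-in-progress signature; ordinary renames change the name rather
    than add a suffix, so they are ignored.
    """
    per_actor = defaultdict(list)
    for ev in file_events:
        if ev.get("op") != "rename" or not ev["new_path"].startswith(ev["path"] + "."):
            continue
        ext = ev["new_path"][len(ev["path"]):]
        per_actor[(ev["host"], ev["user"])].append((datetime.fromisoformat(ev["ts"]), ext))
    bursts = []
    for (host, user), items in per_actor.items():
        items.sort()
        start, best, best_exts = 0, 0, set()
        for end, (t, _ext) in enumerate(items):  # sliding window over time
            while (t - items[start][0]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 > best:
                best = end - start + 1
                best_exts = {e for _, e in items[start:end + 1]}
        if best >= threshold:
            bursts.append({"host": host, "user": user, "count": best,
                           "extensions": sorted(best_exts)})
    return bursts


# Constructed sample telemetry (not real data).
SAMPLE_PROCESS_LOG = "\n".join(json.dumps(e) for e in [
    {"ts": "2024-06-01T02:14:03", "host": "FS01", "user": "CORP\\svc_backup",
     "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2024-06-01T02:14:05", "host": "FS01", "user": "CORP\\svc_backup",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell -nop -c Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"ts": "2024-06-01T02:14:09", "host": "WS17", "user": "CORP\\jdoe",
     "image": "C:\\Temp\\PsExec.exe",
     "cmdline": "PsExec.exe \\\\FS02 -s -d cmd /c C:\\Temp\\locker.exe"},
    {"ts": "2024-06-01T09:00:00", "host": "WS03", "user": "CORP\\asmith",
     "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "cmdline": "WINWORD.EXE /n budget.docx"},
])


def constructed_file_events():
    """60 suffix-appending renames in 45 s by one account, plus one benign rename."""
    base = datetime(2024, 6, 1, 2, 15, 0)
    events = [{"ts": (base + timedelta(seconds=0.75 * i)).isoformat(), "host": "FS01",
               "user": "CORP\\svc_backup", "op": "rename",
               "path": f"\\\\FS01\\Finance\\report_{i:03d}.xlsx",
               "new_path": f"\\\\FS01\\Finance\\report_{i:03d}.xlsx.akira"} for i in range(60)]
    events.append({"ts": "2024-06-01T09:05:00", "host": "WS03", "user": "CORP\\asmith",
                   "op": "rename", "path": "\\\\FS01\\Finance\\draft.docx",
                   "new_path": "\\\\FS01\\Finance\\final.docx"})
    return events


if __name__ == "__main__":
    for hit in analyse_process_log(SAMPLE_PROCESS_LOG):
        print("process alert:", hit)
    for burst in detect_rename_bursts(constructed_file_events()):
        print("rename burst:", burst)
```

The window and threshold in detect_rename_bursts are tuning knobs: a file server that legitimately batch-renames documents needs a higher threshold, while a workstation almost never appends the same new extension to dozens of files in a minute. Run the process rules against a baseline of your own administrative activity first, since PsExec and WMI are legitimate in some environments and noisy signals get ignored.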
Incident response steps
When ransomware is confirmed or suspected, speed and sequence matter. Decide up front whether volatile memory must be preserved for forensics; that decision determines whether affected hosts are isolated at the network layer or powered off.
1. Isolate: immediately disconnect affected systems from the network by pulling cables, disabling the switch port, or applying EDR network containment, and disable wireless interfaces where possible. Prefer isolation over shutdown: a powered-on host preserves volatile memory (running processes, injected code, in some cases encryption keys) that a power-off destroys. Shut down only if encryption is actively spreading and no other containment is available.
2. Snapshot: in cloud or virtualized environments, take snapshots of affected instances before isolation to preserve forensic state.
3. Triage: identify which systems are encrypted versus still clean using your asset inventory. Prioritize by business criticality when determining restoration sequence.
4. Verify backups: before restoring, confirm backup integrity. If backups were connected to the network during the attack window, they may have been targeted. Do not restore from a backup that cannot be confirmed as clean.
5. Contain communications: restrict distribution of the ransom note to the incident response team. Broad internal distribution can cause panic and may accelerate premature payment decisions.
6. Notify: report to CISA (cisa.gov/report), the local FBI field office, and IC3 (ic3.gov). Preserve evidence before beginning remediation. Contact your cyber insurance carrier before authorizing any payment, as coverage terms and payment obligations vary.
7. Restore: rebuild from clean images using approved baseline configurations. Confirm that the initial access vector is closed before restoring any system. Do not reimage without first patching the exploited entry point.
For double extortion victims: even after full technical recovery, the data leak component requires separate attention. Paying the ransom does not guarantee stolen data is deleted, and a second extortion demand from a different actor is possible, as the Change Healthcare case illustrates.
Proactive defense: prevention strategies and best practices
Technical controls
Block the primary initial access vectors. Email filtering, phishing-resistant multi-factor authentication (MFA) on all external-facing systems, and a patching program that prioritizes internet-facing and remote-access infrastructure are the three highest-return defensive investments. The 2025 DBIR confirmed that 34% of perimeter device vulnerabilities were not fully remediated within a year. Edge devices and VPN appliances require particular attention as ransomware operators increasingly target them for initial access.
Data protection
The most critical recovery control is maintaining isolated, immutable, and tested backups. Backups connected to the production network during an attack can be targeted by ransomware. Backup integrity must be verified through regular restoration tests. Critically, backups address the encryption component of a ransomware attack but do not resolve the data theft component in double or triple extortion scenarios. Attackers who have already exfiltrated data can still threaten to publish it regardless of whether the victim restores from backup.
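The "verify backups before restoring" step of the incident response procedure above and the isolated, tested backups described in this section both depend on being able to prove that a backup set is unchanged since it was written. The following is an added example, not code from the original article or from any product it names, of one way to do that: at backup time a manifest of SHA-256 digests is written and authenticated with an HMAC key that lives only on the isolated backup host (simulated in memory here); before a restore, the manifest signature is checked and every file is re-hashed, so missing, modified and unexpected files (such as an encrypted file with a ransomware extension appended) are reported instead of being silently restored. The directory layout, file contents and the "customers.sql.locked" extension are constructed for the demonstration.

```python
"""Verify a backup set against an offline-signed manifest before restoring from it.

Added example; the backup layout, key handling and attack simulation are constructed.
"""
import hashlib
import hmac
import json
import os
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def list_files(backup_dir):
    """Relative paths of every file under backup_dir, with '/' separators."""
    rels = []
    for root, _, files in os.walk(backup_dir):
        for name in files:
            rel = os.path.relpath(os.path.join(root, name), backup_dir)
            rels.append(rel.replace(os.sep, "/"))
    return rels


def sign(entries, key):
    """HMAC over the canonical JSON form of the digest table."""
    body = json.dumps(entries, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def build_manifest(backup_dir, key):
    """Run at backup time on the isolated host: digest every file and sign the table."""
    entries = {rel: sha256_file(os.path.join(backup_dir, rel)) for rel in list_files(backup_dir)}
    return {"entries": entries, "sig": sign(entries, key)}


def verify_backup(backup_dir, manifest, key):
    """Run before restore. Returns a trusted flag, a reason, and (kind, path) problems."""
    if not hmac.compare_digest(sign(manifest["entries"], key), manifest["sig"]):
        # An attacker who rewrote files and re-hashed them still cannot forge this.
        return {"trusted": False, "reason": "manifest signature mismatch", "problems": []}
    present = set(list_files(backup_dir))
    problems = []
    for rel, digest in manifest["entries"].items():
        if rel not in present:
            problems.append(("missing", rel))
        elif sha256_file(os.path.join(backup_dir, rel)) != digest:
            problems.append(("modified", rel))
    for rel in sorted(present - set(manifest["entries"])):
        problems.append(("unexpected", rel))
    return {"trusted": not problems,
            "reason": None if not problems else "content does not match manifest",
            "problems": problems}


def _write(backup_dir, rel, data):
    full = os.path.join(backup_dir, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo():
    """Constructed scenario: clean check, then a simulated encryption run, then a forged manifest."""
    key = os.urandom(32)  # stands in for a key kept only on the isolated backup host
    with tempfile.TemporaryDirectory() as backup_dir:
        _write(backup_dir, "db/customers.sql", b"INSERT INTO customers VALUES (1, 'acme');\n")
        _write(backup_dir, "docs/policy.pdf", b"%PDF-1.7 constructed sample\n")
        _write(backup_dir, "config/app.yaml", b"db_host: db01\n")
        manifest = build_manifest(backup_dir, key)
        clean = verify_backup(backup_dir, manifest, key)

        # Ransomware reached the share: one file encrypted and renamed, one damaged in place.
        os.remove(os.path.join(backup_dir, "db", "customers.sql"))
        _write(backup_dir, "db/customers.sql.locked", os.urandom(64))
        _write(backup_dir, "docs/policy.pdf", b"%PDF-1.7 constructed sample\n" + b"\x00" * 16)
        attacked = verify_backup(backup_dir, manifest, key)

        # The attacker also rewrites the manifest to match the new contents, but lacks the key.
        forged = {"entries": {rel: sha256_file(os.path.join(backup_dir, rel))
                              for rel in list_files(backup_dir)},
                  "sig": manifest["sig"]}
        forged_result = verify_backup(backup_dir, forged, key)
    return clean, attacked, forged_result


if __name__ == "__main__":
    for label, result in zip(("clean", "after attack", "forged manifest"), demo()):
        print(f"{label}: trusted={result['trusted']} reason={result['reason']} "
              f"problems={result['problems']}")
```

The point of the HMAC is that an attacker with write access to the backup share can replace files and even recompute their hashes, but cannot produce a valid signature without the key held on the isolated host; a manifest stored only alongside the backups, unsigned, would be rewritten along with them. In production the manifest and key would live on the immutable or offline tier, and the check would be part of every scheduled restore test, not just run during an incident.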
Policy
Law enforcement agencies including CISA and the FBI strongly discourage ransom payments. Payments fund criminal operations, mark paying organizations as higher-value targets for repeat attacks, and do not guarantee data recovery or deletion. Organizations should establish clear guidance on this before an incident occurs. Any payment must also be reviewed by legal counsel, as payments to sanctioned entities may violate US Treasury OFAC regulations.
Layered defense: how Acronis Cyber Protect Cloud helps
Acronis Cyber Protect Cloud delivers integrated ransomware defense through a single agent and management console. The following capabilities are based on published product documentation.
• AI/ML-based behavioral detection: the platform uses behavior-based detection engines, AI- and ML-trained detections, and anti-ransomware heuristics to identify and block encryption attempts in real time, including against previously unseen strains. This capability is included in the standard Acronis Cyber Protect Cloud offering.
• Anti-malware with active protection: combines signature-based and behavior-based detection with memory protection and exploit prevention to stop known and emerging threats. The platform scans backup images for malware to reduce the risk of restoring infected data.
• Automatic ransomware rollback: when encryption activity is detected, the platform can automatically roll back affected files to their pre-attack state without manual intervention. This capability is included in the standard offering.
• Self-defense technology: the Acronis agent and backup storage are protected by self-defense mechanisms designed to prevent ransomware from disabling the protection software before executing its payload.
• Vulnerability assessment: the standard Acronis Cyber Protect Cloud offering includes vulnerability assessment capabilities that identify unpatched or outdated software across managed endpoints. Patch management automation is available as part of the Advanced Management add-on and is not included in the standard offering.
• Advanced Security add-on (EDR/XDR): full endpoint detection and response capabilities, including attack chain visualization and extended detection across Microsoft 365, are available as an Advanced Security add-on.
Ransomware FAQ: General understanding and executive concerns
What is malware, and how does ransomware differ from other malicious software?
Malware refers to any software created to disrupt systems, steal information or gain unauthorized access. Ransomware is a specific type of malware that encrypts files and blocks access to data until a ransom is paid. Modern attacks often involve double extortion, where attackers steal data before encryption and later threaten to publish it if the victim does not pay. This combination of disruption and data exposure creates significant risk for security, IT and compliance groups.
What impact can a ransomware or data extortion incident have on an organization?
A successful attack can prevent access to the systems and data needed to deliver mission-critical services. Recovery may take days or weeks, which leads to financial losses, operational downtime, customer dissatisfaction, reputational damage and regulatory challenges. The effects often continue long after technical recovery is complete.
What trends in adversary behavior should organizations be prepared to defend against?
Ransomware operators increasingly behave like structured and well-resourced businesses. They use automation, AI-generated phishing content and realistic social engineering to improve their success rates. Some attacks progress extremely quickly, with intrusion to lateral movement occurring in under a minute. Many incidents also rely on legitimate tools and stolen credentials, making detection more difficult.
How does good cyber hygiene reduce ransomware risk?
Strong cyber hygiene reduces exposure to common attack paths. Practices such as timely patching, strong authentication, removal of unnecessary services and reliable automated backups help protect critical assets. These basics significantly reduce the effectiveness of credential theft and exploitation of unpatched vulnerabilities.
Ransomware FAQ: Preparation, prevention and mitigation
What is the most important step an organization can take to prepare for a ransomware incident?
Maintaining encrypted, offline or immutable, and regularly tested backups is essential for recovery. Because ransomware often targets connected backups, isolating backup copies is critical. Regular restore testing ensures that data can actually be recovered within the required time, and keeping a copy with a second provider or location protects against the loss of a single platform or account.
How should organizations manage access control to reduce the risk of compromise and lateral movement?
Zero trust principles provide strong protection by requiring authentication and validation for every access request. Users should receive only the access needed for their role. Phishing-resistant MFA should be enforced on email, VPNs, privileged accounts and any system that supports sensitive or critical operations.
What are the best practices for securing remote access services such as RDP and VPN?
Organizations should limit RDP usage and enforce MFA for all remote access. Unused RDP ports should be closed, login attempts should be monitored and lockout policies should be enabled. VPN appliances and other network infrastructure must be patched promptly because outdated or misconfigured devices are frequently exploited.
How can organizations protect against ransomware delivered through phishing or social engineering?
Effective defense combines training with technical controls. Employees should be trained to identify suspicious messages, while email gateways should filter malicious content. Blocking dangerous attachment types, disabling untrusted macros, and enforcing DMARC policies help reduce spoofing and credential theft.
Why is third-party and MSP risk important in ransomware prevention?
Many ransomware incidents originate from compromised service providers or vendors. Organizations should verify the security practices of third parties, apply least privilege and separation of duties for their access, and include clear security requirements in contracts. This is especially important when MSPs handle backups or manage critical infrastructure.
Ransomware FAQ: Detection, analysis and incident response
What are the first steps to take when a ransomware incident is detected?
Teams should activate the incident response plan immediately. They should identify and isolate affected systems to stop the spread. Cloud environments should have snapshots created to preserve evidence. Recovery should begin with the systems identified as most critical in the organization’s asset inventory.
How can organizations improve detection of sophisticated ransomware threats?
Centralized logging through a SIEM improves visibility and helps correlate suspicious activity. Teams should watch for signs of precursor malware such as QakBot, Bumblebee or Emotet, which often precede ransomware deployment. EDR tools and application allowlisting increase the likelihood of detecting unauthorized activity before encryption begins.
What threat-hunting activities are most important during an active incident?
Threat hunters should look for abnormal account creation or privilege escalation in Active Directory, unusual VPN login activity, and attempts to interfere with backups. They should also check for unauthorized penetration testing tools such as Cobalt Strike or misuse of remote management utilities, since attackers often use these for persistence.
What does full recovery and eradication require after containment?
Recovery should involve rebuilding affected systems with approved standard images or infrastructure-as-code templates. Credentials must be reset, vulnerabilities patched, and restored data validated to avoid reinfection. Once recovery is complete, lessons learned should be documented to strengthen future controls and response processes.
Who should organizations report ransomware incidents to?
Organizations should follow regulatory guidance and report incidents to CISA, the local FBI field office, IC3 or the United States Secret Service. They should also notify internal leadership, managed security service providers, cyber insurance partners and any other stakeholders identified in the communication plan.