Ransomware

Type: Malicious software / extortion tool
Primary vectors: Phishing, RDP exploitation, software vulnerabilities, supply-chain compromise

Key Facts

  • Encrypts victim files or locks systems; decryption key released upon payment (typically cryptocurrency)
  • Ransomware-as-a-Service (RaaS) model: developers lease ransomware to affiliates who conduct attacks; affiliates receive 70–80% of ransom
  • Dark web infrastructure: leak sites (“double extortion”) publish stolen data to pressure payment; negotiations via .onion addresses
  • Major threat actors: LockBit (disrupted Feb 2024 Operation Cronos), BlackCat/ALPHV, Cl0p, Royal, Black Basta
  • State nexus: North Korean Lazarus Group uses ransomware for revenue generation; Russian GRU/FSB tolerate/use ransomware-adjacent actors

Strategic Significance

  • Primary dark-web-era revenue model for organized cybercrime
  • Critical infrastructure targeting (hospitals, pipelines — Colonial Pipeline 2021, Change Healthcare 2024) has elevated to national security concern
  • Estimated global annual losses: $30B+ (Cybersecurity Ventures 2023)

Key Connections

  • Tor Network — ransomware C2 infrastructure and leak sites predominantly operate via Tor hidden services; .onion addresses are the standard negotiation channel
  • Dark Web Methodology — dark web collection covers Tor-based leak site monitoring for ransomware victim tracking and group attribution
  • Cyber Threat Intelligence — ransomware group tracking is a primary CTI use case; threat feed analysis drives attribution and proactive defense posture
  • DPRK Cyber Warfare — Revenue, Espionage, and Geopolitical Weaponization — DPRK Lazarus Group ransomware operations (WannaCry, hospital targeting, crypto theft) are the primary state-nexus ransomware model
  • Spearphishing — spearphishing is the most common initial access vector for ransomware delivery; RDP exploitation is second
  • Cyberspace Operations — state-tolerant/state-nexus ransomware actors blur the line between cybercrime and state-directed cyberspace operations

Sources

  • FBI Internet Crime Complaint Center (IC3). Internet Crime Report (annual). Fact, High — primary US government ransomware victim reporting dataset.
  • CISA. StopRansomware advisories (cisa.gov/stopransomware, ongoing). Fact, High — primary technical indicators and actor attribution for major ransomware groups.
  • Verizon. Data Breach Investigations Report (annual). Fact, High — empirical dataset on ransomware initial access vectors and victim sector distribution.
  • Mandiant (Google Cloud). M-Trends (annual). Assessment, High — threat intelligence on state-nexus ransomware actors including DPRK Lazarus and Russia-tolerant criminal ecosystem.