Ransomware
Type: Malicious software / extortion tool
Primary vectors: Phishing, RDP exploitation, software vulnerabilities, supply-chain compromise
Key Facts
- Encrypts victim files or locks systems; decryption key released upon payment (typically cryptocurrency)
- Ransomware-as-a-Service (RaaS) model: developers lease ransomware to affiliates who conduct attacks; affiliates receive 70–80% of ransom
- Dark web infrastructure: leak sites (“double extortion”) publish stolen data to pressure payment; negotiations via .onion addresses
- Major threat actors: LockBit (disrupted Feb 2024 Operation Cronos), BlackCat/ALPHV, Cl0p, Royal, Black Basta
- State nexus: North Korean Lazarus Group uses ransomware for revenue generation; Russian GRU/FSB tolerate/use ransomware-adjacent actors
Strategic Significance
- Primary dark-web-era revenue model for organized cybercrime
- Critical infrastructure targeting (hospitals, pipelines — Colonial Pipeline 2021, Change Healthcare 2024) has elevated to national security concern
- Estimated global annual losses: $30B+ (Cybersecurity Ventures 2023)
Key Connections
- Tor Network — ransomware C2 infrastructure and leak sites predominantly operate via Tor hidden services; .onion addresses are the standard negotiation channel
- Dark Web Methodology — dark web collection covers Tor-based leak site monitoring for ransomware victim tracking and group attribution
- Cyber Threat Intelligence — ransomware group tracking is a primary CTI use case; threat feed analysis drives attribution and proactive defense posture
- DPRK Cyber Warfare — Revenue, Espionage, and Geopolitical Weaponization — DPRK Lazarus Group ransomware operations (WannaCry, hospital targeting, crypto theft) are the primary state-nexus ransomware model
- Spearphishing — spearphishing is the most common initial access vector for ransomware delivery; RDP exploitation is second
- Cyberspace Operations — state-tolerant/state-nexus ransomware actors blur the line between cybercrime and state-directed cyberspace operations
Sources
- FBI Internet Crime Complaint Center (IC3). Internet Crime Report (annual). Fact, High — primary US government ransomware victim reporting dataset.
- CISA. StopRansomware advisories (cisa.gov/stopransomware, ongoing). Fact, High — primary technical indicators and actor attribution for major ransomware groups.
- Verizon. Data Breach Investigations Report (annual). Fact, High — empirical dataset on ransomware initial access vectors and victim sector distribution.
- Mandiant (Google Cloud). M-Trends (annual). Assessment, High — threat intelligence on state-nexus ransomware actors including DPRK Lazarus and Russia-tolerant criminal ecosystem.