Ransomware
Ransomware is malware that encrypts a victim’s data or locks their systems and demands a ransom to unlock them. It is one of the most costly cyber threats worldwide.
Ransomware is a category of malicious software (malware) designed to encrypt files or entire systems and then demand a ransom for the decryption key. Modern ransomware groups operate with professional corporate structures, support teams, and even service level agreements (SLAs) guaranteeing decryption upon payment.
History
1989 - AIDS Trojan (PC Cyborg): The first documented ransomware, spread via floppy disk at AIDS research conferences. It scrambled filenames and demanded that $189 be sent to a post office box in Panama.
2013 - CryptoLocker: The beginning of the modern ransomware era. CryptoLocker was the first to combine strong RSA-2048 encryption with Bitcoin for anonymous payments. Within a few months, several million dollars were extorted.
2017 - WannaCry: The most devastating global ransomware attack to date. WannaCry used the leaked NSA exploit EternalBlue against the SMB vulnerability CVE-2017-0144 and infected over 200,000 systems in 150 countries within hours, among them the UK's NHS and Deutsche Bahn.
2017 - NotPetya: Disguised as ransomware, but technically a wiper (sabotage). NotPetya caused an estimated $10 billion in damages, the most expensive cyberattack in history.
2019–present - Ransomware-as-a-Service (RaaS): Professionalization of the business model. Developers (core teams) provide their ransomware platform to affiliates, who carry out the actual attacks and pay a share (typically 20–30%) of the ransom proceeds back to the developers.
Technical Process of a Ransomware Attack
Step 1: Initial Access
Most common entry points:
- Phishing emails with malware attachments or links to drive-by downloads
- Exploitation of internet-facing services: exposed RDP (port 3389), VPN gateways with known vulnerabilities
- Compromised credentials: Purchased or leaked credentials for VPNs and remote access systems
- Supply chain compromise: Attacks via software updates (as in the SolarWinds case)
Step 2: Persistence and Privilege Escalation
After gaining initial access, attackers establish persistent backdoors and escalate their privileges to the domain administrator level. This typically occurs via:
- Abuse of Active Directory credential weaknesses (Pass-the-Hash, Kerberoasting)
- Misuse of legitimate tools (LOLBins: PowerShell, WMI, PsExec)
- Lateral movement: spreading to other systems on the network
Step 3: Discovery and Exfiltration (Double Extortion)
Modern ransomware groups exfiltrate sensitive data before encryption. This enables double extortion: payment for the decryption key AND for the non-publication of the data.
Step 4: Impact - Encryption
Encryption uses modern hybrid schemes: AES-256 for the file contents, with the AES keys in turn protected by RSA-2048/4096 so that only the attacker's private key can recover them. Targets are carefully selected:
- Shadow copies and backups are specifically deleted
- Domain controllers are encrypted last (maximum impact)
- High-value file types (databases, email archives, CAD files) are prioritized
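The two attack steps above leave characteristic traces in Windows event logs. As an added example that is not code from the original article, the following Python rule set flags both patterns over a batch of constructed event records: Kerberoasting (Step 2) appears as Security Event ID 4769 service-ticket requests with RC4 encryption (TicketEncryptionType 0x17), typically many of them from one account in a short time; shadow copy and recovery tampering (Step 4) appears as process creation (Security 4688 or Sysmon Event ID 1) with command lines such as "vssadmin delete shadows" (MITRE ATT&CK T1490). The events, account names and service names are constructed for this example, the threshold of three distinct services is an assumed tuning value, and the code assumes both log channels have been normalised into one dict shape with the standard Windows field names.

```python
# Added example, not code from the original article: detection pass over
# constructed Windows event records for Step 2 (Kerberoasting) and Step 4
# (shadow copy deletion). Field names follow the Windows event schema; the
# dict shape is an assumed normalisation of the Security and Sysmon channels.
import re
from collections import defaultdict

# Command lines that remove or disable recovery points (ATT&CK T1490).
# Case-insensitive; the optional ".exe" covers "vssadmin" and "vssadmin.exe".
INHIBIT_RECOVERY = [
    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
    re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\b\s+no\b", re.I),
    re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b", re.I),
]

RC4_HMAC = "0x17"  # TicketEncryptionType value for RC4-HMAC in Event ID 4769


def recovery_tampering(event):
    """Return the command line if a process-creation event (Security 4688 or
    Sysmon 1) deletes or disables recovery points, else None."""
    if event.get("EventID") not in (4688, 1):
        return None
    cmd = event.get("CommandLine", "")
    return cmd if any(p.search(cmd) for p in INHIBIT_RECOVERY) else None


def rc4_service_ticket(event):
    """Return (requesting account, service) for a 4769 with RC4 encryption
    against a real service account, else None. krbtgt and machine accounts
    (names ending in '$') are excluded: they are not Kerberoasting targets."""
    if event.get("EventID") != 4769:
        return None
    if event.get("TicketEncryptionType", "").lower() != RC4_HMAC:
        return None
    service = event.get("ServiceName", "")
    if service.lower() == "krbtgt" or service.endswith("$"):
        return None
    return event.get("TargetUserName", "?"), service


def kerberoast_candidates(events, threshold=3):
    """Accounts that requested RC4 tickets for at least `threshold` distinct
    services in this batch: bulk SPN requests are the typical Kerberoasting
    pattern, while a single RC4 ticket is often just a legacy service."""
    services_by_account = defaultdict(set)
    for ev in events:
        hit = rc4_service_ticket(ev)
        if hit:
            account, service = hit
            services_by_account[account].add(service)
    return {acct: sorted(svcs) for acct, svcs in services_by_account.items()
            if len(svcs) >= threshold}


def run_detections(events, threshold=3):
    """Return a list of (rule, detail) findings over a batch of events."""
    findings = []
    for ev in events:
        cmd = recovery_tampering(ev)
        if cmd:
            findings.append(("inhibit-system-recovery", cmd))
    for account, services in kerberoast_candidates(events, threshold).items():
        findings.append(("kerberoasting", f"{account} -> {', '.join(services)}"))
    return findings


# Constructed sample batch: one benign AES ticket request (0x12), three RC4
# requests from the same user for different service accounts, an RC4 request
# for krbtgt, a benign process start, and a shadow copy deletion.
SAMPLE_EVENTS = [
    {"EventID": 4769, "TargetUserName": "jdoe", "ServiceName": "svc-sql", "TicketEncryptionType": "0x12"},
    {"EventID": 4769, "TargetUserName": "jdoe", "ServiceName": "svc-sql", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "TargetUserName": "jdoe", "ServiceName": "svc-web", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "TargetUserName": "jdoe", "ServiceName": "svc-backup", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "TargetUserName": "jdoe", "ServiceName": "krbtgt", "TicketEncryptionType": "0x17"},
    {"EventID": 4688, "CommandLine": "C:\\Windows\\System32\\notepad.exe report.txt"},
    {"EventID": 4688, "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
]

if __name__ == "__main__":
    for rule, detail in run_detections(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

Run against the sample batch this reports exactly two findings: the shadow copy deletion and the user jdoe requesting RC4 tickets for three service accounts. In a real deployment the threshold would be applied per time window rather than per batch, and the recovery-tampering rule belongs on an alert path that pages immediately, because it usually fires minutes before mass encryption starts.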
Ransomware-as-a-Service (RaaS)
The RaaS model has democratized ransomware: technically less skilled attackers (affiliates) can rent professional malware and use shared infrastructure for payment processing, negotiations, and decryption.
Notable RaaS groups (historical):
- LockBit (2019–2024): Largest known ransomware group, up to 1,000 victims per month
- BlackCat/ALPHV (2021–2024): First major group with Go-based, cross-platform ransomware
- Cl0p (2019–present): Known for exploiting zero-days in MOVEit and GoAnywhere
- REvil/Sodinokibi (2019–2021): Responsible for the Kaseya attack ($70 million ransom demanded)
Protective Measures
Technical
- Offline backups (3-2-1 rule): 3 copies, on 2 different media types, 1 of them offsite, plus regular restore testing
- Network segmentation: Microsegmentation prevents lateral movement
- Patch management: Critical CVEs must be patched within 72 hours
- MFA on all remote access: Compromised credentials alone are then insufficient
- Privilege minimization: No standard user requires domain administrator rights
- EDR/XDR solutions: Endpoint Detection and Response for behavioral analysis
- Email filtering: Anti-phishing, DMARC/DKIM/SPF enforcement
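"DMARC/DKIM/SPF enforcement" in the bullet above means more than having the records published: a DMARC record with p=none or a partial pct, or an SPF record ending in ~all or +all, still lets spoofed mail through. As an added example that is not code from the original article, the following Python checker parses a DMARC TXT record and an SPF TXT record and reports the settings that leave a domain spoofable. Both records are passed in as strings so the code runs offline; in practice you would fetch them with a DNS TXT query for _dmarc.<domain> and for <domain>. DKIM is deliberately out of scope, since verifying it needs a signed message and the selector's public key. The sample records and the example.com/example.net names are constructed for this example.

```python
# Added example, not code from the original article: offline checker for
# DMARC and SPF enforcement settings. Records are supplied as strings; the
# sample records below are constructed.
import re


def parse_dmarc(record):
    """Parse 'v=DMARC1; p=reject; rua=...' into a dict of tag -> value."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_findings(record):
    """List the DMARC settings that weaken enforcement; empty means fully enforcing."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["no valid DMARC record (missing v=DMARC1)"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none: spoofed mail is reported but still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail lands in spam instead of being rejected")
    elif policy != "reject":
        findings.append(f"unknown or missing policy tag p={policy!r}")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    sub_policy = tags.get("sp")  # subdomain policy inherits p when absent
    if sub_policy and policy == "reject" and sub_policy.lower() != "reject":
        findings.append(f"sp={sub_policy}: subdomains are not rejected")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports will not be received")
    return findings


# Mechanisms and modifiers that cost a DNS lookup (RFC 7208 caps these at 10).
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|exists:|redirect=|(a|mx)(:|/|$))")


def spf_findings(record):
    """List the SPF settings that weaken enforcement; empty means fully enforcing."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["no valid SPF record (missing v=spf1)"]
    findings = []
    mechanisms = [t.lower() for t in terms[1:]]
    last = mechanisms[-1] if mechanisms else ""
    if last in ("+all", "all"):
        findings.append("+all: every sender passes SPF")
    elif last == "?all":
        findings.append("?all: neutral result, SPF gives no protection")
    elif last == "~all":
        findings.append("~all: softfail only; rely on DMARC to enforce")
    elif last != "-all":
        findings.append("no terminal 'all' mechanism; default result is neutral")
    lookups = sum(1 for m in mechanisms if LOOKUP_TERM.match(m))
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of 10 (permerror)")
    return findings


def assess_domain(dmarc_record, spf_record):
    """Combine both checks. A domain counts as enforcing only when DMARC is
    p=reject at pct=100; SPF softfail is tolerable under a reject policy."""
    tags = parse_dmarc(dmarc_record)
    enforcing = (tags.get("v", "").upper() == "DMARC1"
                 and tags.get("p", "").lower() == "reject"
                 and tags.get("pct", "100") == "100")
    return {"dmarc": dmarc_findings(dmarc_record),
            "spf": spf_findings(spf_record),
            "enforcing": enforcing}


# Constructed sample records: a monitoring-only setup beside a hardened one.
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc-reports@example.com"
WEAK_SPF = "v=spf1 include:_spf.example.net ~all"
STRONG_SPF = "v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all"

if __name__ == "__main__":
    for label, dmarc, spf in (("weak", WEAK_DMARC, WEAK_SPF), ("strong", STRONG_DMARC, STRONG_SPF)):
        print(label, assess_domain(dmarc, spf))
```

The weak pair is the state many organisations stop at after "setting up DMARC": reports arrive, but a phishing mail from the organisation's own domain is still delivered. Moving to p=reject is the step that actually blocks it, and the pct and sp tags are the two places where a nominally enforcing record is quietly weakened.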
Organizational
- Incident Response Plan: Documented in writing, practiced regularly (Tabletop Exercises)
- Security Awareness: Employee training and simulated phishing tests
- Crisis Management Team: Who decides whether to pay or not in an emergency?
Should you pay the ransom?
Official recommendation from BSI, BKA, and Europol: No. Reasons:
- Payment funds further criminal activities
- No guarantee of decryption (approx. 20% never receive working keys)
- Statistical probability of a follow-up attack increases
- Potential violation of OFAC sanctions if payment is made to listed groups
In practice, approx. 46% of affected organizations pay (Coveware 2024). The average ransom demand in 2024 was $2.73 million.
In the Event of an Attack: Immediate Actions
- Disconnect systems from the network – do not shut them down (preserve forensic evidence)
- Notify BSI/BKA (mandatory for KRITIS operators under NIS2)
- Activate the Incident Response Team (internal or external)
- Check backups – have they been compromised?
- Do not negotiate on your own – consult specialists
About the Author
M.Sc. in Internet Security (if(is), Westfälische Hochschule). COO and authorized officer (Prokurist) with expertise in information security consulting and security awareness. Junior professor of cyber security at FOM Hochschule, CISO lecturer at isits AG, and doctoral candidate at the Graduierteninstitut NRW.