The mechanism, briefly
A ransomware payload, once running with enough privilege, walks every reachable filesystem (local disks and any mounted network shares) and encrypts each file with a fresh symmetric key (AES-256). It then encrypts that symmetric key with an asymmetric public key it carries. The private half lives only with the attacker. Without the private key, recovery is computationally infeasible, provided the implementation is sound; the free decryptors that do exist have come from implementation mistakes (weak random number generation, keys left on disk or in memory, keys reused across victims), not from breaking the cryptography.
1. Generate fresh AES-256 key K for each file (or batch).
2. Encrypt the file's bytes with K, prepend a marker, write back.
3. Encrypt K with the attacker's RSA-2048 public key (or wrap it with an elliptic-curve scheme such as Curve25519), store the result alongside the file.
4. Wipe K from memory.
To decrypt: the attacker uses their RSA private key to recover K and hands it to you, usually bundled into a decryptor tool, in exchange for payment. Without the private key, brute-forcing AES-256 is the same problem as brute-forcing AES-256 anywhere else: not happening.
The genius of this design (it goes back to Adam Young and Moti Yung's 1996 paper on "cryptovirology") is that the attacker can ship the public key inside the malware without weakening the scheme: the key is public by definition, so capturing and reversing the sample reveals nothing useful. Every victim could be encrypted with the same public key and only the attacker could decrypt any of them; in practice operators generate a fresh key pair per victim, so a private key handed over after one payment does not unlock anyone else.
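The four steps above carried out on a single in-memory buffer, as an added example that is not code from the original page or from any ransomware family. It uses Go's standard library only: AES-256-GCM for the file body (authenticated encryption, so a wrong key fails loudly instead of producing garbage) and RSA-2048-OAEP to wrap the per-file key. The marker string, the Envelope layout, the key pair and the sample data are all constructed for the demonstration; there is no filesystem walking, only the envelope construction and the recovery path that needs the private key.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// marker is a made-up tag standing in for the header a payload prepends so it
// can recognise files it has already processed.
const marker = "DEMO-ENVELOPE-V1"

// Envelope is what would be written back in place of the plaintext.
type Envelope struct {
	Marker     string // step 2: prepended marker
	WrappedKey []byte // step 3: K under RSA-2048-OAEP with the carried public key
	Nonce      []byte // AES-GCM nonce, fresh per encryption
	Ciphertext []byte // step 2: AES-256-GCM output, authentication tag included
}

// Seal runs steps 1-4 on one buffer using only the public key.
func Seal(pub *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	// Step 1: fresh 256-bit key K for this file.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Step 2: encrypt the bytes. The marker is bound as associated data, so a
	// tampered header makes decryption fail rather than yield garbage.
	ct := gcm.Seal(nil, nonce, plaintext, []byte(marker))
	// Step 3: wrap K with the public key carried in the payload. Only the
	// matching private key, which never leaves the attacker, can unwrap it.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	// Step 4: wipe K. After this loop the only surviving copy is the wrapped one.
	for i := range key {
		key[i] = 0
	}
	return &Envelope{Marker: marker, WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Open is the recovery path: unwrap K with the private key, then decrypt.
// Without the right private key there is no shortcut to K.
func Open(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	if env.Marker != marker {
		return nil, errors.New("not an envelope produced by Seal")
	}
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("private key does not match: cannot unwrap the file key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, []byte(marker))
}

func main() {
	// Constructed sample: the key pair the operator would hold, and one "file".
	operatorKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	file := []byte("constructed sample: Q3 payroll export")
	env, err := Seal(&operatorKey.PublicKey, file)
	if err != nil {
		panic(err)
	}
	fmt.Printf("ciphertext %d bytes, wrapped key %d bytes\n", len(env.Ciphertext), len(env.WrappedKey))

	got, err := Open(operatorKey, env) // the private-key holder recovers the file
	fmt.Println("with the private key:", err == nil && bytes.Equal(got, file))

	otherKey, _ := rsa.GenerateKey(rand.Reader, 2048) // anyone else cannot
	_, err = Open(otherKey, env)
	fmt.Println("with a different key:", err)
}
```

Two things to notice when running it. A different private key fails at the unwrap, before AES is ever touched, which is exactly why the scheme can tolerate the public key being shipped to every victim. And the wipe in step 4 is the weakest link in a real deployment: the key is only as gone as the process memory, swap and RNG state that produced it, which is where memory forensics and flawed-implementation decryptors have historically found purchase.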
Why it took 20 years to become an industry
The crypto was solved in the 1990s. The reason ransomware didn't dominate then comes down to monetization. Three things had to align:
- A way to receive payment anonymously. Pre-Bitcoin attackers tried prepaid cards, Western Union, and MoneyPak codes. All were slow, traceable, capped at small amounts, and awkward for victims to use. Bitcoin (2009) made irreversible, pseudonymous, large-value payments routine; privacy coins such as Monero later closed much of the tracing gap that on-chain analysis still exploits.
- A way to reach victims at scale. Spray-and-pray email phishing, exploit kits in the 2010s, then loader-as-a-service in the late 2010s — each one made delivery cheaper.
- A way to put pressure on payment. Early ransomware just encrypted local files; victims with good backups restored and refused to pay. The 2019 arrival of double extortion (exfiltrate the data first, then threaten to publish it) meant backups no longer settled the question: you can restore operations, but you cannot un-leak the data. Triple extortion (calling the victim's customers, DDoSing the victim's site, harassing the victim's employees) followed.
By 2020 all three pillars were in place. Traced ransom payments went from ~$152M in 2019 to a peak of roughly $1.25B in 2023 (Chainalysis figures; the 2024 total fell as more victims declined to pay). That figure counts only ransom payments traced on-chain. Real losses, including downtime, incident-response and recovery costs, regulatory fines, and reputational impact, run an order of magnitude higher.
Ransomware-as-a-Service (RaaS) economics
The dominant business model since ~2019. The operator builds and maintains the ransomware itself (the encryptor binary, the leak site, the negotiation portal, the chat interface). The affiliates do the actual intrusions and choose the targets. The split is typically 70/30 in the affiliate's favor.
| Role | What they provide | Cut |
|---|---|---|
| Operator | Ransomware binary; data-leak site; negotiation infrastructure; brand & reputation that gets victims to pay. | ~20-30% |
| Affiliate (the "RaaS subscriber") | Initial access, lateral movement, deployment. Brings their own infostealer logs / phishing campaigns / VPN credentials purchased from access brokers. | ~70-80% |
| Initial Access Broker | Sells initial access (working VPN credentials, domain admin on a small business, a foothold in a major enterprise) to affiliates for flat fees ($500-$50K). | flat fee from affiliate |
| Negotiator (the victim's side) | Optional: specialized law firms / IR vendors that negotiate ransom amounts on behalf of victims. | flat or %-of-savings |
The professionalization matters because it means ransomware is structurally hard to kill. Take down an operator (LockBit, Hive, ALPHV/BlackCat have all had infrastructure seizures) and the affiliates simply migrate to whichever RaaS brand is still standing. The capability is distributed.
Watch an attack — from foothold to encryption
A composite attack drawn from real Conti/LockBit incident-response reports. Press Play and follow what happens over the typical two-week dwell time between initial access and the ransomware actually firing.
The named incidents that mattered
| Year | Incident | Operator | Damage / ransom |
|---|---|---|---|
| 2013 | CryptoLocker | Slavik / Business Club | ~500K victims; ~$3M paid before takedown. Proved the model worked. |
| 2017 | WannaCry | Lazarus Group (North Korea) | 200K+ machines in 150 countries; dozens of NHS trusts forced to cancel appointments and divert patients; ~$4B estimated damage; ~$140K actually collected (no per-victim payment tracking, plus the kill-switch domain). |
| 2017 | NotPetya | Sandworm (Russia, GRU) | Disguised as ransomware, was a wiper. Maersk, Merck, FedEx; ~$10B global damage. |
| 2019 | Maze | Maze gang | Invented double extortion (exfil first, then encrypt, then publish if no pay). Industry-changing. |
| 2020 | Travelex | REvil | ~$2.3M paid. Currency-exchange company crippled for weeks; eventually went bankrupt. |
| 2021 | Colonial Pipeline | DarkSide | $4.4M paid (~$2.3M later recovered by FBI). U.S. East Coast gasoline shortage; emergency declaration. |
| 2021 | JBS Foods | REvil | $11M paid. Largest meat producer in the world; U.S. and Australian operations down for days. |
| 2021 | Kaseya VSA | REvil | Supply-chain compromise of an MSP tool; ~1,500 downstream victims. $70M universal-decryptor demand (not paid). |
| 2023 | MGM Resorts | ALPHV/BlackCat + Scattered Spider | ~$100M in lost revenue + recovery. Vishing call to the IT help desk got the initial foothold. |
| 2023 | Caesars Entertainment | Scattered Spider | $15M paid (of $30M demanded). Same week as MGM; same threat actor. |
| 2024 | Change Healthcare | ALPHV/BlackCat | $22M paid. UnitedHealth subsidiary; U.S. healthcare payment processing crippled for weeks; affiliate then re-extorted UHG with the same data via RansomHub. |
| 2024 | CDK Global | BlackSuit | ~$25M paid. North American auto dealerships unable to sell cars for two weeks. |
To pay or not to pay
Law enforcement (FBI, CISA) recommends not paying. Cybersecurity professionals mostly agree. Insurance carriers used to underwrite payment without question; many no longer do. And yet the majority of victims still pay — because for a hospital where the choice is "pay $5M or close the ER for two weeks," the math is not actually about cybersecurity strategy. It's about patient mortality.
The arguments stack:
- Don't pay because it funds the next attack on someone else; payment doesn't guarantee recovery (~10% of paying victims don't get a working decryptor); payment doesn't guarantee non-publication of stolen data; some payments violate U.S. OFAC sanctions when the operator is sanctioned (Conti's leadership, Evil Corp's leadership).
- Pay because you have no recoverable backups; the operational cost of being down exceeds the ransom by 10x; the alternative is going out of business or harming people.
The right framework is to be in a position where you don't have to ask. Which is what the Defenses page covers.
The Ransomware Tabletop Exercise
A ransom note appeared on your CFO's laptop at 4:17 AM. You are the on-call incident commander. Detection, containment, eradication, recovery, lessons-learned — every decision branches, and some branches are right.
Open the lab →