Ransomware: Types, detection, and defense

In Q3 2025, 85 ransomware groups operated simultaneously, the highest count ever recorded, while damages reached $57 billion globally (Check Point Research, 2025; Cybersecurity Ventures, 2025). In March 2026 alone, three groups, Qilin, Akira, and DragonForce, accounted for 40% of 672 recorded incidents in a single month (Infosecurity Magazine, 2026).

This guide provides security professionals, SOC analysts, and CISOs with current intelligence on how ransomware works, which threat actors pose the greatest risk, and what defensive measures actually reduce exposure. Whether you are building detection capabilities, refining incident response procedures, or briefing leadership on organizational risk, the information here reflects threat research and defensive best practices from the FBI, CISA, and MITRE ATT&CK.

Qu'est-ce qu'un ransomware ?

Ransomware is a type of malicious software that encrypts files on a victim's device or network and demands a ransom payment, typically in cryptocurrency — to restore access. According to the FBI, ransomware prevents access to computer files, systems, or networks until payment is made.

CISA defines ransomware as malware  that encrypts files on a device, rendering the files and the systems that depend on them unusable. The operational consequence goes beyond locked files, ransomware disrupts the business processes that depend on that data.

According to Cybersecurity Ventures, global ransomware damages reached $57 billion in 2025,  approximately $156 million per day. These costs extend far beyond ransom payments to include business disruption, recovery expenses, reputational damage, and regulatory penalties.

Modern ransomware operators conduct reconnaissance, establish persistence, and exfiltrate sensitive data before deploying encryption. This transforms each ransomware incident into a potential data breach with long-term consequences for affected organizations.

En quoi les ransomwares diffèrent-ils des autres malware?

Ransomware differs from other malware primarily because it makes itself known to the victim. While spyware, trojans, and viruses typically operate covertly, stealing data, establishing backdoor access, or corrupting files without announcement, ransomware demands payment through explicit ransom notes. This visibility is deliberate: the cyberattack must be recognized before the victim can be pressured to pay.

Each malware type differs in purpose, visibility, and how attackers profit from it.

Financial incentive drives constant adaptation, the shift from phishing-dominated entry in 2023 to compromised VPN credentials accounting for 48% of attacks by Q3 2025 shows how quickly operators change methods when defenders close one vector.

Comment fonctionne un ransomware

Modern ransomware attacks follow a five-stage sequence, and defenders can disrupt each one. Mapping detection controls to each stage is what separates organizations that catch attackers before encryption from those that discover the damage after.

Une attaque typique par ransomware se déroule en cinq étapes :

1. Initial access — attackers gain entry through phishing, compromised credentials, or exploited vulnerabilities
2. Mouvement latéral — malware à travers le réseau tout en collectant des identifiants supplémentaires.
3. Élévation des privilèges — les attaquants obtiennent un accès administratif pour maximiser l'impact
4. Exfiltration de données — les informations sensibles sont volées avant leur chiffrement afin de permettre une double extorsion.
5. Chiffrement et demande de rançon — les fichiers sont chiffrés et les victimes reçoivent des instructions de paiement.

Ransomware attack vectors and initial access

According to HIPAA Journal, compromised VPN credentials accounted for 48% of ransomware attacks in Q3 2025, up from 38% in Q2. This represents a fundamental change from earlier years when phishing dominated initial access.

Credential-based entry has overtaken phishing, exploitation, and every other ransomware delivery method

The shift reflects both the widespread availability of stolen credentials on criminal marketplaces and the effectiveness of initial access brokers, specialists who compromise systems and sell access to ransomware operators. These brokers use infostealers to harvest credentials at scale.

External service exploitation accounts for another 23% of attacks, with recent campaigns targeting vulnerabilities in VPN appliances (CVE-2024-40766 in SonicWall), Citrix NetScaler devices (CVE-2025-5777), and enterprise software like Oracle E-Business Suite (CVE-2025-61882).

Mouvement latéral et exfiltration de données

Once inside a network, ransomware operators begin moving laterally within 48 minutes on average. The fastest observed cases show full network propagation in just 18 minutes (Vectra AI research). Defenders have less than an hour, sometimes less than 20 minutes, to detect and contain the spread before the attacker controls the environment.

Attackers use legitimate administrative tools and credentials to move laterally, making their activity difficult to distinguish from normal network operations without behavioral analysis.

According to Deepstrike, 76% of 2025 ransomware attacks involved data exfiltration before encryption, making nearly every ransomware incident a data breach by the time encryption begins. This enables double extortion: even if victims restore from backups, attackers threaten to publish stolen data.

Les outils couramment utilisés lors de la phase d'exfiltration comprennent :

• Rclone et Rsync pour les transferts vers cloud
• Cobalt Strike pour le commandement et le contrôle
• Mimikatz for credential harvesting
• FTP/SFTP pour le transfert de données en masse

MITRE ATT&CK mapping for ransomware

MITRE ATT&CK catalogs the specific techniques ransomware operators use, from credential abuse (T1078) to encryption for impact (T1486). The primary ransomware technique is T1486, Data Encrypted for Impact, categorized under the Impact tactic.

Six techniques appear in the majority of ransomware operations, spanning from initial credential abuse through defense evasion to final encryption.

Over 70 ransomware families are mapped to specific ATT&CK techniques. Running this mapping against deployed detections reveals exactly where coverage exists and where it does not, a process that enables focused threat hunting against known gaps.

Types de ransomware

Ransomware now comes in several distinct categories, each with different encryption methods, extortion tactics, and business models.

Encrypting ransomware vs. locker ransomware

Ransomware splits into two primary categories: encrypting ransomware (crypto-ransomware) and locker ransomware.

Encrypting ransomware encrypts individual files and data on infected devices. According to Keeper Security, victims can still use their devices but cannot access encrypted files without the decryption key. Modern encrypting ransomware uses strong encryption algorithms including AES-256, ChaCha20, and RSA-2048 that are computationally infeasible to break.

Locker ransomware (screen lockers) takes a different approach, locking users out of their entire systems rather than encrypting individual files. According to Check Point, locker variants prevent any access to the device until payment is made. While locker ransomware was more common in ransomware's early history, encrypting ransomware dominates today due to its greater impact and harder recovery path.

Recovery, response, and backup strategies differ significantly between the two.

Double and triple extortion ransomware

Most ransomware attacks now combine encryption with data theft, and some add DDoS attacks and third-party threats on top.

Double extortion ransomware combines data encryption with data theft. Attackers first exfiltrate sensitive information, then encrypt systems. If victims restore from backups without paying, attackers threaten to publish or sell the stolen data. According to Arctic Wolf, 96% of ransomware incident response cases in 2025 involved data exfiltration, making double extortion the norm rather than the exception.

Triple extortion ransomware adds additional pressure tactics beyond encryption and data theft:

• Menacer de contacter les clients, partenaires ou patients de la victime au sujet de la violation
• Lancement d'attaques DDoS contre l'infrastructure de la victime
• Cibler des tiers avec des demandes d'extorsion basées sur des données volées

The result is overlapping harm, operational disruption from encryption, breach notification obligations from exfiltration, and reputational damage from public leak threats, all applied simultaneously.

What is ransomware-as-a-service (RaaS)?

According to IBM, ransomware-as-a-service (RaaS) is a business model where ransomware developers sell or lease their malware to affiliates who conduct the actual attacks. The model has industrialized ransomware, turning it from a technical crime into a franchise operation.

Les opérateurs RaaS fournissent à leurs affiliés :

• Charges utiles de ransomware prêtes à être déployées
• Comités administratifs pour la gestion des victimes
• Infrastructure de traitement des paiements
• Outils d'aide à la négociation et de communication avec les victimes
• Assistance technique et mises à jour

In exchange, affiliates share ransom proceeds with the RaaS operators. According to Flashpoint, typical affiliate revenue shares range from 70–85% of ransom payments, with Qilin offering an industry-leading 85% share to attract affiliates.

Criminals with no technical expertise can now deploy professional-grade ransomware, which is why the number of active groups hit 85 in Q3 2025.

The ransomware threat landscape

A record 85 ransomware groups operated simultaneously in Q3 2025. Between January and September, 4,701 incidents were recorded globally, a 46% increase over the same period in 2024. The fragmentation follows law enforcement disruptions of major groups and reflects the ease with which new groups can launch using RaaS infrastructure.

In March 2026 alone, 672 ransomware incidents were reported, with just three groups (Qilin, Akira, and DragonForce) responsible for 40% of the total.

Les groupes de ransomware les plus actifs en 2025

Qilin emerged as the dominant ransomware group, processing over 75 victims monthly by Q3 2025. The group's 85% affiliate revenue share, higher than competitors, has attracted skilled affiliates from disbanded operations. Notably, North Korean threat actors deployed Qilin payloads in March 2025, indicating nation-state collaboration with criminal ransomware operations.

Akira accumulated $244.17 million in proceeds as of late September 2025, according to CISA advisories. The group targets SMBs and critical infrastructure across manufacturing, education, IT, healthcare, and financial services.

LockBit re-emerged with version 5.0 in September 2025 despite significant law enforcement pressure including Operation Cronos. While diminished from its peak, the group's persistence demonstrates the resilience of well-established RaaS operations.

Études de cas très médiatisées

Change Healthcare (2024–2025): The ALPHV/BlackCat attack on Change Healthcare represents the largest healthcare data breach in U.S. history. According to AHA, approximately 192.7 million individuals were affected, with total costs estimated at $3 billion. The root cause was compromised credentials for a Citrix server without multi-factor authentication, a basic security control failure with catastrophic consequences.

Qilin "Korean Leaks" Campaign (September 2025): According to The Hacker News, Qilin compromised a single managed service provider (GJTec) and used that access to attack 28 downstream organizations, including 24 in South Korea's financial sector. Over 1 million files and 2TB of data were exfiltrated. This supply chain attack demonstrates how a single MSP compromise can amplify ransomware impact exponentially.

Clop Oracle EBS Campaign (November 2025): According to Z2Data, the Clop ransomware group exploited CVE-2025-61882 (CVSS 9.8) in Oracle E-Business Suite to compromise over 100 companies including Broadcom, Estee Lauder, Mazda, Canon, Allianz UK, and the Washington Post. The campaign followed the same mass-exploitation playbook Clop used against MOVEit in 2023, same group, same tactic, different vulnerability.

Statistiques sur l'impact de l'industrie

Healthcare was the top ransomware target in 2025, with 460 attacks and 182 data breaches reported to the FBI, a combined 642 cyber events (IC3 2025 Annual Report, published April 2026). Financial services was the second-highest sector at 447 total events.

The concentration of attacks on specific industries reflects both the value of the data they hold and the operational pressure that makes victims more likely to pay.

According to Verizon DBIR analysis, 88% of data breaches at SMBs involve ransomware, compared to 39% for large organizations. Without dedicated security resources and incident response capabilities, 60% of attacked small businesses close within six months.

How to detect and prevent ransomware

Three distinct control layers, prevention, detection, and response, separate organizations that recover from ransomware from those that do not. Prevention is the cheapest layer. Detection and response determine the outcome once an attacker is already inside.

12 essential ransomware prevention controls

CISA's #StopRansomware Guide defines the baseline controls every organization should deploy. These 12 controls address the most common attack vectors and reduce exposure across the ransomware kill chain.
‍

Priority controls (implement immediately):

1. Prioritize remediating known exploited vulnerabilities focus on CISA KEV catalog entries
2. Activer et appliquer l'authentification multifactorielle phishing sur tous les services externes.
3. Effectuez régulièrement des sauvegardes hors ligne cryptées et testez les procédures de restauration.

Contrôles techniques supplémentaires :

4. Implement zero trust architecture principles for network access
5. Segmenter les réseaux pour limiter les possibilités de mouvements latéraux
6. Désactivez SMBv1 et passez à SMBv3 avec chiffrement.
7. Centralize logging with SIEM and minimum 12-month retention
8. Restriction de l'exécution de PowerShell via la stratégie de groupe
9. Deploy EDR, NDR, or XDR solutions with real-time detection capabilities
10. Imposer des mots de passe d'au moins 15 caractères
11. Séparer les comptes administratifs des comptes utilisés quotidiennement
12. Reduce attack surface by disabling unnecessary services
    ‍

The 48% share of attacks using compromised VPN credentials makes three actions urgent: audit VPN configurations, enforce MFA on all remote access, and evaluate zero-trust network access as a VPN replacement.

Stratégie de sauvegarde pour la résilience face aux ransomwares

The 3-2-1-1-0 backup rule, as detailed by Veeam, provides ransomware-resilient data protection:

• 3 copies des données (une copie principale et deux copies de sauvegarde)
• 2 types de supports de stockage différents
• 1 copie hors site
• 1 copie immuable ou isolée
• 0 erreur après les tests de vérification

Immutable storage converts backups to write-once, read-many (WORM) format that cannot be overwritten, changed, or deleted, even by administrators with full credentials. This protects against ransomware that specifically targets backup systems.

Untested backups are not backups. Verifying restoration procedures at least quarterly — and documenting actual recovery times against stated objectives, is the difference between a backup that works and one that merely exists.

Ransomware detection indicators

Every stage of the ransomware attack chain produces network artifacts that signature-based tools miss. Network detection and response reveals the lateral movement, exfiltration, and command and control traffic that endpoint agents never see.

malware précurseur malware surveiller :

• Les chargeurs Bumblebee, Dridex, Emotet, QakBot et Anchor précèdent souvent le déploiement des ransomwares.
• La détection de ces menaces devrait déclencher une enquête immédiate.

Indicateurs réseau de l'activité des ransomwares :

• Données anormales sortantes sur n'importe quel port (exfiltration)
• Outils tels que Rclone, Rsync, FTP/SFTP pour le transfert de volumes de données importants
• C2 callbacks to unknown infrastructure
• Modèles de mouvements latéraux (authentification inhabituelle, utilisation abusive de comptes de service)
• Tentatives de tunneling DNS
• Activité d'usurpation d'adresse IP

When a service account authenticates at 3 AM, an admin session transfers 40 GB to an external host, or a user accesses file shares they have never touched, those deviations are the signal.

See how Vectra AI detects and contains ransomware attacks

What to do if you are hit by ransomware

If your organization is hit by ransomware, CISA provides immediate response guidance:

1. Isolez immédiatement — déconnectez les systèmes affectés du réseau pour empêcher la propagation.
2. NE redémarrez PAS et ne réinitialisez PAS l'appareil, car cela pourrait causer des dommages supplémentaires ou détruire des preuves médico-légales.
3. Sauvegardes sécurisées — déconnectez les systèmes de sauvegarde pour empêcher le chiffrement
4. Documentez tout — faites des captures d'écran des demandes de rançon et conservez l'état du système.
5. Évaluer la portée — déterminer quels systèmes sont concernés et l'étendue du chiffrement
6. Contactez les autorités — prévenez le FBI, la CISA et les forces de l'ordre locales.
7. Check for free decryptors — the No More Ransom Project provides free decryption tools for 100+ ransomware families

Acting within the first hour determines whether the attack stays contained to one segment or spreads across the network.

According to Sophos, 56% of organizations recovered within one week in 2025 — up from 33% in 2024. The gap between organizations that recover in days and those that take months is narrowing.

‍Should you pay a ransomware ransom?

Le FBI et la CISA déconseillent de payer les rançons. Les données corroborent cette position :

• Seules 46 % des organisations qui paient des rançons récupèrent leurs données (CSO Online)
• 93 % des victimes ayant payé ont tout de même vu leurs données volées et potentiellement exposées.
• Environ 80 % des organisations qui ont payé ont subi des attaques ultérieures.
• Le paiement finance des entreprises criminelles et encourage de futures attaques.

Victim behavior reflects this guidance. According to Sophos, 63% of ransomware victims refused to pay in 2025, up from 59% in 2024. Meanwhile, 97% of organizations successfully recovered their data through backups or other means, demonstrating that payment is not necessary for recovery.

If you are considering payment, legal counsel and law enforcement engagement should precede any decision. Some payments may violate sanctions regulations, and authorities may have intelligence about the specific threat actor that changes the calculus.

Ransomware compliance and regulatory requirements

NIS2, NIST IR 8374, and proposed UK legislation now mandate ransomware-specific controls and incident reporting timelines. Mapping existing controls to these framework requirements, and generating audit-ready evidence, is an operational necessity, not a governance exercise.

Cartographie du cadre

NIST IR 8374 — Ransomware Risk Management Profile: This NIST publication applies the Cybersecurity Framework's five core functions (Identify, Protect, Detect, Respond, Recover) specifically to ransomware risk. Updated for CSF 2.0 in January 2025, it provides actionable guidance aligned with ISO/IEC 27001:2013 and NIST SP 800-53 Rev. 5.

MITRE ATT&CK Framework: Version 18 of ATT&CK (October 2025) documents over 70 ransomware families and their techniques. Organizations can use ATT&CK to validate detection coverage against known ransomware behaviors and identify capability gaps.

NIS2 Directive (EU): The NIS2 Directive requires essential and important entities across 18 critical sectors to implement ransomware-specific controls. Key requirements include 24-hour early warning for significant incidents and penalties up to EUR 10 million or 2% of global revenue for non-compliance

Each framework maps to different compliance requirements and operational needs

‍

Cyber insurance and ransomware

The average ransomware insurance claim reached $1.18 million in 2025, a 17% increase year-over-year (Resilience, 2025). Ransomware accounts for 76% of incurred losses despite representing 56% of claims.

Insurers denied approximately 40% of cyber insurance claims in 2024, often citing "failure to maintain security" exclusions (HIPAA Journal). They are scrutinizing vulnerability management, practices, MFA deployment, and backup procedures when evaluating claims.

An emerging concern: the Interlock ransomware group has been observed stealing cyber insurance policies from victims to benchmark ransom demands against coverage limits. When attackers know your coverage ceiling, adequate insurance without corresponding security improvements becomes a liability.

How Vectra AI detects ransomware

Vectra AI approaches ransomware defense through Attack Signal Intelligence, detecting attacker behaviors across the entire attack chain rather than relying on signatures or known indicators. By analyzing network traffic, cloud activity, and identity signals, the platform identifies lateral movement, privilege escalation, and data exfiltration patterns that precede ransomware deployment.

The "Assume Compromise" model starts from the premise that preventive controls will fail, and focuses detection on what happens after initial access. The window between initial access and encryption, often as little as 18 minutes, is where behavioral threat detection catches what signatures miss.

AI-driven detection identifies novel ransomware behaviors without requiring prior knowledge of specific variants. When attackers develop new evasion techniques, behavioral analysis continues to flag the underlying patterns, credential abuse, unusual data access, lateral connection attempts, that remain consistent across campaigns.

Without visibility across identity, cloud, and network layers, attackers reach the encryption stage undetected.

Where most ransomware defenses fall short

Ransomware groups reorganize within weeks of law enforcement disruption, shift attack vectors within quarters, and adopt new extortion tactics within months. Organizations that implement MFA, maintain tested immutable backups, segment networks, and deploy behavioral detection recover faster and avoid paying ransoms.

The path forward starts with honest assessment:

• Do you have continuous visibility into lateral movement across your hybrid environment?
• Can your current tools detect credential abuse and privilege escalation before encryption begins?
• Are your backups truly immutable — and have you tested restoration within the last 90 days?
• Do you know which MITRE ATT&CK techniques your detection stack covers and where the gaps are?
• Can you demonstrate compliance readiness with evidence, not documentation alone?

Conclusion

En 2025, les ransomwares constituent une menace mature, sophistiquée et très fragmentée qu'aucune organisation ne peut se permettre d'ignorer. Avec 85 groupes actifs, 57 milliards de dollars de dommages à l'échelle mondiale et des attaques qui combinent systématiquement le chiffrement et le vol de données, les enjeux n'ont jamais été aussi élevés.

Les données montrent que la prévention et la préparation sont efficaces. Les organisations qui mettent en œuvre l'authentification multifactorielle (MFA), conservent des sauvegardes testées et immuables, et segmentent leurs réseaux se remettent plus rapidement et évitent de payer des rançons. Celles qui investissent dans des capacités de détection, en particulier l'analyse comportementale basée sur le réseau, interceptent les attaquants avant que le chiffrement ne commence.

La voie à suivre nécessite une évolution continue. À mesure que les opérateurs de ransomware développent de nouvelles techniques et exploitent de nouvelles vulnérabilités, les défenseurs doivent s'adapter. Des tests réguliers de la couverture de détection par rapport au MITRE ATT&CK , une formation continue à la sensibilisation à la sécurité et des tests trimestriels de restauration des sauvegardes constituent la base d'opérations résilientes.

Pour les organisations qui cherchent à renforcer leurs défenses contre les ransomwares, l'approche Vectra AI en matière de Attack Signal Intelligence une détection tout au long de la chaîne d'attaque, en identifiant les comportements qui précèdent le déploiement d'un ransomware, indépendamment des malware spécifiques malware ou des techniques d'évasion.

Sources et méthodologie

Statistics and threat intelligence cited in this guide are drawn from the following sources:

• FBI IC3 2025 Annual Report (published April 2026) — sector-level ransomware attack data
• Check Point Research, Q3 2025 — active ransomware group counts and attack volumes
• Infosecurity Magazine, April 2026 — March 2026 incident volumes and group attribution
• HIPAA Journal, Q3 2025 — initial access vector distribution
• Sophos State of Ransomware 2025 — recovery times, payment rates, victim behavior
• Cybersecurity Ventures, 2025 — global damage projections
• Arctic Wolf, 2025 — double extortion prevalence in incident response cases
• Verizon DBIR 2025 — SMB ransomware exposure data
• Resilience Cyber Risk Report, 2025 — insurance claim averages and denial rates
• Flashpoint, 2025 — RaaS affiliate revenue share data
• CISA #StopRansomware Guide — prevention controls and incident response guidance
• MITRE ATT&CK v18 (October 2025) — technique mapping and ransomware family documentation
• NIST IR 8374 (updated January 2025) — ransomware risk management profile

Named incidents (Change Healthcare, Qilin Korean Leaks, Clop Oracle EBS) are sourced from AHA, The Hacker News, and Z2Data respectively.