Ransomware: Types, detection, and defense

In Q3 2025, 85 ransomware groups operated simultaneously, the highest count ever recorded, while damages reached $57 billion globally (Check Point Research, 2025; Cybersecurity Ventures, 2025). In March 2026 alone, three groups, Qilin, Akira, and DragonForce, accounted for 40% of 672 recorded incidents in a single month (Infosecurity Magazine, 2026).

This guide provides security professionals, SOC analysts, and CISOs with current intelligence on how ransomware works, which threat actors pose the greatest risk, and what defensive measures actually reduce exposure. Whether you are building detection capabilities, refining incident response procedures, or briefing leadership on organizational risk, the information here reflects threat research and defensive best practices from the FBI, CISA, and MITRE ATT&CK.

Was ist ransomware?

Ransomware is a type of malicious software that encrypts files on a victim's device or network and demands a ransom payment, typically in cryptocurrency — to restore access. According to the FBI, ransomware prevents access to computer files, systems, or networks until payment is made.

CISA defines ransomware as malware  that encrypts files on a device, rendering the files and the systems that depend on them unusable. The operational consequence goes beyond locked files, ransomware disrupts the business processes that depend on that data.

According to Cybersecurity Ventures, global ransomware damages reached $57 billion in 2025,  approximately $156 million per day. These costs extend far beyond ransom payments to include business disruption, recovery expenses, reputational damage, and regulatory penalties.

Modern ransomware operators conduct reconnaissance, establish persistence, and exfiltrate sensitive data before deploying encryption. This transforms each ransomware incident into a potential data breach with long-term consequences for affected organizations.

Wie ransomware von anderer malware ransomware

Ransomware differs from other malware primarily because it makes itself known to the victim. While spyware, trojans, and viruses typically operate covertly, stealing data, establishing backdoor access, or corrupting files without announcement, ransomware demands payment through explicit ransom notes. This visibility is deliberate: the cyberattack must be recognized before the victim can be pressured to pay.

Each malware type differs in purpose, visibility, and how attackers profit from it.

Financial incentive drives constant adaptation, the shift from phishing-dominated entry in 2023 to compromised VPN credentials accounting for 48% of attacks by Q3 2025 shows how quickly operators change methods when defenders close one vector.

So funktioniert ransomware

Modern ransomware attacks follow a five-stage sequence, and defenders can disrupt each one. Mapping detection controls to each stage is what separates organizations that catch attackers before encryption from those that discover the damage after.

Ein typischer ransomware verläuft in fünf Phasen:

1. Initial access — attackers gain entry through phishing, compromised credentials, or exploited vulnerabilities
2. Seitliche Bewegung – malware im Netzwerk und sammelt dabei zusätzliche Anmeldedaten.
3. Privilegienerweiterung – Angreifer verschaffen sich Administratorzugriff, um die Auswirkungen zu maximieren.
4. Datenexfiltration – sensible Informationen werden vor der Verschlüsselung gestohlen, um doppelte Erpressung zu ermöglichen.
5. Verschlüsselung und Lösegeldforderung – Dateien werden verschlüsselt und die Opfer erhalten Zahlungsanweisungen.

Ransomware attack vectors and initial access

According to HIPAA Journal, compromised VPN credentials accounted for 48% of ransomware attacks in Q3 2025, up from 38% in Q2. This represents a fundamental change from earlier years when phishing dominated initial access.

Credential-based entry has overtaken phishing, exploitation, and every other ransomware delivery method

The shift reflects both the widespread availability of stolen credentials on criminal marketplaces and the effectiveness of initial access brokers, specialists who compromise systems and sell access to ransomware operators. These brokers use infostealers to harvest credentials at scale.

External service exploitation accounts for another 23% of attacks, with recent campaigns targeting vulnerabilities in VPN appliances (CVE-2024-40766 in SonicWall), Citrix NetScaler devices (CVE-2025-5777), and enterprise software like Oracle E-Business Suite (CVE-2025-61882).

Seitliche Bewegung und Datenexfiltration

Once inside a network, ransomware operators begin moving laterally within 48 minutes on average. The fastest observed cases show full network propagation in just 18 minutes (Vectra AI research). Defenders have less than an hour, sometimes less than 20 minutes, to detect and contain the spread before the attacker controls the environment.

Attackers use legitimate administrative tools and credentials to move laterally, making their activity difficult to distinguish from normal network operations without behavioral analysis.

According to Deepstrike, 76% of 2025 ransomware attacks involved data exfiltration before encryption, making nearly every ransomware incident a data breach by the time encryption begins. This enables double extortion: even if victims restore from backups, attackers threaten to publish stolen data.

Zu den häufigsten Tools, die in der Exfiltrationsphase beobachtet werden, gehören:

• Rclone und Rsync für cloud transfers
• Cobalt Strike für Befehl und Kontrolle
• Mimikatz for credential harvesting
• FTP/SFTP für die Übertragung großer Datenmengen

MITRE ATT&CK mapping for ransomware

MITRE ATT&CK catalogs the specific techniques ransomware operators use, from credential abuse (T1078) to encryption for impact (T1486). The primary ransomware technique is T1486, Data Encrypted for Impact, categorized under the Impact tactic.

Six techniques appear in the majority of ransomware operations, spanning from initial credential abuse through defense evasion to final encryption.

Over 70 ransomware families are mapped to specific ATT&CK techniques. Running this mapping against deployed detections reveals exactly where coverage exists and where it does not, a process that enables focused threat hunting against known gaps.

Arten von ransomware

Ransomware now comes in several distinct categories, each with different encryption methods, extortion tactics, and business models.

Encrypting ransomware vs. locker ransomware

Ransomware splits into two primary categories: encrypting ransomware (crypto-ransomware) and locker ransomware.

Encrypting ransomware encrypts individual files and data on infected devices. According to Keeper Security, victims can still use their devices but cannot access encrypted files without the decryption key. Modern encrypting ransomware uses strong encryption algorithms including AES-256, ChaCha20, and RSA-2048 that are computationally infeasible to break.

Locker ransomware (screen lockers) takes a different approach, locking users out of their entire systems rather than encrypting individual files. According to Check Point, locker variants prevent any access to the device until payment is made. While locker ransomware was more common in ransomware's early history, encrypting ransomware dominates today due to its greater impact and harder recovery path.

Recovery, response, and backup strategies differ significantly between the two.

Double and triple extortion ransomware

Most ransomware attacks now combine encryption with data theft, and some add DDoS attacks and third-party threats on top.

Double extortion ransomware combines data encryption with data theft. Attackers first exfiltrate sensitive information, then encrypt systems. If victims restore from backups without paying, attackers threaten to publish or sell the stolen data. According to Arctic Wolf, 96% of ransomware incident response cases in 2025 involved data exfiltration, making double extortion the norm rather than the exception.

Triple extortion ransomware adds additional pressure tactics beyond encryption and data theft:

• Drohung, die Kunden, Partner oder Patienten des Opfers über den Verstoß zu informieren
• Durchführung von DDoS-Angriffen auf die Infrastruktur des Opfers
• Erpressungsforderungen gegenüber Dritten auf Grundlage gestohlener Daten

The result is overlapping harm, operational disruption from encryption, breach notification obligations from exfiltration, and reputational damage from public leak threats, all applied simultaneously.

What is ransomware-as-a-service (RaaS)?

According to IBM, ransomware-as-a-service (RaaS) is a business model where ransomware developers sell or lease their malware to affiliates who conduct the actual attacks. The model has industrialized ransomware, turning it from a technical crime into a franchise operation.

RaaS-Betreiber bieten ihren Partnern Folgendes:

• Einsatzbereite ransomware
• Verwaltungsgremien für das Opfermanagement
• Zahlungsabwicklungsinfrastruktur
• Unterstützung bei Verhandlungen und Kommunikationsinstrumente für Opfer
• Technischer Support und Updates

In exchange, affiliates share ransom proceeds with the RaaS operators. According to Flashpoint, typical affiliate revenue shares range from 70–85% of ransom payments, with Qilin offering an industry-leading 85% share to attract affiliates.

Criminals with no technical expertise can now deploy professional-grade ransomware, which is why the number of active groups hit 85 in Q3 2025.

The ransomware threat landscape

A record 85 ransomware groups operated simultaneously in Q3 2025. Between January and September, 4,701 incidents were recorded globally, a 46% increase over the same period in 2024. The fragmentation follows law enforcement disruptions of major groups and reflects the ease with which new groups can launch using RaaS infrastructure.

In March 2026 alone, 672 ransomware incidents were reported, with just three groups (Qilin, Akira, and DragonForce) responsible for 40% of the total.

ransomware aktivsten ransomware im Jahr 2025

Qilin emerged as the dominant ransomware group, processing over 75 victims monthly by Q3 2025. The group's 85% affiliate revenue share, higher than competitors, has attracted skilled affiliates from disbanded operations. Notably, North Korean threat actors deployed Qilin payloads in March 2025, indicating nation-state collaboration with criminal ransomware operations.

Akira accumulated $244.17 million in proceeds as of late September 2025, according to CISA advisories. The group targets SMBs and critical infrastructure across manufacturing, education, IT, healthcare, and financial services.

LockBit re-emerged with version 5.0 in September 2025 despite significant law enforcement pressure including Operation Cronos. While diminished from its peak, the group's persistence demonstrates the resilience of well-established RaaS operations.

Bekanntes Fallstudien

Change Healthcare (2024–2025): The ALPHV/BlackCat attack on Change Healthcare represents the largest healthcare data breach in U.S. history. According to AHA, approximately 192.7 million individuals were affected, with total costs estimated at $3 billion. The root cause was compromised credentials for a Citrix server without multi-factor authentication, a basic security control failure with catastrophic consequences.

Qilin "Korean Leaks" Campaign (September 2025): According to The Hacker News, Qilin compromised a single managed service provider (GJTec) and used that access to attack 28 downstream organizations, including 24 in South Korea's financial sector. Over 1 million files and 2TB of data were exfiltrated. This supply chain attack demonstrates how a single MSP compromise can amplify ransomware impact exponentially.

Clop Oracle EBS Campaign (November 2025): According to Z2Data, the Clop ransomware group exploited CVE-2025-61882 (CVSS 9.8) in Oracle E-Business Suite to compromise over 100 companies including Broadcom, Estee Lauder, Mazda, Canon, Allianz UK, and the Washington Post. The campaign followed the same mass-exploitation playbook Clop used against MOVEit in 2023, same group, same tactic, different vulnerability.

Statistiken zu den Auswirkungen auf die Industrie

Healthcare was the top ransomware target in 2025, with 460 attacks and 182 data breaches reported to the FBI, a combined 642 cyber events (IC3 2025 Annual Report, published April 2026). Financial services was the second-highest sector at 447 total events.

The concentration of attacks on specific industries reflects both the value of the data they hold and the operational pressure that makes victims more likely to pay.

According to Verizon DBIR analysis, 88% of data breaches at SMBs involve ransomware, compared to 39% for large organizations. Without dedicated security resources and incident response capabilities, 60% of attacked small businesses close within six months.

How to detect and prevent ransomware

Three distinct control layers, prevention, detection, and response, separate organizations that recover from ransomware from those that do not. Prevention is the cheapest layer. Detection and response determine the outcome once an attacker is already inside.

12 essential ransomware prevention controls

CISA's #StopRansomware Guide defines the baseline controls every organization should deploy. These 12 controls address the most common attack vectors and reduce exposure across the ransomware kill chain.
‍

Priority controls (implement immediately):

1. Prioritize remediating known exploited vulnerabilities focus on CISA KEV catalog entries
2. Aktivieren und erzwingen Sie eine phishing Multi-Faktor-Authentifizierung für alle externen Dienste.
3. Regelmäßige Offline-Backups mit Verschlüsselung durchführen und Wiederherstellungsverfahren testen

Zusätzliche technische Kontrollen:

4. Implement zero trust architecture principles for network access
5. Netzwerke segmentieren, um Möglichkeiten für seitliche Bewegungen einzuschränken
6. Deaktivieren Sie SMBv1 und aktualisieren Sie auf SMBv3 mit Verschlüsselung.
7. Centralize logging with SIEM and minimum 12-month retention
8. PowerShell-Ausführung über Gruppenrichtlinie einschränken
9. Deploy EDR, NDR, or XDR solutions with real-time detection capabilities
10. Passwörter mit mindestens 15 Zeichen erzwingen
11. Trennen Sie Verwaltungskonten von Konten für den täglichen Gebrauch.
12. Reduce attack surface by disabling unnecessary services
    ‍

The 48% share of attacks using compromised VPN credentials makes three actions urgent: audit VPN configurations, enforce MFA on all remote access, and evaluate zero-trust network access as a VPN replacement.

Backup-Strategie für ransomware

The 3-2-1-1-0 backup rule, as detailed by Veeam, provides ransomware-resilient data protection:

• 3 Kopien der Daten (Primärkopie plus zwei Sicherungskopien)
• 2 verschiedene Speichermedientypen
• 1 Kopie außerhalb des Standorts
• 1 Kopie unveränderlich oder luftisoliert
• 0 Fehler nach der Verifizierung

Immutable storage converts backups to write-once, read-many (WORM) format that cannot be overwritten, changed, or deleted, even by administrators with full credentials. This protects against ransomware that specifically targets backup systems.

Untested backups are not backups. Verifying restoration procedures at least quarterly — and documenting actual recovery times against stated objectives, is the difference between a backup that works and one that merely exists.

Ransomware detection indicators

Every stage of the ransomware attack chain produces network artifacts that signature-based tools miss. Network detection and response reveals the lateral movement, exfiltration, and command and control traffic that endpoint agents never see.

malware überwachende Vorläufer malware :

• Bumblebee, Dridex, Emotet, QakBot und Anchor Loader gehen häufig ransomware voraus.
• Die Erkennung dieser Bedrohungen sollte eine sofortige Untersuchung auslösen.

Netzwerkindikatoren für ransomware :

• Abnormale Datenausgabe an einem beliebigen Port (Exfiltration)
• Tools wie Rclone, Rsync, FTP/SFTP zum Verschieben großer Datenmengen
• C2 callbacks to unknown infrastructure
• Seitliche Bewegungsmuster (ungewöhnliche Authentifizierung, Missbrauch von Dienstkonten)
• DNS-Tunneling-Versuche
• ARP-Spoofing-Aktivität

When a service account authenticates at 3 AM, an admin session transfers 40 GB to an external host, or a user accesses file shares they have never touched, those deviations are the signal.

See how Vectra AI detects and contains ransomware attacks

What to do if you are hit by ransomware

If your organization is hit by ransomware, CISA provides immediate response guidance:

1. Sofort isolieren – betroffene Systeme vom Netzwerk trennen, um eine Ausbreitung zu verhindern
2. Starten Sie das Gerät NICHT neu oder führen Sie keinen Neustart durch – dies kann zu weiteren Schäden führen oder forensische Beweise zerstören.
3. Sichere Backups – Trennen Sie Backup-Systeme, um eine Verschlüsselung zu verhindern.
4. Dokumentieren Sie alles – machen Sie Screenshots von Lösegeldforderungen und bewahren Sie den Systemstatus auf.
5. Umfang bewerten – feststellen, welche Systeme betroffen sind und in welchem Umfang eine Verschlüsselung vorliegt
6. Behörden kontaktieren – FBI, CISA und örtliche Strafverfolgungsbehörden benachrichtigen
7. Check for free decryptors — the No More Ransom Project provides free decryption tools for 100+ ransomware families

Acting within the first hour determines whether the attack stays contained to one segment or spreads across the network.

According to Sophos, 56% of organizations recovered within one week in 2025 — up from 33% in 2024. The gap between organizations that recover in days and those that take months is narrowing.

‍Should you pay a ransomware ransom?

Das FBI und die CISA raten davon ab, Lösegeld zu zahlen. Die Daten stützen diese Position:

• Nur 46 % der Unternehmen, die Lösegeld zahlen, können ihre Daten erfolgreich wiederherstellen (CSO Online).
• 93 % der zahlenden Opfer wurden dennoch Opfer eines Datendiebstahls und sind möglicherweise gefährdet.
• Etwa 80 % der Organisationen, die gezahlt haben, wurden anschließend erneut angegriffen.
• Zahlungen finanzieren kriminelle Unternehmen und schaffen Anreize für künftige Angriffe.

Victim behavior reflects this guidance. According to Sophos, 63% of ransomware victims refused to pay in 2025, up from 59% in 2024. Meanwhile, 97% of organizations successfully recovered their data through backups or other means, demonstrating that payment is not necessary for recovery.

If you are considering payment, legal counsel and law enforcement engagement should precede any decision. Some payments may violate sanctions regulations, and authorities may have intelligence about the specific threat actor that changes the calculus.

Ransomware compliance and regulatory requirements

NIS2, NIST IR 8374, and proposed UK legislation now mandate ransomware-specific controls and incident reporting timelines. Mapping existing controls to these framework requirements, and generating audit-ready evidence, is an operational necessity, not a governance exercise.

Rahmenkartierung

NIST IR 8374 — Ransomware Risk Management Profile: This NIST publication applies the Cybersecurity Framework's five core functions (Identify, Protect, Detect, Respond, Recover) specifically to ransomware risk. Updated for CSF 2.0 in January 2025, it provides actionable guidance aligned with ISO/IEC 27001:2013 and NIST SP 800-53 Rev. 5.

MITRE ATT&CK Framework: Version 18 of ATT&CK (October 2025) documents over 70 ransomware families and their techniques. Organizations can use ATT&CK to validate detection coverage against known ransomware behaviors and identify capability gaps.

NIS2 Directive (EU): The NIS2 Directive requires essential and important entities across 18 critical sectors to implement ransomware-specific controls. Key requirements include 24-hour early warning for significant incidents and penalties up to EUR 10 million or 2% of global revenue for non-compliance

Each framework maps to different compliance requirements and operational needs

‍

Cyber insurance and ransomware

The average ransomware insurance claim reached $1.18 million in 2025, a 17% increase year-over-year (Resilience, 2025). Ransomware accounts for 76% of incurred losses despite representing 56% of claims.

Insurers denied approximately 40% of cyber insurance claims in 2024, often citing "failure to maintain security" exclusions (HIPAA Journal). They are scrutinizing vulnerability management, practices, MFA deployment, and backup procedures when evaluating claims.

An emerging concern: the Interlock ransomware group has been observed stealing cyber insurance policies from victims to benchmark ransom demands against coverage limits. When attackers know your coverage ceiling, adequate insurance without corresponding security improvements becomes a liability.

How Vectra AI detects ransomware

Vectra AI approaches ransomware defense through Attack Signal Intelligence, detecting attacker behaviors across the entire attack chain rather than relying on signatures or known indicators. By analyzing network traffic, cloud activity, and identity signals, the platform identifies lateral movement, privilege escalation, and data exfiltration patterns that precede ransomware deployment.

The "Assume Compromise" model starts from the premise that preventive controls will fail, and focuses detection on what happens after initial access. The window between initial access and encryption, often as little as 18 minutes, is where behavioral threat detection catches what signatures miss.

AI-driven detection identifies novel ransomware behaviors without requiring prior knowledge of specific variants. When attackers develop new evasion techniques, behavioral analysis continues to flag the underlying patterns, credential abuse, unusual data access, lateral connection attempts, that remain consistent across campaigns.

Without visibility across identity, cloud, and network layers, attackers reach the encryption stage undetected.

Where most ransomware defenses fall short

Ransomware groups reorganize within weeks of law enforcement disruption, shift attack vectors within quarters, and adopt new extortion tactics within months. Organizations that implement MFA, maintain tested immutable backups, segment networks, and deploy behavioral detection recover faster and avoid paying ransoms.

The path forward starts with honest assessment:

• Do you have continuous visibility into lateral movement across your hybrid environment?
• Can your current tools detect credential abuse and privilege escalation before encryption begins?
• Are your backups truly immutable — and have you tested restoration within the last 90 days?
• Do you know which MITRE ATT&CK techniques your detection stack covers and where the gaps are?
• Can you demonstrate compliance readiness with evidence, not documentation alone?

Schlussfolgerung

Ransomware 2025 stellt eine ausgereifte, hochentwickelte und stark fragmentierte Bedrohung dar, die kein Unternehmen ignorieren kann. Mit 85 aktiven Gruppen, weltweiten Schäden in Höhe von 57 Milliarden US-Dollar und Angriffen, bei denen regelmäßig Verschlüsselung mit Datendiebstahl kombiniert wird, war die Gefahr noch nie so groß wie heute.

Die Daten zeigen, dass Prävention und Vorbereitung funktionieren. Unternehmen, die MFA implementieren, getestete unveränderliche Backups pflegen und ihre Netzwerke segmentieren, erholen sich schneller und vermeiden Lösegeldzahlungen. Diejenigen, die in Erkennungsfunktionen investieren – insbesondere in netzwerkbasierte Verhaltensanalysen – fangen Angreifer ab, bevor die Verschlüsselung beginnt.

Der Weg in die Zukunft erfordert eine kontinuierliche Weiterentwicklung. Da ransomware neue Techniken entwickeln und neue Schwachstellen ausnutzen, müssen sich die Verteidiger anpassen. Regelmäßige Tests der Erkennungsabdeckung anhand des MITRE ATT&CK , fortlaufende Schulungen zum Sicherheitsbewusstsein und vierteljährliche Tests zur Wiederherstellung von Backups bilden die Grundlage für einen widerstandsfähigen Betrieb.

Für Unternehmen, die ihre ransomware verstärken möchten, Attack Signal Intelligence der Ansatz Vectra AI im Bereich Attack Signal Intelligence eine Erkennung über die gesamte Angriffskette hinweg – dabei werden die Verhaltensweisen identifiziert, die ransomware vorausgehen, unabhängig von bestimmten malware oder Umgehungstechniken.

Sources and methodology

Statistics and threat intelligence cited in this guide are drawn from the following sources:

• FBI IC3 2025 Annual Report (published April 2026) — sector-level ransomware attack data
• Check Point Research, Q3 2025 — active ransomware group counts and attack volumes
• Infosecurity Magazine, April 2026 — March 2026 incident volumes and group attribution
• HIPAA Journal, Q3 2025 — initial access vector distribution
• Sophos State of Ransomware 2025 — recovery times, payment rates, victim behavior
• Cybersecurity Ventures, 2025 — global damage projections
• Arctic Wolf, 2025 — double extortion prevalence in incident response cases
• Verizon DBIR 2025 — SMB ransomware exposure data
• Resilience Cyber Risk Report, 2025 — insurance claim averages and denial rates
• Flashpoint, 2025 — RaaS affiliate revenue share data
• CISA #StopRansomware Guide — prevention controls and incident response guidance
• MITRE ATT&CK v18 (October 2025) — technique mapping and ransomware family documentation
• NIST IR 8374 (updated January 2025) — ransomware risk management profile

Named incidents (Change Healthcare, Qilin Korean Leaks, Clop Oracle EBS) are sourced from AHA, The Hacker News, and Z2Data respectively.