
Ransomware Case Study
Ransomware: The Silent Menace
“They said pay the ransom or lose everything. I didn’t listen.” A Deep Dive into Ransomware
Abstract
Cybercrime has become one of the biggest challenges in today’s digital world, with attackers exploiting system vulnerabilities to steal data, disrupt services, and demand ransom. Among various cyber threats, ransomware is one of the most damaging forms of attack. It locks users out of their systems or encrypts their files, demanding payment in exchange for access restoration. In some cases, attackers threaten to leak sensitive data if their demands are not met.
Over the years, ransomware attacks have evolved significantly, using advanced encryption techniques and sophisticated attack strategies. Cybercriminals have also developed new methods, such as Ransomware-as-a-Service (RaaS), making it easier for attackers to launch ransomware campaigns without deep technical expertise.
These attacks now target individuals, businesses, and even government institutions, causing severe financial and data losses.
This study explores the growing threat of ransomware, examining its working mechanisms, common attack methods, and major ransomware groups active in recent years. It also highlights real-world case studies to understand how attackers exploit system vulnerabilities and the consequences faced by victims. Additionally, this study discusses effective preventive measures, security strategies, and response plans to help individuals and organizations defend against ransomware attacks.
Keywords: Cybercrime, Cybersecurity, Ransomware, Attack, Threat, Data Security, Encryption, Prevention, Vulnerability.
Introduction
With the increasing reliance on digital infrastructure, cybercrime has become a significant global threat. One of the most dangerous cyber threats is ransomware, a form of malware that locks a system or encrypts files, preventing users from accessing their data unless a ransom is paid. Cybercriminals use this method to extort money from individuals, businesses, and government institutions. Ransomware attacks have evolved significantly over the years, making them more destructive and financially damaging.
How Ransomware Works
Ransomware is designed to infiltrate a system through various attack vectors, such as phishing emails, malicious downloads, software vulnerabilities, or unauthorized remote access. Once inside, it encrypts critical files or locks the entire system, displaying a ransom note demanding payment, often in cryptocurrency, to maintain anonymity. If the victim fails to comply, the encrypted files remain inaccessible, and in some cases, attackers threaten to leak sensitive data.
Types of Ransomware
Ransomware can be classified into different categories based on its mode of attack:
- Scareware – Displays fake security warnings claiming the system is infected with malware and urges the user to pay for fake antivirus software. While annoying, scareware does not actually harm files.
- Screen Lockers – Locks the entire screen and displays messages claiming illegal activity has been detected. The user is unable to access their system unless they pay the demanded fee.
- Encrypting Ransomware (Crypto-Ransomware) – The most dangerous type, it encrypts files and demands payment to provide the decryption key. Without the key, recovering the files is nearly impossible.
- Mobile Ransomware – Targets smartphones and tablets by locking the screen or encrypting files. It spreads through malicious apps or phishing links, demanding a ransom to unlock the device.
Evolution of Ransomware Attacks
Ransomware has evolved from simple extortion tactics to sophisticated multi-layered attacks. Initially, attackers encrypted data and demanded ransom for decryption (single extortion). Later, they began exfiltrating sensitive data before encrypting it, threatening to leak it if the ransom was not paid (double extortion). In triple extortion, attackers not only encrypt and steal data but also launch a Distributed Denial-of-Service (DDoS) attack on the victim’s network, causing severe disruption.
Major Ransomware Variants
These ransomware variants have had a significant impact globally, affecting everything from individual users to large-scale organizations and government infrastructure. Here is a quick summary of the major ones:
- GoldenEye: Disrupted critical infrastructure in Ukraine, especially in the energy sector, causing widespread system outages.
- WannaCry (2017): Exploited a Windows vulnerability, affecting hospitals, businesses, and government systems across 150+ countries. It used the EternalBlue exploit, which was later patched.
- CryptoLocker: Pioneered the modern ransomware model, encrypting files and demanding payment via Bitcoin for decryption. It is known for being one of the first to generate significant revenue.
- Locky: Spread primarily through phishing emails with malicious attachments. Known for its use of advanced encryption techniques to lock files.
- Petya: Unlike most ransomware, Petya targeted the Master Boot Record (MBR), preventing systems from booting. It also used a worm-like propagation method.
- Crysis: A more targeted strain, attacking businesses and encrypting multiple file formats, often using phishing emails as a delivery mechanism.
- zCrypt: Spread quickly through network shares and removable drives, often infecting multiple systems once one device was compromised.
- PowerWare: Relied on PowerShell scripts, bypassing the need for a malicious executable and making it harder to detect using traditional antivirus tools.
- HydraCrypt: A ransomware strain that was cracked by security researchers, allowing some victims to recover their files without paying the ransom.
- Cerber: Ransomware-as-a-Service (RaaS), where cybercriminals could rent out Cerber’s tools to carry out attacks on their behalf.
- RAA Ransomware: Written in JavaScript, making it more difficult to detect, and ran through web-based vectors like malicious ads and websites.
- CryptoWall: Another widespread strain that caused extensive financial losses. It was part of a long-running ransomware campaign, evolving into multiple versions.
Common Attack Vectors
Ransomware can infiltrate systems through multiple methods, including:
- Phishing Emails & Social Engineering: Attackers send fraudulent emails that appear legitimate, tricking users into clicking malicious links or downloading infected attachments.
- Malvertising & Drive-By Downloads: Malicious advertisements on legitimate websites deliver ransomware when users click on them or visit infected pages.
- Exploiting System Vulnerabilities: Outdated or unpatched software can be exploited by attackers to inject ransomware into a system.
- Stolen Credentials: Weak passwords and compromised login credentials allow hackers to gain unauthorized access to deploy ransomware.
- Remote Desktop Protocol (RDP) Exploitation: Cybercriminals exploit weak RDP configurations to gain control over systems and execute ransomware.
- Malware Distribution: Some ransomware is spread through existing malware such as trojans, which act as delivery mechanisms.

Facts About Ransomware
- Most ransomware uses RSA-2048 encryption, which is practically impossible to crack without the decryption key. An average computer would take approximately 4 quadrillion years to break RSA-2048 encryption.
- CryptoLocker and its variants (like CryptoWall) generated over $325 million in ransom payments within just 18 months, with the majority of victims located in the United States.
- Ransomware has impacted schools, hospitals, police departments, and businesses worldwide, including incidents where police departments in Maine, Massachusetts, and Chicago had to pay ransoms to regain access to their files.
WannaCry Ransomware Attack (2017)
The WannaCry ransomware outbreak in May 2017 was one of the most devastating cyberattacks. It exploited a vulnerability in Microsoft Windows known as EternalBlue, originally discovered by the U.S. National Security Agency (NSA) and later leaked by a hacking group.
Systems Affected by WannaCry:
- Windows XP
- Windows Vista
- Windows 7
- Windows 8 & 8.1
- Windows 10
- Windows Server 2003, 2008, 2008 R2, 2012, 2012 R2, 2016
Following the attack, Microsoft released emergency patches for outdated systems, including Windows XP, which was no longer supported at the time. These patches helped mitigate further infections, but many systems remained vulnerable due to delayed updates.

Figure 1: Ransomware screen

Figure 2: WannaCry graph
The Biggest Cyber-Attacks in History
As technology has advanced, so have the frequency and scale of cyber-attacks, impacting individuals, corporations, and entire nations. Here are some of the most significant cyber-attacks in history:
Google China (2009)
A sophisticated attack targeting Google’s systems in China, attributed to Chinese hackers, aimed at stealing intellectual property and accessing Gmail accounts of human rights activists.
Heartbleed (2012-2014)
A critical vulnerability in OpenSSL, which affected millions of websites and allowed attackers to access sensitive information such as passwords and private keys, putting the internet at risk.
PlayStation Network (2011)
A massive breach where Sony’s PlayStation Network (PSN) was compromised, exposing the personal data of over 77 million accounts, including credit card information.
Sony Pictures Entertainment (2014)
A cyber-attack attributed to the North Korean hacking group “Lazarus,” which crippled Sony Pictures’ networks, leaked sensitive data, and caused financial and reputational damage.
Yahoo (2012-2014)
The largest data breach in history, affecting all 3 billion Yahoo accounts. Personal information such as email addresses, passwords, and security questions was exposed, and the breach went undetected for years.
WannaCry Ransomware (2017)
The WannaCry ransomware attack affected over 230,000 computers across 150+ countries. It exploited a vulnerability in Windows, encrypting files and demanding ransom payments in Bitcoin.
2024 Ransomware Landscape: Key Statistics and Trends
The 2024 ransomware landscape continued to evolve with increasing sophistication, as cybercriminal groups targeted both small businesses and large enterprises. Here’s an overview of the key trends and the impact these groups had in 2024:
2024 Ransomware Statistics:
- Total number of leak site posts: 5,939
- Number of active ransomware groups: 75
- Average ransom payment in Q3 2024: $479,237
- Median ransom payment in Q3 2024: $200,000
- Median percentage of companies that pay: 32%
These statistics underline how expansive and financially impactful ransomware attacks have become. With 75 active groups in operation and a significant amount of revenue generated, the scope of ransomware activity in 2024 was alarming.
Top 10 Ransomware Groups in 2024:
1. RansomHub
RansomHub is one of the most prolific ransomware groups in 2024. Known for leveraging multiple methods of extortion, including encrypting data and threatening to leak it, they focus on high-volume attacks targeting various organizations.
2. LockBit
LockBit remains one of the most notorious and active ransomware groups. It is famous for its double-extortion tactics: encrypting files and threatening to release sensitive information unless a ransom is paid. Despite significant law enforcement actions, LockBit continued its operations and expanded its affiliate network.
3. Play
Play has emerged as a highly active group in 2024, particularly targeting high-profile enterprises. They use data leakage as a tool for extortion, demanding large ransoms for not releasing sensitive or proprietary information.
4. Akira
Akira is a relatively newer ransomware group that has quickly gained prominence. Known for targeting large organizations, Akira uses ransomware to lock files and threatens to expose data unless the victim pays the ransom.
5. Hunters
Hunters is an aggressive ransomware group that targets a variety of industries. They are particularly effective in exploiting vulnerabilities and using ransomware not only for encryption but also as a means to demand payments to avoid additional attacks, including DDoS threats.
6. Medusa
Medusa is a group that has been very active, particularly known for exploiting weaknesses in company infrastructure. They deploy ransomware to lock systems and then use extortion tactics, such as threatening to release stolen data if the ransom is not paid.
7. Qilin
Qilin is a smaller, but rapidly growing group that targets organizations across various sectors. They are known for exploiting vulnerabilities and using ransomware to encrypt systems, followed by ransom demands for decryption keys.
8. Black Basta
Black Basta is notorious for its efficiency in targeting large corporations and organizations. This group follows the double-extortion strategy, encrypting data and threatening to leak it unless a ransom is paid. They have a strong presence on ransomware leak sites.
9. Cactus
Cactus is a lesser-known group that has nonetheless caused significant disruptions in 2024. Similar to other ransomware groups, it locks systems and demands payments for decryption, targeting both large and small organizations.
10. BianLian
BianLian is a group known for targeting critical infrastructure and large enterprises. They use ransomware to encrypt systems, steal data, and threaten its exposure unless the ransom is paid. Their operations are typical of ransomware-as-a-service (RaaS) models, where affiliates help spread their attacks.
Estimated Financial Impact:
Based on the number of victims (represented by the posts) and the estimated ransom payments, these groups could have collectively generated over $380 million in 2024 alone. The estimates suggest:

Key Trends in Ransomware:
Proliferation of Groups: With more than 75 active groups, the barrier to entry for running ransomware campaigns has dropped, resulting in a fragmented landscape of attackers that are harder to track.
Persistent Dominance: Groups like RansomHub, Akira, and Fog continue to dominate the landscape, employing sophisticated extortion strategies and growing their affiliate networks.
Increased Transparency: More organizations are disclosing ransomware attacks, both to comply with regulations and to maintain trust. However, not all attacks become public, making it difficult to gauge the full scale of ransomware threats.
Double and Triple Extortion: Ransomware groups are demanding payments for multiple aspects, such as encrypted data, decryption keys, and even to avoid additional attacks like DDoS or direct contact with clients and partners.
Law Enforcement and International Efforts:
Law enforcement action against groups like LockBit continued throughout 2024, yet the group remained active, which shows why international cooperation is proving critical. For example, a Russian-Israeli national was charged with developing and running the LockBit ransomware operation, marking a significant step in cross-border efforts to combat ransomware.
Key Takeaways for Organizations:
- Defense in Depth: Implement proactive security measures, such as strong access controls, regular patching, and secure backups.
- Threat Intelligence: Stay informed about new ransomware groups and their tactics, focusing on those targeting your industry.
- Managing Attack Surface: Regularly scan and monitor your external-facing services, manage cloud environments, and prioritize patches for known vulnerabilities to limit attackers’ opportunities.
How to Protect Against Ransomware Attacks
1. Keep Software Updated
Ensure that all your software, including operating systems and applications, is regularly updated. This helps to patch known vulnerabilities that could be exploited by ransomware attackers.
2. Install Antivirus Software
Having reputable antivirus software installed on all devices provides an additional layer of defense by identifying and blocking malicious programs before they can cause harm.
3. Be Cautious with Emails and Pop-Ups
Ransomware often spreads through phishing emails or malicious pop-ups. Avoid clicking on unknown links or opening attachments from unfamiliar sources. Be skeptical of emails that ask for personal information or offer unsolicited deals.
4. Create Regular Backups
Ensure that your data is regularly backed up, preferably to an external or cloud storage service that is disconnected from your primary network. This is crucial for restoring your files in case of an attack.
5. Develop a Security Plan for Your Business
It’s essential for businesses to have a comprehensive cybersecurity plan that includes employee training, defined roles in the event of an attack, and quick response protocols.
What to Do If You’re Already Infected
If you fall victim to a ransomware attack, the first thing to do is to disconnect the infected device from the network to prevent the ransomware from spreading. Then, report the incident to local law enforcement, as they may be able to help with the investigation.
Consider consulting with a data recovery expert who specializes in ransomware attacks. There may be new decryption tools available that can help unlock your files.
While paying the ransom is sometimes considered, it’s important to note that paying does not guarantee that you will regain access to your files, and many ransomware groups may ignore your requests even after payment. For example, in the WannaCry attack, many victims who paid did not get their data back because the criminals could not keep up with the volume of payments they received.
Preventive Measures and Incident Response
Ransomware attacks typically begin with gaining access to a system, followed by identifying valuable data and credentials to spread across the network. The attackers then encrypt the data and often delete backups to make recovery more difficult, leaving a ransom note behind.
Protective Measures:
- Defense in Depth: Implement multiple layers of protection to safeguard against attacks.
- Secure Email and Web Gateways: These help block phishing attempts and malicious web traffic.
- Network and Server Monitoring: Regularly monitor for any unusual activity or anomalies that could indicate an attack.
- Backup Practices: Always have tested backups stored on devices disconnected from the network, ensuring recovery in case of an attack.
- Regular Patching: Stay up to date with the latest security patches for all software and hardware.
- Security Awareness Training: Educate employees about common attack vectors and best security practices.
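The monitoring and backup items above are easier to act on with a concrete check. The following is an added example, not code from the case study: a small heuristic that scans constructed file-event log lines (assumed format: epoch, process, action, path) and flags the two behaviours the text describes, a burst of files rewritten to an unfamiliar extension and the creation of a ransom-note-like file. Thresholds and the sample log are assumptions chosen for illustration.

```python
import os
from collections import defaultdict, deque

# Assumed tuning values for the heuristic (not from the original study).
WINDOW_SECONDS = 10      # sliding window per process
BURST_THRESHOLD = 20     # file changes inside the window that trigger an alert
COMMON_EXTS = {".docx", ".xlsx", ".pdf", ".txt", ".jpg", ".png"}
NOTE_KEYWORDS = ("readme", "decrypt", "restore", "recover")


def build_sample_log():
    """Constructed sample log: normal user activity plus a rename burst to .locked
    by one process, followed by a dropped ransom note."""
    lines = [
        "1700000000 explorer.exe WRITE C:/Users/alice/Documents/report.docx",
        "1700000003 winword.exe WRITE C:/Users/alice/Documents/notes.txt",
    ]
    for i in range(25):  # 25 renames spread over 5 seconds
        lines.append(f"{1700000010 + i // 5} svc.exe RENAME "
                     f"C:/Users/alice/Documents/file{i}.docx.locked")
    lines.append("1700000016 svc.exe CREATE C:/Users/alice/Documents/README_DECRYPT.txt")
    lines.append("1700000020 explorer.exe WRITE C:/Users/alice/Pictures/holiday.jpg")
    return "\n".join(lines)


def parse_line(line):
    ts, proc, action, path = line.split(" ", 3)
    return int(ts), proc, action, path


def detect(log_text):
    """Return a list of (timestamp, process, reason) alerts for ransomware-like activity."""
    alerts = []
    windows = defaultdict(deque)   # process -> deque of (timestamp, extension)
    already_flagged = set()
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, proc, action, path = parse_line(raw)
        name = os.path.basename(path).lower()
        # Ransom notes are usually plain files dropped with a tell-tale name.
        if action == "CREATE" and any(k in name for k in NOTE_KEYWORDS):
            alerts.append((ts, proc, f"ransom-note-like file created: {name}"))
            continue
        if action not in ("WRITE", "RENAME"):
            continue
        ext = os.path.splitext(path)[1].lower()
        q = windows[proc]
        q.append((ts, ext))
        while q and ts - q[0][0] > WINDOW_SECONDS:   # drop events outside the window
            q.popleft()
        if len(q) >= BURST_THRESHOLD and proc not in already_flagged:
            unusual = sum(1 for _, e in q if e not in COMMON_EXTS)
            # A burst alone could be a legitimate batch job; require most of the
            # changes to land on an extension the environment does not normally use.
            if unusual >= BURST_THRESHOLD // 2:
                already_flagged.add(proc)
                alerts.append((ts, proc, f"{len(q)} file changes in {WINDOW_SECONDS}s, "
                                         f"{unusual} to unusual extension"))
    return alerts
```

In a real deployment the same logic would run over file-audit or EDR telemetry rather than a constructed string, and a hit is a trigger to isolate the host, as the response steps below describe.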
Steps for Responding to a Ransomware Attack:
If you become a victim of ransomware, swift action is critical to limit damage and restore operations. Follow these steps:
- Isolate the Infected Device: Disconnect the infected device from the network to prevent the spread of the malware.
- Disconnect Other Suspicious Devices: Any other devices showing signs of infection should be disconnected immediately.
- Assess the Damage: Take stock of all affected systems to understand the full scope of the attack.
- Identify the Entry Point: Check for alerts from monitoring systems and identify the specific ransomware strain involved.
- Report to Authorities: In most regions, reporting a ransomware attack is mandatory. Authorities may assist with investigations.
- Prioritize System Restoration: Focus on restoring the most critical systems first, ensuring any active threats are removed.
- Restore from Backup: If backups are available, restore the affected systems. If not, look for decryption options.
- Rebuild if Necessary: In the absence of backups or decryption keys, you may need to rebuild your systems from scratch.
By being proactive with security measures and having a plan for responding to incidents, businesses and individuals can reduce the risk and impact of ransomware attacks.
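Because attackers delete or encrypt reachable backups before dropping the note, the "Restore from Backup" step only works if the copy is known to be intact. The following is an added example, not code from the case study: it records a SHA-256 manifest of a backup set (to be kept off the backup media), then checks a copy against it and reports missing, modified and unexpected files. The demo scenario with a tampered backup directory is constructed for illustration.

```python
import hashlib
import os
import tempfile


def build_manifest(root):
    """Map each file's path (relative to root, '/'-separated) to its SHA-256."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            manifest[rel] = h.hexdigest()
    return manifest


def verify_backup(manifest, backup_root):
    """Compare a backup copy against a trusted manifest.

    Returns a dict with sorted lists of missing, modified and extra paths, plus
    'ok', which is True only when nothing the manifest lists is missing or changed."""
    current = build_manifest(backup_root)
    missing = sorted(set(manifest) - set(current))
    modified = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    extra = sorted(set(current) - set(manifest))
    return {"missing": missing, "modified": modified, "extra": extra,
            "ok": not (missing or modified)}


def demo():
    """Constructed scenario: take a manifest of a clean backup, then simulate what
    encrypting ransomware does to a reachable copy and verify it again."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = os.path.join(tmp, "backup")
        os.makedirs(os.path.join(backup, "docs"))
        sample_files = {"docs/report.docx": b"quarterly report", "db.sqlite": b"sqlite data"}
        for name, data in sample_files.items():
            with open(os.path.join(backup, name), "wb") as f:
                f.write(data)
        manifest = build_manifest(backup)          # store this away from the backup
        clean_result = verify_backup(manifest, backup)

        # One file overwritten with different bytes, one renamed to a new extension.
        with open(os.path.join(backup, "db.sqlite"), "wb") as f:
            f.write(b"\x00garbage")
        os.rename(os.path.join(backup, "docs", "report.docx"),
                  os.path.join(backup, "docs", "report.docx.locked"))
        tampered_result = verify_backup(manifest, backup)
        return clean_result, tampered_result


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean backup ok:", clean["ok"])
    print("tampered backup:", tampered)
```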
Conclusion
Ransomware attacks have significantly evolved over time, becoming more sophisticated and targeting larger organizations rather than just individuals. Initially, these attacks focused on single extortion methods, but now, many ransomware groups use triple extortion techniques, demanding not only payment for data decryption but also threatening to release or sell stolen data. As attackers have shifted their focus to high-value organizations with large amounts of sensitive data, the frequency and severity of these attacks have escalated.
The rise of ransomware incidents has been exponential, especially in recent years. Although there was a slight decrease in attacks in 2022, the damage caused by these attacks has grown. The volume of data compromised and the ransom demands continue to increase as attackers target more valuable entities.
To counter these threats, various detection methods are being developed, including analyzing API calls and utilizing machine learning to identify malicious patterns. Different ransomware groups employ distinct tactics and focus on different types of organizations, each adding complexity to the threat landscape.
However, despite the challenges, the key to preventing ransomware attacks lies in proactive security measures and awareness. Regular updates, backup practices, and employee training are essential to reduce the risk of falling victim to these attacks. In conclusion, while ransomware attacks continue to pose a significant risk to both individuals and organizations, a combination of proper security measures, awareness, and response protocols can mitigate the potential damage. The WannaCry ransomware attack of 2017 remains one of the most catastrophic examples of how devastating these attacks can be when the right preventive measures are not in place.

