Ransomware
Malware that encrypts victim files and demands cryptocurrency ransoms, now present in 44% of global data breaches and the primary revenue engine for state-linked criminal networks.
What it is
Ransomware is malicious software that encrypts a victim's files or systems and withholds the decryption key until a ransom is paid, almost always in cryptocurrency. Developers sell or lease the malware and supporting infrastructure to affiliates who conduct the actual attacks, splitting proceeds roughly 70-30 in the affiliate's favor. This ransomware-as-a-service (RaaS) model made large-scale extortion accessible to less technically sophisticated actors and drove most of the volume growth from 2016 onward. Primary targets have shifted from individual consumers to enterprises, hospitals, and critical infrastructure operators, where encryption means operational paralysis and the pressure to pay is highest. Ransom demands range from tens of thousands to tens of millions of US dollars per incident.
History
The first ransomware, the AIDS Trojan written by biologist Joseph Popp, appeared on floppy disks distributed at a 1989 WHO conference in Stockholm and demanded US$189 sent to a Panama post-office box. The mechanism lay dormant for two decades. CryptoLocker, launched in September 2013, was the first modern iteration: RSA-2048 encryption, Bitcoin payment, an estimated US$3m in revenue before its botnet infrastructure was seized in May 2014 by a US-led international operation.
WannaCry in May 2017 became the first ransomware with formal government attribution. The US and UK governments blamed North Korea's Lazarus Group for weaponizing EternalBlue, a US National Security Agency exploit stolen and leaked by the Shadow Brokers; the resulting worm encrypted more than 200,000 machines in 150 countries and hit the UK National Health Service hard. NotPetya followed in June 2017, attributed to Russia's GRU. Technically a destructive disk wiper disguised as ransomware, it was deployed via a Ukrainian accounting software update and caused an estimated US$10bn in global damage.
Double extortion, threatening to publish stolen data on a "leak site" alongside encrypting it, was pioneered by the Maze criminal group in late 2019. Landmark incidents include Colonial Pipeline (May 2021, US$4.4m paid to DarkSide, US East Coast fuel supply disrupted for six days) and JBS Foods (June 2021, US$11m paid to REvil). LockBit was disrupted in February 2024 under Operation Cronos, a US FBI and UK National Crime Agency action coordinated by Europol.
Current state
As of mid-2026, ransomware is reconsolidating after years of fragmentation. The top 10 criminal groups drove 71.1% of all attributed victims in Q1 2026, the highest concentration since early 2024, per "Ransomware reconsolidates around Qilin and 'The Gentlemen', healthcare sector targeted". Qilin led with 338 victims for the quarter; "The Gentlemen" (tracked as LARVA-368) emerged as the fastest-scaling newcomer, a Qilin splinter that has claimed nearly 300 victims across 66 countries since its mid-2025 founding. The Verizon 2025 Data Breach Investigations Report found ransomware present in 44% of all confirmed breaches globally, a 37% rise year-on-year. The US FBI Internet Crime Complaint Center received 3,611 ransomware reports in 2025. The median ransom paid was US$115,000, and 64% of victims refused to pay. Healthcare is the sector under the most acute pressure, with attacks rising roughly 10% year-on-year.
Relationships
Ransomware depends on an upstream supply chain of credential-stealing loaders and infostealers, including Amadey and StealC, which supply the initial-access credentials affiliates buy to enter target networks; that supply chain was disrupted in June 2026 by Operation Endgame, a Europol-coordinated action that took down 326 servers and froze EUR 41m in criminal cryptocurrency. Extortion proceeds route through cryptocurrency exchanges; the Russia-linked Garantex and its successor Grinex served as a primary off-ramp for ransomware affiliates until US Treasury sanctions and an alleged hack forced Grinex to halt in April 2026. North Korea's state apparatus runs ransomware both as a revenue tool and alongside direct cryptocurrency heists, tracked in "North Korean Lazarus crypto theft exceeds US$2bn, US Treasury targets IT-worker money launderers". The dominant groups in 2026 operate from Russian-speaking jurisdictions, shielded by the absence of extradition treaties and a history of Russian state tolerance of cybercrime against Western targets.
What to watch
Whether Operation Endgame-style disruptions of infostealer infrastructure raise affiliate costs structurally or whether new loaders reconstitute within months. The growth trajectory of Qilin splinter groups through H2 2026. Proposed US and EU legislation mandating ransom-payment reporting, which would close the significant gap between IC3-reported losses and true economic damage. Healthcare victim counts, where operational disruption endangers patients directly. Whether cryptocurrency laundering routes reconstitute after the Garantex/Grinex collapse and what successor platforms emerge.