Pillar 1 – Ransomware & cybercrime

What Is Ransomware? Attacks, Trends, and Real-World Cases

Ransomware has evolved into one of the most damaging and profitable forms of cybercrime. From global enterprises to small businesses, no organisation is immune. Modern ransomware attacks are no longer just about encrypting files—they involve data theft, extortion, and sophisticated intrusion techniques.

This guide explains how ransomware works, how attackers gain access, and what recent real-world cases reveal about the evolving threat landscape.

What Is Ransomware?

Ransomware is a type of malware that blocks access to systems or data -typically by encrypting files -and demands payment (a ransom) for restoration.

Modern ransomware operations often include:

Double extortion (data encryption + data leak threats)
Triple extortion (adding DDoS or customer pressure)
Ransomware-as-a-Service (RaaS) models

How Ransomware Attacks Work

A typical ransomware attack follows a structured lifecycle:

1. Initial Access

Attackers gain entry through:

Phishing emails
Compromised credentials
Exposed remote services (e.g., RDP)
Malicious USB devices or downloads

2. Privilege Escalation & Lateral Movement

Once inside, attackers:

Escalate privileges
Move across the network
Disable security controls

3. Data Exfiltration

Sensitive data is stolen before encryption begins.

4. Encryption & Ransom Demand

Files are encrypted, and victims are pressured to pay—often in cryptocurrency.

Common Entry Points for Ransomware

Remote Access Exploits

RDP vulnerabilities remain a top ransomware entry vector
Weak configurations and phishing via .rdp files increase risk

Physical & Hardware-Based Attacks

Malicious USB devices can deliver payloads
Hardware-level attacks can bypass traditional defenses

Related: USB security risks

Network-Based Attacks

Man-in-the-middle (MITM) attacks can intercept credentials
Wi-Fi exploitation can lead to initial access

Related: AirSnitch Wi-Fi attack

Exploit Kits & Malware Delivery

Advanced exploit kits target vulnerabilities across devices
Often used as initial infection vectors for ransomware

Related: Coruna iOS exploit kit

Real-World Ransomware: LockBit Case Study

LockBit is one of the most active ransomware groups in recent years and a prime example of how modern ransomware operates.

Key characteristics:

Operates as a RaaS platform
Uses automated attack tooling
Targets large enterprises and infrastructure
Frequently leaks stolen data to increase pressure

Lessons from LockBit attacks:

Speed and automation are increasing
Data theft is now standard practice
Even large organisations are vulnerable

Ransomware in the Wider Threat Landscape

Government and law enforcement reports consistently highlight ransomware as a top-tier threat.

Key trends include:

Growth in organised cybercrime groups
Increased targeting of critical infrastructure
Expansion of cybercrime marketplaces

Related: NCA Strategic Assessment

How to Protect Against Ransomware

Effective ransomware defence requires a layered approach:

Technical Controls

Patch systems regularly
Disable unnecessary remote access
Use endpoint detection and response (EDR)

Identity & Access Security

Adopt passwordless authentication (passkeys)
Enforce multi-factor authentication (MFA)
Monitor for credential misuse

Network Security

Segment networks
Monitor traffic for anomalies
Restrict lateral movement

Backup & Recovery

Maintain offline backups
Test recovery procedures regularly

The Future of Ransomware

Ransomware is evolving toward:

Fully automated attack chains
AI-assisted phishing and exploitation
Increased targeting of supply chains
Greater use of stealth and persistence

Defending against ransomware requires continuous adaptation, not one-time fixes.

Final Thoughts

Ransomware is no longer just a technical issue – it’s a business risk, a national security concern, and a constantly evolving threat.

By understanding how attacks work – and learning from real-world cases – you can significantly reduce your risk.