Ransomware: Types, detection, and defense

Key insights

  • Ransomware caused an estimated $57 billion in global damages in 2025, with 85 active groups representing a record-high fragmentation of the threat landscape (Check Point Research, 2025)
  • Compromised VPN credentials now account for 48% of ransomware attacks, making identity-based initial access the dominant entry vector (HIPAA Journal, Q3 2025)
  • Data exfiltration occurs in 76% of ransomware incidents before encryption begins, making every ransomware attack effectively a data breach (Deepstrike, 2025)
  • Recovery times have improved dramatically — 56% of organizations now recover within one week, compared to 33% the year prior (Sophos, 2025)
  • The FBI recommends against paying ransoms, as only 46% of paying victims recover their data and 80% experience subsequent attacks (CSO Online, 2025)

In Q3 2025, 85 ransomware groups operated simultaneously, the highest count ever recorded, while damages reached $57 billion globally (Check Point Research, 2025; Cybersecurity Ventures, 2025). In March 2026 alone, three groups, Qilin, Akira, and DragonForce, accounted for 40% of 672 recorded incidents in a single month (Infosecurity Magazine, 2026).

This guide provides security professionals, SOC analysts, and CISOs with current intelligence on how ransomware works, which threat actors pose the greatest risk, and what defensive measures actually reduce exposure. Whether you are building detection capabilities, refining incident response procedures, or briefing leadership on organizational risk, the information here reflects threat research and defensive best practices from the FBI, CISA, and MITRE ATT&CK.

What is ransomware?

Ransomware is a type of malicious software that encrypts files on a victim's device or network and demands a ransom payment, typically in cryptocurrency, to restore access. According to the FBI, ransomware prevents access to computer files, systems, or networks until payment is made.

CISA defines ransomware as malware that encrypts files on a device, rendering the files and the systems that depend on them unusable. The operational consequence goes beyond locked files: ransomware disrupts the business processes that depend on that data.

According to Cybersecurity Ventures, global ransomware damages reached $57 billion in 2025, approximately $156 million per day. These costs extend far beyond ransom payments to include business disruption, recovery expenses, reputational damage, and regulatory penalties.

Modern ransomware operators conduct reconnaissance, establish persistence, and exfiltrate sensitive data before deploying encryption. This transforms each ransomware incident into a potential data breach with long-term consequences for affected organizations.

How ransomware differs from other malware

Ransomware differs from other malware primarily because it makes itself known to the victim. While spyware, trojans, and viruses typically operate covertly, stealing data, establishing backdoor access, or corrupting files without announcement, ransomware demands payment through explicit ransom notes. This visibility is deliberate: the cyberattack must be recognized before the victim can be pressured to pay.

Each malware type differs in purpose, visibility, and how attackers profit from it.

Malware type   Primary purpose           Visibility                Financial model
-------------  ------------------------  ------------------------  ----------------------
Ransomware     Extortion via encryption  Explicit (ransom demand)  Direct payment demand
Spyware        Data theft                Hidden                    Indirect (data sales)
Trojan         Remote access             Hidden                    Varies
Worm           Self-propagation          Often visible             Varies
Virus          File corruption           Often visible             Varies

Financial incentive drives constant adaptation: the shift from phishing-dominated entry in 2023 to compromised VPN credentials accounting for 48% of attacks by Q3 2025 shows how quickly operators change methods when defenders close one vector.

How ransomware works

Modern ransomware attacks follow a five-stage sequence, and defenders can disrupt each one. Mapping detection controls to each stage is what separates organizations that catch attackers before encryption from those that discover the damage after.

A typical ransomware attack proceeds through the following five stages:

  1. Initial access — attackers gain entry through phishing, compromised credentials, or exploited vulnerabilities
  2. Lateral movement — malware spreads across the network while harvesting additional credentials
  3. Privilege escalation — attackers obtain administrative rights to maximize impact
  4. Data exfiltration — sensitive information is stolen before encryption and used as leverage for double extortion
  5. Encryption and ransom demand — files are encrypted and the victim receives payment instructions

Each stage maps to a distinct detection opportunity, and a distinct failure point.

Ransomware attack vectors and initial access

According to HIPAA Journal, compromised VPN credentials accounted for 48% of ransomware attacks in Q3 2025, up from 38% in Q2. This represents a fundamental change from earlier years when phishing dominated initial access.

Credential-based entry has overtaken phishing, exploitation, and every other ransomware delivery method.

Initial access vector          Q3 2025 share  Trend
-----------------------------  -------------  ----------
Compromised VPN credentials    48%            Increasing
External service exploitation  23%            Stable
Phishing / social engineering  ~15%           Decreasing
Compromised RDP credentials    ~6%            Stable
Supply chain attacks           ~6%            Increasing

The shift reflects both the widespread availability of stolen credentials on criminal marketplaces and the effectiveness of initial access brokers, specialists who compromise systems and sell access to ransomware operators. These brokers use infostealers to harvest credentials at scale.

External service exploitation accounts for another 23% of attacks, with recent campaigns targeting vulnerabilities in VPN appliances (CVE-2024-40766 in SonicWall), Citrix NetScaler devices (CVE-2025-5777), and enterprise software like Oracle E-Business Suite (CVE-2025-61882).

Lateral movement and data exfiltration

Once inside a network, ransomware operators begin moving laterally within 48 minutes on average. The fastest observed cases show full network propagation in just 18 minutes (Vectra AI research). Defenders have less than an hour, sometimes less than 20 minutes, to detect and contain the spread before the attacker controls the environment.

Attackers use legitimate administrative tools and credentials to move laterally, making their activity difficult to distinguish from normal network operations without behavioral analysis.

According to Deepstrike, 76% of 2025 ransomware attacks involved data exfiltration before encryption, making nearly every ransomware incident a data breach by the time encryption begins. This enables double extortion: even if victims restore from backups, attackers threaten to publish stolen data.

Common tools observed during the exfiltration phase include:

  • Rclone and Rsync for cloud storage transfers
  • Cobalt Strike for command and control
  • Mimikatz for credential harvesting
  • FTP/SFTP for bulk data transfer

MITRE ATT&CK mapping for ransomware

MITRE ATT&CK catalogs the specific techniques ransomware operators use, from credential abuse (T1078) to encryption for impact (T1486). The primary ransomware technique is T1486, Data Encrypted for Impact, categorized under the Impact tactic.

Six techniques appear in the majority of ransomware operations, spanning from initial credential abuse through defense evasion to final encryption.

Technique ID  Name                               Tactic                       Ransomware relevance
------------  ---------------------------------  ---------------------------  ----------------------------
T1486         Data Encrypted for Impact          Impact                       Primary ransomware technique
T1078         Valid Accounts                     Initial Access, Persistence  Entry via credential abuse
T1021         Remote Services                    Lateral Movement             Spread via RDP and SMB
T1003         OS Credential Dumping              Credential Access            Privilege escalation
T1059         Command and Scripting Interpreter  Execution                    Payload deployment
T1562         Impair Defenses                    Defense Evasion              EDR-disabling tools

Over 70 ransomware families are mapped to specific ATT&CK techniques. Running this mapping against deployed detections reveals exactly where coverage exists and where it does not, a process that enables focused threat hunting against known gaps.
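The coverage check described above, written out as an added example (not Vectra AI's or MITRE's code): the six technique IDs come from the table, while the detection-rule names and the rule-to-technique mapping are constructed for illustration.

```python
"""Coverage-gap check of deployed detections against the ransomware
ATT&CK techniques listed above. Rule names are hypothetical."""
from collections import defaultdict

# Ransomware techniques from the table above, with the tactic(s) each sits under.
RANSOMWARE_TECHNIQUES = {
    "T1486": ("Data Encrypted for Impact", ["Impact"]),
    "T1078": ("Valid Accounts", ["Initial Access", "Persistence"]),
    "T1021": ("Remote Services", ["Lateral Movement"]),
    "T1003": ("OS Credential Dumping", ["Credential Access"]),
    "T1059": ("Command and Scripting Interpreter", ["Execution"]),
    "T1562": ("Impair Defenses", ["Defense Evasion"]),
}

# Constructed inventory of deployed detection rules, each tagged with the
# technique IDs it is meant to cover (hypothetical rule names).
DEPLOYED_RULES = {
    "edr-lsass-access": ["T1003"],
    "ndr-rdp-fanout": ["T1021"],
    "siem-mass-file-rename": ["T1486"],
    "ndr-smb-write-burst": ["T1486", "T1021"],
    "edr-powershell-encoded": ["T1059"],
}


def coverage_report(techniques, rules):
    """Return (covered, gaps, thin): covered maps technique -> rule names,
    gaps lists techniques with no rule at all, and thin lists techniques
    covered by exactly one rule (a single point of failure if it is tuned out)."""
    covered = defaultdict(list)
    for rule, ids in rules.items():
        for tid in ids:
            if tid in techniques:          # ignore rules outside the ransomware set
                covered[tid].append(rule)
    gaps = sorted(t for t in techniques if t not in covered)
    thin = sorted(t for t, r in covered.items() if len(r) == 1)
    return dict(covered), gaps, thin


def tactic_gaps(techniques, gaps):
    """Group uncovered techniques by tactic so a gap reads as a kill-chain
    stage ('no coverage for Initial Access') rather than a bare ID list."""
    by_tactic = defaultdict(list)
    for tid in gaps:
        for tactic in techniques[tid][1]:
            by_tactic[tactic].append(tid)
    return dict(by_tactic)


if __name__ == "__main__":
    covered, gaps, thin = coverage_report(RANSOMWARE_TECHNIQUES, DEPLOYED_RULES)
    for tid in gaps:
        print(f"GAP  {tid} {RANSOMWARE_TECHNIQUES[tid][0]}")
    for tid in thin:
        print(f"THIN {tid} covered only by {covered[tid][0]}")
    for tactic, ids in tactic_gaps(RANSOMWARE_TECHNIQUES, gaps).items():
        print(f"stage without coverage: {tactic} ({', '.join(ids)})")
```

With the constructed inventory the report shows no coverage for credential-based entry (T1078) or defense impairment (T1562), exactly the kind of gap the text says focused threat hunting should target.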

Types of ransomware

Ransomware now comes in several distinct categories, each with different encryption methods, extortion tactics, and business models.

Encrypting ransomware vs. locker ransomware

Ransomware splits into two primary categories: encrypting ransomware (crypto-ransomware) and locker ransomware.

Encrypting ransomware encrypts individual files and data on infected devices. According to Keeper Security, victims can still use their devices but cannot access encrypted files without the decryption key. Modern encrypting ransomware uses strong encryption algorithms including AES-256, ChaCha20, and RSA-2048 that are computationally infeasible to break.

Locker ransomware (screen lockers) takes a different approach, locking users out of their entire systems rather than encrypting individual files. According to Check Point, locker variants prevent any access to the device until payment is made. While locker ransomware was more common in ransomware's early history, encrypting ransomware dominates today due to its greater impact and harder recovery path.

Recovery, response, and backup strategies differ significantly between the two.

Type                   What it does             Users can still...                          Recovery without paying
---------------------  -----------------------  ------------------------------------------  -----------------------
Encrypting ransomware  Encrypts files           Use the device and access unencrypted data  Restore from backups
Locker ransomware      Locks the entire system  Nothing                                     Re-image the system

Double and triple extortion ransomware

Most ransomware attacks now combine encryption with data theft, and some add DDoS attacks and third-party threats on top.

Double extortion ransomware combines data encryption with data theft. Attackers first exfiltrate sensitive information, then encrypt systems. If victims restore from backups without paying, attackers threaten to publish or sell the stolen data. According to Arctic Wolf, 96% of ransomware incident response cases in 2025 involved data exfiltration, making double extortion the norm rather than the exception.

Triple extortion ransomware adds additional pressure tactics beyond encryption and data theft:

  • Threatening to contact the victim's customers, partners, or patients about the breach
  • Launching DDoS attacks against the victim's infrastructure
  • Making extortion demands against third parties based on the stolen data

The result is overlapping harm: operational disruption from encryption, breach notification obligations from exfiltration, and reputational damage from public leak threats, all applied simultaneously.

What is ransomware-as-a-service (RaaS)?

According to IBM, ransomware-as-a-service (RaaS) is a business model where ransomware developers sell or lease their malware to affiliates who conduct the actual attacks. The model has industrialized ransomware, turning it from a technical crime into a franchise operation.

RaaS operators provide affiliates with:

  • Ready-to-deploy ransomware payloads
  • Management panels for victim administration
  • Payment processing infrastructure
  • Negotiation support and victim communication tools
  • Technical support and updates

In exchange, affiliates share ransom proceeds with the RaaS operators. According to Flashpoint, typical affiliate revenue shares range from 70–85% of ransom payments, with Qilin offering an industry-leading 85% share to attract affiliates.

Criminals with no technical expertise can now deploy professional-grade ransomware, which is why the number of active groups hit 85 in Q3 2025.

The ransomware threat landscape

A record 85 ransomware groups operated simultaneously in Q3 2025. Between January and September, 4,701 incidents were recorded globally, a 46% increase over the same period in 2024. The fragmentation follows law enforcement disruptions of major groups and reflects the ease with which new groups can launch using RaaS infrastructure.

In March 2026 alone, 672 ransomware incidents were reported, with just three groups (Qilin, Akira, and DragonForce) responsible for 40% of the total.

Most active ransomware groups in 2025

Group        Status                       2025 activity                      Notable characteristics
-----------  ---------------------------  ---------------------------------  ------------------------------------------
Qilin        #1 most active               75+ victims per month              85% affiliate share; supply chain focus
Akira        Top 3                        $244.17 million in proceeds        Targets SMBs and critical infrastructure
Medusa       Active                       300+ victims (as of February 2025) Critical infrastructure targeting
DragonForce  Rising                       Growing rapidly                    Low profit-share requirement
LockBit 5.0  Re-emerged (September 2025)  15+ victims after relaunch         Recovery from law enforcement action
RansomHub    Defunct (April 2025)         Ceased operations                  Affiliates migrated to other groups

Qilin emerged as the dominant ransomware group, processing over 75 victims monthly by Q3 2025. The group's 85% affiliate revenue share, higher than competitors, has attracted skilled affiliates from disbanded operations. Notably, North Korean threat actors deployed Qilin payloads in March 2025, indicating nation-state collaboration with criminal ransomware operations.

Akira accumulated $244.17 million in proceeds as of late September 2025, according to CISA advisories. The group targets SMBs and critical infrastructure across manufacturing, education, IT, healthcare, and financial services.

LockBit re-emerged with version 5.0 in September 2025 despite significant law enforcement pressure including Operation Cronos. While diminished from its peak, the group's persistence demonstrates the resilience of well-established RaaS operations.

High-profile case studies

Change Healthcare (2024–2025): The ALPHV/BlackCat attack on Change Healthcare represents the largest healthcare data breach in U.S. history. According to AHA, approximately 192.7 million individuals were affected, with total costs estimated at $3 billion. The root cause was compromised credentials for a Citrix server without multi-factor authentication, a basic security control failure with catastrophic consequences.

Qilin "Korean Leaks" Campaign (September 2025): According to The Hacker News, Qilin compromised a single managed service provider (GJTec) and used that access to attack 28 downstream organizations, including 24 in South Korea's financial sector. Over 1 million files and 2TB of data were exfiltrated. This supply chain attack demonstrates how a single MSP compromise can amplify ransomware impact exponentially.

Clop Oracle EBS Campaign (November 2025): According to Z2Data, the Clop ransomware group exploited CVE-2025-61882 (CVSS 9.8) in Oracle E-Business Suite to compromise over 100 companies including Broadcom, Estee Lauder, Mazda, Canon, Allianz UK, and the Washington Post. The campaign followed the same mass-exploitation playbook Clop used against MOVEit in 2023, same group, same tactic, different vulnerability.

Industry impact statistics

Healthcare was the top ransomware target in 2025, with 460 attacks and 182 data breaches reported to the FBI, a combined 642 cyber events (IC3 2025 Annual Report, published April 2026). Financial services was the second-highest sector at 447 total events.

The concentration of attacks on specific industries reflects both the value of the data they hold and the operational pressure that makes victims more likely to pay.

Sector              2025 attack share            Year-over-year change  Key statistics
------------------  ---------------------------  ---------------------  --------------------------------------------------------
Healthcare          #1 targeted (FBI IC3 2025)   Increasing             642 total cyber events; 88 distinct threat groups targeting the sector
Manufacturing       26% of listed victims        +61%                   23.1% of insurance claims
Education           180 attacks (Q1–Q3 2025)     +69% in Q1             4,388 attacks per week in Q2
Financial services  #2 targeted (FBI IC3 2025)   Stable                 447 total cyber events; 15.4% of insurance claims

According to Verizon DBIR analysis, 88% of data breaches at SMBs involve ransomware, compared to 39% for large organizations. Without dedicated security resources and incident response capabilities, 60% of attacked small businesses close within six months.

How to detect and prevent ransomware

Three distinct control layers (prevention, detection, and response) separate organizations that recover from ransomware from those that do not. Prevention is the cheapest layer. Detection and response determine the outcome once an attacker is already inside.

12 essential ransomware prevention controls

CISA's #StopRansomware Guide defines the baseline controls every organization should deploy. These 12 controls address the most common attack vectors and reduce exposure across the ransomware kill chain.

Priority controls (implement immediately):

  1. Prioritize remediating known exploited vulnerabilities, focusing on CISA KEV catalog entries
  2. Enable and enforce phishing-resistant multi-factor authentication on all externally facing services
  3. Maintain regular offline, encrypted backups and test restoration procedures

Additional technical controls:

  4. Implement zero trust architecture principles for network access
  5. Segment the network to limit lateral movement opportunities
  6. Disable SMBv1 and upgrade to SMBv3 with encryption enabled
  7. Centralize logging with SIEM and minimum 12-month retention
  8. Restrict PowerShell execution via Group Policy
  9. Deploy EDR, NDR, or XDR solutions with real-time detection capabilities
  10. Require passwords of at least 15 characters
  11. Separate administrative accounts from day-to-day user accounts
  12. Reduce attack surface by disabling unnecessary services

The 48% share of attacks using compromised VPN credentials makes three actions urgent: audit VPN configurations, enforce MFA on all remote access, and evaluate zero-trust network access as a VPN replacement.

Backup strategies for ransomware resilience

The 3-2-1-1-0 backup rule, as detailed by Veeam, provides ransomware-resilient data protection:

  • 3 copies of the data (primary + 2 backups)
  • 2 different storage media types
  • 1 copy stored offsite
  • 1 copy immutable or air-gapped
  • 0 errors after verification testing

Immutable storage converts backups to write-once, read-many (WORM) format that cannot be overwritten, changed, or deleted, even by administrators with full credentials. This protects against ransomware that specifically targets backup systems.

Untested backups are not backups. Verifying restoration procedures at least quarterly, and documenting actual recovery times against stated objectives, is the difference between a backup that works and one that merely exists.
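The 3-2-1-1-0 rule and the "untested backups are not backups" caveat, turned into a checker as an added example (not Veeam's or Vectra AI's code). The inventory records and their field names are constructed; an untested copy is recorded as verify_errors = -1 so it fails the "0 errors" criterion rather than passing by default.

```python
"""Evaluate a backup inventory against the 3-2-1-1-0 rule described above.
Added example; field names and the sample inventory are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    name: str
    media: str          # e.g. "disk", "tape", "object-storage"
    offsite: bool
    immutable: bool     # WORM / object lock that admins cannot override
    air_gapped: bool    # physically or logically disconnected copy
    verify_errors: int  # errors from the last restore test; -1 = never tested


def check_3_2_1_1_0(primary: BackupCopy, backups: list) -> dict:
    """Return rule-name -> (passed, detail) for each of the five criteria."""
    copies = [primary] + backups
    media = {c.media for c in copies}
    offsite = [c.name for c in backups if c.offsite]
    locked = [c.name for c in backups if c.immutable or c.air_gapped]
    untested = [c.name for c in backups if c.verify_errors < 0]
    errors = sum(c.verify_errors for c in backups if c.verify_errors > 0)
    return {
        "3 copies": (len(copies) >= 3, f"{len(copies)} copies"),
        "2 media types": (len(media) >= 2, ", ".join(sorted(media))),
        "1 offsite": (len(offsite) >= 1, offsite),
        "1 immutable or air-gapped": (len(locked) >= 1, locked),
        # A copy that was never restore-tested cannot claim zero errors.
        "0 errors": (not untested and errors == 0,
                     f"{errors} errors; never tested: {untested}"),
    }


def failing_rules(result: dict) -> list:
    """Names of the criteria that did not pass, in rule order."""
    return [rule for rule, (ok, _) in result.items() if not ok]


# Constructed sample inventory: an on-site NAS copy plus an object-locked
# cloud copy that has never been restore-tested.
SAMPLE_PRIMARY = BackupCopy("prod-san", "disk", False, False, False, 0)
SAMPLE_BACKUPS = [
    BackupCopy("nas-onsite", "disk", False, False, False, 0),
    BackupCopy("cloud-locked", "object-storage", True, True, False, -1),
]

if __name__ == "__main__":
    for rule, (ok, detail) in check_3_2_1_1_0(SAMPLE_PRIMARY, SAMPLE_BACKUPS).items():
        print(f"{'PASS' if ok else 'FAIL'}  {rule}: {detail}")
```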

Ransomware detection indicators

Every stage of the ransomware attack chain produces network artifacts that signature-based tools miss. Network detection and response reveals the lateral movement, exfiltration, and command and control traffic that endpoint agents never see.

Precursor malware to monitor for:

  • Bumblebee, Dridex, Emotet, Qakbot, and Anchor loaders often precede ransomware deployment
  • Detection of any of these threats should trigger an immediate investigation

Network indicators of ransomware activity:

  • Unusual outbound data transfers on any port (exfiltration)
  • Large data movements using tools such as Rclone, Rsync, or FTP/SFTP
  • C2 callbacks to unknown infrastructure
  • Lateral movement patterns (unusual authentication, service account abuse)
  • DNS tunneling attempts
  • ARP spoofing activity

When a service account authenticates at 3 AM, an admin session transfers 40 GB to an external host, or a user accesses file shares they have never touched, those deviations are the signal.
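The three deviations named above (an off-hours service-account logon, a large transfer to an external host, a first-time file-share access), checked over constructed log records as an added example; this is not Vectra AI's detection logic. The record fields, the business-hours window, the 10 GB threshold, the share baseline, and the RFC 1918-only notion of "internal" are all assumptions.

```python
"""Behavioral checks for the deviations described above, run over constructed
auth, flow and share-access records. Added example; thresholds are assumptions."""
from datetime import datetime
from ipaddress import ip_address, ip_network

BUSINESS_HOURS = range(7, 20)      # 07:00-19:59 local time, assumed
EXFIL_BYTES = 10 * 1024 ** 3       # 10 GB to a single external host, assumed
# Internal address space is assumed to be the RFC 1918 ranges only.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed baseline: shares each user touched during a learning window.
SHARE_BASELINE = {
    "jdoe": {r"\\fs01\finance"},
    "svc_backup": {r"\\fs01\backups", r"\\fs02\backups"},
}

# Constructed sample events (one dict per log line).
EVENTS = [
    {"type": "auth", "ts": "2025-09-14T03:12:40", "user": "svc_backup",
     "src": "10.0.5.20", "logon_type": "interactive"},
    {"type": "auth", "ts": "2025-09-14T09:01:05", "user": "jdoe",
     "src": "10.0.8.41", "logon_type": "interactive"},
    {"type": "flow", "ts": "2025-09-14T03:40:00", "user": "admin.t",
     "src": "10.0.5.20", "dst": "203.0.113.77", "bytes_out": 40 * 1024 ** 3},
    {"type": "flow", "ts": "2025-09-14T10:00:00", "user": "jdoe",
     "src": "10.0.8.41", "dst": "10.0.1.9", "bytes_out": 45 * 1024 ** 3},
    {"type": "share", "ts": "2025-09-14T03:20:10", "user": "svc_backup",
     "share": r"\\fs01\finance"},
    {"type": "share", "ts": "2025-09-14T09:30:00", "user": "jdoe",
     "share": r"\\fs01\finance"},
]


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def is_service_account(user: str) -> bool:
    return user.startswith("svc_")      # naming convention, assumed


def detect(events, baseline=SHARE_BASELINE):
    """Return (category, user, reason) findings. Outbound bytes are summed per
    (user, destination) so a transfer split across many flows is still caught."""
    findings, outbound = [], {}
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        if e["type"] == "auth":
            if (is_service_account(e["user"]) and e["logon_type"] == "interactive"
                    and ts.hour not in BUSINESS_HOURS):
                findings.append(("credential abuse", e["user"],
                                 f"interactive service-account logon at {ts:%H:%M}"))
        elif e["type"] == "flow":
            if not is_internal(e["dst"]):        # internal transfers are not exfil
                key = (e["user"], e["dst"])
                outbound[key] = outbound.get(key, 0) + e["bytes_out"]
        elif e["type"] == "share":
            if e["share"] not in baseline.get(e["user"], set()):
                findings.append(("lateral movement", e["user"],
                                 f"first access to {e['share']}"))
    for (user, dst), total in outbound.items():
        if total >= EXFIL_BYTES:
            findings.append(("exfiltration", user,
                             f"{total / 1024 ** 3:.0f} GB to external host {dst}"))
    return findings


if __name__ == "__main__":
    for category, user, reason in detect(EVENTS):
        print(f"{category:18} {user:12} {reason}")
```

The 45 GB transfer to an internal address is deliberately not flagged, which is why the external-host check matters more than a raw volume threshold.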

What to do if you are hit by ransomware

If your organization is hit by ransomware, CISA provides immediate response guidance:

  1. Isolate immediately — disconnect affected systems from the network to prevent further spread
  2. Do not reboot or shut down — this can cause additional damage or destroy forensic evidence
  3. Secure backups — disconnect backup systems to prevent their encryption
  4. Document everything — screenshot ransom notes and preserve system state
  5. Assess the scope — identify affected systems and the extent of encryption
  6. Contact authorities — notify the FBI, CISA, and local law enforcement
  7. Check for free decryptors — the No More Ransom Project provides free decryption tools for 100+ ransomware families

Acting within the first hour determines whether the attack stays contained to one segment or spreads across the network.

According to Sophos, 56% of organizations recovered within one week in 2025 — up from 33% in 2024. The gap between organizations that recover in days and those that take months is narrowing.

Recovery timeframe  2025  2024  Change
------------------  ----  ----  ----------
Within one day      16%   7%    +9 points
Within one week     56%   33%   +23 points
One to six months   11%   31%   -20 points

Should you pay a ransomware ransom?

The FBI and CISA do not recommend paying ransoms. The data supports this position:

  • Only 46% of organizations that paid a ransom recovered their data (CSO Online)
  • 93% of those who paid still had their data stolen and at risk of exposure
  • Approximately 80% of organizations that paid were attacked again afterwards
  • Payments fund criminal organizations and encourage future attacks

Victim behavior reflects this guidance. According to Sophos, 63% of ransomware victims refused to pay in 2025, up from 59% in 2024. Meanwhile, 97% of organizations successfully recovered their data through backups or other means, demonstrating that payment is not necessary for recovery.

If you are considering payment, legal counsel and law enforcement engagement should precede any decision. Some payments may violate sanctions regulations, and authorities may have intelligence about the specific threat actor that changes the calculus.

Ransomware compliance and regulatory requirements

NIS2, NIST IR 8374, and proposed UK legislation now mandate ransomware-specific controls and incident reporting timelines. Mapping existing controls to these framework requirements, and generating audit-ready evidence, is an operational necessity, not a governance exercise.

Framework mapping

NIST IR 8374 — Ransomware Risk Management Profile: This NIST publication applies the Cybersecurity Framework's five core functions (Identify, Protect, Detect, Respond, Recover) specifically to ransomware risk. Updated for CSF 2.0 in January 2025, it provides actionable guidance aligned with ISO/IEC 27001:2013 and NIST SP 800-53 Rev. 5.

MITRE ATT&CK Framework: Version 18 of ATT&CK (October 2025) documents over 70 ransomware families and their techniques. Organizations can use ATT&CK to validate detection coverage against known ransomware behaviors and identify capability gaps.

NIS2 Directive (EU): The NIS2 Directive requires essential and important entities across 18 critical sectors to implement ransomware-specific controls. Key requirements include 24-hour early warning for significant incidents and penalties up to EUR 10 million or 2% of global revenue for non-compliance.

Each framework maps to different compliance requirements and operational needs.

Framework      Control/requirement     Ransomware relevance
-------------  ----------------------  ---------------------------------------
NIST IR 8374   CSF 2.0 mapping         Comprehensive ransomware risk management
MITRE ATT&CK   T1486, T1078, T1021     Detection coverage validation
NIS2           24-hour notification    Mandatory breach reporting in the EU
UK (proposed)  72-hour reporting       Mandatory extortion disclosure

Cyber insurance and ransomware

The average ransomware insurance claim reached $1.18 million in 2025, a 17% increase year-over-year (Resilience, 2025). Ransomware accounts for 76% of incurred losses despite representing 56% of claims.

Insurers denied approximately 40% of cyber insurance claims in 2024, often citing "failure to maintain security" exclusions (HIPAA Journal). They are scrutinizing vulnerability management practices, MFA deployment, and backup procedures when evaluating claims.

An emerging concern: the Interlock ransomware group has been observed stealing cyber insurance policies from victims to benchmark ransom demands against coverage limits. When attackers know your coverage ceiling, adequate insurance without corresponding security improvements becomes a liability.

How Vectra AI detects ransomware

Vectra AI approaches ransomware defense through Attack Signal Intelligence, detecting attacker behaviors across the entire attack chain rather than relying on signatures or known indicators. By analyzing network traffic, cloud activity, and identity signals, the platform identifies lateral movement, privilege escalation, and data exfiltration patterns that precede ransomware deployment.

The "Assume Compromise" model starts from the premise that preventive controls will fail, and focuses detection on what happens after initial access. The window between initial access and encryption, often as little as 18 minutes, is where behavioral threat detection catches what signatures miss.

AI-driven detection identifies novel ransomware behaviors without requiring prior knowledge of specific variants. When attackers develop new evasion techniques, behavioral analysis continues to flag the underlying patterns (credential abuse, unusual data access, lateral connection attempts) that remain consistent across campaigns.

Without visibility across identity, cloud, and network layers, attackers reach the encryption stage undetected.

Where most ransomware defenses fall short

Ransomware groups reorganize within weeks of law enforcement disruption, shift attack vectors within quarters, and adopt new extortion tactics within months. Organizations that implement MFA, maintain tested immutable backups, segment networks, and deploy behavioral detection recover faster and avoid paying ransoms.

The path forward starts with honest assessment:

  • Do you have continuous visibility into lateral movement across your hybrid environment?
  • Can your current tools detect credential abuse and privilege escalation before encryption begins?
  • Are your backups truly immutable — and have you tested restoration within the last 90 days?
  • Do you know which MITRE ATT&CK techniques your detection stack covers and where the gaps are?
  • Can you demonstrate compliance readiness with evidence, not documentation alone?

The answers expose the gaps attackers will find first.

Conclusion

Ransomware in 2025 is a mature, sophisticated, and highly fragmented threat that no organization can afford to ignore. With 85 active groups, $57 billion in global damages, and attacks that routinely combine encryption with data theft, the danger has never been greater.

The data shows that prevention and preparation work. Organizations that deploy multi-factor authentication (MFA), maintain tested immutable backups, and segment their networks recover faster and avoid paying ransoms. Organizations that invest in detection capabilities, particularly network-based behavioral detection, catch attackers before encryption begins.

The path forward requires continuous evolution. As ransomware operators develop new techniques and exploit new vulnerabilities, defenders must adapt. Regular validation of detection coverage against MITRE ATT&CK, ongoing security awareness training, and quarterly backup restoration testing build a resilient operational foundation.

For organizations looking to strengthen their ransomware defenses, Vectra AI's Attack Signal Intelligence approach provides detection across the entire attack chain, identifying the behaviors that precede ransomware deployment regardless of the specific malware variant or evasion technique.

Sources and methodology

Statistics and threat intelligence cited in this guide are drawn from the following sources:

  • FBI IC3 2025 Annual Report (published April 2026) — sector-level ransomware attack data
  • Check Point Research, Q3 2025 — active ransomware group counts and attack volumes
  • Infosecurity Magazine, April 2026 — March 2026 incident volumes and group attribution
  • HIPAA Journal, Q3 2025 — initial access vector distribution
  • Sophos State of Ransomware 2025 — recovery times, payment rates, victim behavior
  • Cybersecurity Ventures, 2025 — global damage projections
  • Arctic Wolf, 2025 — double extortion prevalence in incident response cases
  • Verizon DBIR 2025 — SMB ransomware exposure data
  • Resilience Cyber Risk Report, 2025 — insurance claim averages and denial rates
  • Flashpoint, 2025 — RaaS affiliate revenue share data
  • CISA #StopRansomware Guide — prevention controls and incident response guidance
  • MITRE ATT&CK v18 (October 2025) — technique mapping and ransomware family documentation
  • NIST IR 8374 (updated January 2025) — ransomware risk management profile

Named incidents (Change Healthcare, Qilin Korean Leaks, Clop Oracle EBS) are sourced from AHA, The Hacker News, and Z2Data respectively.

Frequently asked questions (FAQ)

What is ransomware, in simple terms?

How does ransomware get onto a computer?

Should you pay the ransom?

What should I do if I am infected with ransomware?

How can I defend against ransomware?

What is double extortion ransomware?

Who is behind ransomware attacks?

How do I know if I have ransomware?

Can you remove ransomware?