In February 2024, Change Healthcare, a subsidiary of UnitedHealth Group, suffered a ransomware attack attributed to the ALPHV/BlackCat ransomware group. UnitedHealth Group reported $872 million in attack-related costs for Q1 2024 and projected a full-year impact of up to $1.6 billion, covering recovery efforts, business disruption, and legal fees. The incident illustrates the severe financial and operational consequences these attacks carry, especially as incidents increased by 23% in 2025 compared to 2024, according to Sophos's 'State of Ransomware 2026' report. The average total cost of a ransomware incident reached $2.1 million in 2025, as reported by IBM Security's 'Cost of a Data Breach Report 2025'.
What Is Ransomware?
Ransomware is malicious software that encrypts a victim's files or locks their entire system, demanding a payment—typically in cryptocurrency—to restore access. The Cybersecurity and Infrastructure Security Agency (CISA) identifies ransomware as a significant threat to critical infrastructure sectors, primarily impacting data confidentiality and system availability. It directly assaults an organization's ability to operate, turning digital assets into liabilities until a ransom is paid.
Ransomware falls under the MITRE ATT&CK framework's 'Impact' tactic, specifically techniques like T1486 (Data Encrypted for Impact) and T1490 (Inhibit System Recovery). A successful ransomware campaign is rarely a single act; it involves a complex kill chain. Attackers often spend days or weeks inside a target network, moving stealthily through various MITRE ATT&CK tactics, from initial reconnaissance and access to credential theft, lateral movement, and data collection, all before the encryption payload is deployed. This pre-encryption activity allows attackers to identify and target an organization's most valuable data and critical systems, including backups, to ensure their ransom demand has the most impact.
How Ransomware Works
Ransomware attacks follow a sophisticated, multi-stage kill chain that mirrors a planned heist, not just a smash-and-grab. This methodical approach is precisely why ransomware is so effective.
1. Initial Access & Foothold
Attackers gain entry into a target network, often through spear-phishing emails containing malicious attachments or links, exploiting unpatched vulnerabilities in public-facing applications (e.g., VPNs, RDP servers), or using compromised credentials. Once inside, they establish a persistent presence, often by creating new user accounts (T1136) or modifying startup items (T1547), and then work to escalate privileges (T1068) to gain administrative control, disable security controls (T1562.001), or bypass detection.
2. Reconnaissance & Evasion
With elevated privileges, attackers perform internal reconnaissance, mapping the network to identify critical systems, data shares, and backup solutions. They use tools like Mimikatz to harvest more credentials (T1003) and PowerShell (T1059.001) for discovery. During this phase, they evade defenses by clearing logs (T1070), disabling antivirus software (T1562.001), and masquerading their binaries as legitimate system processes (T1036), while relying on built-in administrative tools so that their activity blends in with routine operations.
3. Lateral Movement & Data Staging
Once they understand the network layout, attackers move laterally from one system to another, often with PsExec or by abusing remote services such as RDP (T1021.001) and SMB admin shares (T1021.002). They identify sensitive data and stage it in temporary locations (T1074) before siphoning it out to servers they control, typically over the same command and control channel (T1041, T1071). This data theft forms the basis of "double extortion."
4. Impact & Extortion
This is the final, visible stage: encryption of files (T1486) on infected systems, including network shares, databases, and often, critical backups. Attackers frequently delete shadow copies and other recovery mechanisms (T1490) to prevent easy restoration. A ransom note appears, detailing payment instructions and threatening to publish exfiltrated data if the ransom isn't paid within a specified timeframe, applying immense pressure on the victim. This entire process can take days or weeks, allowing attackers to maximize their destructive potential.
Types of Ransomware
While the core goal of demanding payment for data access remains the same, ransomware has evolved into several distinct forms, each with specific characteristics and real-world implications.
Locker Ransomware
This less common variant locks users out of their entire computer system, often displaying a full-screen ransom note without encrypting individual files. Victims can't access any applications or data. Early examples, like the Reveton malware that posed as law enforcement, demonstrated this method before crypto-ransomware became dominant.
Crypto Ransomware
The most prevalent and damaging form, crypto ransomware encrypts files on a victim's system, making them inaccessible without the decryption key. Strains almost always use a hybrid scheme: each file is encrypted with a freshly generated symmetric key (AES-256, or often a stream cipher such as ChaCha20), and that key is in turn wrapped with the operator's public key (RSA-2048 or an elliptic-curve key), so only the operator's private key can recover it. The strength of AES or RSA is not the point; the point is that no key material usable by the victim is ever written to disk. Once encrypted, files are typically given a new extension, and a ransom note appears. Modern strains, such as those from the Ryuk or Conti families, use this method.
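To make the hybrid structure concrete, here is an added example in Go (written for this article, not code from the page or from any ransomware family): each file gets a random AES-256-GCM key, that key is wrapped under an RSA-2048 public key with OAEP, and decryption with any key other than the matching private key fails. The type and function names (Sealed, Seal, Open, Demo) and the sample content are this example's own assumptions.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// SampleContent stands in for a victim file; constructed for this example.
const SampleContent = "Q3 forecast (constructed sample bytes, not a real document)"

// Sealed is the layout a hybrid scheme leaves on disk: the content under a
// per-file AES-256-GCM key, and that key wrapped with the operator's RSA
// public key. Nothing stored here lets the victim recover the file key.
type Sealed struct {
	WrappedKey []byte // RSA-OAEP(operatorPub, fileKey); opaque without the private key
	Nonce      []byte // 96-bit GCM nonce, unique per file
	Ciphertext []byte // AES-256-GCM(fileKey, nonce, plaintext), auth tag appended
}

// Seal encrypts plaintext under a fresh 256-bit key and wraps that key with pub.
func Seal(pub *rsa.PublicKey, plaintext []byte) (*Sealed, error) {
	fileKey := make([]byte, 32)
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	return &Sealed{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// Open unwraps the file key with priv and decrypts. The only route to the file
// key is the private key; the symmetric ciphertext itself is never attacked.
func Open(priv *rsa.PrivateKey, s *Sealed) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, s.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap file key: %w", err)
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, s.Nonce, s.Ciphertext, nil)
}

// Demo seals SampleContent under a freshly generated operator key pair, then
// opens it with the right private key and with an unrelated one.
func Demo() (recovered []byte, wrongKeyErr error, err error) {
	operator, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	bystander, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	sealed, err := Seal(&operator.PublicKey, []byte(SampleContent))
	if err != nil {
		return nil, nil, err
	}
	recovered, err = Open(operator, sealed)
	if err != nil {
		return nil, nil, err
	}
	_, wrongKeyErr = Open(bystander, sealed)
	return recovered, wrongKeyErr, nil
}

func main() {
	recovered, wrongKeyErr, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Println("correct private key recovers plaintext:", bytes.Equal(recovered, []byte(SampleContent)))
	fmt.Println("unrelated private key fails:", wrongKeyErr != nil)
}
```

What matters for defenders is the asymmetry: the victim host only ever holds the wrapped key, so offline brute force is pointless. The plaintext file key exists only in the encryptor's memory while it runs, which is why acquiring memory from a host caught mid-encryption can occasionally help responders, and why public decryptors for specific families depend on mistakes in the operator's key handling rather than on weaknesses in AES or RSA.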
Double Extortion Ransomware
This type adds an additional layer of pressure: attackers not only encrypt data but also exfiltrate sensitive information from the victim's network. If the ransom isn't paid, they threaten to publicly release the stolen data on leak sites or sell it to competitors. Over 80% of ransomware attacks in 2025 used these double extortion tactics, according to Coveware's 'Ransomware Report Q4 2025'. Groups like BlackCat (ALPHV) and LockBit 3.0 are notorious for employing this strategy, significantly increasing the stakes for victims.
Ransomware-as-a-Service (RaaS)
RaaS is a business model where ransomware developers create the malicious software and then lease it to "affiliates" who carry out the actual attacks. The developers provide the malware, infrastructure, and sometimes even support, taking a percentage of successful ransom payments. This model has lowered the barrier to entry for cybercriminals, leading to a proliferation of attacks and making groups like REvil and DarkSide particularly effective due to their distributed network of affiliates.
Real-World Examples
Ransomware isn't a theoretical threat; it's a persistent reality with staggering financial and operational consequences. The past few years have seen high-profile incidents that illustrate the scope and severity of these attacks.
Change Healthcare (2024)
In February 2024, Change Healthcare, a subsidiary of UnitedHealth Group, suffered a ransomware attack attributed to the ALPHV/BlackCat ransomware group. This incident caused widespread disruption across the US healthcare system, impacting pharmacies, patient care, and billing operations for weeks. UnitedHealth Group reported $872 million in attack-related costs for Q1 2024 and projected a full-year impact of up to $1.6 billion, covering recovery efforts, business disruption, and legal fees. A $22 million Bitcoin ransom was reportedly paid, as reported by BleepingComputer and SecurityWeek, and UnitedHealth later confirmed that a ransom had been paid; full system restoration nevertheless remained a significant challenge for months. Initial access was gained through compromised login credentials for a Citrix remote access portal that notably lacked multi-factor authentication.
MGM Resorts International (2023)
In September 2023, casino giant MGM Resorts International was breached by the Scattered Spider threat group, acting as an affiliate of the ALPHV/BlackCat ransomware operation. The attack disrupted hotel and casino operations for over 10 days, forcing manual processes, disabling digital room keys, and shutting down slot machines. MGM disclosed in an SEC filing that it expected a financial hit of approximately $100 million from lost revenue and recovery costs. The initial access method involved social engineering an IT help desk employee into resetting credentials, highlighting the human element in successful breaches.
Royal Mail (2023)
In January 2023, the UK's postal service, Royal Mail, was hit by an attack from the LockBit 3.0 ransomware group. The incident severely impacted the company's international export services for weeks, causing significant delays and operational disruption, particularly for businesses relying on international shipping. Specific figures for any ransom payment or total recovery cost weren't publicly disclosed, but BleepingComputer and BBC News reported substantial operational disruption and reputational damage. The attack vector was reported to be an exposed perimeter device, underscoring the importance of patching and hardening internet-facing equipment.
How to Detect Ransomware
Early detection is paramount to limiting the damage of a ransomware attack. Security teams use a combination of technologies and monitoring practices to identify suspicious activity before encryption occurs.
- EDR (Endpoint Detection and Response) Alerts: Look for alerts signaling unusual file encryption activity, suspicious modification or deletion of shadow copies (T1490), execution of known ransomware processes or files (e.g., encrypt.exe), or abnormal calls into encryption APIs. An EDR like CrowdStrike Falcon can identify these behavioral anomalies.
- Network Indicators: Monitor for high outbound traffic volumes (T1041), which could indicate data exfiltration. Also watch for connections to known command and control (C2) infrastructure IP addresses or domains (T1071), and unusual internal scanning (e.g., port scans, SMB enumeration).
- Log Event IDs: Regularly review Windows Event Logs for specific IDs:
  - 4663 (An attempt was made to access an object) or 4656 (A handle to an object was requested) showing rapid file access/modification patterns. These are only generated where object-access auditing is enabled and a SACL is set on the files or shares in question, so confirm coverage before relying on them.
  - 4688 (A new process has been created), with command-line auditing enabled, for shadow-copy and boot-configuration tampering such as vssadmin delete shadows or bcdedit /set {default} recoveryenabled no (T1490).
  - 4624 (An account was successfully logged on), particularly logon type 10 (RemoteInteractive) from unexpected sources (T1078), and 4720/4726 (A user account was created/deleted) indicating suspicious new accounts (T1136) or account manipulation (T1098).
  - Linux audit logs (auditd) for mass file operations or unauthorized privilege changes.
- Honeypots/Canaries: Deploy "lure files" (honeypot files) on network shares or endpoints. Alerts generated from access attempts on these specially crafted files can provide an early warning of an intruder's presence and activity.
- Backup System Alerts: Configure alerts for any unusual deletion attempts, modification, or high-volume access on backup volumes and snapshot systems, as attackers often target these to cripple recovery options.
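The following added example (illustrative code written for this article, not from any EDR or SIEM vendor) runs three of these checks in Go over a constructed event timeline: a T1490 rule on 4688 command lines, a sliding-window rule that flags one process writing many distinct files in under a minute (T1486), and a 4720 account-creation rule (T1136). The Event and Alert types, the field layout, the 50-files-in-60-seconds threshold, and the host, user and file names are assumptions of the example.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
	"time"
)

// Event is a normalised Windows Security record as a SIEM or EDR ships it.
// Object carries the file path (4663), the full command line (4688) or the
// new account name (4720); Access carries the 4663 access-right label.
type Event struct {
	Time    time.Time
	ID      int
	Host    string
	User    string
	Process string
	Object  string
	Access  string
}

type Alert struct {
	Rule      string
	Technique string
	Host      string
	Detail    string
}

const (
	burstWindow    = 60 * time.Second
	burstThreshold = 50 // distinct files written by one process inside burstWindow (assumed)
)

// recoveryKill matches the commands ransomware runs to inhibit recovery (T1490).
var recoveryKill = regexp.MustCompile(`(?i)vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete|bcdedit(\.exe)?\s.*recoveryenabled\s+no|wbadmin(\.exe)?\s+delete\s+catalog`)

// Detect evaluates all three rules over an unordered batch of events.
func Detect(events []Event) []Alert {
	sorted := append([]Event(nil), events...)
	sort.SliceStable(sorted, func(i, j int) bool { return sorted[i].Time.Before(sorted[j].Time) })

	var alerts []Alert
	writes := map[string][]Event{} // "host|process" -> write/delete events
	for _, e := range sorted {
		switch e.ID {
		case 4688:
			if recoveryKill.MatchString(e.Object) {
				alerts = append(alerts, Alert{"recovery-inhibit", "T1490", e.Host, fmt.Sprintf("%s ran %q", e.User, e.Object)})
			}
		case 4720:
			alerts = append(alerts, Alert{"account-created", "T1136", e.Host, fmt.Sprintf("%s created account %s", e.User, e.Object)})
		case 4663:
			if strings.Contains(e.Access, "WriteData") || strings.Contains(e.Access, "DELETE") {
				key := e.Host + "|" + e.Process
				writes[key] = append(writes[key], e)
			}
		}
	}

	keys := make([]string, 0, len(writes))
	for k := range writes {
		keys = append(keys, k)
	}
	sort.Strings(keys) // deterministic alert order
	for _, k := range keys {
		if n := maxDistinctInWindow(writes[k], burstWindow); n >= burstThreshold {
			parts := strings.SplitN(k, "|", 2)
			alerts = append(alerts, Alert{"mass-file-write", "T1486", parts[0], fmt.Sprintf("%s wrote %d distinct files within %s", parts[1], n, burstWindow)})
		}
	}
	return alerts
}

// maxDistinctInWindow slides a window over time-sorted events and returns the
// largest number of distinct object paths seen inside any single window.
func maxDistinctInWindow(evs []Event, w time.Duration) int {
	best := 0
	for i := range evs {
		seen := map[string]struct{}{}
		for j := i; j < len(evs) && evs[j].Time.Sub(evs[i].Time) <= w; j++ {
			seen[evs[j].Object] = struct{}{}
		}
		if len(seen) > best {
			best = len(seen)
		}
	}
	return best
}

// SampleEvents is a constructed timeline, not real telemetry: a user saving
// three documents over half an hour, then shadow copies deleted, 80 share
// files rewritten with a new extension in 40 seconds, and a new domain account.
func SampleEvents() []Event {
	t0 := time.Date(2024, 3, 1, 2, 10, 0, 0, time.UTC)
	var evs []Event
	for i := 0; i < 3; i++ {
		evs = append(evs, Event{t0.Add(time.Duration(i) * 10 * time.Minute), 4663, "WS07", "CORP\\jdoe", "WINWORD.EXE", fmt.Sprintf(`\\FS01\finance\report-%d.docx`, i), "WriteData"})
	}
	evs = append(evs, Event{t0.Add(time.Hour), 4688, "WS07", "CORP\\jdoe", "cmd.exe", `vssadmin.exe delete shadows /all /quiet`, ""})
	for i := 0; i < 80; i++ {
		evs = append(evs, Event{t0.Add(time.Hour + time.Duration(i)*500*time.Millisecond), 4663, "WS07", "CORP\\jdoe", "updater.exe", fmt.Sprintf(`\\FS01\finance\ledger-%03d.xlsx.locked`, i), "WriteData"})
	}
	evs = append(evs, Event{t0.Add(2 * time.Hour), 4720, "DC01", "CORP\\jdoe", "", "svc_maint2", ""})
	return evs
}

func main() {
	for _, a := range Detect(SampleEvents()) {
		fmt.Printf("[%s] %s on %s: %s\n", a.Technique, a.Rule, a.Host, a.Detail)
	}
}
```

Tune the threshold against a baseline of your own file servers before deploying anything like this: backup agents, compilers and AV scanners legitimately touch thousands of files, so a production rule should exclude known-good signed images and weight renames to a new extension more heavily than plain writes. The 4663 rule also depends on a SACL being set on the share, as noted in the list above; where that auditing is not in place, the same logic runs just as well over EDR file-event telemetry.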
How to Prevent Ransomware
Preventing ransomware requires a multi-layered defense strategy, integrating both technical controls and robust operational practices. Make your digital fortress so unappealing to break into that attackers move on to easier targets.
Identity & Access Management
Implement multi-factor authentication (MFA) on all remote access services (AC-17) and privileged accounts (IA-2, IA-5). It is the fundamental barrier against stolen or reused credentials (T1078, Valid Accounts) and against password guessing and spraying (T1110); the Change Healthcare breach began with a valid credential on a remote access portal that had no MFA. Implement the principle of least privilege (AC-6), ensuring users and systems only have the access they absolutely need, and regularly review account permissions (AC-2).
Configuration & Patch Management
Maintain strict security configurations across all systems (CM-6), disabling unnecessary services and ports (CM-7). Establish a robust and consistent patch management program (SI-2) for operating systems, applications, and firmware to close known vulnerabilities that attackers frequently exploit for initial access (T1190, T1195.002).
Security Awareness Training
Regularly train employees on phishing recognition, safe browsing, and reporting suspicious activity. Many initial access attempts, like the social engineering attack on MGM Resorts, succeed because of human vulnerabilities, emphasizing the need for continuous education (T1566.001, T1566.002, T1204.002).
Data Protection & Recovery
Implement a comprehensive backup strategy with immutable, isolated backups stored offline or in a segregated environment that an attacker holding domain-admin credentials cannot reach (CP-9). Regularly test your recovery procedures (CP-4, CP-10) so you know you can restore critical data within the time the business can tolerate; an untested backup is a hope, not a control. Solutions like Veeam Backup & Replication offer immutable storage and instant recovery capabilities, critical for mitigating encryption impact. Encrypt data at rest (SC-28) and in transit (SC-8), with one caveat: at-rest encryption protects against theft of media or storage, not against an operator who reads files through the same operating system that transparently decrypts them. Once data has been exfiltrated over a web service (T1567) or a C2 channel (T1041), only application-level encryption with keys the attacker never obtained still protects it.
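As an added example (written for this article, not code from Veeam or any other product), the Go program below builds a SHA-256 manifest of a backup tree and then verifies a restored copy against it, reporting files that are missing, changed in place, or unexpected. It simulates the three ways an encryptor damages a tree: a file overwritten in place, a file renamed to a new extension with scrambled contents, and a ransom note dropped in. The directory layout, file names and contents are constructed.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"io/fs"
	"os"
	"path/filepath"
	"sort"
)

// Manifest maps a slash-separated path relative to the backup root to the hex
// SHA-256 of the file's bytes at backup time.
type Manifest map[string]string

// Result describes how a restored tree differs from its manifest.
type Result struct {
	Missing    []string // in the manifest, absent on disk (deleted or renamed, e.g. to .locked)
	Changed    []string // present but bytes differ (overwritten in place)
	Unexpected []string // on disk but not in the manifest (ransom notes, renamed files)
}

func hashFile(path string) (string, error) {
	f, err := os.Open(path)
	if err != nil {
		return "", err
	}
	defer f.Close()
	h := sha256.New()
	if _, err := io.Copy(h, f); err != nil {
		return "", err
	}
	return hex.EncodeToString(h.Sum(nil)), nil
}

// walkFiles calls fn with the slash-relative and absolute path of every regular file under root.
func walkFiles(root string, fn func(rel, abs string) error) error {
	return filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil || d.IsDir() {
			return err
		}
		rel, err := filepath.Rel(root, p)
		if err != nil {
			return err
		}
		return fn(filepath.ToSlash(rel), p)
	})
}

// BuildManifest hashes every file under root; run it when the backup is taken.
func BuildManifest(root string) (Manifest, error) {
	m := Manifest{}
	err := walkFiles(root, func(rel, abs string) error {
		sum, err := hashFile(abs)
		if err == nil {
			m[rel] = sum
		}
		return err
	})
	return m, err
}

// VerifyRestore compares a restored tree with the manifest taken at backup time.
func VerifyRestore(m Manifest, root string) (Result, error) {
	var r Result
	seen := map[string]bool{}
	err := walkFiles(root, func(rel, abs string) error {
		seen[rel] = true
		want, ok := m[rel]
		if !ok {
			r.Unexpected = append(r.Unexpected, rel)
			return nil
		}
		got, err := hashFile(abs)
		if err == nil && got != want {
			r.Changed = append(r.Changed, rel)
		}
		return err
	})
	if err != nil {
		return r, err
	}
	for rel := range m {
		if !seen[rel] {
			r.Missing = append(r.Missing, rel)
		}
	}
	sort.Strings(r.Missing)
	sort.Strings(r.Changed)
	sort.Strings(r.Unexpected)
	return r, nil
}

// Demo stands up a tiny backup tree of constructed files, takes its manifest,
// then damages a "restored" copy the way an encryptor would and verifies it.
func Demo() (Result, error) {
	dir, err := os.MkdirTemp("", "restore-check-")
	if err != nil {
		return Result{}, err
	}
	defer os.RemoveAll(dir)
	write := func(rel string, body []byte) error {
		p := filepath.Join(dir, filepath.FromSlash(rel))
		if err := os.MkdirAll(filepath.Dir(p), 0o755); err != nil {
			return err
		}
		return os.WriteFile(p, body, 0o644)
	}
	for rel, body := range map[string]string{
		"finance/ledger.csv":  "constructed sample, ledger line 1\n",
		"finance/budget.xlsx": "constructed sample, budget bytes\n",
		"hr/roster.txt":       "constructed sample, roster\n",
	} {
		if err := write(rel, []byte(body)); err != nil {
			return Result{}, err
		}
	}
	m, err := BuildManifest(dir)
	if err != nil {
		return Result{}, err
	}
	junk := make([]byte, 64) // stands in for ciphertext
	if _, err := rand.Read(junk); err != nil {
		return Result{}, err
	}
	// Simulated damage: overwrite in place, rename-and-scramble, ransom note.
	for _, err := range []error{
		write("finance/budget.xlsx", junk),
		write("hr/roster.txt.locked", junk),
		os.Remove(filepath.Join(dir, "hr", "roster.txt")),
		write("RESTORE_FILES.txt", []byte("constructed note")),
	} {
		if err != nil {
			return Result{}, err
		}
	}
	return VerifyRestore(m, dir)
}

func main() {
	r, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("missing=%v changed=%v unexpected=%v\n", r.Missing, r.Changed, r.Unexpected)
}
```

The manifest is only worth anything if it lives with the immutable copy or is signed, because an attacker who can rewrite the backup can rewrite an unsigned manifest beside it. Run the check as part of every restore test rather than only when an incident is suspected: a restore that drifts from its manifest is itself a finding, whether the cause is an encryptor or a broken backup job.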
Endpoint Protection
Deploy advanced Endpoint Detection and Response (EDR) solutions, such as CrowdStrike Falcon, alongside robust antivirus software with real-time scanning capabilities (SI-3). These tools detect and block malicious code execution (T1203) and anomalous behaviors indicative of ransomware. Ensure continuous monitoring of endpoints for threats (SI-4, CA-7).
Network Segmentation
Segment your networks to isolate critical assets and limit lateral movement (SC-7) in the event of a breach. This means attackers can't easily spread from one compromised system to another, containing the blast radius of an attack. It directly combats RDP (T1021.001) and SMB admin share (T1021.002) abuse: blocking workstation-to-workstation SMB and RDP, and allowing RDP to servers only from hardened jump hosts, removes most of the paths that PsExec-style tooling depends on.
Vulnerability Management
Conduct regular vulnerability scans and penetration tests (RA-5), promptly remediating identified weaknesses. This proactive approach helps discover and fix security gaps before attackers can exploit them.
Data at a Glance
| Metric | Value | Source |
|---|---|---|
| Average total cost of an attack | $2.1 million | IBM Security |
| Average ransomware payment | $650,000 | Chainalysis |
| Attack frequency increase (2025) | 23% compared to 2024 | Sophos |
| Double extortion prevalence (2025) | Over 80% of attacks | Coveware |
| Annual increase in global attacks | 18-25% (2023-2025) | Cybersecurity Ventures |
| Top 3 targeted industries (2025) | Manufacturing, Healthcare, Education | Palo Alto Networks Unit 42 |

The CVEDaily Take
The $22 million ransom reportedly paid by UnitedHealth Group to ALPHV/BlackCat in 2024, despite the organization's initial statements about not paying, raises serious questions about the actual costs and pressures faced by victims. We think this contradiction underscores the limited transparency in these incidents and suggests that official breach cost figures often understate the full financial and operational impact. Organizations face an impossible choice, and the public narrative rarely captures the desperation that leads to such payments.
How would your organization account for a ransom payment when publicly reporting breach costs?
FAQ
Q: What is ransomware?
A: Ransomware is a type of malicious software that locks or encrypts a victim's files and systems, demanding a ransom payment, usually in cryptocurrency, to restore access. It essentially holds your digital assets hostage.
Q: How does ransomware work?
A: Ransomware attacks typically involve multiple stages: initial access (e.g., phishing or exploiting vulnerabilities), establishing a foothold, moving laterally across the network, exfiltrating sensitive data, and finally, encrypting files and demanding payment. This multi-step process often spans days or weeks for maximum impact.
Q: How can organizations protect against ransomware?
A: Effective protection against ransomware involves a multi-layered approach, including implementing multi-factor authentication (MFA), regular security awareness training for employees, robust patch management, strong endpoint detection and response (EDR) solutions, network segmentation, and, critically, maintaining isolated, immutable, and regularly tested backups for rapid recovery.