Ransomware is malware that encrypts a victim's data and demands payment to decrypt it. The modern variant adds a second threat: pay up, or we leak everything we stole on the way in.
How the modern playbook works
A typical 2025-era ransomware incident looks like this:
- Initial access — phishing email, exposed RDP, exploited VPN appliance, or buying credentials from an Initial Access Broker.
- Reconnaissance — the operator maps the network, finds backups, identifies crown jewels.
- Exfiltration — gigabytes to terabytes of sensitive data pulled out and staged on attacker-controlled infrastructure.
- Encryption — ransomware deployed across as much of the estate as possible, often Friday evening to maximise time pressure.
- Extortion — ransom note demands payment in cryptocurrency. If the victim refuses, the stolen data goes up on the group's leak site.
Double, triple, even quadruple extortion
The industry calls this layering "double extortion" (encrypt + leak threat). Some groups go further: DDoS attacks against the victim's website during negotiation (triple), or direct harassment of customers and employees whose data was stolen (quadruple).
Leak sites — the public-facing pressure
Most prolific ransomware groups run a Tor-hosted "leak site" where they post victim names with countdown timers. CTI teams monitor these continuously because:
- A new victim posting confirms the group is active and identifies their latest target.
- If your supplier or partner is posted, it's a downstream-risk warning.
- Posting patterns reveal sector targeting trends — healthcare, education, manufacturing waves are all visible from the leak-site flow.
How ThreatCluster monitors this. Our dark web stack tracks ransomware leak sites in real time, matches victim postings against your tracked domains, and alerts you the moment a supplier or partner shows up. No reseller integration — we run our own collection.
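As an added example that is not ThreatCluster's own code, the following Python sketches the matching step described above: constructed leak-site postings are normalised and checked against a watchlist of tracked supplier/partner domains, and the same postings are tallied by sector as a trend signal. All group names, victims and domains are constructed placeholders (reserved .example domains).

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class LeakPosting:
    group: str    # operator brand; constructed placeholder here
    victim: str   # organisation name as written on the leak site
    domain: str   # victim domain as written on the site, "" if none given
    sector: str
    posted: str   # ISO date the posting appeared

def normalise_domain(raw: str) -> str:
    """Reduce a leak-site domain string to a bare lowercase hostname."""
    d = raw.strip().lower()
    for prefix in ("https://", "http://"):
        if d.startswith(prefix):
            d = d[len(prefix):]
    d = d.split("/", 1)[0].rstrip(".")
    return d[4:] if d.startswith("www.") else d

def domain_matches(posted: str, tracked: str) -> bool:
    """True if the posted domain is the tracked domain or a subdomain of it."""
    p, t = normalise_domain(posted), normalise_domain(tracked)
    return bool(t) and (p == t or p.endswith("." + t))

def downstream_alerts(postings, tracked_domains):
    """Pair each posting that names a tracked supplier/partner with the watchlist entry it hit."""
    alerts = []
    for post in postings:
        if not post.domain:  # operators often omit the domain; name-only matching is noisy, so skip
            continue
        for tracked in tracked_domains:
            if domain_matches(post.domain, tracked):
                alerts.append((post, normalise_domain(tracked)))
                break
    return alerts

def sector_trend(postings) -> Counter:
    """Count postings per sector: the leak-site flow as a targeting-trend signal."""
    return Counter(p.sector for p in postings)

# Constructed sample data (placeholder groups, reserved .example domains).
POSTINGS = [
    LeakPosting("group-a", "Acme Logistics", "acme-logistics.example", "manufacturing", "2025-03-07"),
    LeakPosting("group-b", "Northwind Health", "https://www.portal.northwind-health.example/", "healthcare", "2025-03-08"),
    LeakPosting("group-a", "Contoso Schools", "", "education", "2025-03-08"),
    LeakPosting("group-c", "Fabrikam Foods", "fabrikam.example", "manufacturing", "2025-03-09"),
]
TRACKED = ["northwind-health.example", "Acme-Logistics.example."]
```

Running `downstream_alerts(POSTINGS, TRACKED)` yields two hits (the trailing dot and the `https://www.` prefix are normalised away, and the subdomain posting still matches), while the name-only posting is skipped rather than guessed at.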
Notable groups in recent rotation
Ransomware groups rebrand and re-emerge constantly. ALPHV/BlackCat shut down in early 2024 with an apparent exit scam. Scattered Spider continues to make headlines for social-engineering casino and retail breaches. LockBit had its infrastructure seized in Operation Cronos, but partial rebuilds keep surfacing. Newer entrants like RansomHub, Akira, Play, and Medusa fill the gaps.
What CTI teams track
- Active leak-site postings — for downstream-risk and sector trend signal.
- TTP shifts — what entry vectors are operators using this quarter?
- Crypto wallet addresses — for sanctions compliance and payment-trace work.
- Affiliate relationships — many ransomware "brands" are RaaS (Ransomware-as-a-Service), with shifting affiliate rosters.