How a ransomware attack works

Illustration: Aïda Amer/Axios
One of the most devastating types of cyberattack companies face today has been around for decades — and its perpetrators have hardly had to innovate to stay profitable.
Why it matters: Ransomware — in which hackers encrypt a victim's computers until a ransom is paid — has plagued nearly every sector.
- Publicly traded companies, hospitals and schools have all faced service disruptions or had to shut down due to their impact.
By the numbers: 2024 was probably the highest-grossing year for ransomware gangs in decades.
- One company paid as much as $75 million to a ransomware gang.
Between the lines: In a cat-and-mouse game, cyber criminals constantly change their tactics as defenses against them improve.
- When businesses got better at backing up their key servers, many ransomware gangs started ditching encryption altogether, instead opting to steal companies' proprietary information or shutting down systems needed to run the businesses.
A set of indictments released as part of international law enforcement's takedown of LockBit in early 2024 provided the clearest inside view of a ransomware gang.
How it works: Many cybercriminals run what's known as a ransomware-as-a-service model.
- The gang's administrators write malware that steals files or encrypts servers, then they hire freelance hackers to break into companies' digital systems, or even just exploit common security flaws.
How LockBit operates
LockBit is a leading example of how a ransomware gang operates.
The gang had a widespread impact: The U.S. Department of Justice estimates that LockBit attacked more than 2,500 organizations worldwide, including 1,800 in the U.S.
- The group raked in more than $500 million, officials say.
The big picture: Ransomware gangs are more than just a bunch of young hackers coding in their basements.
- LockBit had hiring managers, job interview processes and even a human resources department.
- LockBit even built its own administrative portals to communicate with freelancers.
Zoom in: A 31-year-old Russian man who went by the moniker "LockBitSupp" ran the LockBit gang, according to a May indictment.
- Other alleged members include a father-son duo who were arrested in Ukraine and a 38-year-old man in Warsaw, Poland.
LockBit became far bigger and more destructive than those before them, experts tell Axios.
- Investigators estimate nearly 200 online personas worked for LockBit.
- LockBit was the top ransomware variant attacking U.S. critical infrastructure in 2023, according to the FBI, accounting for 14% of reported attacks.
- "They were targeting schools, hospitals, emergency services, critical infrastructure, among other private sector companies," Brett Leatherman, deputy assistant director of FBI's cyber operations, tells Axios.
LockBit had two things other ransomware gangs didn't: an untouchable reputation and a "control panel" that made it easy to onboard and track hundreds of freelancers.
- Freelancers got tattoos to show their allegiance to the group, and LockBit was known to lie about whom it had attacked, often claiming bigger targets than was the case.
- Right after last year's law enforcement operation, LockBit required freelancers to invest roughly one bitcoin, worth at least $61,000 at the time, in the operation before getting access to the coveted control panel, per Tim Mitchell, a security researcher at cybersecurity company SecureWorks.
Flashback: The FBI Newark field office started investigating LockBit in early 2020 as the gang attacked more U.S. organizations, Leatherman said.
- Through conversations with international partners, the FBI realized that while its offices had a great view of the direct impact of these attacks and who was being hit, its U.K. counterpart, the National Crime Agency, had the best visibility into LockBit's technical infrastructure.
- "We were able to have a much greater impact because of that part," Leatherman said.
The intrigue: To take down LockBit, the FBI and its private sector partners couldn't just focus on the technical takedowns: seizing databases and web domain names. They also had to cause irreparable damage to the gang's reputation.
- "Why do people drink one soda over another? Because the brand is so strong," says Robert McArdle, a director on Trend Micro's cybercrime research team, which helped in the investigation. "And if you can destroy that you're left with soda water."
- In similar takedowns, international law enforcement would seize the infrastructure the night before, issue a press release in the morning and hold a press conference to share a few more details.
- In the LockBit operation, investigators went a step further: For weeks, they placed countdowns on a dark-web leak site they had seized, to troll LockBit's supporters. Each one promised to divulge new information — the identity of LockBitSupp, the release of a free decryption tool to help victims, and links to the press releases about the operation.
- "It's not just about the disruption, it's also about the deterrence," Leatherman says. "Our goal was to make LockBit, the variant itself in the technical ecosystem, radioactive."
Yes, but: Ransomware gangs are constantly evolving.
- Even when law enforcement arrests their leaders or seizes their online infrastructure, the remaining members will rebrand and keep working.
What's next
Between February and April of last year, LockBit attacks on U.S. companies declined 85%, Leatherman said, and that number has continued to shrink since the May indictment of LockBitSupp. More victims have also come forward.
Zoom out: Ransomware remained a prominent threat in 2024, when there were as many attacks as in the previous year.
- Ransomware attacks led to service disruptions at hospitals, pharmacies, schools and even auto dealers.
- Congress called a Fortune 500 CEO to testify in May about an attack on his company.
Reality check: Part of the resurgence stems from the growth in the number of internet-connected devices that companies have running on their networks, Leatherman said.
- Security flaws are inevitable these days in all technologies, and each of those internet-connected devices can provide a "jumping off point" for attackers, he added.
The bottom line: Ransomware requires an all-of-government approach, not just law enforcement investigations, to both hold hackers responsible for their misdeeds and to make the cybercrime less appealing.
- "The operation and the investigation is not over," Leatherman says. "We continue to pursue those actors and any other actor that wants to impose harm on the United States cyber ecosystem here."