Ransomware is becoming more prevalent and more sophisticated: cybercriminals encrypt victims' computers to make them unusable, then extort payment for the decryption key. To protect yourself, maintain offline, encrypted backups, regularly test that those backups can actually be restored, and follow basic cyber hygiene.
Ransomware is a common cyberattack in which a threat actor gains access to a victim's systems and encrypts their files, rendering the systems unusable. The objective is to cripple the organization by denying it the use of its computer systems. The threat actors then demand a ransom, typically in cryptocurrency, in exchange for a decryption key and, where data was also stolen, a promise not to release it.
How Ransomware Works
Initial access for ransomware attacks usually begins with phishing emails or stolen credentials. Some ransomware actors enlist an initial access broker who specializes in obtaining access to networks. Lateral movement to other devices in the victim network commonly begins within an hour of the initial infection. The reported average time between initial infection and ransom payment is under 17 hours, although this varies with the targeted organization and the ransomware group behind the attack.
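The lateral-movement stage described above leaves a clear trace in authentication logs, because the intruder's account fans out from one workstation to many hosts within minutes. The following is an added example written for this page (not code from any of the reports cited below): a Python detector over a handful of constructed Windows Security 4624 logon events that flags an account reaching more than a set number of distinct hosts inside a sliding time window. The event layout, the `svc_backup` account, the host names and the thresholds are all assumptions made for the demo.

```python
"""Lateral-movement fan-out detector over constructed Windows logon events.

Added example, not from the original report. Flags any account that performs
network logons (Event ID 4624, logon type 3) to more than `max_hosts` distinct
targets within `window`, the pattern a ransomware affiliate produces when
spreading from the first compromised machine with PsExec, WMI or SMB tooling.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of 4624 (successful logon) events:
# (timestamp, account, source workstation, target host, logon type).
# Logon type 3 = network logon; type 2 = interactive (console) logon.
EVENTS = [
    ("2025-03-01T09:00:05", "jsmith", "WS-101", "FS-01", 3),
    ("2025-03-01T09:00:30", "jsmith", "WS-101", "WS-101", 2),  # console logon, ignored
    ("2025-03-01T09:15:00", "svc_backup", "WS-101", "SRV-01", 3),
    ("2025-03-01T09:15:04", "svc_backup", "WS-101", "SRV-02", 3),
    ("2025-03-01T09:15:09", "svc_backup", "WS-101", "SRV-03", 3),
    ("2025-03-01T09:15:12", "svc_backup", "WS-101", "SRV-04", 3),
    ("2025-03-01T09:15:20", "svc_backup", "WS-101", "DC-01", 3),
    ("2025-03-01T09:15:25", "svc_backup", "WS-101", "SRV-05", 3),
    ("2025-03-01T11:00:00", "jsmith", "WS-101", "FS-01", 3),
    ("2025-03-01T11:20:00", "jsmith", "WS-101", "PRINT-01", 3),
]


def detect_fanout(events, max_hosts=5, window=timedelta(minutes=10)):
    """Return a list of (account, source, first_seen, sorted_hosts) alerts,
    one per (account, source) pair whose distinct-target count inside the
    sliding window exceeds max_hosts. Only network logons are considered."""
    # Sort by time so the sliding window works regardless of log order.
    parsed = sorted(
        (datetime.fromisoformat(ts), acct, src, dst)
        for ts, acct, src, dst, logon_type in events
        if logon_type == 3
    )
    windows = defaultdict(deque)  # (account, source) -> deque of (ts, target)
    alerted = set()
    alerts = []
    for ts, acct, src, dst in parsed:
        key = (acct, src)
        recent = windows[key]
        recent.append((ts, dst))
        # Drop events that fell out of the window.
        while recent and ts - recent[0][0] > window:
            recent.popleft()
        hosts = {host for _, host in recent}
        if len(hosts) > max_hosts and key not in alerted:
            alerted.add(key)
            alerts.append((acct, src, recent[0][0].isoformat(), sorted(hosts)))
    return alerts


if __name__ == "__main__":
    for acct, src, first_seen, hosts in detect_fanout(EVENTS):
        print(f"ALERT {acct} from {src} since {first_seen}: {len(hosts)} hosts {hosts}")
```

The threshold has to be tuned per environment: backup agents, vulnerability scanners and administrators' jump hosts legitimately touch many machines, so a production rule would allow-list those sources or require additional context (a new process on the target, or a logon from an account that has never reached that host before).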
Double extortion is a common ransomware technique in which threat actors first steal data from the victim's systems and then encrypt the files on the infected machines. They demand one ransom to decrypt the victim's computers and a second to prevent public release of the stolen data. Most ransomware groups now exfiltrate data before deploying their ransomware and publish the data of non-paying victims on a dark web leak site.
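After exfiltration comes the encryption stage, and it has a signature of its own: one process rewrites many files with near-random content in a short period and usually renames them to a new extension. The block below is an added example written for this page (not code from the original report or from any vendor) that scores constructed file-write events on Shannon entropy, the number of distinct files per time window, and extension change. The process names, the `.locked` extension and the thresholds are assumptions for the demo.

```python
"""Detector for the encryption stage of a ransomware attack, run over
constructed file-write events. Added example, not from the original report.

Ransomware turns readable files into high-entropy ciphertext quickly and
usually renames them. A single high-entropy write is normal (archives,
images and Office files are compressed), so the detector only alerts when
one process rewrites several distinct files with random-looking content
inside a short window, and it reports how many of them changed extension.
"""
import hashlib
import math
import os
from collections import defaultdict


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, close to 8.0 for random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pseudo_ciphertext(n: int, seed: bytes = b"demo") -> bytes:
    """Deterministic stand-in for ciphertext (a SHA-256 counter keystream),
    used so the demo runs the same way every time."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:n])


# Constructed write events: (timestamp in seconds, process image, path before
# the write, path after the write, first 4 KiB written). In production these
# would come from Sysmon (file create / rename events) or an EDR agent.
TEXT = b"Quarterly revenue figures, draft 3. Do not distribute.\n" * 80
CT = pseudo_ciphertext(4096)
EVENTS = [
    (100.0, "notepad.exe", "C:/docs/notes.txt", "C:/docs/notes.txt", TEXT),
    (130.0, "7z.exe", "C:/docs/archive.7z", "C:/docs/archive.7z", pseudo_ciphertext(4096, b"zip")),
    (200.0, "update.exe", "C:/docs/q1.xlsx", "C:/docs/q1.xlsx.locked", CT),
    (203.5, "update.exe", "C:/docs/plan.docx", "C:/docs/plan.docx.locked", CT),
    (207.0, "update.exe", "C:/docs/notes.txt", "C:/docs/notes.txt.locked", CT),
    (212.0, "update.exe", "C:/docs/readme.txt", "C:/docs/readme.txt.locked", CT),
    (400.0, "chrome.exe", "C:/cache/data_1", "C:/cache/data_1", pseudo_ciphertext(4096, b"c")),
]


def detect_encryptor(events, entropy_threshold=7.0, min_files=3, window=60.0):
    """Return [(process, sorted_files, renamed_count)] for each process that
    rewrote at least `min_files` distinct files with high-entropy content
    within `window` seconds. One alert per process, on the first window
    that qualifies."""
    high_entropy = defaultdict(list)  # process -> [(ts, new_path, ext_changed)]
    for ts, proc, old, new, head in events:
        if shannon_entropy(head) < entropy_threshold:
            continue
        ext_changed = os.path.splitext(old)[1] != os.path.splitext(new)[1]
        high_entropy[proc].append((ts, new, ext_changed))

    alerts = []
    for proc, hits in high_entropy.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1
            span = hits[start:end + 1]
            files = sorted({path for _, path, _ in span})
            if len(files) >= min_files:
                renamed = sum(1 for _, _, changed in span if changed)
                alerts.append((proc, files, renamed))
                break
    return alerts


if __name__ == "__main__":
    for proc, files, renamed in detect_encryptor(EVENTS):
        print(f"ALERT {proc}: {len(files)} high-entropy rewrites, {renamed} renamed: {files}")
```

In the sample, `7z.exe` and `chrome.exe` each write one high-entropy file and are ignored, while `update.exe` trips the rule on its third `.locked` file. Entropy alone is a weak signal because compressed formats such as `.docx`, `.zip` and `.jpg` are also near 8 bits per byte; production detectors combine the rate-and-rename logic shown here with canary files that no legitimate process should touch, and respond by isolating the host rather than only logging.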
Ransomware is a core part of the cybercrime economy, with different threat actors playing different roles. The global cost of cybercrime is estimated at around $10 trillion a year, more than the global trade in all illicit drugs combined. Most cybercriminal groups are financially motivated, and a ransomware attack is a fast and effective way to obtain funds. Healthcare organizations are lucrative targets because they have large financial resources and run critical services that their administrators need to keep available. The cybercrime economy has grown up around commodity malware bought and sold on the dark web.
Ransomware deployment requires trust between the malware operators and their affiliates. The terms 'operator' and 'affiliate' may be counterintuitive. The operators develop and market the ransomware and can be thought of as its suppliers, while the affiliates act as customers: they obtain the ransomware, select targets, and deploy it against them. In this model the affiliate splits any ransom with the operators, with the larger share going to the affiliate, who does most of the work and can easily move to a different operator. Most affiliates are opportunistic and not necessarily technically skilled, though they may focus on particular types of organizations or industries.
Initial access brokers (IABs) are individuals or groups skilled at breaking into networks but not interested in stealing data themselves. They sell the access they gain to other threat actors and are one of the most effective accelerators of cybercrime in the modern threat landscape. IABs are opportunistic: they scan the internet for vulnerable systems rather than selecting specific victims. They became prominent in the ransomware ecosystem around 2020-2021 and have been essential to the rise of ransomware-as-a-service.
Ransomware-as-a-service operates like a gig economy, in which the malware itself is written by freelance developers who work alone and sell it to whoever will use it. They may not know or care who they are supplying. The developers may also be paid a percentage of any ransom the victim pays. The pool of individuals with both the technical skill and the willingness to produce this malware is small, so they exploit the much larger number of potential buyers when marketing it. These individual developers may also be part of a larger ransomware group.
Ransomware groups are sophisticated and may run customer service functions and otherwise operate like small businesses. Roles in a ransomware organization include negotiators who handle communications with victims, programmers who develop and maintain the software, and money launderers who wash the cryptocurrency ransoms that victims pay. There are also supporting roles not directly involved in attacks, such as hosting and infrastructure providers. Ransomware actors favor hosting providers outside their country of origin and close to their targets, which helps mask their identity and location.
Ransomware groups do not end operations when law enforcement takes down their websites and infrastructure; they merge into new groups, build new infrastructure, and change their methods. Law enforcement agencies have difficulty arresting members because many reside in countries with no extradition treaty with the United States. A common technique for disrupting ransomware groups is to attack the trust between affiliates and operators, for example by publicly posting information about the affiliates and operators (doxxing) on a site once it is seized.
Organizations can protect themselves against ransomware by maintaining secure backups and regularly confirming that backup restoration actually works. Pre-configured cloud template images of a system can be deployed quickly to rebuild an affected cloud system after an attack. Basic cyber hygiene should also be followed: keep software updated, apply the principle of least privilege, and enforce proper account permissions.

In the event of a ransomware attack, law enforcement agencies discourage paying the ransom. Payment does not guarantee that the victim's data will be recovered, and it may expose the organization to legal liability, including sanctions risk, if it does not properly inform law enforcement. Leak sites seized in law enforcement operations have contained stolen data from organizations that had paid, and there is no way to confirm that a ransomware group has deleted all of the data it stole. If an organization cannot determine or fix the intrusion method, it remains vulnerable to repeated attacks through the same channel, so a ransomware infection should be treated as evidence of an unresolved hole in network security. Paradoxically, many victims shield the ransomware actors by not reporting the incident, to save face or to avoid the fallout of publicly declaring a security breach.
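"Ensuring that backup restoration functions are working properly" can be made a repeatable, automated check rather than an annual exercise. The following is an added example written for this page (not code from the cited guidance): it builds a SHA-256 manifest of a backup set at backup time, then verifies a restored copy against that manifest and reports files that are missing, altered, or unexpected. The temporary directory tree, the file contents and the `.locked` rename that simulates ransomware are all constructed for the demo.

```python
"""Backup manifest and restore verification. Added example, not code from
the original report.

build_manifest() records the SHA-256 digest and size of every file under a
backup root. verify_restore() compares a restored tree against a manifest and
returns every discrepancy. A file that ransomware encrypted before the backup
job ran, or that was corrupted in storage, shows up here as a hash mismatch
or as a missing/unexpected pair, which is exactly what a restore test must
catch before the backup is relied on.
"""
import hashlib
import json
import os
import shutil
import tempfile


def sha256_file(path, chunk=1 << 20):
    """Hash a file in 1 MiB chunks so large backups do not need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map relative path -> {'sha256', 'size'} for every regular file under root."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = {"sha256": sha256_file(full), "size": os.path.getsize(full)}
    return manifest


def verify_restore(root, manifest):
    """Return a sorted list of (relative path, problem); empty means the
    restored tree matches the manifest exactly."""
    restored = build_manifest(root)
    problems = []
    for rel, meta in manifest.items():
        if rel not in restored:
            problems.append((rel, "missing"))
        elif restored[rel]["sha256"] != meta["sha256"]:
            problems.append((rel, "hash mismatch"))
    for rel in restored:
        if rel not in manifest:
            problems.append((rel, "unexpected file"))
    return sorted(problems)


def demo():
    """Back up a constructed tree, restore it and verify; then simulate
    ransomware damage and verify again. Returns (clean_result, tampered_result)."""
    work = tempfile.mkdtemp(prefix="backup-demo-")
    try:
        src = os.path.join(work, "src")
        os.makedirs(os.path.join(src, "finance"))
        with open(os.path.join(src, "finance", "ledger.csv"), "w") as f:
            f.write("date,amount\n2025-01-01,100\n")
        with open(os.path.join(src, "readme.txt"), "w") as f:
            f.write("constructed demo data\n")

        # Snapshot the manifest at backup time; in practice store it apart from
        # the backup itself (offline or on write-once storage) so an intruder
        # who reaches the backup cannot rewrite both.
        manifest_path = os.path.join(work, "manifest.json")
        with open(manifest_path, "w") as f:
            json.dump(build_manifest(src), f, indent=2, sort_keys=True)

        backup = shutil.copytree(src, os.path.join(work, "backup"))
        restore = shutil.copytree(backup, os.path.join(work, "restore"))
        with open(manifest_path) as f:
            clean = verify_restore(restore, json.load(f))

        # Simulate ransomware: one file encrypted and renamed, one altered in place.
        ledger = os.path.join(restore, "finance", "ledger.csv")
        with open(ledger + ".locked", "wb") as f:
            f.write(bytes(range(256)) * 4)
        os.remove(ledger)
        with open(os.path.join(restore, "readme.txt"), "a") as f:
            f.write("tampered\n")
        with open(manifest_path) as f:
            tampered = verify_restore(restore, json.load(f))
        return clean, tampered
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean restore:", clean or "OK")
    print("tampered restore:", tampered)
```

The check is only meaningful when the restore is performed onto a separate, isolated host from the backup media, using the same tooling and credentials the recovery runbook specifies; a restore that succeeds only from the administrator's workstation with cached credentials proves little about recovery after a domain-wide compromise.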
Sources
- D. Bombal, "Never access the Dark Web without doing this! (Tor and Telegram demos)," Sep. 22, 2024. [Online Video]. Available: https://www.youtube.com/watch?v=7wLLcFMmbpg
- D. Bombal, "Ex-NSA hacker tools for real world pentesting," Oct. 22, 2021. [Online Video]. Available: https://www.youtube.com/watch?v=G8lrwmsx8KA
- A. Greenberg, “A Vigilante Hacker Took Down North Korea’s Internet. Now He’s Taking Off His Mask,” Wired, Apr. 04, 2024. [Online]. Available: https://www.wired.com/story/p4x-north-korea-internet-hacker-identity-reveal/
- R. Mathenge, "The 41 Hacking Statistics and Facts You Should Know in 2024," PrivacySavvy. [Online]. Available: https://privacysavvy.com/security/safe-browsing/hacking-statistics/
- “North Korean State-Sponsored Cyber Actors Use Maui Ransomware to Target the Healthcare and Public Health Sector,” CISA, aa22-187, Jul. 2022. [Online]. Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-187a
- B. Vigliarolo, “Breaking the economy of trust: How busts affect malware gangs,” The Register, Aug. 02, 2024. [Online]. Available: https://www.theregister.com/2024/08/02/malware_economy_of_trust/
- C. Jones, “LockBit dethroned as leading ransomware gang for first time post-takedown,” The Register, May 22, 2024.
- K. Baker, "History of Ransomware," CrowdStrike. [Online]. Available: https://www.crowdstrike.com/en-us/cybersecurity-101/ransomware/history-of-ransomware/
- P. Eubanks, "De-anonymizing ransomware domains on the dark web," Cisco Talos Intelligence Blog. [Online]. Available: https://blog.talosintelligence.com/de-anonymizing-ransomware-domains-on/
- “#StopRansomware Guide,” CISA.
- C. Barry, "Medusa ransomware and its cybercrime ecosystem," Barracuda Blog, Feb. 25, 2025. [Online]. Available: https://blog.barracuda.com/2025/02/25/medusa-ransomware-and-its-cybercrime-ecosystem
- "The History of Ransomware," Arctic Wolf. [Online]. Available: https://arcticwolf.com/resources/blog/the-history-of-ransomware/
Ransomware Groups
These are some of the ransomware groups that I came across in my research. This is not an exhaustive list nor are the descriptions a comprehensive representation of the actions of the threat actors mentioned. I intend to give an idea of how many ransomware actors are active that don’t make the front-page news cycles.
Ransomware Group | Description |
---|---|
DarkSide | A Russia-based ransomware-as-a-service group responsible for the 2021 attack on Colonial Pipeline, part of US critical infrastructure. In 2021 the DoJ seized $2.3M worth of bitcoin that had been paid to DarkSide. |
REvil | REvil was a Russia-based ransomware group. It was forced offline by the FBI, the Secret Service, and US Cyber Command in conjunction with international partners. |
NetWalker | In 2020 the NetWalker group used living-off-the-land techniques to hit a healthcare institute with ransomware. The attack disrupted operations and forced the hospital to divert patients to other hospitals. |
Conti | Conti was a Russia-based cybercriminal group that carried out ransomware attacks against US healthcare and first-responder networks as well as the health services of Ireland and New Zealand. Conti publicly threatened to retaliate against any entity conducting computer network attacks on Russian critical infrastructure. |
Meow | Meow ransomware is based on the leaked Conti v2 source code. |
INC RANSOM | INC RANSOM targets corporate and organizational networks, favoring entities with substantial financial resources and sensitive data. It uses spear phishing for initial access, commercial off-the-shelf (COTS) software and legitimate system tools for lateral movement, and double extortion against its victims. |
One Percent Group | This group used Cobalt Strike to attack US companies in 2020. Initial access came through phishing emails carrying a malicious zip attachment, typically a Word document with macros, which infected the system with the IcedID banking trojan; the group then used double extortion, exfiltrating data and encrypting victim systems. |
Reveton | Reveton, seen in 2012, was the first ransomware-as-a-service operation. It impersonated law enforcement, threatening criminal charges and arrest. Its authors sold the ransomware to third parties, which allowed ransomware attacks to spread across the cybercrime world. |
GandCrab | GandCrab was a ransomware-as-a-service operation whose malware included a file-stealing component that exfiltrated sensitive data such as credentials, screenshots, and other files. |
Scattered Spider | Scattered Spider is a loose collective of English-speaking criminals rather than a single ransomware operation, and the name is also used as a catch-all for activity that is not always performed by the same individuals. Members use SMS phishing, SIM swapping, and phone-based social engineering that tricks users or help desks into handing over security codes. The group has acted as an affiliate in ransomware attacks, including those on MGM Resorts and Marks and Spencer. The ransomware operation used in the Marks and Spencer attack has rebranded itself from a ransomware-as-a-service into a "cartel" that provides shared resources to its affiliates. |
Maze Cartel | The Maze cartel was formed through collaboration between the Twisted Spider (Maze), Viking Spider, and LockBit operators. |
Viking Spider | Viking Spider developed the Ragnar Locker ransomware. It pioneered the tactic of running the ransomware inside a virtual machine created with common virtualization software on the victim host, so that host-based security tools do not see the encryption process. |
Cryptorbit | Cryptorbit was a 2013 ransomware strain that corrupted the first 1024 bytes of every file it found and could bypass Group Policy settings. Social engineering, including fake Flash updates and rogue antivirus software, was used to get victims to install it; Cryptorbit then installed a cryptocurrency miner to use the infected hardware for mining. |
Albabat | Albabat is cross-platform ransomware targeting Windows, macOS, and Linux. It uses GitHub for configuration management, which allows remote updates without redeploying the malware, and it terminates specific running processes so that encryption succeeds on files those processes would otherwise hold open. |
VanHelsing | First spotted in March 2025, VanHelsing ransomware targets Windows machines in the government, pharmaceutical, and manufacturing industries. It uses double extortion, exfiltrating and then encrypting data, and relies on rootkits and registry changes for persistence. |
Dark Angels | This group is reported to be a rebrand of the Babuk ransomware group. It uses a Tor hidden service as a leak site to publish victim data. |
FunkSec | FunkSec is a ransomware group that emerged in late 2024 using AI-assisted malware development. Its activity swings between hacktivism and cybercrime, and it presents itself as a ransomware-as-a-service operation. The group is likely inexperienced, and its custom encryptor was likely written by an Algeria-based author. FunkSec targets India and the US and aligns itself with the "Free Palestine" movement; its stated basis for targeting the US is that the US weakens the Middle East. FunkSec has tried to associate itself with hacktivist groups such as Ghost Algeria and C6b3r Fl00d. |
BlackCat | Also known as ALPHV, Noberus, AlphaVM, and ALPHV-ng. BlackCat targets the financial, manufacturing, legal, healthcare, and pharmaceutical sectors. Initial access comes through spear phishing, stolen credentials, and unpatched vulnerabilities, including flaws in Microsoft Exchange. Affiliates deploy malicious Group Policy Objects and scheduled tasks to push tooling across a domain and use Mimikatz to extract credentials from victim systems. |
Ghost | The Ghost ransomware group is a China-based threat actor. It exploits unpatched vulnerabilities in Fortinet appliances, Adobe ColdFusion, Microsoft SharePoint, and Microsoft Exchange. Its web shells run Windows command prompt and PowerShell commands that execute a Cobalt Strike Beacon. Cobalt Strike functions steal process tokens running under the SYSTEM account so that a second Beacon can run with elevated privileges, and Cobalt Strike's hashdump collects credentials, passwords, and password hashes. |
Royal | Royal is a cybercriminal operation active since 2022 that targets transportation, manufacturing, technology, government, and healthcare organizations. It gains initial access through phishing and by attacking Remote Desktop Protocol (RDP) and public-facing applications; the joint CISA/FBI #StopRansomware advisory on Royal (cited below) reports phishing in roughly two-thirds of incidents and RDP in about 13 percent. The Royal ransomware family is a direct successor of the Conti operation. Royal disables antivirus software and exfiltrates data before deploying ransomware, and it uses partial (intermittent) encryption, letting the operator choose what percentage of each file to encrypt so that large files are rendered unusable quickly. For lateral movement the actors log in to the domain controller with a legitimate account, then deactivate antivirus by modifying Group Policy Objects; they also use Cobalt Strike for data aggregation and exfiltration. Some Royal victims were contacted repeatedly for further extortion after the initial attack. |
Black Basta | Black Basta is a Russia-based cybercriminal group active since 2022 that operates on a ransomware-as-a-service model. It targets the construction, manufacturing, and healthcare industries through RDP, web injections, malicious downloads, and phishing; it has impacted critical infrastructure in North America and affected more than 500 organizations globally. Black Basta actors also call victims posing as tech support offering to resolve a spam problem and talk users into installing remote access tools. |
North Korea | North Korea operates numerous cyberwarfare and military intelligence units that are known to carry out ransomware attacks. The proceeds fund the government and its weapons programs. |
Medusa | Medusa has been active since 2021 and, as of February 2025, had affected organizations across multiple industries. It began as a closed ransomware operation and later moved to an affiliate model; ransom payments appear to be split between the affiliate (55-60%) and the developer (the remainder). Initial access comes through phishing and unpatched vulnerabilities. Medusa deletes itself after encrypting targeted systems and files, and stolen data is published on a public Telegram channel as well as the dark web. Most targeted organizations are in the US, while organizations in Russia and Belarus appear not to be targeted; the group uses slang unique to Russian criminal subcultures and avoids companies in the Commonwealth of Independent States (CIS). |
RansomHub | RansomHub is a ransomware-as-a-service variant first observed in February 2024 that had claimed at least 210 victims by August 2024. |
MedusaLocker | MedusaLocker ransomware, unrelated to Medusa above, was first detected in September 2019 and exploited the confusion surrounding COVID-19 to launch attacks. It operates as ransomware-as-a-service, with ransoms split between affiliates and the developer. Initial access comes through phishing email campaigns and exposed Remote Desktop Protocol. MedusaLocker uses infrastructure hosted in the US because most security tools block incoming web traffic from Russia. |
CryptoLocker | CryptoLocker, seen in 2013, was the first ransomware spread at scale through email attachments and via the Gameover Zeus banking trojan botnet. When a user opened the attachment, the executable scanned local and network drives, renamed the files, and encrypted them. By December 2013 the CryptoLocker operators had made an estimated $20M in bitcoin, and within months clones of CryptoLocker were appearing all over the world. CryptoLocker infected more than 200,000 computers. |
Sources
- “Cyber Threat Snapshot.” Committee on Homeland Security, Nov. 12, 2024. [Online]. Available: https://homeland.house.gov/wp-content/uploads/2024/11/11.12.24-Cyber-Threat-Snapshot.pdf
- “Joint Guidance: Identifying and Mitigating Living off the land Techniques.” US Defense Department, Feb. 07, 2024. [Online]. Available: https://media.defense.gov/2024/Feb/07/2003389936/-1/-1/0/JOINT-GUIDANCE-IDENTIFYING-AND-MITIGATING-LOTL.PDF
- “HC3’s Top 10 Most Active Ransomware Groups.” US Department of Health and Human Services, Apr. 05, 2024. [Online]. Available: https://www.hhs.gov/sites/default/files/hc3-top-10-most-active-ransomware-groups-analyst-note-tlpclear-r.pdf
- A. Kaushik, “The War on Ukraine: A Look at (Underemphasised) Russian Cyber Operations.” GLOBSEC, Oct. 02, 2023. [Online]. Available: https://www.globsec.org/what-we-do/publications/war-ukraine-look-underemphasised-russian-cyber-operations
- “Indicators of Compromise Associated with OnePercent Group Ransomware,” FBI, 210823, Aug. 2021.
- "The History of Ransomware," Arctic Wolf. [Online]. Available: https://arcticwolf.com/resources/blog/the-history-of-ransomware/
- K. Baker, "History of Ransomware," CrowdStrike. [Online]. Available: https://www.crowdstrike.com/en-us/cybersecurity-101/ransomware/history-of-ransomware/
- "Targeted Phishing Linked to 'The Com' Surges," Intel 471. [Online]. Available: https://intel471.com/blog/targeted-phishing-linked-to-the-com-surges
- K. Laffan, "A Brief History of Ransomware," Varonis. [Online]. Available: https://www.varonis.com/blog/a-brief-history-of-ransomware
- P. Eubanks, "De-anonymizing ransomware domains on the dark web," Cisco Talos Intelligence Blog. [Online]. Available: https://blog.talosintelligence.com/de-anonymizing-ransomware-domains-on/
- "FunkSec – Alleged Top Ransomware Group Powered by AI," Check Point Research, 2025. [Online]. Available: https://research.checkpoint.com/2025/funksec-alleged-top-ransomware-group-powered-by-ai/
- “#StopRansomware: Royal Ransomware,” IC3, 230302, Mar. 2023.
- D. Winder, “FBI Says Backup Now—Advisory Warns Of Dangerous Ransomware Attacks,” Forbes, Feb. 22, 2025. [Online]. Available: https://www.forbes.com/sites/daveywinder/2025/02/22/new-fbi-warning-backup-today-as-dangerous-attacks-ongoing/
- “#StopRansomware: Black Basta,” IC3, 240511, Nov. 2024. [Online]. Available: https://www.ic3.gov/CSA/2024/240511.pdf
- “#StopRansomware: Medusa Ransomware,” 250312, Mar. 2025. [Online]. Available: https://www.ic3.gov/CSA/2025/250312.pdf
- V. Pasca, "A Deep Dive into Medusa Ransomware," SecurityScorecard, 2024. [Online]. Available: https://securityscorecard.com/wp-content/uploads/2024/01/deep-dive-into-medusa-ransomware.pdf
- C. Barry, "Medusa ransomware and its cybercrime ecosystem," Barracuda Blog, Feb. 25, 2025. [Online]. Available: https://blog.barracuda.com/2025/02/25/medusa-ransomware-and-its-cybercrime-ecosystem
- “#StopRansomware: RansomHub Ransomware,” IC3, 240829, Aug. 2024. [Online]. Available: https://www.ic3.gov/CSA/2024/240829.pdf
- “MedusaLocker Ransomware,” HHS, 202302241700, Feb. 2023. [Online]. Available: https://www.hhs.gov/sites/default/files/medusalocker-ransomware-analyst-note.pdf
- “Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments.” US Department of the Treasury, Sep. 21, 2021. [Online]. Available: https://ofac.treasury.gov/media/912981/download?inline
Ransomware Attacks
This is a list of ransomware attacks that I have come across in researching this report. It is not an exhaustive list of all of the attacks, and just highlights some of the more commonly-known instances of widespread disruption due to ransomware.
Known Cyberattack | Description |
---|---|
AIDS Trojan | The first recorded ransomware, distributed in 1989 to attendees of the WHO AIDS conference and sometimes described as one of the first instances of hacktivism. It arrived on a floppy disk, displayed a lock screen, and after 90 reboots encrypted file names with a simple symmetric cipher and demanded a ransom; because the cipher was symmetric and simple, the files were recoverable. Victims were instructed to mail payment to a PO box in Panama. Its author, Harvard-trained evolutionary biologist Joseph L. Popp, sent 20,000 infected disks to conference attendees. Popp was apprehended but deemed unfit to stand trial. |
CDK Global | CDK Global, a software provider serving about 15,000 car dealerships, was hit by ransomware in 2024, forcing dealership employees to conduct transactions manually. |
UnitedHealth / Change Healthcare | Change Healthcare, a UnitedHealth Group subsidiary that processes medical claims, was breached in 2024 by an affiliate of the BlackCat (ALPHV) ransomware-as-a-service operation. The breach affected roughly 190 million people, a $22M ransom was paid, and the company put the total cost at $872M. Compromised data included health insurance, billing, Social Security numbers, and banking details, making it the largest healthcare data breach in US history. |
North Korean Maui ransomware | Rim Jong Hyok, a North Korean national and member of Andariel, a unit of North Korean military intelligence that specializes in cyber espionage, targeted two US air bases and 17 hospitals and healthcare facilities across 11 states with the Maui ransomware. |
Bernalillo County, New Mexico | A ransomware attack took Bernalillo County computer systems offline, closing government buildings and forcing emergency services onto backup procedures. It also disabled security cameras and automatic door locks at an Albuquerque jail. |
Brenntag | Hackers targeted the North American division of chemical distributor Brenntag and reportedly stole 150 GB of data. The company paid $4.4M of the $7.5M ransom demanded. |
WannaCry | In 2017 WannaCry infected between 200,000 and 300,000 computers across 150 countries. In the UK it crippled one-third of secondary care hospital trusts and 8% of medical practices, and total damages were put at $112M. WannaCry was the first ransomware to spread as a worm using the EternalBlue exploit for SMBv1 that was leaked from the NSA; the outbreak is reported to have begun on a computer in Asia and spread around the globe within hours. The North Korean-linked Lazarus Group was behind it. |
2025 New York Blood Center | The attack disrupted hospital supply chains and hospital operations by forcing the center to take some of its systems offline. |
2025 Houston Police Department | In early 2025 the Houston Police Department was hit by ransomware; its data was leaked after it declined to pay. |
2023 Minneapolis Public Schools | A Medusa ransomware attack exposed sensitive student information, including the names and birthdays of special-needs children, details of their home lives and disorders, test results, and medications. |
Colonial Pipeline | In 2021 the DarkSide ransomware-as-a-service group attacked Colonial Pipeline's IT systems. Initial access came through a single compromised password for a legacy VPN account that was not protected by multifactor authentication. About 100 GB of company data was held for ransom, and the company paid 75 bitcoin (roughly $4.4M at the time). The attack was a turning point: a cyberattack so disruptive to fuel supply that it bordered on a form of terrorism. |
Additionally, I wanted to mention two cyberattacks that used destructive wipers disguised as ransomware. These were not true ransomware attacks, so I have not included them in the table above. That attackers imitate ransomware to hide other operations shows just how widespread it has become.
The first was NotPetya, which targeted Ukrainian computers in 2017. The malware was a wiper disguised as the known Petya ransomware, hence the name NotPetya once researchers discovered its true nature. It encrypted the master file table and overwrote the master boot record with no way to recover them, effectively destroying the machine. The attack affected an estimated 10% of all computers in Ukraine and spilled over onto the networks of foreign organizations with offices in Ukraine.
The second was WhisperGate, a destructive program disguised as ransomware that targeted computers inside the Ukrainian government in January 2022, including the Ministry of Internal Affairs, State Treasury, Judiciary Administration, State Portal for Digital Services, Ministry of Energy, Accounting Chamber, State Emergency Service, State Forestry Agency, and Motor Insurance Bureau.
Sources
- "Cyber Threat Snapshot." Committee on Homeland Security, Nov. 12, 2024. [Online]. Available: https://homeland.house.gov/wp-content/uploads/2024/11/11.12.24-Cyber-Threat-Snapshot.pdf
- "North Korea Sanctions," US Department of the Treasury, Office of Foreign Assets Control. [Online]. Available: https://ofac.treasury.gov/sanctions-programs-and-country-information/north-korea-sanctions
- "The History of Ransomware," Arctic Wolf. [Online]. Available: https://arcticwolf.com/resources/blog/the-history-of-ransomware/
- A. Kaushik, “The War on Ukraine: A Look at (Underemphasised) Russian Cyber Operations.” GLOBSEC, Oct. 02, 2023. [Online]. Available: https://www.globsec.org/what-we-do/publications/war-ukraine-look-underemphasised-russian-cyber-operations
- “The largest-ever crypto hack: everything we know so far,” Cybernews, Mar. 20, 2025. [Online]. Available: https://cybernews.com/cybercrime/bybit-hack-lazarus-group/
- “Russian Military Cyber Actors Target US and Global Critical Infrastructure,” CISA, aa24-249a, Sep. 2024. [Online]. Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-249a