Safeguard
Vulnerability Analysis

What is Ransomware

Ransomware costs organizations $2.73M on average to recover from. Learn how it works, its top infection vectors, and how to defend against it.

Safeguard Research Team
Research
7 min read

Ransomware is malware that encrypts files or entire systems and demands payment — usually cryptocurrency — for a decryption key. Modern ransomware operations go further: attackers exfiltrate data before encrypting it, then threaten to leak that data publicly if the ransom isn't paid, a tactic called double extortion. In 2024, the average cost of a ransomware attack reached $2.73 million per incident according to Sophos' State of Ransomware report, and the Change Healthcare breach alone forced the company to pay a reported $22 million to the ALPHV/BlackCat affiliate group. Ransomware no longer arrives only through phishing emails; increasingly it spreads through compromised software vendors, vulnerable internet-facing applications, and unpatched third-party dependencies — making it a supply chain security problem as much as an endpoint one. Understanding how ransomware actually infiltrates and moves through an environment is the first step toward stopping it before encryption ever starts.

How does ransomware actually work?

Ransomware works in four distinct stages: initial access, lateral movement and privilege escalation, data exfiltration, and encryption. Attackers first gain a foothold through a phishing email, a stolen credential, an exposed RDP port, or — increasingly — a vulnerable software component. Once inside, groups like LockBit and BlackCat/ALPHV use legitimate admin tools such as PsExec, Cobalt Strike, and Windows Management Instrumentation to move laterally and escalate privileges, often taking days or weeks before triggering encryption. During this dwell time, they locate and exfiltrate sensitive data to use as extortion leverage. Only after data theft is complete do they deploy the encryption payload, typically timed for nights or weekends when security staffing is thinnest — the Colonial Pipeline attack in May 2021 was detected on a Friday morning, and the DarkSide group had already been inside the network for hours before encryption began. The company ultimately paid a $4.4 million ransom in Bitcoin, part of which the DOJ later recovered.

What are the most common ransomware infection vectors?

The three leading infection vectors are compromised credentials, exploited vulnerabilities, and malicious email — but exploited vulnerabilities in third-party and internet-facing software have become the fastest-growing category. The Cl0p ransomware group's 2023 exploitation of CVE-2023-34362, a zero-day SQL injection flaw in Progress Software's MOVEit Transfer product, compromised over 2,700 organizations and exposed the data of more than 93 million individuals, according to breach-tracking firm Emsisoft. Similarly, the 2021 Kaseya VSA attack used a vulnerability in a widely deployed remote-monitoring tool to push REvil ransomware to roughly 1,500 downstream businesses in a single supply chain event. These incidents illustrate a shift: attackers no longer need to breach a target directly when they can compromise one vulnerable dependency and reach hundreds of organizations at once. Verizon's 2024 Data Breach Investigations Report found that vulnerability exploitation as an initial access vector nearly tripled year-over-year, growing from 5% to almost 14% of breaches analyzed.

How much does a ransomware attack actually cost an organization?

A ransomware attack costs an organization far more than the ransom itself, with recovery, downtime, and legal expenses typically dwarfing the payment demand. Sophos' 2024 survey of 5,000 IT and security leaders found the mean recovery cost — excluding any ransom paid — was $2.73 million, and organizations that paid the ransom still spent an average of $3.96 million on recovery. IBM's Cost of a Data Breach Report 2024 put the average total cost of a ransomware breach at $4.91 million, roughly 9% higher than the average cost of a non-ransomware breach. Downtime compounds the damage: the same Sophos data showed organizations took a median of 24 days to recover operations after an attack. MGM Resorts disclosed roughly $100 million in losses following its September 2023 breach by the Scattered Spider group, driven primarily by ten days of shut-down casino and hotel systems rather than any ransom paid.

What is double extortion ransomware?

Double extortion ransomware is a technique where attackers steal data before encrypting it, then threaten to publish or sell that data if the victim refuses to pay — even if the victim can restore from backups. The Maze ransomware group pioneered this tactic in late 2019, and it is now standard practice among major ransomware-as-a-service (RaaS) operations including LockBit, BlackCat/ALPHV, and Cl0p. This shift neutralizes backups as a full defense, since restoring encrypted files does nothing to stop a leak of stolen intellectual property, customer records, or credentials. Some groups have escalated further into "triple extortion," adding DDoS attacks or direct outreach to a victim's customers and business partners to increase pressure. Cl0p's MOVEit campaign relied entirely on this model — it skipped encryption altogether in many cases and extorted victims using stolen data alone, publishing names of non-paying organizations on a dark web leak site starting in June 2023.

How is ransomware-as-a-service changing the threat landscape?

Ransomware-as-a-service has industrialized ransomware by letting operators lease their encryption tools and infrastructure to affiliates in exchange for a cut of each ransom, typically 20-30%. This model, used by LockBit — which the UK's National Crime Agency and FBI identified as the most deployed ransomware variant globally before its infrastructure was seized in Operation Cronos in February 2024 — allowed relatively low-skilled affiliates to launch sophisticated attacks without writing any malware themselves. Even after that takedown, LockBit and successor brands resurfaced within months, illustrating how quickly RaaS affiliate networks reconstitute. The RaaS model also explains why ransomware groups increasingly specialize: some affiliates focus exclusively on initial access brokering, selling footholds into corporate networks to the highest-bidding ransomware operator, which shortens the time between a vulnerability disclosure and active exploitation.

How can organizations reduce their ransomware risk?

Organizations reduce ransomware risk most effectively by closing the vulnerabilities and misconfigurations that provide initial access, since nearly every major ransomware incident starts with a preventable entry point. That means patching internet-facing software promptly — CVE-2023-34362 in MOVEit had a patch available before mass exploitation was detected — enforcing multi-factor authentication on remote access and VPN accounts, segmenting networks so lateral movement is contained, and maintaining offline, tested backups. CISA's #StopRansomware advisories consistently name unpatched public-facing applications and weak remote access controls as the two most exploited weaknesses across ransomware cases they've responded to. Because so many recent attacks originate in third-party software rather than an organization's own code, visibility into what open-source and vendor components are actually running — and whether any known-exploited vulnerabilities in them are reachable from an attack surface — has become as important as traditional endpoint defense.

How Safeguard Helps

Safeguard helps security teams get ahead of ransomware's most common entry point: exploitable vulnerabilities in the open-source and third-party components running in production. Our reachability analysis determines whether a vulnerable function in a dependency — like the kind of flaw Cl0p exploited in MOVEit — is actually invoked by your application code, cutting through CVE noise so teams can prioritize the handful of findings that represent real exposure instead of chasing thousands of theoretical ones. Griffin AI continuously correlates SBOM data, runtime context, and threat intelligence to flag components under active exploitation before they become the next initial-access vector for a ransomware affiliate. Safeguard generates and ingests SBOMs across your software supply chain to maintain a live inventory of what's actually deployed, and our auto-fix PRs remediate reachable, high-risk vulnerabilities automatically — shrinking the patch window attackers depend on from weeks to hours.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.