Ransomware stopped being a malware problem years ago. Today it is a business model — a layered extortion economy with affiliates, brokers, negotiators and data-leak sites. Understanding that economy is the first step to disrupting it.

From encryption to extortion

The early ransomware playbook was simple: encrypt files, demand payment for the key. Reliable backups largely defeated it. So attackers added leverage. Double extortion — exfiltrate data first, then encrypt — means paying for a decryptor no longer makes the stolen data disappear. Many crews now layer on a third pressure point: DDoS, or direct harassment of customers and employees.

This maps cleanly to MITRE ATT&CK T1486 (Data Encrypted for Impact), usually preceded by exfiltration over web services and abuse of valid accounts for initial access.

The affiliate model

Most large operations run as Ransomware-as-a-Service (RaaS). Operators build and maintain the encryptor, leak site and payment infrastructure; affiliates do the intrusions and take the larger cut of any ransom. The model is resilient: take down one brand and the affiliates simply move to another.

Law-enforcement disruptions — most visibly the takedown of LockBit's infrastructure — proved that even dominant brands can be dislodged, but also that the talent pool behind them re-forms under new names. Defenders should plan for capabilities, not brands.

What actually changes outcomes

The economics reward speed and pressure. Your job is to make both harder:

  • Kill the easy entry points — enforce MFA everywhere, retire exposed RDP, and patch internet-facing systems fast.
  • Protect the backups — keep offline, immutable copies and test restoration regularly.
  • Detect the pre-encryption stage — bulk file access, shadow-copy deletion and mass-modification patterns precede the payload.
  • Plan for the leak — assume exfiltration happened; involve legal and comms early.

Paying ends the incident on the attacker's terms, not yours. Treat the decision as a business and legal one — and make it before you are under pressure, not during.
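As an added example, not code from the original article, here is a small detector for the pre-encryption signals named above: shadow-copy deletion command lines and a burst of file modifications on a single host, run over constructed sample telemetry. The pipe-delimited event format, the hostnames and the burst thresholds are assumptions chosen for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample telemetry, not real logs: "timestamp|host|event_type|detail".
SAMPLE_EVENTS = [
    "2024-05-01T02:10:03|WS-017|process|vssadmin.exe delete shadows /all /quiet",
    "2024-05-01T02:10:05|WS-017|process|wbadmin.exe delete catalog -quiet",
    "2024-05-01T09:15:00|WS-042|file_write|C:\\Users\\b\\report.docx",
] + [
    # 120 writes on one host inside 30 seconds: a burst no user produces by hand
    f"2024-05-01T02:11:{i // 4:02d}|WS-017|file_write|C:\\Share\\doc{i}.xlsx.locked"
    for i in range(120)
]

# Command lines that destroy recovery points; these typically run just before the payload.
SHADOW_COPY_DELETION = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete"
    r"|wbadmin(\.exe)?\s+delete\s+catalog|bcdedit(\.exe)?.*recoveryenabled\s+no",
    re.IGNORECASE,
)


def parse(line):
    ts, host, kind, detail = line.split("|", 3)
    return datetime.fromisoformat(ts), host, kind, detail


def detect(lines, burst_threshold=100, window=timedelta(seconds=60)):
    """Return alerts as (host, rule, evidence); the burst rule fires once per host."""
    alerts = []
    burst_alerted = set()
    recent = defaultdict(deque)  # host -> timestamps of file writes in the sliding window
    for line in sorted(lines):  # fixed-width ISO timestamp prefix, so string order is time order
        ts, host, kind, detail = parse(line)
        if kind == "process" and SHADOW_COPY_DELETION.search(detail):
            alerts.append((host, "shadow_copy_deletion", detail))
        elif kind == "file_write":
            q = recent[host]
            q.append(ts)
            while q and ts - q[0] > window:  # evict writes that fell out of the window
                q.popleft()
            if len(q) >= burst_threshold and host not in burst_alerted:
                burst_alerted.add(host)
                alerts.append((host, "mass_file_modification", f"{len(q)} writes in {window.seconds}s"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The single write on WS-042 produces no alert; the two recovery-point deletions and the write burst on WS-017 each do, which is the point at which an analyst still has minutes rather than hours.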

Key takeaways

  • Double and triple extortion mean backups alone no longer neutralize ransomware.
  • RaaS affiliates outlast the brands they work under — defend against capabilities, not names.
  • Most damage is preventable upstream: MFA, patching, and killing exposed remote access.
  • Decide your payment and disclosure stance before an incident, not during one.