Ransomware Threats: Reference for US Organizations
Ransomware represents one of the most operationally disruptive categories of malicious software targeting US organizations across the public and private sectors. This page describes the threat landscape, attack mechanics, prevalent deployment scenarios, and the decision boundaries that determine organizational exposure and recovery options. The framing draws on definitions and guidance from CISA, NIST, and the FBI, the three primary federal bodies responsible for ransomware threat intelligence and incident response coordination.
Definition and scope
Ransomware is a class of malicious software that denies access to data, systems, or networks — typically through encryption — and demands payment in exchange for restoring access. The FBI's Internet Crime Complaint Center (IC3) classifies ransomware under extortion-based cybercrime, distinct from data-theft malware, though modern variants frequently combine both functions (FBI IC3).
CISA defines ransomware in its Ransomware Guide (published jointly with MS-ISAC) as malware that "encrypts files on a device, rendering any files and the systems that rely on them unusable," with actors demanding ransom for the decryption key.
The scope of affected entities spans healthcare, critical infrastructure, education, and municipal government. The HHS Office for Civil Rights has issued specific guidance addressing ransomware under HIPAA because a ransomware attack on health data is presumed to constitute a reportable breach unless the covered entity can demonstrate a low probability of PHI compromise (HHS OCR Ransomware Guidance, 2016).
Principal variant categories:
- Crypto-ransomware — encrypts files and demands payment for the decryption key; the most prevalent variant since 2013
- Locker ransomware — locks the device interface without encrypting file contents
- Double-extortion ransomware — combines encryption with exfiltration, threatening public data release if ransom is not paid
- Ransomware-as-a-Service (RaaS) — a criminal affiliate model in which developers license ransomware tools to operators in exchange for a percentage of ransom proceeds; identified by NIST as a distinct threat actor structure (NIST SP 800-207)
- Wiper malware posing as ransomware — destructive software that mimics ransomware demands while permanently destroying data regardless of payment
Double-extortion and RaaS models represent the dominant operational pattern observed by federal agencies in attacks against US critical infrastructure sectors as documented in CISA advisories.
How it works
Ransomware deployment follows a structured kill chain that aligns with the MITRE ATT&CK framework's enterprise matrix, which documents adversary tactics across 14 distinct phases (MITRE ATT&CK).
Typical ransomware attack sequence:
- Initial access — attackers gain entry via phishing emails, exploitation of unpatched vulnerabilities (notably in exposed RDP services and VPN appliances), or compromised credentials purchased from initial access brokers
- Execution — the payload is delivered and executed, often through script-based loaders or living-off-the-land techniques using legitimate system tools
- Privilege escalation — attackers move from standard user accounts to administrator or domain administrator privileges
- Lateral movement — the attacker traverses the network to reach high-value assets including backup systems, domain controllers, and file servers
- Data exfiltration (in double-extortion scenarios) — sensitive data is copied to attacker-controlled infrastructure before encryption begins
- Inhibit system recovery — backup systems, shadow copies, and recovery tools are deleted or disabled; this step is documented in CISA's #StopRansomware advisories
- Encryption — files are encrypted using asymmetric cryptography, with the private decryption key held by the attacker
- Ransom demand — a ransom note specifies payment terms, typically in cryptocurrency, and often includes a countdown timer
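The "inhibit system recovery" step above is one of the few points in the sequence where a defender still has time to act before encryption starts, because it tends to show up as a burst of distinctive process-creation events on one host. The following is an added example, not code from CISA, NIST or the original page: a small detector run over constructed, Sysmon-style process-creation log lines (the pipe-delimited format, the host names, the user names and the timestamps are all made up for the example) that flags the well-known shadow-copy, backup-catalog and boot-recovery tampering commands and escalates when several distinct techniques appear on the same host inside a short window. The rule identifiers reference ATT&CK technique T1490 (Inhibit System Recovery); the rule set is illustrative, not exhaustive.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample events in a simplified Sysmon Event ID 1 layout:
# timestamp|host|user|parent_image|command_line  (all values invented for this example)
SAMPLE_EVENTS = """\
2024-03-01T02:14:07Z|FS01|CORP\\svc_backup|C:\\Windows\\System32\\services.exe|"C:\\Program Files\\Backup\\agent.exe" --schedule nightly
2024-03-01T02:15:11Z|FS01|CORP\\jdoe|C:\\Windows\\explorer.exe|"C:\\Windows\\System32\\notepad.exe" notes.txt
2024-03-01T02:16:02Z|FS01|CORP\\jdoe|C:\\Windows\\System32\\cmd.exe|vssadmin.exe delete shadows /all /quiet
2024-03-01T02:16:03Z|FS01|CORP\\jdoe|C:\\Windows\\System32\\cmd.exe|wbadmin.exe delete catalog -quiet
2024-03-01T02:16:04Z|FS01|CORP\\jdoe|C:\\Windows\\System32\\cmd.exe|bcdedit.exe /set {default} recoveryenabled no
2024-03-01T02:16:05Z|DC01|CORP\\jdoe|C:\\Windows\\System32\\cmd.exe|wmic.exe shadowcopy delete
2024-03-01T02:20:00Z|WS07|CORP\\admin|C:\\Windows\\System32\\cmd.exe|vssadmin.exe list shadows
"""

# Detection rules for recovery-inhibition commands (ATT&CK T1490). Read-only
# operations such as "vssadmin list shadows" are deliberately not matched.
RECOVERY_INHIBITION_RULES = [
    ("T1490-vssadmin-delete-shadows", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("T1490-wmic-shadowcopy-delete", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("T1490-wbadmin-delete-catalog", re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("T1490-bcdedit-recovery-off", re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.I)),
]


@dataclass
class Finding:
    timestamp: datetime
    host: str
    user: str
    rule_id: str
    command_line: str


def parse_event(line: str) -> dict:
    """Split one pipe-delimited event into its five fields."""
    ts, host, user, parent, cmd = line.split("|", 4)
    return {
        "timestamp": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "host": host,
        "user": user,
        "parent": parent,
        "command_line": cmd,
    }


def detect_recovery_inhibition(log_text: str) -> list:
    """Return one Finding per event whose command line matches a T1490 rule."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        for rule_id, pattern in RECOVERY_INHIBITION_RULES:
            if pattern.search(ev["command_line"]):
                findings.append(Finding(ev["timestamp"], ev["host"], ev["user"],
                                        rule_id, ev["command_line"]))
                break  # one matching rule per event is enough for alerting
    return findings


def correlate_by_host(findings: list, window_seconds: int = 300) -> dict:
    """Map host -> severity. Several distinct inhibition techniques on one host
    inside the window is the pre-encryption pattern and is rated 'high'."""
    window = timedelta(seconds=window_seconds)
    by_host = {}
    for f in findings:
        by_host.setdefault(f.host, []).append(f)
    severity = {}
    for host, items in by_host.items():
        items.sort(key=lambda f: f.timestamp)
        distinct_in_window = 1
        for i, start in enumerate(items):
            rules = {g.rule_id for g in items[i:] if g.timestamp - start.timestamp <= window}
            distinct_in_window = max(distinct_in_window, len(rules))
        severity[host] = "high" if distinct_in_window >= 2 else "medium"
    return severity


if __name__ == "__main__":
    hits = detect_recovery_inhibition(SAMPLE_EVENTS)
    for h in hits:
        print(f"{h.timestamp.isoformat()} {h.host} {h.user} {h.rule_id}: {h.command_line}")
    print(correlate_by_host(hits))
```

In a real deployment the same rules would run on the SIEM's process-creation feed (Windows Security event 4688 with command-line auditing enabled, or Sysmon event 1), and the "high" correlation on FS01 is the alert that should page someone: three distinct recovery-inhibition commands from one interactive user within two seconds on a file server is the signature of an encryptor about to run, not of an administrator doing maintenance.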
NIST SP 800-184 covers recovery from cybersecurity events and addresses the technical and organizational steps relevant to ransomware recovery scenarios (NIST SP 800-184).
Common scenarios
Healthcare organizations face compounded risk because HIPAA breach notification obligations activate simultaneously with operational disruption. A ransomware attack that encrypts electronic protected health information (ePHI) triggers mandatory notification to HHS OCR, affected individuals, and — for breaches exceeding 500 records — prominent media notice within 60 days of discovery (45 CFR §164.400–414).
Municipal and state governments have been targeted because they typically operate legacy systems with extended patching cycles and limited dedicated cybersecurity budgets. CISA's Known Exploited Vulnerabilities Catalog maintains a binding operational directive (BOD 22-01) requiring federal civilian agencies to remediate verified vulnerabilities within defined timeframes; state and local entities are not legally bound but are advised to adopt the same standards.
Critical infrastructure operators — including energy, water, and transportation sectors — face sector-specific regulatory exposure. The Transportation Security Administration issued cybersecurity directives in 2021 and 2022 requiring pipeline and surface transportation operators to implement specific ransomware-relevant controls including network segmentation and access control (TSA Cybersecurity Directives).
Small and mid-size businesses represent a disproportionate share of ransomware victims due to limited endpoint detection capabilities. The FBI IC3 reported ransomware as one of the top 5 crime types by reported loss in its annual Internet Crime Report, which organizations can reference at ic3.gov/Media/PDF/AnnualReport.
Decision boundaries
The central decision facing an affected organization is whether to pay the ransom — a choice with legal, operational, and strategic dimensions that federal agencies address explicitly.
OFAC (the Treasury Department's Office of Foreign Assets Control) has issued guidance stating that paying ransom to a sanctioned entity or jurisdiction may violate US sanctions law, regardless of whether the payer knew the recipient was sanctioned (OFAC Ransomware Advisory, updated 2021). This creates a compliance risk that operates independently of operational recovery considerations.
Key decision factors structured by federal guidance:
- Backup integrity — organizations with tested, offline, immutable backups retain the ability to restore without decryption; CISA's ransomware guide treats functional backup architecture as the single highest-impact preventive control
- Data exfiltration confirmation — if sensitive data has been confirmed or suspected as exfiltrated, ransom payment does not eliminate breach notification obligations or civil liability exposure
- Sanctions screening — before any payment consideration, OFAC screening of the threat actor group against the SDN (Specially Designated Nationals) list is a required compliance step
- Incident reporting obligations — CISA's Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) establishes mandatory reporting requirements for covered entities, with proposed rules under development that will define 72-hour incident reporting and 24-hour ransom payment reporting windows (CISA CIRCIA)
- Law enforcement engagement — the FBI and CISA both advise contacting law enforcement before payment; in documented cases, law enforcement has obtained decryption keys from seized infrastructure, as occurred in the Colonial Pipeline ransomware incident of 2021 when the Department of Justice recovered approximately $2.3 million in bitcoin from the DarkSide affiliate (DOJ Press Release, June 7, 2021)
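The first decision factor above, backup integrity, turns on whether backups are "tested": a backup set that has never been verified may already have been silently overwritten, encrypted or pruned by the time it is needed, and its catalog may have been edited to hide that. The following is an added example, not code from CISA's guide or the original page, showing what a restore-test check can look like: a SHA-256 manifest is built when the backup set is written and sealed with an HMAC under a key that lives somewhere the backup host cannot write (the key, the directory layout and the file contents are all constructed for the example); at test time the manifest is authenticated and every file is re-hashed, so files that were modified, removed or added since the backup was taken are reported rather than discovered during an actual recovery.

```python
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backup objects do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative, '/'-separated) to its SHA-256 hex digest."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def seal_manifest(manifest: dict, key: bytes) -> str:
    """Serialize the manifest with an HMAC-SHA256 tag so edits to it are detectable."""
    body = json.dumps(manifest, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"manifest": manifest, "hmac": tag})


def open_manifest(sealed: str, key: bytes) -> dict:
    """Authenticate a sealed manifest; refuse to trust one whose tag does not verify."""
    doc = json.loads(sealed)
    body = json.dumps(doc["manifest"], sort_keys=True)
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc["hmac"]):
        raise ValueError("manifest HMAC mismatch: manifest was altered or wrong key")
    return doc["manifest"]


def verify_backup(root: Path, manifest: dict) -> dict:
    """Compare the backup set on disk against its authenticated manifest."""
    current = build_manifest(root)
    return {
        "ok": sorted(p for p in manifest if current.get(p) == manifest[p]),
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def demo_restore_test() -> dict:
    """Build a constructed backup set, seal it, damage it, and return the verification report."""
    key = os.urandom(32)  # assumption: in production this key is held off the backup host
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "db").mkdir()
        (root / "db" / "patients.sql").write_bytes(b"CREATE TABLE patients (...);\n")
        (root / "config.yaml").write_bytes(b"retention: 30d\n")
        (root / "readme.txt").write_bytes(b"nightly backup set\n")
        sealed = seal_manifest(build_manifest(root), key)

        # Simulated damage after the backup was taken: one file's contents replaced by
        # random bytes (what an encrypted file looks like), one file deleted, one
        # unexpected file added.
        (root / "db" / "patients.sql").write_bytes(os.urandom(64))
        (root / "readme.txt").unlink()
        (root / "EXTRA.txt").write_bytes(b"not part of the backup set\n")

        return verify_backup(root, open_manifest(sealed, key))


def tampered_manifest_is_rejected() -> bool:
    """Show that rewriting an expected hash inside the manifest is caught by the HMAC."""
    key = os.urandom(32)
    sealed = seal_manifest({"a.txt": "00" * 32}, key)
    doc = json.loads(sealed)
    doc["manifest"]["a.txt"] = "ff" * 32  # forged digest, tag left unchanged
    try:
        open_manifest(json.dumps(doc), key)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(json.dumps(demo_restore_test(), indent=2))
    print("tampered manifest rejected:", tampered_manifest_is_rejected())
```

The HMAC is the part that matters for the ransomware case: an attacker who has reached the backup server during lateral movement can rewrite files and, if the manifest is a plain JSON file next to them, rewrite the expected hashes too. Keeping the key elsewhere (a vault, or the offline copy's own host) means a forged manifest fails verification before any hash is compared, which is the same reason the guidance insists on offline or immutable copies rather than on backups alone.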
Organizations seeking vetted response service providers can reference the cyber safety providers maintained on this provider network, which catalogs firms operating in the incident response and ransomware recovery space. The describes the criteria under which service providers participate. For context on navigating provider network resources, see how to use this cyber safety resource.