Ransomware: Types, detection, and defense
Información clave
- Ransomware caused an estimated $57 billion in global damages in 2025, with 85 active groups representing a record-high fragmentation of the threat landscape (Check Point Research, 2025)
- Compromised VPN credentials now account for 48% of ransomware attacks, making identity-based initial access the dominant entry vector (HIPAA Journal, Q3 2025)
- Data exfiltration occurs in 76% of ransomware incidents before encryption begins, making every ransomware attack effectively a data breach (Deepstrike, 2025)
- Recovery times have improved dramatically — 56% of organizations now recover within one week, compared to 33% the year prior (Sophos, 2025)
- The FBI recommends against paying ransoms, as only 46% of paying victims recover their data and 80% experience subsequent attacks (CSO Online, 2025)
In Q3 2025, 85 ransomware groups operated simultaneously, the highest count ever recorded, while damages reached $57 billion globally (Check Point Research, 2025; Cybersecurity Ventures, 2025). In March 2026 alone, three groups, Qilin, Akira, and DragonForce, accounted for 40% of 672 recorded incidents in a single month (Infosecurity Magazine, 2026).
This guide provides security professionals, SOC analysts, and CISOs with current intelligence on how ransomware works, which threat actors pose the greatest risk, and what defensive measures actually reduce exposure. Whether you are building detection capabilities, refining incident response procedures, or briefing leadership on organizational risk, the information here reflects threat research and defensive best practices from the FBI, CISA, and MITRE ATT&CK.
¿Qué es el ransomware?
Ransomware is a type of malicious software that encrypts files on a victim's device or network and demands a ransom payment, typically in cryptocurrency — to restore access. According to the FBI, ransomware prevents access to computer files, systems, or networks until payment is made.
CISA defines ransomware as malware that encrypts files on a device, rendering the files and the systems that depend on them unusable. The operational consequence goes beyond locked files, ransomware disrupts the business processes that depend on that data.
According to Cybersecurity Ventures, global ransomware damages reached $57 billion in 2025, approximately $156 million per day. These costs extend far beyond ransom payments to include business disruption, recovery expenses, reputational damage, and regulatory penalties.
Modern ransomware operators conduct reconnaissance, establish persistence, and exfiltrate sensitive data before deploying encryption. This transforms each ransomware incident into a potential data breach with long-term consequences for affected organizations.
En qué se diferencia el ransomware de otros tipos de malware
Ransomware differs from other malware primarily because it makes itself known to the victim. While spyware, trojans, and viruses typically operate covertly, stealing data, establishing backdoor access, or corrupting files without announcement, ransomware demands payment through explicit ransom notes. This visibility is deliberate: the cyberattack must be recognized before the victim can be pressured to pay.
Each malware type differs in purpose, visibility, and how attackers profit from it.
Financial incentive drives constant adaptation, the shift from phishing-dominated entry in 2023 to compromised VPN credentials accounting for 48% of attacks by Q3 2025 shows how quickly operators change methods when defenders close one vector.
Cómo funciona el ransomware
Modern ransomware attacks follow a five-stage sequence, and defenders can disrupt each one. Mapping detection controls to each stage is what separates organizations that catch attackers before encryption from those that discover the damage after.
El ataque típico de ransomware avanza a través de cinco etapas:
- Initial access — attackers gain entry through phishing, compromised credentials, or exploited vulnerabilities
- Movimiento lateral: malware por la red mientras recopila credenciales adicionales.
- Escalada de privilegios: los atacantes obtienen acceso administrativo para maximizar el impacto.
- Exfiltración de datos: se roba información confidencial antes del cifrado para obtener una doble ventaja de extorsión.
- Cifrado y demanda de rescate: los archivos se cifran y las víctimas reciben instrucciones de pago.
Ransomware attack vectors and initial access
According to HIPAA Journal, compromised VPN credentials accounted for 48% of ransomware attacks in Q3 2025, up from 38% in Q2. This represents a fundamental change from earlier years when phishing dominated initial access.
Credential-based entry has overtaken phishing, exploitation, and every other ransomware delivery method
The shift reflects both the widespread availability of stolen credentials on criminal marketplaces and the effectiveness of initial access brokers, specialists who compromise systems and sell access to ransomware operators. These brokers use infostealers to harvest credentials at scale.
External service exploitation accounts for another 23% of attacks, with recent campaigns targeting vulnerabilities in VPN appliances (CVE-2024-40766 in SonicWall), Citrix NetScaler devices (CVE-2025-5777), and enterprise software like Oracle E-Business Suite (CVE-2025-61882).
Movimiento lateral y exfiltración de datos
Once inside a network, ransomware operators begin moving laterally within 48 minutes on average. The fastest observed cases show full network propagation in just 18 minutes (Vectra AI research). Defenders have less than an hour, sometimes less than 20 minutes, to detect and contain the spread before the attacker controls the environment.
Attackers use legitimate administrative tools and credentials to move laterally, making their activity difficult to distinguish from normal network operations without behavioral analysis.
According to Deepstrike, 76% of 2025 ransomware attacks involved data exfiltration before encryption, making nearly every ransomware incident a data breach by the time encryption begins. This enables double extortion: even if victims restore from backups, attackers threaten to publish stolen data.
Las herramientas más comunes observadas en la fase de exfiltración incluyen:
- Rclone y Rsync para transferencias cloud
- Cobalt Strike para comando y control
- Mimikatz for credential harvesting
- FTP/SFTP para transferencia masiva de datos
MITRE ATT&CK mapping for ransomware
MITRE ATT&CK catalogs the specific techniques ransomware operators use, from credential abuse (T1078) to encryption for impact (T1486). The primary ransomware technique is T1486, Data Encrypted for Impact, categorized under the Impact tactic.
Six techniques appear in the majority of ransomware operations, spanning from initial credential abuse through defense evasion to final encryption.
Over 70 ransomware families are mapped to specific ATT&CK techniques. Running this mapping against deployed detections reveals exactly where coverage exists and where it does not, a process that enables focused threat hunting against known gaps.
Tipos de ransomware
Ransomware now comes in several distinct categories, each with different encryption methods, extortion tactics, and business models.
Encrypting ransomware vs. locker ransomware
Ransomware splits into two primary categories: encrypting ransomware (crypto-ransomware) and locker ransomware.
Encrypting ransomware encrypts individual files and data on infected devices. According to Keeper Security, victims can still use their devices but cannot access encrypted files without the decryption key. Modern encrypting ransomware uses strong encryption algorithms including AES-256, ChaCha20, and RSA-2048 that are computationally infeasible to break.
Locker ransomware (screen lockers) takes a different approach, locking users out of their entire systems rather than encrypting individual files. According to Check Point, locker variants prevent any access to the device until payment is made. While locker ransomware was more common in ransomware's early history, encrypting ransomware dominates today due to its greater impact and harder recovery path.
Recovery, response, and backup strategies differ significantly between the two.
Double and triple extortion ransomware
Most ransomware attacks now combine encryption with data theft, and some add DDoS attacks and third-party threats on top.
Double extortion ransomware combines data encryption with data theft. Attackers first exfiltrate sensitive information, then encrypt systems. If victims restore from backups without paying, attackers threaten to publish or sell the stolen data. According to Arctic Wolf, 96% of ransomware incident response cases in 2025 involved data exfiltration, making double extortion the norm rather than the exception.
Triple extortion ransomware adds additional pressure tactics beyond encryption and data theft:
- Amenazar con ponerse en contacto con los clientes, socios o pacientes de la víctima para informarles sobre la violación de datos.
- Lanzamiento de ataques DDoS contra la infraestructura de la víctima.
- Dirigirse a terceros con demandas de extorsión basadas en datos robados.
The result is overlapping harm, operational disruption from encryption, breach notification obligations from exfiltration, and reputational damage from public leak threats, all applied simultaneously.
What is ransomware-as-a-service (RaaS)?
According to IBM, ransomware-as-a-service (RaaS) is a business model where ransomware developers sell or lease their malware to affiliates who conduct the actual attacks. The model has industrialized ransomware, turning it from a technical crime into a franchise operation.
Los operadores de RaaS proporcionan a los afiliados:
- Cargas útiles de ransomware listas para desplegarse
- Paneles administrativos para la gestión de víctimas
- Infraestructura de procesamiento de pagos
- Herramientas de apoyo a la negociación y comunicación con las víctimas
- Soporte técnico y actualizaciones
In exchange, affiliates share ransom proceeds with the RaaS operators. According to Flashpoint, typical affiliate revenue shares range from 70–85% of ransom payments, with Qilin offering an industry-leading 85% share to attract affiliates.
Criminals with no technical expertise can now deploy professional-grade ransomware, which is why the number of active groups hit 85 in Q3 2025.
The ransomware threat landscape
A record 85 ransomware groups operated simultaneously in Q3 2025. Between January and September, 4,701 incidents were recorded globally, a 46% increase over the same period in 2024. The fragmentation follows law enforcement disruptions of major groups and reflects the ease with which new groups can launch using RaaS infrastructure.
In March 2026 alone, 672 ransomware incidents were reported, with just three groups (Qilin, Akira, and DragonForce) responsible for 40% of the total.
Los grupos de ransomware más activos en 2025
Qilin emerged as the dominant ransomware group, processing over 75 victims monthly by Q3 2025. The group's 85% affiliate revenue share, higher than competitors, has attracted skilled affiliates from disbanded operations. Notably, North Korean threat actors deployed Qilin payloads in March 2025, indicating nation-state collaboration with criminal ransomware operations.
Akira accumulated $244.17 million in proceeds as of late September 2025, according to CISA advisories. The group targets SMBs and critical infrastructure across manufacturing, education, IT, healthcare, and financial services.
LockBit re-emerged with version 5.0 in September 2025 despite significant law enforcement pressure including Operation Cronos. While diminished from its peak, the group's persistence demonstrates the resilience of well-established RaaS operations.
Casos prácticos de gran repercusión mediática
Change Healthcare (2024–2025): The ALPHV/BlackCat attack on Change Healthcare represents the largest healthcare data breach in U.S. history. According to AHA, approximately 192.7 million individuals were affected, with total costs estimated at $3 billion. The root cause was compromised credentials for a Citrix server without multi-factor authentication, a basic security control failure with catastrophic consequences.
Qilin "Korean Leaks" Campaign (September 2025): According to The Hacker News, Qilin compromised a single managed service provider (GJTec) and used that access to attack 28 downstream organizations, including 24 in South Korea's financial sector. Over 1 million files and 2TB of data were exfiltrated. This supply chain attack demonstrates how a single MSP compromise can amplify ransomware impact exponentially.
Clop Oracle EBS Campaign (November 2025): According to Z2Data, the Clop ransomware group exploited CVE-2025-61882 (CVSS 9.8) in Oracle E-Business Suite to compromise over 100 companies including Broadcom, Estee Lauder, Mazda, Canon, Allianz UK, and the Washington Post. The campaign followed the same mass-exploitation playbook Clop used against MOVEit in 2023, same group, same tactic, different vulnerability.
Estadísticas sobre el impacto en la industria
Healthcare was the top ransomware target in 2025, with 460 attacks and 182 data breaches reported to the FBI, a combined 642 cyber events (IC3 2025 Annual Report, published April 2026). Financial services was the second-highest sector at 447 total events.
The concentration of attacks on specific industries reflects both the value of the data they hold and the operational pressure that makes victims more likely to pay.
According to Verizon DBIR analysis, 88% of data breaches at SMBs involve ransomware, compared to 39% for large organizations. Without dedicated security resources and incident response capabilities, 60% of attacked small businesses close within six months.
How to detect and prevent ransomware
Three distinct control layers, prevention, detection, and response, separate organizations that recover from ransomware from those that do not. Prevention is the cheapest layer. Detection and response determine the outcome once an attacker is already inside.
12 essential ransomware prevention controls
CISA's #StopRansomware Guide defines the baseline controls every organization should deploy. These 12 controls address the most common attack vectors and reduce exposure across the ransomware kill chain.
Priority controls (implement immediately):
- Prioritize remediating known exploited vulnerabilities focus on CISA KEV catalog entries
- Habilitar y aplicar la autenticación multifactorial phishing en todos los servicios externos.
- Realice copias de seguridad cifradas y fuera de línea con regularidad, y pruebe los procedimientos de restauración.
Controles técnicos adicionales:
- Implement zero trust architecture principles for network access
- Segmentar las redes para limitar las oportunidades de movimiento lateral.
- Desactive SMBv1 y actualice a SMBv3 con cifrado.
- Centralize logging with SIEM and minimum 12-month retention
- Restringir la ejecución de PowerShell mediante la política de grupo
- Deploy EDR, NDR, or XDR solutions with real-time detection capabilities
- Exigir contraseñas de al menos 15 caracteres.
- Separar las cuentas administrativas de las cuentas de uso diario.
- Reduce attack surface by disabling unnecessary services
The 48% share of attacks using compromised VPN credentials makes three actions urgent: audit VPN configurations, enforce MFA on all remote access, and evaluate zero-trust network access as a VPN replacement.
Estrategia de copia de seguridad para la resiliencia ante el ransomware
The 3-2-1-1-0 backup rule, as detailed by Veeam, provides ransomware-resilient data protection:
- 3 copias de los datos (una principal y dos copias de seguridad)
- 2 tipos diferentes de soportes de almacenamiento
- 1 copia fuera de las instalaciones
- 1 copia inmutable o aislada
- 0 errores tras las pruebas de verificación
Immutable storage converts backups to write-once, read-many (WORM) format that cannot be overwritten, changed, or deleted, even by administrators with full credentials. This protects against ransomware that specifically targets backup systems.
Untested backups are not backups. Verifying restoration procedures at least quarterly — and documenting actual recovery times against stated objectives, is the difference between a backup that works and one that merely exists.
Ransomware detection indicators
Every stage of the ransomware attack chain produces network artifacts that signature-based tools miss. Network detection and response reveals the lateral movement, exfiltration, and command and control traffic that endpoint agents never see.
malware precursor malware vigilar:
- Los cargadores Bumblebee, Dridex, Emotet, QakBot y Anchor suelen preceder al despliegue del ransomware.
- La detección de estas amenazas debe desencadenar una investigación inmediata.
Indicadores de red de actividad de ransomware:
- Salida de datos anómala en cualquier puerto (exfiltración)
- Herramientas como Rclone, Rsync, FTP/SFTP para mover grandes volúmenes de datos.
- C2 callbacks to unknown infrastructure
- Patrones de movimiento lateral (autenticación inusual, uso indebido de cuentas de servicio)
- Intentos de túnel DNS
- Actividad de suplantación de ARP
When a service account authenticates at 3 AM, an admin session transfers 40 GB to an external host, or a user accesses file shares they have never touched, those deviations are the signal.
See how Vectra AI detects and contains ransomware attacks
What to do if you are hit by ransomware
If your organization is hit by ransomware, CISA provides immediate response guidance:
- Aísle inmediatamente: desconecte los sistemas afectados de la red para evitar la propagación.
- NO reinicie ni reinicie el sistema, ya que esto podría provocar daños adicionales o destruir pruebas forenses.
- Copias de seguridad seguras: desconecte los sistemas de copia de seguridad para evitar el cifrado.
- Documenta todo: haz capturas de pantalla de las notas de rescate y conserva el estado del sistema.
- Evaluar el alcance: determinar qué sistemas se ven afectados y el alcance del cifrado.
- Póngase en contacto con las autoridades: notifique al FBI, a la CISA y a las fuerzas del orden locales.
- Check for free decryptors — the No More Ransom Project provides free decryption tools for 100+ ransomware families
Acting within the first hour determines whether the attack stays contained to one segment or spreads across the network.
According to Sophos, 56% of organizations recovered within one week in 2025 — up from 33% in 2024. The gap between organizations that recover in days and those that take months is narrowing.
Should you pay a ransomware ransom?
El FBI y la CISA recomiendan no pagar rescates. Los datos respaldan esta postura:
- Solo el 46 % de las organizaciones que pagan rescates recuperan con éxito sus datos (CSO Online).
- El 93 % de las víctimas que pagaron aún sufrieron el robo de sus datos, que quedaron potencialmente expuestos.
- Aproximadamente el 80 % de las organizaciones que pagaron sufrieron ataques posteriores.
- El pago financia a las organizaciones criminales e incentiva futuros ataques.
Victim behavior reflects this guidance. According to Sophos, 63% of ransomware victims refused to pay in 2025, up from 59% in 2024. Meanwhile, 97% of organizations successfully recovered their data through backups or other means, demonstrating that payment is not necessary for recovery.
If you are considering payment, legal counsel and law enforcement engagement should precede any decision. Some payments may violate sanctions regulations, and authorities may have intelligence about the specific threat actor that changes the calculus.
Ransomware compliance and regulatory requirements
NIS2, NIST IR 8374, and proposed UK legislation now mandate ransomware-specific controls and incident reporting timelines. Mapping existing controls to these framework requirements, and generating audit-ready evidence, is an operational necessity, not a governance exercise.
Mapeo del marco
NIST IR 8374 — Ransomware Risk Management Profile: This NIST publication applies the Cybersecurity Framework's five core functions (Identify, Protect, Detect, Respond, Recover) specifically to ransomware risk. Updated for CSF 2.0 in January 2025, it provides actionable guidance aligned with ISO/IEC 27001:2013 and NIST SP 800-53 Rev. 5.
MITRE ATT&CK Framework: Version 18 of ATT&CK (October 2025) documents over 70 ransomware families and their techniques. Organizations can use ATT&CK to validate detection coverage against known ransomware behaviors and identify capability gaps.
NIS2 Directive (EU): The NIS2 Directive requires essential and important entities across 18 critical sectors to implement ransomware-specific controls. Key requirements include 24-hour early warning for significant incidents and penalties up to EUR 10 million or 2% of global revenue for non-compliance
Each framework maps to different compliance requirements and operational needs
Cyber insurance and ransomware
The average ransomware insurance claim reached $1.18 million in 2025, a 17% increase year-over-year (Resilience, 2025). Ransomware accounts for 76% of incurred losses despite representing 56% of claims.
Insurers denied approximately 40% of cyber insurance claims in 2024, often citing "failure to maintain security" exclusions (HIPAA Journal). They are scrutinizing vulnerability management, practices, MFA deployment, and backup procedures when evaluating claims.
An emerging concern: the Interlock ransomware group has been observed stealing cyber insurance policies from victims to benchmark ransom demands against coverage limits. When attackers know your coverage ceiling, adequate insurance without corresponding security improvements becomes a liability.
How Vectra AI detects ransomware
Vectra AI approaches ransomware defense through Attack Signal Intelligence, detecting attacker behaviors across the entire attack chain rather than relying on signatures or known indicators. By analyzing network traffic, cloud activity, and identity signals, the platform identifies lateral movement, privilege escalation, and data exfiltration patterns that precede ransomware deployment.
The "Assume Compromise" model starts from the premise that preventive controls will fail, and focuses detection on what happens after initial access. The window between initial access and encryption, often as little as 18 minutes, is where behavioral threat detection catches what signatures miss.
AI-driven detection identifies novel ransomware behaviors without requiring prior knowledge of specific variants. When attackers develop new evasion techniques, behavioral analysis continues to flag the underlying patterns, credential abuse, unusual data access, lateral connection attempts, that remain consistent across campaigns.
Without visibility across identity, cloud, and network layers, attackers reach the encryption stage undetected.
Where most ransomware defenses fall short
Ransomware groups reorganize within weeks of law enforcement disruption, shift attack vectors within quarters, and adopt new extortion tactics within months. Organizations that implement MFA, maintain tested immutable backups, segment networks, and deploy behavioral detection recover faster and avoid paying ransoms.
The path forward starts with honest assessment:
- Do you have continuous visibility into lateral movement across your hybrid environment?
- Can your current tools detect credential abuse and privilege escalation before encryption begins?
- Are your backups truly immutable — and have you tested restoration within the last 90 days?
- Do you know which MITRE ATT&CK techniques your detection stack covers and where the gaps are?
- Can you demonstrate compliance readiness with evidence, not documentation alone?
Conclusión
El ransomware en 2025 representa una amenaza madura, sofisticada y muy fragmentada que ninguna organización puede permitirse ignorar. Con 85 grupos activos, 57 000 millones de dólares en daños a nivel mundial y ataques que combinan habitualmente el cifrado con el robo de datos, nunca ha habido tanto en juego.
Los datos demuestran que la prevención y la preparación funcionan. Las organizaciones que implementan la autenticación multifactorial (MFA), mantienen copias de seguridad inmutables y probadas, y segmentan sus redes se recuperan más rápidamente y evitan pagar rescates. Las que invierten en capacidades de detección, en particular en análisis de comportamiento basados en la red, detectan a los atacantes antes de que comience el cifrado.
El camino a seguir requiere una evolución continua. A medida que los operadores de ransomware desarrollan nuevas técnicas y explotan nuevas vulnerabilidades, los defensores deben adaptarse. Las pruebas periódicas de la cobertura de detección con respecto al MITRE ATT&CK , la formación continua en materia de seguridad y las pruebas trimestrales de restauración de copias de seguridad proporcionan la base para unas operaciones resilientes.
Para las organizaciones que buscan reforzar sus defensas contra el ransomware, el enfoque Vectra AI en materia de Attack Signal Intelligence detección en toda la cadena de ataque, identificando los comportamientos que preceden al despliegue del ransomware, independientemente de malware específicas malware o las técnicas de evasión.
Fuentes y metodología
Statistics and threat intelligence cited in this guide are drawn from the following sources:
- FBI IC3 2025 Annual Report (published April 2026) — sector-level ransomware attack data
- Check Point Research, Q3 2025 — active ransomware group counts and attack volumes
- Infosecurity Magazine, April 2026 — March 2026 incident volumes and group attribution
- HIPAA Journal, Q3 2025 — initial access vector distribution
- Sophos State of Ransomware 2025 — recovery times, payment rates, victim behavior
- Cybersecurity Ventures, 2025 — global damage projections
- Arctic Wolf, 2025 — double extortion prevalence in incident response cases
- Verizon DBIR 2025 — SMB ransomware exposure data
- Resilience Cyber Risk Report, 2025 — insurance claim averages and denial rates
- Flashpoint, 2025 — RaaS affiliate revenue share data
- CISA #StopRansomware Guide — prevention controls and incident response guidance
- MITRE ATT&CK v18 (October 2025) — technique mapping and ransomware family documentation
- NIST IR 8374 (updated January 2025) — ransomware risk management profile
Named incidents (Change Healthcare, Qilin Korean Leaks, Clop Oracle EBS) are sourced from AHA, The Hacker News, and Z2Data respectively.
Preguntas frecuentes
¿Qué es el ransomware en términos sencillos?
El ransomware es un software malicioso que bloquea tus archivos cifrándolos y luego exige un pago, normalmente en criptomoneda, para desbloquearlos. Según el FBI, es una de las formas de ciberataque más perjudiciales desde el punto de vista económico, ya que en 2025 costará a las organizaciones una media de entre 5,5 y 6 millones de dólares por incidente. Los atacantes envían una nota de rescate con instrucciones de pago y una fecha límite. Si se paga, afirman que proporcionarán una clave de descifrado, aunque la recuperación no está garantizada. El ransomware moderno también roba los datos antes de cifrarlos y amenaza con publicar información confidencial si no se paga, incluso después de restaurarlos desde las copias de seguridad.
¿Cómo llega el ransomware a tu ordenador?
El ransomware suele entrar a través de varias vías comunes. En el tercer trimestre de 2025, las credenciales VPN comprometidas representaron el 48 % de los ataques de ransomware, según HIPAA Journal. Phishing Los correos electrónicos con archivos adjuntos o enlaces maliciosos siguen siendo un vector principal. La explotación de vulnerabilidades sin parchear en sistemas conectados a Internet, en particular dispositivos VPN, dispositivos Citrix y software empresarial, proporciona otro punto de entrada. Los ataques a la cadena de suministro a través de proveedores de servicios gestionados o proveedores de software pueden comprometer a varias organizaciones simultáneamente. Una vez que los atacantes obtienen el acceso inicial, suelen pasar días o semanas moviéndose por la red y robando datos antes de implementar el cifrado.
¿Deberías pagar el rescate?
El FBI y la CISA recomiendan no pagar rescates. Las estadísticas respaldan esta recomendación: solo el 46 % de las organizaciones que pagan recuperan sus datos, mientras que el 80 % de los que pagan sufren ataques posteriores. En 2025, el 63 % de las víctimas de ransomware se negaron a pagar, y el 97 % de las organizaciones recuperaron sus datos mediante copias de seguridad u otros medios. El pago de rescates financia a las empresas criminales e incentiva futuros ataques. Si está considerando pagar, consulte primero con un asesor legal y póngase en contacto con las fuerzas del orden. Algunos pagos pueden infringir las normas sobre sanciones, y las autoridades pueden disponer de información que influya en su decisión.
¿Qué debe hacer si es víctima de un ransomware?
Aísle inmediatamente los sistemas afectados desconectándolos de la red para evitar que el ataque se propague. No reinicie ni reinicie los sistemas, ya que esto podría provocar daños adicionales o destruir pruebas forenses. Proteja y desconecte los sistemas de respaldo para protegerlos del cifrado. Documente todo tomando capturas de pantalla de las notas de rescate y conservando el estado del sistema. Evalúe el alcance del ataque para comprender qué sistemas se han visto afectados. Póngase en contacto con el FBI, la CISA o las fuerzas del orden locales. Antes de considerar el pago, consulte el proyecto No More Ransom para obtener herramientas de descifrado gratuitas: disponen de descifradores para más de 100 familias de ransomware.
¿Cómo puedes protegerte contra el ransomware?
Las protecciones clave comienzan con la habilitación de la autenticación multifactorial (MFA) phishing en todos los servicios externos y puntos de acceso remoto. Mantenga copias de seguridad offline e inmutables siguiendo la regla 3-2-1-1-0 detallada por Veeam. Corrija rápidamente las vulnerabilidades explotadas conocidas, dando prioridad a las entradas del catálogo de vulnerabilidades explotadas conocidas de la CISA. Implemente la segmentación de la red para limitar el movimiento lateral. Implemente soluciones EDR, NDR o XDR con capacidades de detección en tiempo real. Separe las cuentas administrativas de las cuentas de uso diario y exija contraseñas de al menos 15 caracteres. Considere el acceso zero trust como alternativa a la VPN tradicional, dado que las credenciales de VPN comprometidas representan el 48 % de los ataques.
¿Qué es el ransomware de doble extorsión?
El ransomware de doble extorsión combina el cifrado tradicional de archivos con el robo de datos. Los atacantes primero extraen datos confidenciales de su red, luego cifran los sistemas y exigen un pago. Si las víctimas restauran desde copias de seguridad sin pagar, los atacantes amenazan con publicar o vender los datos robados en sitios web de filtración. Según Arctic Wolf, el 96 % de los casos de respuesta a incidentes de ransomware en 2025 implicaron la filtración de datos, lo que convirtió la doble extorsión en el modelo operativo estándar. Esta evolución significa que incluso las organizaciones con excelentes prácticas de copia de seguridad se enfrentan a una presión significativa para pagar, ya que la exposición de los datos puede provocar sanciones normativas, daños a la reputación y perjuicios competitivos.
¿Quién está detrás de los ataques de ransomware?
El ransomware moderno es principalmente obra de grupos organizados de ciberdelincuentes que operan plataformas de ransomware como servicio (RaaS). Según Check Point Research, en el tercer trimestre de 2025 había 85 grupos distintos de ransomware activos. Entre los grupos más activos se encuentran Qilin (más de 75 víctimas al mes, 85 % de participación en los ingresos de los afiliados), Akira (244 millones de dólares en ingresos), Medusa más de 300 víctimas en infraestructuras críticas) y DragonForce (en auge debido a los bajos requisitos de participación en los beneficios). Algunos grupos tienen vínculos con Estados-nación: los hackers norcoreanos desplegaron el ransomware Qilin en marzo de 2025, lo que indica la colaboración entre actores estatales y organizaciones criminales. Los intermediarios de acceso inicial se especializan en violar sistemas y vender acceso a los operadores de ransomware, lo que industrializa aún más el ecosistema.