What is the most active ransomware?

Ransomware is a form of malicious software that encrypts files on a victim’s computer and demands payment in order to decrypt them. Over the past several years, ransomware has emerged as a major cyber threat, inflicting significant damage on individuals, businesses, and government agencies worldwide. But with so many different strains of ransomware circulating today, which ones are the most prolific and dangerous?

Key Takeaways

  • Ransomware infections have increased dramatically since 2020, with some of the most damaging attacks targeting corporations and critical infrastructure.
  • The most active ransomware families today include LockBit, Conti, Ryuk, Cerber, Phobos, Dharma, and Sodinokibi.
  • These strains utilize advanced encryption algorithms, anonymizing technologies, and ransom demands averaging in the hundreds of thousands of dollars.
  • Mitigating ransomware requires a multi-layered security approach involving endpoint protection, patch management, backups, user education, and incident response planning.

The Explosive Growth of Ransomware

Ransomware has undergone exponential growth in recent years. Cybersecurity firm SonicWall recorded global ransomware attacks jumping from 304 million in 2020 to 623 million in 2021. Attacks on large enterprises and critical infrastructure have resulted in ransom payments upwards of $50 million. Governments are also frequent targets, with more than 80 federal, state, and municipal agencies impacted in the U.S. alone in 2021.

Several factors have contributed to the ransomware boom:

  • The accessibility of ransomware kits on the dark web makes it easy for cybercriminals to launch attacks with ready-made malware.
  • The availability of cryptocurrencies provides an easy way for attackers to collect anonymous ransom payments.
  • Corporations and governments often underinvest in cybersecurity, leaving networks vulnerable.
  • Social engineering tactics like phishing emails enable ransomware to infiltrate networks by exploiting human error.

As ransomware attacks become more disruptive and costly, identifying the most prevalent strains is crucial for defense and mitigation.

Major Ransomware Families

Today’s ransomware landscape features dozens of competing ransomware-as-a-service (RaaS) offerings and variants. But a handful of strains consistently rise to the top in terms of distribution, sophistication, and impact. These include:


Emerging in 2019, LockBit is currently one of the most prolific ransomware variants. The operators behind it run a RaaS model, allowing affiliates to deploy the ransomware in exchange for a cut of the profits. LockBit has compromised a number of major corporations, encrypting Windows domains and exfiltrating data to leak online if ransom demands are not met. A recent high-profile victim was aerospace company Accenture in August 2022.


Another leader in RaaS, Conti appeared in 2020 and aggressively expanded its affiliate program and victim targeting. Conti is particularly known for its double extortion tactics – encrypting data on infected systems while also threatening to publicly release stolen data. Thousands of Conti ransomware attacks have impacted healthcare systems, law enforcement, and various Fortune 500 companies. Damage from Conti may be reduced following public leaks of the gang’s internal communications.


Active since 2018, Ryuk exclusively targets large enterprises and public institutions, including hospitals, government agencies, and school systems. Striking over 200 U.S. organizations in its first two years, Ryuk often demands ransoms in excess of $5 million. Infection and encryption can spread rapidly across entire networks. Ryuk is notably operated by the prolific Russia-based cybercrime group Wizard Spider.


First seen in early 2016, Cerber remains a constantly evolving ransomware threat. It uses a ransomware-as-a-service model similar to LockBit, allowing affiliates to use the Cerber malware kit in exchange for paying the developers a percentage of ransom profits. Cerber abuses Windows PowerShell and Microsoft’sperformance monitoring tool Process Explorer to infect systems. Victims span all sectors, but healthcare and education networks have been especially impacted.


Phobos appeared in late 2021 as a strain targeting victims through malicious attachments on email. Extensive use of anti-analysis techniques makes it difficult to detect. In addition to encrypting files, Phobos exfiltrates data and overwrites system backups to make recovery more difficult. Victims include municipal governments, school districts, and notable companies like crowdfunding platform Patreon.


Active for years, Dharma pioneered the RaaS model adopted by many modern ransomware operations. Affiliates can easily obtain a Dharma builder kit through underground forums to start launching attacks. Dharma continually evolves with new variants incorporating updated evasion techniques and stronger encryption algorithms. Major victims include healthcare providers, universities, and public transit systems.


Also known as REvil, Sodinokibi operates as an affiliate-based RaaS model while also conducting some direct big game hunting. It lands on target systems often through supply chain compromises before slowly encrypting data and exfiltrating it. Sodinokibi is notorious for demanding enormous multi-million dollar ransoms from large corporations based on the victim’s annual revenue. A massive attack shut down meat supplier JBS Foods in 2021.

Sophisticated Tactics and Techniques

Modern ransomware strains like those above exemplify the sophisticated tradecraft of cybercriminal groups. Tactics and capabilities include:

  • Advanced encryption algorithms like RSA-4096 that rapidly encrypt files beyond recovery
  • Anonymizing technologies like Tor and Bitcoin for covert extortion
  • Evasive scans and anti-analysis techniques to avoid detection
  • Double extortion with data exfiltration and public exposure threats
  • Custom packers, droppers, and loaders to bypass security controls
  • PowerShell abuse, credential theft, and lateral movement to spread across networks

Increasingly targeted, persistent campaigns maximize disruption and ransom payouts. Average ransom demands in 2021 exceeded $200,000, with some attacks extracting payments upward of $50 million.

Impact on Victims

For individual users or small businesses without adequate backups, ransomware attacks can cause data loss and system downtime imposing severe costs. But large organizations face the most devastating effects:

  • Mass data and intellectual property theft
  • Interruptions to operations and supply chains
  • Harms to life and safety from disruption of hospitals, emergency services, utilities, and other critical infrastructure networks
  • Long recovery times and expensive mitigation expenses
  • Legal, regulatory, and contractual violations from data breaches
  • Reputational damage and eroded customer trust

These impacts underscore the need for robust ransomware defenses.

Defense Strategies

Combating prevalent ransomware threats like LockBit and Ryuk requires a layered mitigation approach including:

  • Endpoint protection – Install advanced antivirus/anti-malware tools on all endpoints to block known threats and behaviors.
  • Patch management – Promptly patch and update operating systems, software, and firmware to eliminate vulnerabilities.
  • Backups – Maintain regular backups offsite or air-gapped from the network to enable data recovery without paying ransom.
  • User education – Train staff to identify social engineering attacks, safely handle emails, and report suspicious activity.
  • Network segmentation – Isolate and monitor high-risk areas of the network to limit lateral movement.
  • Incident response plan – Have an IR plan in place for rapidly responding to contain, eradicate, and recover from ransomware infections.

The Importance of Backup

Of all ransomware defenses, experts agree that maintaining robust, regularly tested backups is the most crucial for resilience. With offline backups isolated from the network, organizations can recover encrypted data without paying ransom. But backups must be comprehensive and secured against corruption or deletion by ransomware strains that target backups.

Here are best practices for resilient data backup:

  • Perform regular full backups combined with frequent incremental backups to capture changes.
  • Maintain multiple generations of backup data sets in case versions need to be recovered.
  • Store backups offline and offsite using media like external drives rotated to different locations.
  • Retain backups long enough to fall back outside the time window of possible infection.
  • Encrypt backups and protect media physically and digitally for security.
  • Include systems, applications, databases, networks, and cloud assets in backup processes.

Testing restores regularly validates the backup system. With strong backups, organizations can defeat ransomware extortion demands and quickly restore their systems and data.


Ransomware poses one of the most severe cyber threats to businesses, critical infrastructure, and government institutions. Modern strains like LockBit, Conti, and Ryuk feature sophisticated capabilities that allow them to infect networks, encrypt vast amounts of data, and exact seven- and eight-figure ransom payments from victims.

Combating prolific ransomware requires a multilayered approach to security. But resilient backup solutions represent the most crucial defense for escaping the disruptions and extortion inflicted by ransomware attacks. By implementing comprehensive backup protocols and keeping recent point-in-time data recovery copies, organizations can mitigate ransomware with their data intact.