Ransomware Variants: Major Strains and Families
Ransomware does not operate as a monolithic threat — it encompasses dozens of distinct malware families, each with differentiated encryption methods, delivery mechanisms, extortion models, and target profiles. This page catalogs the major ransomware strains and families active across US infrastructure, maps their technical and operational characteristics, and establishes the classification boundaries used by security researchers, incident responders, and regulatory bodies to categorize and respond to these threats. Understanding variant-level distinctions is foundational to the ransomware incident response process and shapes decisions about containment, negotiation, and recovery.
- Definition and scope
- Core mechanics or structure
- Causal relationships or drivers
- Classification boundaries
- Tradeoffs and tensions
- Common misconceptions
- Checklist or steps (non-advisory)
- Reference table or matrix
- References
Definition and scope
Ransomware variants refer to discrete malware families distinguished by their codebase lineage, encryption implementation, command-and-control (C2) infrastructure, ransom delivery mechanism, and operational model. The Cybersecurity and Infrastructure Security Agency (CISA) maintains a Stop Ransomware advisory catalog that tracks individual families by name, issuing joint advisories with the FBI and NSA when variant-specific indicators of compromise (IoCs) reach sufficient threat density. As of the CISA advisory archive through 2023, tracked families include LockBit, BlackCat (ALPHV), Hive, Royal, Black Basta, Cl0p, Akira, and Scattered Spider-associated tools, among others.
The scope of ransomware variant classification extends across three operational dimensions: technical architecture (what the malware does), delivery ecosystem (how it reaches victims), and business model (how operators monetize the infection). Variant identity matters in incident response because decryption tools — cataloged by the No More Ransom Project, a public-private initiative coordinated by Europol — are family-specific. A decryptor built for Dharma will not function against LockBit 3.0 ciphertext. The FBI's Internet Crime Complaint Center (IC3) recorded 2,825 ransomware complaints in 2023 (IC3 2023 Internet Crime Report), with LockBit accounting for the highest single-family complaint volume among tracked groups.
Core mechanics or structure
Most modern ransomware families share a structural execution chain despite diverging in implementation detail. The chain proceeds through distinct phases that align with the MITRE ATT&CK framework's enterprise tactic categories (MITRE ATT&CK):
Initial access and staging. Variants arrive through phishing attachments, RDP exploitation, exposed VPN appliances, or supply chain compromise. LockBit affiliates have been documented using the Cobalt Strike framework for post-exploitation staging before payload delivery.
Privilege escalation and credential harvesting. Families such as BlackCat (ALPHV) and Black Basta routinely deploy tools like Mimikatz to harvest Active Directory credentials, enabling domain-wide deployment. This phase is examined in the active directory ransomware reference.
Encryption engine. The encryption layer is the defining technical fingerprint of a variant. Implementation splits across two dominant approaches:
- Symmetric-only encryption: AES-256 applied to file content, with the AES key itself encrypted by an attacker-held RSA or elliptic curve public key. Families including WannaCry and NotPetya operated this architecture.
- Hybrid intermittent encryption: Cl0p and LockBit 3.0 encrypt only portions of large files (e.g., the first 4 KB) to accelerate throughput while still rendering files unreadable — a technique that evades some size-change-based detection heuristics.
Exfiltration (double and triple extortion layers). Since 2019, the dominant family architecture includes a pre-encryption exfiltration stage. Maze ransomware operationalized this model at scale; it is now standard practice for LockBit, BlackCat, Akira, and Cl0p. Double extortion ransomware and triple extortion ransomware represent structured escalations of this model.
Ransom note and payment infrastructure. Variants deploy Tor-accessible payment portals with family-specific branding. LockBit operated a publicly accessible leak site with automated countdown timers. Hive maintained a victim portal with a chat interface until its infrastructure was seized by the FBI and international partners in January 2023 (DOJ Hive Takedown).
Causal relationships or drivers
The proliferation of distinct ransomware variants is structurally driven by the ransomware-as-a-service (RaaS) model, which separates malware development from attack execution. Core developers maintain and lease the ransomware codebase to affiliates who conduct intrusions; revenue splits — typically 70–80% to affiliates and 20–30% to developers — are documented in leaked LockBit affiliate panel data reviewed by threat intelligence researchers.
Three causal factors accelerate variant diversity:
- Code reuse and forking. When ransomware source code leaks — as occurred with Conti in 2022 and LockBit 3.0 (which incorporated leaked LockBit Black builder code) — new groups fork the codebase and rebrand. This produced multiple Conti-derived families including Black Basta and Royal.
- Law enforcement disruption pressure. Takedowns of infrastructure (Hive in January 2023; LockBit in February 2024 via Operation Cronos, NCA/Europol) push affiliates to migrate to surviving or newly launched platforms, concentrating activity in successor families.
- Cryptocurrency payment infrastructure availability. The accessibility of privacy-enhancing coins and mixing services sustains the financial viability of ransomware operations. OFAC's ransomware sanctions framework specifically designates wallets and exchanges associated with named actors, creating compliance pressure on payment processors.
Classification boundaries
Ransomware families are classified along four axes used by CISA, the FBI, and academic threat intelligence researchers:
By encryption scope:
- Full-disk encryption: Petya and its derivative NotPetya encrypted the Master Boot Record, preventing system boot entirely — a destructive capability that exceeded typical ransomware and led CISA to classify NotPetya as a wiper-ransomware hybrid.
- File-targeting encryption: The majority of families (LockBit, BlackCat, Dharma) encrypt individual files while leaving the operating system functional to display ransom notes.
- Intermittent/partial encryption: Cl0p and LockBit 3.0 implement partial-file encryption for speed.
By operational model:
- RaaS families: LockBit, BlackCat (ALPHV), Hive, REvil/Sodinokibi, DarkSide, Black Basta, Akira — developer groups maintaining affiliate ecosystems.
- Closed-group operators: Ryuk (attributed to the WIZARD SPIDER group by CrowdStrike) and early Conti operations were conducted by tightly controlled teams rather than open affiliate networks.
By targeting posture:
- Opportunistic spray: WannaCry and earlier Dharma variants spread indiscriminately via the EternalBlue exploit, infecting targets of any size.
- Big-game hunting (BGH): Modern RaaS families prequalify targets for revenue above defined thresholds. BlackCat operators have been observed rejecting affiliate submissions targeting organizations below specific annual revenue floors.
By exfiltration capability:
- Encrypt-only (legacy): CryptoLocker, early CryptoWall. No exfiltration capability documented.
- Exfiltrate-then-encrypt: All major post-2019 families — Maze, REvil, LockBit, BlackCat, Cl0p.
Tradeoffs and tensions
Speed versus detection evasion. Faster encryption maximizes damage but generates file system activity that endpoint detection and response (EDR) tools flag. Intermittent encryption sacrifices completeness for speed and stealth — a tradeoff that shapes both malware design and ransomware detection techniques.
Affiliate openness versus operational security. Open RaaS affiliate models (LockBit's near-public recruitment) accelerated scale but introduced affiliates with poor tradecraft who left attributable artifacts and, in at least one documented case, negotiated independently against platform rules — exposing the operation to internal leaks.
Infrastructure persistence versus law enforcement targeting. Centralized C2 and payment infrastructure enables efficient operations but creates single points of failure. The Hive takedown succeeded because the FBI infiltrated Hive's infrastructure for seven months, collecting 300 decryption keys for active victims and 1,000 keys for previous victims before the public disruption announcement (DOJ Hive Press Release, January 26, 2023).
Decryptor availability versus continued extortion. When law enforcement or researchers release decryptors for a family (as occurred with Ragnarok and Avaddon), operators frequently rebrand rather than fix the vulnerability — producing successor variants with patched crypto implementations.
Common misconceptions
Misconception: NotPetya was ransomware. The US Department of Justice, UK National Cyber Security Centre (NCSC), and multiple forensic analysis firms have attributed NotPetya to destructive intent rather than financial extortion. The decryption mechanism was nonfunctional by design; it was a wiper disguised as ransomware. The US government formally attributed NotPetya to Russian military intelligence (GRU) in 2018 (NCSC NotPetya Attribution).
Misconception: paying the ransom restores all data. CISA and the FBI both state that ransom payment does not guarantee decryption. Hive provided non-functional decryptors to a proportion of paying victims prior to its disruption. Recovery without payment, covered in the ransomware recovery without paying reference, relies on backup integrity and available public decryptors.
Misconception: ransomware variants are independent operations. LockBit 3.0 incorporated code from BlackMatter (itself a DarkSide successor), demonstrating cross-family code sharing. Many "new" families are partial re-implementations of predecessors with patched encryption or modified C2 protocols.
Misconception: small organizations are not targeted by sophisticated families. BlackCat affiliates and Akira operators have compromised organizations with fewer than 50 employees. The SMB ransomware risks reference documents this targeting pattern. Big-game hunting describes a revenue threshold, not an organizational complexity threshold.
Checklist or steps (non-advisory)
The following sequence reflects the standard analytical process used by incident response firms and threat intelligence analysts when identifying a ransomware variant during an active engagement:
- Collect ransom note text and file extension — ransom note filenames (e.g., !README!.txt, RECOVER-FILES.txt, BlackMatter_README.txt) and appended file extensions are primary identification signals.
- Query the ID Ransomware service (ID Ransomware, Malwarebytes) — upload an encrypted file and ransom note sample for automated family identification.
- Cross-reference CISA's Stop Ransomware advisory list — match identified family name against CISA's published joint advisories for known IoCs, TTPs, and mitigation guidance.
- Check No More Ransom Project decryptor catalog — verify whether a working decryptor exists for the identified family and version.
- Document encryption scope — determine whether MBR, full disk, partial file, or file-level encryption was applied; this shapes recovery path prioritization.
- Identify C2 infrastructure artifacts — extract registry keys, scheduled tasks, and network connection logs to identify persistence mechanisms specific to the family.
- Search MITRE ATT&CK software entries — the ATT&CK database includes technique mappings for named ransomware families at attack.mitre.org/software.
- Correlate with threat actor attribution — link family to known threat actor group profiles maintained in the ransomware threat actors reference.
- Assess exfiltration indicators — determine whether data staging directories, cloud upload tools (Rclone, MEGAsync), or known exfiltration domains are present in log data.
- Document findings for FBI IC3 submission — variant identification, IoCs, and payment demand details are required fields in IC3 ransomware submissions; see FBI ransomware reporting.
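The "document encryption scope" step above, and the intermittent-encryption point from the Core mechanics section (a file whose only first 4 KB is encrypted keeps its original size, so size-delta heuristics miss it), can be illustrated with a per-chunk entropy classifier. This is an added example, not code from the page or from any referenced project; the sample files are constructed inline and os.urandom stands in for ciphertext, so no real encryption routine is involved.

```python
import math
import os
from collections import Counter

CHUNK = 4096        # leading 4 KB: the region intermittent encryptors such as LockBit 3.0 / Cl0p touch
MIN_CHUNK = 1024    # entropy of very short chunks is unreliable, so shorter tails are ignored


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~7.9-8.0 for ciphertext/random bytes, typically well below 6 for text/documents."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_encryption_scope(data: bytes, threshold: float = 7.5) -> str:
    """Classify a file image as 'plaintext', 'partial' (only the leading chunk is
    high-entropy), 'full' (every chunk is high-entropy) or 'mixed'."""
    chunks = [data[i:i + CHUNK] for i in range(0, len(data), CHUNK)]
    chunks = [c for c in chunks if len(c) >= MIN_CHUNK]
    if not chunks:
        return "too-small"
    high = [shannon_entropy(c) >= threshold for c in chunks]
    if not any(high):
        return "plaintext"
    if all(high):
        return "full"
    if high[0] and not any(high[1:]):
        return "partial"
    return "mixed"


def build_samples(size: int = 64 * 1024) -> dict:
    """Constructed samples: a repetitive text file, the same file with only its first 4 KB
    replaced by random bytes (size unchanged), and a fully random file."""
    line = b"Quarterly report: revenue, headcount, forecast.\n"
    plaintext = (line * (size // len(line) + 1))[:size]
    partial = os.urandom(CHUNK) + plaintext[CHUNK:]   # same length as plaintext
    full = os.urandom(size)
    return {"plaintext": plaintext, "partial": partial, "full": full}


if __name__ == "__main__":
    for name, blob in build_samples().items():
        print(f"{name:10s} size={len(blob)} scope={classify_encryption_scope(blob)}")
```

The size check alone would report the "partial" sample as untouched; only the head-chunk entropy separates it from the plaintext original.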
Reference table or matrix
| Family | First Observed | Encryption Method | Extortion Model | RaaS | Notable Target Sectors | Status (as of 2024) |
|---|---|---|---|---|---|---|
| WannaCry | 2017 | AES-128 + RSA-2048 | Encrypt-only | No | Healthcare, telecoms, manufacturing | Infrastructure defunct; decryptors available |
| NotPetya | 2017 | AES-128 (non-recoverable) | Wiper/pseudo-ransom | No | Multi-sector (Ukraine-origin) | Attributed to GRU; no payment mechanism |
| Ryuk | 2018 | RSA-4096 + AES-256 | Encrypt-only | No (closed group) | Healthcare, government | Activity declined post-2021 |
| REvil/Sodinokibi | 2019 | Salsa20 + Curve25519 | Double extortion | Yes | Finance, food supply, legal | Infrastructure disrupted 2021 (REvil arrests) |
| Maze | 2019 | ChaCha20 + RSA-2048 | Double extortion (originator) | Yes | Manufacturing, legal, healthcare | Shutdown announced November 2020 |
| Conti | 2020 | AES-256 | Double extortion | Yes (closed affiliate model) | Healthcare, critical infrastructure | Disbanded 2022 after source code leak |
| DarkSide | 2020 | RSA-1024 + Salsa20 | Double extortion | Yes | Energy (Colonial Pipeline, 2021) | Rebranded to BlackMatter post-Colonial |
| LockBit 3.0 | 2022 | AES + intermittent | Double extortion | Yes | Cross-sector (highest complaint volume, IC3 2023) | Infrastructure disrupted Feb 2024 (Operation Cronos) |
| BlackCat (ALPHV) | 2021 | ChaCha20 (Rust-based) | Triple extortion | Yes | Healthcare, critical infrastructure | Exit-scammed affiliates, December 2023 |
| Hive | 2021 | Keystream-based | Double extortion | Yes | Healthcare, education | Infrastructure seized January 2023 (DOJ/FBI) |
| Black Basta | 2022 | ChaCha20 + RSA-4096 | Double extortion | Yes (Conti-linked) | Manufacturing, healthcare | Active as of 2024 |
| Cl0p | 2019 | RC4 + RSA | Extortion-first (no encryption on some campaigns) | Closed group | Finance, higher education, legal | MOVEit campaign, 2023 |
| Akira | 2023 | AES-256-CBC | Double extortion | Yes | SMB, professional services | Active as of 2024 |
| Dharma/Crysis | 2016 | A |