Ransomware Variants: Major Strains and Families

Ransomware operates through a diverse ecosystem of named strains and organized families, each distinguished by technical architecture, deployment model, and extortion methodology. The threat landscape is tracked by federal agencies including the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI, which jointly publish variant-specific advisories under the Stop Ransomware initiative. Identifying which family is present in an environment determines decryption feasibility, attribution likelihood, negotiation dynamics, and applicable regulatory reporting timelines. This page catalogs the major strains, their structural characteristics, and the classification boundaries used by security researchers and law enforcement to distinguish them.



Definition and scope

A ransomware variant is a distinct, named malware build with identifiable code lineage, behavioral signatures, and often a specific threat actor or affiliate network behind its deployment. CISA defines ransomware broadly as "a form of malware designed to encrypt files on a device, rendering any files and the systems that rely on them unusable" until payment is made (CISA Stop Ransomware), but variant-level classification goes further — distinguishing strains by encryption algorithm, ransom note format, command-and-control infrastructure, and monetization structure.

The FBI's Internet Crime Complaint Center (IC3 2023 Internet Crime Report) logged 2,825 ransomware complaints in 2023 across all sectors. Critical infrastructure sectors — including healthcare, government facilities, and energy — accounted for the highest concentration of reported incidents. CISA's Stop Ransomware portal maintains a running list of advisories for specific variants, each issued jointly with the FBI and, where relevant, the National Security Agency (NSA).

The scope of variant analysis covers three distinct generations of ransomware architecture: commodity malware distributed indiscriminately via phishing, targeted Ransomware-as-a-Service (RaaS) platforms with structured affiliate programs, and hybrid extortion tools that combine encryption with data theft. Each generation added structural complexity, and that progression shapes how the variants are organized here for practitioner reference.


Core mechanics or structure

Ransomware variants share a common operational skeleton while differing substantially in implementation. The major structural components present across families include an initial access mechanism, a privilege escalation and lateral movement phase, a data staging or exfiltration module (in double-extortion variants), an encryption engine, and a persistence or anti-recovery mechanism.

Encryption architecture is the most technically differentiating factor between families. LockBit 3.0, for example, uses a combination of AES-256 for file encryption and RSA-2048 for key encapsulation (CISA Advisory AA23-075A). BlackCat (ALPHV) is written in Rust, a choice that enables cross-platform deployment on Windows, Linux, and VMware ESXi environments simultaneously — a structural feature that distinguishes it from Windows-only predecessors. Conti, before its dissolution, employed a multi-threaded encryption approach capable of processing up to 32 simultaneous encryption threads to maximize speed and minimize detection windows.

Command-and-control (C2) infrastructure varies between centralized models (fixed C2 servers) and decentralized peer-to-peer architectures. Ryuk and its successor Conti relied on Cobalt Strike beacons for C2 prior to deployment of the encryption payload. REvil (Sodinokibi) used a Tor-based C2 with automated ransom negotiation portals, a design feature that streamlined the monetization process for affiliates.

Ransom delivery mechanisms include encrypted note files dropped into each affected directory, wallpaper replacement, and — in the case of BlackBasta — dual-channel extortion through a dedicated leak site and direct victim communication. The National Institute of Standards and Technology (NIST) Cybersecurity Framework categorizes these operational stages under the "Identify," "Detect," and "Respond" functions, providing a structural mapping relevant to incident classification (NIST CSF).


Causal relationships or drivers

The proliferation of distinct ransomware variants is not random — it follows identifiable economic and operational drivers.

RaaS platform economics are the primary driver of variant diversification since 2019. Under RaaS models, core developers lease ransomware infrastructure to affiliates who conduct intrusions and split ransom proceeds — typically at a 70/30 or 80/20 affiliate-to-developer ratio. This structure incentivizes continuous variant development to attract skilled affiliates, producing rapid iteration of named strains. LockBit alone cycled through three major versions (LockBit 1.0, 2.0, and 3.0) between 2019 and 2023, with each version introducing new capabilities to maintain competitive standing in the criminal affiliate market.

Law enforcement disruption cycles directly cause variant rebranding. After Operation Cronos dismantled significant LockBit infrastructure in February 2024 (UK National Crime Agency announcement), affiliates migrated to competing platforms. The pattern recurs consistently: after Conti's operational collapse in 2022 following a source code leak, former members seeded at least 4 successor groups including BlackBasta and Royal. CISA's advisory ecosystem tracks these lineage connections across variant transitions.

Vulnerability exploitation timelines drive deployment targeting. The Cybersecurity and Infrastructure Security Agency's Known Exploited Vulnerabilities (KEV) catalog (CISA KEV) documents vulnerabilities actively leveraged by ransomware operators. Variants like Cl0p (Clop) built their 2023 campaign specifically around a zero-day in MOVEit Transfer (CVE-2023-34362), demonstrating that variant activity spikes are often tied to specific vulnerability discovery cycles rather than general opportunism.


Classification boundaries

Security researchers and federal agencies use overlapping but distinct classification frameworks. CISA and FBI advisories classify variants by threat actor group (e.g., the group operating BlackCat is tracked as ALPHV), while antivirus vendors classify by code family lineage. These two axes do not always align.

By deployment model:
- Commodity ransomware — distributed via mass phishing campaigns with no victim targeting (e.g., GandCrab in its early phases)
- Targeted RaaS — operator-selected victims with manual intrusion steps (e.g., LockBit 3.0, BlackCat/ALPHV, BlackBasta)
- State-sponsored ransomware — financially motivated tools attributed to nation-state actors (e.g., WannaCry, attributed by the US government to North Korea's Lazarus Group per DOJ announcement, 2018)

By extortion methodology:
- Single extortion — encryption-only, payment for decryption key
- Double extortion — encryption plus threatened data publication
- Triple extortion — adds DDoS attack against the victim or direct contact with victim's customers/partners as additional leverage

By code lineage:
The ransomware family tree documented by researchers at Recorded Future and referenced in CISA advisories shows that REvil descended partially from GandCrab code, while Conti shared tooling with Ryuk. BlackMatter was widely assessed as a Darkside rebrand following the Colonial Pipeline incident response. These lineage relationships matter for decryption tool applicability — a decryptor built for one variant may function against related strains sharing the same key management logic.

The page on the ransomware provider network's purpose and scope explains how these classification frameworks inform the structural organization of professional service providers.


Tradeoffs and tensions

Speed versus stealth in encryption design: Faster encryption (higher thread count, larger file coverage) reduces detection window but increases CPU and disk I/O signatures that endpoint detection and response (EDR) tools monitor. LockBit 2.0 was specifically marketed by its operators as the "fastest encrypting ransomware" — a technical claim that simultaneously represented a competitive advantage and a detection surface. NIST SP 800-61 (Computer Security Incident Handling Guide) frames this tension as a core detection opportunity for defenders.

Attribution versus actionability: Variant attribution to a specific threat actor informs law enforcement response but rarely accelerates victim recovery. A confirmed attribution to ALPHV/BlackCat does not produce a decryption key faster; it primarily serves regulatory notification framing and FBI engagement prioritization. The page on how to use this ransomware resource addresses how practitioners navigate between attribution intelligence and immediate operational needs.

Decryptor availability versus ransom payment pressure: Free decryptors exist for a subset of variants. The No More Ransom project, a joint initiative by Europol, the Dutch National Police, and industry partners (No More Ransom), has published decryption tools for over 165 ransomware families as of its public reporting. However, decryptor availability is variant-version-specific — a tool for LockBit 2.0 does not necessarily function against LockBit 3.0. This creates pressure on victims to pay even when partial tooling exists, because version identification requires technical forensics that take time victims under operational pressure may not have.


Common misconceptions

Misconception: Paying the ransom guarantees data recovery.
FBI guidance explicitly states that payment does not ensure functional decryption (FBI Ransomware Guidance). In double-extortion campaigns, payment addresses only the encryption key; stolen data may still be published or sold. CISA documentation notes that organizations that paid ransoms have subsequently found their data on leak sites regardless.

Misconception: Ransomware variants are purely criminal enterprises with no state connection.
WannaCry (2017) and NotPetya (2017) demonstrate that nation-state actors deploy ransomware-style tools for destructive purposes with no genuine ransom-collection intent. NotPetya caused an estimated $10 billion in global damages (as assessed by the White House in 2018) and was attributed by the US, UK, and EU to Russian military intelligence (GRU). Classifying all ransomware as financially motivated cybercrime misrepresents the threat landscape.

Misconception: Variant rebranding creates entirely new threats.
When Darkside rebranded as BlackMatter after the Colonial Pipeline incident, the underlying code, affiliate relationships, and key management infrastructure carried forward. CISA's advisory on BlackMatter (AA21-291A) explicitly documented code overlap and affiliate continuity. Treating a rebranded variant as a novel threat inflates the apparent diversity of the ecosystem and can misdirect investigative resources.

Misconception: Endpoint antivirus reliably detects all ransomware variants.
Modern RaaS variants, particularly those with custom packers or living-off-the-land techniques (abusing legitimate Windows tools like PsExec or WMIC), frequently evade signature-based detection. NIST SP 800-83 (Guide to Malware Incident Prevention and Handling) notes that behavior-based detection — not signature matching alone — is required for reliable ransomware identification.


Checklist or steps (non-advisory)

Variant identification sequence (forensic phase):

  1. Identify ransom note filenames and content format (e.g., !!!-Restore-My-Files-!!!.txt is associated with specific LockBit versions; RECOVER-FILES.txt formatting varies by family).
  2. Record file extension appended to encrypted files (e.g., .lockbit, .alphv, .blackbasta) — extension patterns are indexed in public variant databases including the ID Ransomware service operated by MalwareHunterTeam.
  3. Submit a sample encrypted file and ransom note to ID Ransomware (id-ransomware.malwarehunterteam.com) for automated family identification.
  4. Check No More Ransom (nomoreransom.org) for available decryptors matching the identified variant and version.
  5. File a complaint with the FBI IC3 (ic3.gov) — IC3 data contributes to federal variant tracking and may surface law enforcement resources specific to active investigations.
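As an added example (not part of the original page), the following Python turns two of the indicators above, a burst of extension-appending renames from one process and a ransom-note write, into alerts over constructed file-activity log lines, illustrating the detection opportunity that fast bulk encryption creates; the log format, the 20-renames-per-10-seconds threshold, and the pid values are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line format (constructed, not a real EDR format):
#   "<ISO timestamp> pid=<n> WRITE <path>"  or  "<ISO timestamp> pid=<n> RENAME <old>-><new>"
LINE_RE = re.compile(r"^(\S+) pid=(\d+) (WRITE|RENAME) (\S+)$")
# Note-filename heuristic for shapes like !!!-Restore-My-Files-!!!.txt or RECOVER-FILES.txt
NOTE_RE = re.compile(r"(restore|recover).*files.*\.txt$", re.IGNORECASE)
THRESHOLD = 20                 # extension-appending renames per process per window (tuning assumption)
WINDOW = timedelta(seconds=10)

def detect(lines, threshold=THRESHOLD, window=WINDOW):
    """Alert on a ransom-note write and on a per-process burst of renames that append a new extension."""
    recent = defaultdict(deque)    # pid -> timestamps of recent extension-appending renames
    new_exts = defaultdict(set)    # pid -> extensions that process has appended
    flagged, alerts = set(), []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                # unparseable line: skip rather than crash the detector
        ts, pid, action, path = datetime.fromisoformat(m[1]), int(m[2]), m[3], m[4]
        if action == "WRITE" and NOTE_RE.search(path.rsplit("/", 1)[-1]):
            alerts.append({"pid": pid, "type": "ransom_note", "path": path})
        elif action == "RENAME":
            old, _, new = path.partition("->")
            if len(new) <= len(old) or not new.startswith(old):
                continue            # ordinary rename, not "name.ext -> name.ext.<suffix>"
            q = recent[pid]
            q.append(ts)
            while ts - q[0] > window:
                q.popleft()         # slide the per-process window
            new_exts[pid].add(new[len(old):])
            if len(q) >= threshold and pid not in flagged:
                flagged.add(pid)
                alerts.append({"pid": pid, "type": "rename_burst", "count": len(q),
                               "extensions": sorted(new_exts[pid])})
    return alerts

def build_sample_log():
    """Constructed sample: pid 4242 renames 25 files to .lockbit in 5 s and drops a note; pid 100 is benign."""
    base = datetime(2024, 1, 1, 12, 0, 0)
    lines = [f"{(base + timedelta(milliseconds=200 * i)).isoformat()} pid=4242 RENAME "
             f"/srv/share/doc{i}.docx->/srv/share/doc{i}.docx.lockbit" for i in range(25)]
    lines.append(f"{(base + timedelta(seconds=6)).isoformat()} pid=4242 WRITE /srv/share/!!!-Restore-My-Files-!!!.txt")
    lines += [f"{(base + timedelta(minutes=i)).isoformat()} pid=100 RENAME "
              f"/srv/backup/db{i}.bak->/srv/backup/db{i}.bak.old" for i in range(3)]
    return lines
```

Running `detect(build_sample_log())` yields one `rename_burst` alert for pid 4242 (triggered at the 20th rename, extension `.lockbit`) followed by one `ransom_note` alert, and nothing for the slow benign job.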

Reference table or matrix

| Variant / Family | First Observed | Deployment Model | Extortion Type | Notable Technical Feature | Primary Sectors Targeted | Key CISA/FBI Advisory |
|---|---|---|---|---|---|---|
| WannaCry | 2017 | Worm (self-propagating) | Single (encryption) | EternalBlue SMB exploit; no functioning payment backend | Global, indiscriminate | AA22-074A |
| NotPetya | 2017 | Worm (destructive) | Pseudo-ransom (no real recovery intent) | MBR overwrite; wiper functionality | Logistics, finance, energy | US-CERT Alert TA17-181A |
| Ryuk | 2018 | Targeted, manual | Single extortion | TrickBot/BazarLoader dropper chain; Cobalt Strike C2 | Healthcare, government | AA20-302A |
| REvil (Sodinokibi) | 2019 | RaaS | Double extortion | Tor-based negotiation portal; Kaseya VSA supply chain attack (2021) | Managed service providers, manufacturing | AA21-131A |
| Conti | 2020 | RaaS | Double extortion | Multi-threaded encryption; 32 simultaneous threads; leaked source code (2022) | Healthcare, government | AA21-265A |
| LockBit 3.0 | 2019 (v3: 2022) | RaaS | Double/triple extortion | AES-256 + RSA-2048; self-propagating; bug bounty program for affiliates | Critical infrastructure, legal, finance | AA23-075A |
| BlackCat (ALPHV) | 2021 | RaaS | Double/triple extortion | Rust-based; cross-platform (Windows, Linux, ESXi); API-driven negotiation | Healthcare, financial services | AA22-264A |
| BlackBasta | 2022 | RaaS (closed affiliate) | Double extortion | Conti code lineage; | | |