There are a lot of different types of malicious software (malware). Viruses and worms directly infect systems for a specific purpose. This can be stealing data or credentials, but it could be to perform any kind of unauthorized tasks. Older malware could hijack a system to try to mine for cryptocurrency; one highly specific virus was spread benignly across the world until it hit Iranian uranium centrifuges and caused them to malfunction.
Ransomware functions a little differently. Unlike passive attacks, ransomware targets a specific organization (usually through stolen credentials) and then plants an executable that begins disabling security systems and encrypting data. The attackers then follow up with a ransom demand in exchange for restoring access to the data.
Changing Targets and Goals
As with all technology, ransomware is evolving. The first generations of ransomware were specialized and sophisticated pieces of software and required both skilled developers and skilled hackers to take advantage of access. Because of the effort of creating ransomware, early attacks were done by closed, organized groups. Attacks were focused on large enterprise or high-value organizations such as hospitals, government departments, and banks – organizations with large amounts of sensitive data and very deep pockets to pay substantial ransoms.
That trend is definitely shifting. Looking at Thrive’s customer base and incidents over the past year, manufacturing and logistics companies are 7.5 times more likely to be attacked by ransomware than financial services or health care organizations.
On one hand, large enterprises remain a major target because of the likelihood of getting a large payout. The average ransomware demand in 2020 was $200,000; in 2024, it had skyrocketed to over $5 million. However, midmarket organizations typically face smaller payouts, both from slightly smaller demands and from being more likely to try negotiations. In 2020, they were paying as little as $5,000 on average; in 2024, it was over half a million dollars.
There has also been a shift in the different ways that attacker groups extort money.
- The original extortion tactic was to encrypt key databases or servers and then demand payment for decryption information or access.
- Increasingly, groups are extorting to prevent the release of sensitive information, from employee and client data to patents and confidential information.
And of course, most groups want payments for both.
Changing Technology
The tactics of ransomware attacks are changing because the technology of ransomware is changing. Over the past five years or so, ransomware has shifted from custom, installed software created by underground groups into software-as-a-service. Relatively unsophisticated criminal organizations can partner with ransomware providers to run attacks – frequently working on a commission basis.
New types of ransomware emerge routinely, but three ransomware groups have consistently been at the heart of most ransomware attacks since 2022, at least within Thrive's customer base.
Retro Groove: Akira
The main hallmark of Akira is its intentionally retro styling: it has an 80s-style command-line interface (CLI) which appears on affected systems.
Akira tries to avoid detection by using legitimate tools to run processes. It uses different encryption methods for keys and files to make it harder to decrypt, and it stops itself from running in analysis tools to make it harder to reverse engineer. Stolen data files are uploaded to torrent sites.
Unlike other types of ransomware, Akira targets almost exclusively small and medium-sized businesses. It demands payment both for restoring file access and for not leaking stolen data (double extortion), and its ransom demands are usually high.
Akira usually exploits known vulnerabilities in VPNs to steal credentials for user accounts not using multi-factor authentication.
Game’s On: Play
Play is one of the longest-running ransomware operations, having emerged in June 2022. Unlike Akira or RansomHub, it is a closed model rather than ransomware-as-a-service.
Part of what makes Play so ominous is that it uses very personal methods to communicate. Play attacks use a unique email address to communicate demands and are usually followed up with a phone call.
Play attacks can unfold very quickly because the malware uses intermittent encryption (encrypting only parts of each file), which lets it process files rapidly. Its executables usually reboot the system into safe mode or use similar system tools to evade endpoint detection and response (EDR) agents.
Play also makes its binaries hard to identify by using unique file hashes and names for every attack.
Convenient Affiliate Program: RansomHub
RansomHub is one of the newer ransomware attacks, emerging in early 2024. One of the “coolest” things about RansomHub is its financial model. RansomHub is a ransomware-as-a-service that runs a user-friendly affiliate program. Users can prepay for advanced support or customization and can select different levels for commission rates. As with other types of ransomware attacks, RansomHub has the double-extortion model, both for data files and for preventing data leaks.
RansomHub borrows some of the techniques of other ransomware, such as intermittent encryption and disabling EDR and security services. It uses simple but effective ways to cover its tracks, like password-encrypting its configuration files and erasing Windows event logs. RansomHub isn't selective in what systems it hits: anything on the network, from mainframes to laptops, can be affected.
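Intermittent encryption, used by both Play and RansomHub above, leaves a tell-tale footprint on disk: stretches of high-entropy (encrypted) data alternating with untouched content. The following is an added detection sketch, not code from the post or from either malware family; the chunk size, entropy threshold and sample document are assumptions constructed for the example.

```python
import math
import os

CHUNK = 4096         # bytes examined per block (assumption, not a figure from the post)
HIGH_ENTROPY = 7.0   # bits per byte; encrypted data sits near 8, plain documents far lower

def shannon_entropy(data):
    """Shannon entropy of a byte string, in bits per byte."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def entropy_profile(blob, chunk=CHUNK):
    """Entropy of each consecutive chunk of the buffer."""
    return [shannon_entropy(blob[i:i + chunk]) for i in range(0, len(blob), chunk)]

def looks_intermittently_encrypted(blob, chunk=CHUNK, threshold=HIGH_ENTROPY):
    """True when high-entropy chunks alternate with low-entropy ones.
    A fully encrypted file is high everywhere, an untouched document is low
    everywhere; an intermittent encryptor leaves a striped profile."""
    high = [e >= threshold for e in entropy_profile(blob, chunk)]
    if not any(high) or all(high):
        return False
    transitions = sum(1 for a, b in zip(high, high[1:]) if a != b)
    return transitions >= 2

# Constructed sample: a plain-text document, sized to exactly four chunks.
CLEAN = (b"Quarterly production schedule for plant 3.\n" * 400)[:4 * CHUNK]

def make_striped(blob, every=2, chunk=CHUNK):
    """Test fixture only: overwrite every N-th chunk with random bytes so the
    buffer has the striped entropy profile a partially encrypted file would."""
    out = bytearray(blob)
    for i in range(0, len(out), chunk * every):
        out[i:i + chunk] = os.urandom(min(chunk, len(out) - i))
    return bytes(out)
```

Compressed or already-encrypted formats score high throughout and are deliberately not flagged; tune CHUNK to the stride a given family is known to use.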
RansomHub uses malicious plugins in browsers to deliver its payload, and from there, it exploits unpatched systems.
What Makes You Vulnerable
One attack type, years ago, involved a group that would hack a user account at a bank, but then go and physically watch that person performing their duties. They would figure out that person’s normal processes and access, imitate that, and then slowly ramp up until they had admin access and they would dump money from an ATM. This was usually never caught by IT; it would come out after auditing the cash reserves in the ATMs.
That’s not a “ransomware” attack, but it perfectly lays out the same pattern of account exploitation and privilege escalation.
Many customers don’t think they’re big enough or public enough to catch the attention of attack groups, and that leads them to be lax in their typical system maintenance. I consistently see the same pathways to an attack:
- Bruteforcing VPN or firewall access
- Exploiting unpatched vulnerabilities on hardware and systems
- Taking advantage of weak credential requirements for accounts
- Escalating privileges through poor domain and permissions management for applications and processes
And that’s really the moral of security: security starts with good system administration practices. After that, the key areas for security process planning are:
- Defining an incident response plan
- Managing data security
- User security policies and training
Early in 2025, a Thrive customer noticed something odd. One seemingly innocuous CPU spike was the first indicator of a problem that could have potentially destroyed an entire multi-state manufacturing company.
The Background Before the Attack
This company (Example Corp, for anonymity) had been a Thrive customer for a while. In the spring of 2025, they were using Thrive for managed services, including performance and event monitoring, but were using their internal teams for MDR and security services. The customer is headquartered in Florida but has other major operations hubs throughout the southeastern United States.
Manufacturing and logistics are often heavily reliant on proprietary operational technology (OT) that’s hard to secure and often lacks comprehensive security monitoring. Many organizations integrate OT into their IT networks without proper segmentation, increasing the risk of devastating impact should either side be breached. Combined with limited IT resources, fewer cybersecurity regulations, and low downtime tolerance, this makes them highly likely to be targeted by ransomware, no matter the size of the organization. Thrive’s intelligence shows manufacturing, construction, and logistics are targeted 7.5 times more than financial services by ransomware groups like RansomHub, Akira, and Play. This mix of weak defenses and high impact makes manufacturing a prime ransomware target.
Thankfully, that wasn’t the case at Example Corp. Their CTO had a strong grasp of the internal environment and knew exactly what was needed—phase by phase—to bring operations back online quickly. He also leaned heavily on Thrive’s deep expertise in incident response and threat actor behavior to avoid common pitfalls, ensure a secure restoration, and remediate any potentially lingering threats. With 24/7 support from Thrive, his disciplined leadership and reliance on proven best practices were critical to saving Acme that day in February.
The Attack
Early on Friday morning, the Thrive event management team noticed an atypical CPU spike on a server. Since it was very early in the morning – hours before the start of the workday – the Thrive team decided to check on what was going on.
The Thrive team discovered that the CPU usage was coming from an abnormal process, and they called in the Thrive security team to take a look (even though, at the time, the customer wasn't using Thrive for security services). The security team recognized ransomware executables and shut down the server immediately to try to limit the scope of the attack.
Thrive also began trying to contact the CTO and other IT points of contact, which took almost an hour. In that time, Thrive had begun isolating affected systems and using forensic tools to identify the extent of the attack. Thrive had also attributed the damage to a specific threat actor. After learning of this attribution and the impact details provided by Thrive, the client engaged their cyberinsurance provider. The forensics team assigned through the insurer decided to use the data already collected by Thrive to conduct their investigation. This allowed them to begin their analysis quickly and supported a rapid restoration without introducing further delays.
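The signal that opened this incident, an off-hours CPU spike from a process that did not belong on the server, can be written down as a simple monitoring rule. This is an added example, not Thrive's tooling; the telemetry lines, host name, process names, workday window and thresholds are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample telemetry (not data from the incident in the post):
# one sample per minute, "timestamp host process cpu_percent".
SAMPLES = """\
2025-02-14T03:10:00 srv-app01 sqlservr.exe 18.0
2025-02-14T03:11:00 srv-app01 sqlservr.exe 21.0
2025-02-14T03:12:00 srv-app01 upd_svc_x.exe 94.0
2025-02-14T03:13:00 srv-app01 upd_svc_x.exe 97.0
2025-02-14T03:14:00 srv-app01 upd_svc_x.exe 96.0
2025-02-14T03:15:00 srv-app01 upd_svc_x.exe 98.0
2025-02-14T09:30:00 srv-app01 sqlservr.exe 91.0
2025-02-14T09:31:00 srv-app01 tmp_a.exe 88.0
2025-02-14T09:32:00 srv-app01 tmp_a.exe 12.0
""".splitlines()

# Assumptions: a per-host inventory of processes expected to run hot,
# a 07:00-18:59 workday, and "sustained" meaning three samples in a row.
KNOWN_PROCESSES = {"srv-app01": {"sqlservr.exe", "svchost.exe"}}
BUSINESS_HOURS = range(7, 19)
CPU_THRESHOLD = 80.0
MIN_CONSECUTIVE = 3

def parse(line):
    ts, host, proc, cpu = line.split()
    return datetime.fromisoformat(ts), host, proc, float(cpu)

def find_cpu_anomalies(lines):
    """Return one alert per (host, process) that sustains high CPU while not
    being in that host's known set. Known processes may legitimately spike;
    an unknown one running hot at 03:00 is the signal the post describes."""
    streak = defaultdict(int)
    first_seen = {}
    alerts = []
    for line in lines:
        ts, host, proc, cpu = parse(line)
        key = (host, proc)
        if cpu >= CPU_THRESHOLD and proc not in KNOWN_PROCESSES.get(host, set()):
            streak[key] += 1
            first_seen.setdefault(key, ts)
        else:
            streak[key] = 0
            first_seen.pop(key, None)
        if streak[key] == MIN_CONSECUTIVE:   # fire once, when the streak is confirmed
            severity = "high" if ts.hour not in BUSINESS_HOURS else "medium"
            alerts.append({"host": host, "process": proc, "severity": severity,
                           "first_seen": first_seen[key].isoformat()})
    return alerts
```

The known SQL process spiking at 09:30 and the two-sample blip from tmp_a.exe are ignored; only the unknown process sustaining high CPU before the workday produces an alert, and it is rated high because of the hour.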
Timeline to Recovery
Example Corp did not have an incident response plan, but their teams had deep knowledge of their systems and domains, so once the Thrive and customer IT teams were able to connect, they got to work mitigating the damage and recovering their operations.
- Thrive and Example Corp held near-hourly standup calls to quickly address their most immediate actions and next steps, with everyone working collaboratively. These meetings were short and focused on completing tasks, removing roadblocks, and outlining next steps with clear timelines.
- They shut down any VPN tunnels and site-to-site tunnels between their five sites.
- Using the forensics tools, they began reviewing timelines and affected systems.
- Within the first hour, Thrive had confirmed there had been data exfiltration (stolen data) and had run a damage assessment. The attackers had tried to download lightweight assets like text files, documents, PDFs, spreadsheets, and images.
- Example Corp contacted their cyberinsurance agency, and they used the insights from Thrive to run a parallel investigation.
- Example Corp had people onsite at three of the five locations on the same day; the other two were restored remotely when the main site was restored.
The recovery went fairly smoothly. One of the affected systems was a virtual host, so all of the associated virtual machines had to be rebuilt; in addition, a couple of domain controllers were lost and had to be restored. Thrive rebuilt all affected servers and restored most data from backup with minimal loss.
The initial attack was sparked Friday morning; all five sites had been restored to full operations by Sunday afternoon. By contrast, other manufacturing businesses typically take 7-14 days to restore to full functionality.
What Went Right
Technology is only one part of the People – Process – Technology Framework. This customer had all three pillars in place long before their ransomware attack.
- Prepared team. Many organizations only think to call their service provider or cyberinsurance company and then wait to be told what to do. Example Corp didn’t have a formal incident response plan, but all of their IT personnel had a thorough understanding of their systems, services, and dependencies, as well as a full asset inventory. This allowed them to move very quickly, which ultimately minimized the damage.
- Effective communication and time management. Example Corp and Thrive teams were cohesive and worked very well together, across multiple states.
  - Held response team meetings every couple of hours
  - Limited length to less than 30 minutes
  - Focused only on what was new, what was next, and any blockers
- Clear ownership. The CTO took ownership of critical internal systems. They also kept a running, prioritized list of services and tasks in the background but avoided overwhelming the team by only adding new actions as the current ones were completed.
- Solid system management and architecture practices. Example Corp had good IT practices in place, such as using separate Active Directory domains for different sites and services. They also had routine backups in a separate location, so no backup data were corrupted in the attack. These basic practices made it possible to quickly replace and recover their systems.
- High level of urgency. This incident could have collapsed the company, but the entire customer team, from the CTO to the practitioners, was focused on the potential impact to their employees and customers. One of the potentially affected systems was payroll services, and their primary objective was to make sure everyone got paid on time.
What Were Their Next Steps
Example Corp came through the entire event unscathed, but the threat had truly been existential. They had several major business deals which would have failed had there been any disruption in operations for days, much less weeks.
Their CTO had already been talking with Thrive about switching their in-house security services, so the first changes that they looked at were in bolstering their security resources:
- Scheduled penetration testing and created a list of follow-up actions
- Bought advisory services for ongoing reviews and feedback on their processes and technology stack
- Migrated to Thrive’s MDR services
- Began drafting a formal incident response plan
One tenet of cyber resilience is that it is wasted effort to try to prevent all attacks. It is a much more strategic decision to focus on security technologies that allow greater visibility into systems, solid IT practices, and well-trained and committed teams. That allows you to recover quickly, no matter what happens.
You can find out more about Thrive’s disaster recovery services or contact Thrive for a chat. You can also check out our on-demand webinar on cybersecurity tech trends.