ANKUSH CHOUDHARY JOHAL

Posted on • Originally published at johal.in

The Ultimate Deep Dive Ransomware Comparison

Ransomware remains the most pervasive and costly threat facing organizations globally, with 2024 seeing a 37% year-over-year increase in attacks according to Verizon’s DBIR. For security teams, IT administrators, and incident responders, understanding the nuances between prevalent ransomware families is critical to building targeted defenses, streamlining incident response, and minimizing downtime. This deep dive compares the most active ransomware variants as of Q3 2024 across core technical and operational metrics.

Core Comparison Criteria

To ensure an apples-to-apples evaluation, we standardized comparisons across six key dimensions:

  • Attack Vectors: Initial access methods including phishing, RDP brute force, vulnerable service exploitation, and supply chain compromises.
  • Encryption Standards: Symmetric and asymmetric algorithms used (e.g., AES-256, RSA-4096, ChaCha20), along with whether partial or full disk encryption is applied.
  • Targeting Profile: Preferred victim sectors (healthcare, critical infrastructure, SMBs) and geographic focus.
  • Ransom Operations: Average demand amounts, payment methods (Bitcoin, Monero), and whether double/triple extortion (data theft + encryption + DDoS threats) is used.
  • Persistence & Evasion: Techniques to maintain access, disable security tools, and evade detection (e.g., process hollowing, anti-VM checks).
  • Leak Site Activity: Presence of dedicated dark web leak sites, data publication cadence, and victim shaming tactics.

2024’s Most Active Ransomware Families: Side-by-Side Comparison

| Ransomware Family | Primary Attack Vector | Encryption Stack | Avg. Ransom Demand | Extortion Model | Target Sectors |
|---|---|---|---|---|---|
| LockBit 3.0 | Phishing, RDP brute force, Fortinet/VMware exploit | AES-256 + RSA-2048, full disk encryption | $1.2M – $15M | Triple extortion (encrypt + leak + DDoS) | Critical infrastructure, manufacturing, healthcare |
| BlackCat (ALPHV) | Supply chain, compromised credentials, Log4j exploit | ChaCha20 + ECC-256, partial file encryption | $500K – $20M | Double extortion + API-driven data leaks | Financial services, energy, government |
| Clop | GoAnywhere MFT, MOVEit Transfer exploits | AES-256 + RSA-4096, full disk encryption | $2M – $25M | Double extortion, high-profile supply chain focus | Education, healthcare, Fortune 500 enterprises |
| Conti (Legacy) | RDP brute force, phishing, BazarLoader drops | AES-256 + RSA-4096, full disk encryption | $500K – $10M | Double extortion, affiliate-driven model | Healthcare, local government, SMBs |
| WannaCry (Legacy) | EternalBlue SMB exploit | AES-128 + RSA-2048, full disk encryption | Fixed $300 – $600 Bitcoin | Single extortion (encryption only) | Global, unpatched Windows systems |

Key Technical Distinctions

Beyond surface-level metrics, several technical differentiators separate high-impact variants:

Encryption Efficiency

BlackCat’s use of ChaCha20 for symmetric encryption delivers 3x faster file encryption than AES-256 variants, reducing the window for detection during active attacks. LockBit 3.0 optimizes encryption by skipping system files and small temporary files, further accelerating attack timelines.
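Faster and partial encryption shrinks the detection window, so the defender's counter is to notice encrypted content as early as possible. The following is an added example, not code from the original post: a chunked Shannon-entropy scanner that flags a buffer when any chunk looks like ciphertext, so a file whose head alone has been encrypted (the partial-encryption case) still trips it. The sample buffers are constructed in the block (random bytes stand in for ciphertext; no real encryption is performed), the 7.0-bit threshold and the short magic-number allow-list for legitimately high-entropy formats are my assumptions, and a production scanner would also need to handle compressed formats it does not know about.

```python
import math
import os
from collections import Counter

# Constructed sample buffers that stand in for on-disk file contents.
PLAINTEXT_DOC = (
    b"Quarterly report: revenue grew 4% while costs fell. See appendix B for details.\n" * 220
)  # roughly 17 KB of ordinary text
ENCRYPTED_DOC = os.urandom(len(PLAINTEXT_DOC))  # random bytes standing in for a fully encrypted file
PARTIALLY_ENCRYPTED_DOC = os.urandom(4096) + PLAINTEXT_DOC[4096:]  # only the head replaced, as partial encryption does
ZIP_LIKE = b"PK\x03\x04" + os.urandom(8188)  # a compressed archive is legitimately high-entropy

# Assumed allow-list: formats whose bodies are high-entropy by design (compressed data).
KNOWN_HIGH_ENTROPY_MAGIC = {
    b"PK\x03\x04": "zip/office",
    b"\x89PNG": "png",
    b"\xff\xd8\xff": "jpeg",
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, 0.0 for empty input, 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def scan_buffer(data: bytes, chunk_size: int = 4096, threshold: float = 7.0, min_chunk: int = 256) -> dict:
    """Score a buffer chunk by chunk; any chunk at or above the threshold counts as ciphertext-like.

    Chunks shorter than min_chunk are skipped because their entropy estimate is too noisy.
    A buffer is suspicious when it has a ciphertext-like chunk and is not a known compressed format.
    """
    known_format = next(
        (name for magic, name in KNOWN_HIGH_ENTROPY_MAGIC.items() if data.startswith(magic)), None
    )
    entropies = []
    for offset in range(0, len(data), chunk_size):
        chunk = data[offset:offset + chunk_size]
        if len(chunk) < min_chunk:
            continue
        entropies.append(round(shannon_entropy(chunk), 2))
    high = sum(1 for e in entropies if e >= threshold)
    return {
        "chunks": len(entropies),
        "high_entropy_chunks": high,
        "known_format": known_format,
        "suspicious": high > 0 and known_format is None,
        "entropies": entropies,
    }


if __name__ == "__main__":
    for label, buf in [
        ("plaintext", PLAINTEXT_DOC),
        ("encrypted", ENCRYPTED_DOC),
        ("partially encrypted", PARTIALLY_ENCRYPTED_DOC),
        ("zip-like", ZIP_LIKE),
    ]:
        result = scan_buffer(buf)
        print(f"{label:20s} suspicious={result['suspicious']!s:5s} "
              f"high={result['high_entropy_chunks']}/{result['chunks']} fmt={result['known_format']}")
```

Per-chunk scoring is what makes the partial-encryption case visible: averaging entropy over the whole file would let one encrypted 4 KB head hide behind 13 KB of plain text. The trade-off is false positives on compressed formats, which is why the scanner checks magic bytes before raising the flag.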

Evasion Capabilities

BlackCat and LockBit 3.0 both include built-in anti-forensic features: they wipe shadow copies, disable Windows Defender via PowerShell, and delete event logs post-encryption. Conti legacy variants rely on BazarLoader’s custom evasion modules to bypass EDR solutions, while Clop leverages legitimate administrative tools (e.g., PsExec) to blend in with normal network activity.
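Each of the anti-forensic steps listed above leaves a process-creation event behind, which is exactly where an EDR or SIEM can catch the intrusion before encryption completes. The following is an added example, not code from the original post: it parses constructed Sysmon-style process-creation lines, applies a small rule set for shadow-copy deletion, Defender real-time protection being switched off, event-log clearing and PsExec use, and then correlates alerts per host so that a machine showing two or more distinct techniques in the same batch is escalated as a likely pre-encryption pattern. The log format, the host and user names, and the MITRE ATT&CK technique mapping in the rules are my assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events in a Sysmon Event ID 1 style, one per line.
# Hosts, users and timestamps are made up for this example.
SAMPLE_EVENTS = r"""
2024-09-12T10:14:03Z host=ws01 user=CORP\jdoe image=C:\Windows\System32\cmd.exe cmdline="cmd.exe /c vssadmin delete shadows /all /quiet"
2024-09-12T10:14:05Z host=ws01 user=CORP\jdoe image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"
2024-09-12T10:14:09Z host=ws01 user=CORP\jdoe image=C:\Windows\System32\wevtutil.exe cmdline="wevtutil cl Security"
2024-09-12T10:15:30Z host=srv02 user=CORP\svc_backup image=C:\Tools\PsExec.exe cmdline="PsExec.exe \\fs01 -s cmd.exe"
2024-09-12T10:16:00Z host=ws03 user=CORP\asmith image=C:\Windows\System32\notepad.exe cmdline="notepad.exe C:\Users\asmith\notes.txt"
2024-09-12T10:17:00Z host=ws03 user=CORP\asmith image=C:\Windows\System32\wevtutil.exe cmdline="wevtutil qe Security /c:5"
"""

# Assumed line layout: timestamp, then key=value fields, with the command line quoted last.
EVENT_RE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+'
    r'image=(?P<image>\S+)\s+cmdline="(?P<cmdline>.*)"$'
)

# Detection rules: (name, ATT&CK technique id as mapped by me, predicate on the lower-cased command line).
RULES = [
    ("Shadow copy deletion", "T1490",
     lambda c: "vssadmin" in c and "delete" in c and "shadows" in c),
    ("Defender real-time protection disabled", "T1562.001",
     lambda c: "set-mppreference" in c and "disablerealtimemonitoring" in c),
    ("Windows event log cleared", "T1070.001",
     lambda c: re.search(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", c) is not None),
    ("PsExec remote execution", "T1569.002",
     lambda c: "psexec" in c),
]


def parse_events(text: str) -> list:
    """Turn the raw log text into dicts; lines that do not match the layout are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def detect(events: list) -> list:
    """Run every rule against every event and return one alert per (event, rule) hit."""
    alerts = []
    for ev in events:
        cmd = ev["cmdline"].lower()
        for name, technique, matches in RULES:
            if matches(cmd):
                alerts.append({
                    "ts": ev["ts"], "host": ev["host"], "user": ev["user"],
                    "rule": name, "technique": technique, "cmdline": ev["cmdline"],
                })
    return alerts


def correlate(alerts: list, min_techniques: int = 2) -> dict:
    """Hosts that show at least min_techniques distinct techniques, mapped to the sorted technique ids."""
    by_host = defaultdict(set)
    for a in alerts:
        by_host[a["host"]].add(a["technique"])
    return {h: sorted(t) for h, t in by_host.items() if len(t) >= min_techniques}


if __name__ == "__main__":
    found = detect(parse_events(SAMPLE_EVENTS))
    for a in found:
        print(f"{a['ts']} {a['host']:6s} {a['technique']:10s} {a['rule']}: {a['cmdline']}")
    for host, techniques in correlate(found).items():
        print(f"ESCALATE {host}: {len(techniques)} anti-forensic techniques {techniques}")
```

A single `wevtutil` or `PsExec` hit is routine in many environments, which is why the correlation step matters: the sequence of shadow-copy deletion, protection being disabled and log clearing on one host within minutes is the signal, not any individual command.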

Affiliate Models

LockBit, BlackCat, and legacy Conti operate under ransomware-as-a-service (RaaS) models, where core developers take 20-30% of ransom payments and affiliates retain the rest. Clop operates as a closed group with no public affiliates, focusing exclusively on high-value supply chain vulnerabilities.

Mitigation Strategies Informed by Comparison Data

Insights from this comparison directly inform prioritized defense investments:

  • Patch internet-facing vulnerabilities (Fortinet, VMware, GoAnywhere, MOVEit) within 24 hours of disclosure to block top attack vectors.
  • Deploy immutable backups stored offline or in air-gapped environments to neutralize encryption-based extortion.
  • Implement strict RDP access controls (VPN-only, MFA, account lockout policies) to mitigate brute force attacks.
  • Monitor dark web leak sites for early indicators of data exfiltration tied to targeted sectors.
  • Deploy EDR solutions with behavioral detection to catch evasion techniques like process hollowing and legitimate tool abuse.
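Strict RDP controls only help if brute-force attempts are also detected, so that a lockout policy firing or an attacker eventually succeeding does not go unnoticed. The following is an added example, not code from the original post: it reads constructed Windows logon events (4625 failures and 4624 successes, filtered to logon type 10, which is RemoteInteractive/RDP), raises an alert when one source address exceeds a failure threshold inside a sliding window, and raises a second, higher-priority alert if that same address then logs on successfully. The compact line format, the addresses and user names, and the 5-failures-in-60-seconds threshold are my assumptions; the event ids and logon type are the standard Windows values.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample logon events: timestamp, event id, logon type, target user, source IP, status code.
# 203.0.113.7 is a documentation address standing in for an external attacker; 10.0.0.x are internal.
SAMPLE_LOGONS = """
2024-09-12T02:00:01Z 4625 10 administrator 203.0.113.7 0xC000006D
2024-09-12T02:00:04Z 4625 10 administrator 203.0.113.7 0xC000006D
2024-09-12T02:00:07Z 4625 10 administrator 203.0.113.7 0xC000006D
2024-09-12T02:00:10Z 4625 10 administrator 203.0.113.7 0xC000006D
2024-09-12T02:00:13Z 4625 10 administrator 203.0.113.7 0xC000006D
2024-09-12T02:00:16Z 4625 10 administrator 203.0.113.7 0xC000006D
2024-09-12T02:00:19Z 4625 10 administrator 203.0.113.7 0xC000006D
2024-09-12T02:00:31Z 4625 10 backup 203.0.113.7 0xC000006D
2024-09-12T02:00:45Z 4624 10 backup 203.0.113.7 -
2024-09-12T02:05:00Z 4625 10 asmith 10.0.0.5 0xC000006D
2024-09-12T02:05:20Z 4625 10 asmith 10.0.0.5 0xC000006D
2024-09-12T02:05:40Z 4624 10 asmith 10.0.0.5 -
2024-09-12T02:06:00Z 4625 3 svc_sql 10.0.0.9 0xC000006D
"""

RDP_LOGON_TYPE = 10      # RemoteInteractive
EVENT_LOGON_FAILED = 4625
EVENT_LOGON_OK = 4624


def parse_logons(text: str) -> list:
    """Parse the constructed line format into event dicts with timezone-aware timestamps."""
    events = []
    for line in text.strip().splitlines():
        ts, event_id, logon_type, user, ip, status = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "event_id": int(event_id), "logon_type": int(logon_type),
            "user": user, "ip": ip, "status": status,
        })
    return events


def detect_rdp_bruteforce(events: list, threshold: int = 5, window: timedelta = timedelta(seconds=60)) -> list:
    """Alert on a source IP with >= threshold RDP failures inside the window, and again on a later success."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["logon_type"] == RDP_LOGON_TYPE:          # ignore network/service logons here
            by_ip[e["ip"]].append(e)

    alerts = []
    for ip, evs in by_ip.items():
        failures = [e for e in evs if e["event_id"] == EVENT_LOGON_FAILED]
        flagged_at = None
        for i, e in enumerate(failures):
            recent = [f for f in failures[:i + 1] if e["ts"] - f["ts"] <= window]
            if len(recent) >= threshold:
                flagged_at = e["ts"]
                alerts.append({
                    "kind": "rdp_bruteforce", "ip": ip, "at": flagged_at,
                    "failures": len(recent), "users": sorted({f["user"] for f in recent}),
                })
                break                                   # one alert per source is enough
        if flagged_at is not None:
            # A success from a source that was just brute-forcing is a credential-compromise indicator.
            for e in evs:
                if e["event_id"] == EVENT_LOGON_OK and e["ts"] >= flagged_at:
                    alerts.append({"kind": "success_after_bruteforce", "ip": ip, "at": e["ts"], "user": e["user"]})
                    break
    return alerts


if __name__ == "__main__":
    for a in detect_rdp_bruteforce(parse_logons(SAMPLE_LOGONS)):
        print(a)
```

The two-failure case from 10.0.0.5 followed by a success is the everyday mistyped password and stays silent, while the external address is flagged at its fifth failure and again when the `backup` account logs on afterwards; that second alert is the one to treat as an active intrusion rather than a noisy scanner.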

Conclusion

No single ransomware variant dominates all attack scenarios, but LockBit 3.0 and BlackCat remain the most flexible and high-impact threats for most organizations. Regular comparison of emerging variants against internal risk profiles ensures defenses evolve in lockstep with adversary tactics, reducing both the likelihood and impact of successful ransomware attacks.