Volatile and Adaptable: Tracking the Movements of Modern Ransomware<\/title> <link href=\"https:\/\/fonts.googleapis.com\/css?family=Open+Sans:300,300i,400,400i,600\" rel=\"stylesheet\">\n<link href=\"\/\/customer.cludo.com\/css\/296\/1798\/cludo-search.min.css\" type=\"text\/css\" rel=\"stylesheet\"> <link rel=\"stylesheet\" href=\"\/etc.clientlibs\/trendresearch\/clientlibs\/clientlib-trendresearch.min.css\" type=\"text\/css\"> <meta property=\"og:url\" content=\"https:\/\/www.trendmicro.com\/en_us\/research\/21\/l\/volatile-and-adaptable-tracking-the-movements-of-modern-ransomware.html\"><br \/>\n<meta property=\"og:title\" content=\"Volatile and Adaptable: Tracking the Movements of Modern Ransomware\"><br \/>\n<meta property=\"og:site_name\" content=\"Trend Micro\"><br \/>\n<meta property=\"og:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/l\/volatile-and-adaptable-tracking-the-movements-of-modern-ransomware\/banner%20volatile%20ransomware.jpg\"><br \/>\n<meta property=\"og:locale\" content=\"en_US\"> <meta name=\"twitter:card\" content=\"summary_large_image\"><br \/>\n<meta name=\"twitter:site\" content=\"@TrendMicro\"><br \/>\n<meta name=\"twitter:title\" content=\"Volatile and Adaptable: Tracking the Movements of Modern Ransomware\"><br \/>\n<meta name=\"twitter:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/l\/volatile-and-adaptable-tracking-the-movements-of-modern-ransomware\/banner%20volatile%20ransomware.jpg\"> <\/head> <body class=\"articlepage page basicpage context-business\" id=\"readabilityBody\" readability=\"49.911674449633\">  <a id=\"page-scroll\" title=\"VerticalPageScroll\" href=\"javascript:jumpScroll($(this).scrollTop());\"> <span class=\"icon-chevron-up\"><\/span> <\/a>  <\/p>\n<div class=\"root responsivegrid\">\n<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12 \">\n<div class=\"articleBodyNoHero aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"research-layout article container\" role=\"contentinfo\">\n<article class=\"research-layout--wrapper row\" data-article-pageid=\"868472141\">\n<div class=\"col-xs-12 col-md-12 one-column\">\n<div class=\"col-xs-12 col-md-12\" readability=\"8.7774725274725\">\n<div class=\"article-details\" role=\"heading\" readability=\"37.06043956044\"> <span class=\"article-details__bar\" role=\"img\"><\/span> <\/p>\n<p class=\"article-details__display-tag\">Ransomware<\/p>\n<p class=\"article-details__description\">Trend Micro’s tracking of modern ransomware, as well as of older families, shows which attacks are gaining momentum and which families are particularly dangerous for enterprises and private users. <\/p>\n<p class=\"article-details__author-by\">By: Trend Micro Research <time class=\"article-details__date\">December 15, 2021<\/time> <span>Read time: <\/span><span class=\"eta\"><\/span> (<span class=\"words\"><\/span> words) <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<hr class=\"research-layout-divider\"> <main class=\"main--content col-xs-12 col-md-8 col-md-push-2\"> <\/p>\n<div class=\"richText\" readability=\"39.926701570681\">\n<div readability=\"26.293193717277\">\n<p>In the first half of 2021, we saw that <a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/security\/research-and-analysis\/threat-reports\/roundup\/attacks-from-all-angles-2021-midyear-security-roundup\" target=\"_blank\" rel=\"noopener\">modern ransomware threats<\/a> were still active and evolving, using double extortion techniques to victimize targets. Unlike traditional ransomware tactics, current adversaries use private data stolen from victims\u2019 machines to add pressure and threaten to release valuable information onto public leak sites if the ransom remains unpaid. Further into the year, our tracking of these threats, as well as of older ransomware families, shows which attacks are gaining momentum and which families are particularly dangerous for enterprises and private users. <\/p>\n<p><span class=\"body-subhead-title\">A deeper look into 2021\u2019s modern ransomware<\/span><\/p>\n<p>The total number of Trend Micro detections of ransomware threats, which covers all types of ransomware, lessened in June and July but started picking up again in August. Upon looking at the targets of these ransomware threats, we found that enterprises were the most targeted, while consumers were next in line. <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/l\/volatile-and-adaptable-tracking-the-movements-of-modern-ransomware\/Volatile%20Ransomware-1-01.jpg\" alt=\"Figure 1. Ransomware detections by layer (email, file, and URL) from January to September 2021 \"><figcaption>Figure 1. Ransomware detections by layer (email, file, and URL) from January to September 2021 <\/figcaption><\/figure>\n<\/p><\/div>\n<div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/l\/volatile-and-adaptable-tracking-the-movements-of-modern-ransomware\/Volatile%20Ransomware-2-01.jpg\" alt=\"Figure 2. Ransomware file detections by business segment from January to September 2021 \"><figcaption>Figure 2. Ransomware file detections by business segment from January to September 2021<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"42.5\">\n<div readability=\"30\">\n<p>Although threat actors are still utilizing various tactics to abuse users\u2019 systems, we have been tracking older ransomware families as well as modern ransomware and observed some differences. <\/p>\n<p>WannaCry (aka WCry), an older and more traditionally operated thread, has been dominant among the total ransomware threats since 2007. To understand trends of the modern ransomware families, we therefore need to check the data without WCry, as well as look at the movement of WCry alone. As the following chart shows, by excluding WCry, we can see the increase in the other ransomware families. On the other hand, we can see that the legacy WCry family is on the decline. Older families like Locky can also be considered legacy ransomware and so might be in the same situation in the future. <\/p>\n<p>Modern or post-intrusion ransomware is typically loaded after another malware gains access to a victim\u2019s device. The latest rankings indicate the volatility of these modern high-profile ransomware families. For example, Sodinokibi (aka REvil) shows irregular behavior. Due to the “targeted” nature of these families, the detection counts spike depending on whether or not specific attacks occur. With traditional ransomware, the campaigns are released without a specific target, like a net that catches whatever it can. <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/l\/volatile-and-adaptable-tracking-the-movements-of-modern-ransomware\/Volatile%20Ransomware-3-01.jpg\" alt=\"Figure 3. Top 10 ransomware families detected from January to September 2021; highlighted sections show the decline of WannaCry and the volatility of the REvil modern ransomware.\"><figcaption>Figure 3. Top 10 ransomware families detected from January to September 2021; highlighted sections show the decline of WannaCry and the volatility of the REvil modern ransomware.<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/l\/volatile-and-adaptable-tracking-the-movements-of-modern-ransomware\/Volatile%20Ransomware-4-01.jpg\" alt=\"Figure 4. Monthly ransomware file detections with and without WCry\"><figcaption>Figure 4. Monthly ransomware file detections with and without WCry<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"39.330838323353\">\n<div readability=\"28.354790419162\">\n<p><span class=\"body-subhead-title\">Ransomware campaign trends<\/span><\/p>\n<p>Emotet, Ryuk, and Trickbot are the three malware families with the most active campaigns this far into 2021. In January 2021, law enforcement agencies from eight countries coordinated with one another to disrupt the Emotet botnet, causing the steep decline from January and February as seen in Figure 5. Unfortunately, even after this disruption, the remaining Emotet operators continued with their campaigns. <a href=\"https:\/\/www.trendmicro.com\/en_ph\/research\/21\/c\/emotet-one-month-after-the-takedown.html\" target=\"_blank\" rel=\"noopener\">Emotet is largely known as an example of malware as a service<\/a>, which provides other groups with access to compromised computers. Trickbot has also been <a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/security\/news\/cybercrime-and-digital-threats\/examining-ryuk-ransomware-through-the-lens-of-managed-detection-and-response\" target=\"_blank\" rel=\"noopener\">used to move laterally across a network and propagate<\/a>. Many ransomware operators, like those distributing Ryuk, have used these tools and services to conduct campaigns. <\/p>\n<p>Among these families, Emotet has the highest detection rate (we detect both the primary payload along with its ransom notes). Ryuk has steadily been increasing over the course of the year and showed a significant surge in August. Notably, the 734.1% increase was possibly caused by some specific, large-scale attacks. Our data shows that the considerable surge occurred only in the enterprise and small-to-medium business (SMB) categories, showing that it could be part of particular attacks launched on corporate sectors. By September, the surge had died down considerably.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/l\/volatile-and-adaptable-tracking-the-movements-of-modern-ransomware\/Volatile%20Ransomware-5-01.jpg\" alt=\"Notes: Ryuk and Emotet detections include ransom notes Figure 5. Top three malware families with the most active campaigns\"><figcaption>Figure 5. Top three malware families with the most active campaigns (Notes: Ryuk and Emotet detections include ransom notes)<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"35\">\n<div readability=\"15\">\n<p><span class=\"body-subhead-title\">The global threat of post-intrusion ransomware<\/span><\/p>\n<p>Post-intrusion ransomware groups use various tools and compromised accounts for access and lateral movement \u2014 and these families are generally more sophisticated than traditional ransomware. We saw that the detections for post-intrusion ransomware were consistent from 2019 up until the third quarter of 2020. However, in the fourth quarter of 2020, we saw a dramatic increase. While post-intrusion ransomware in 2021 decreased compared to the fourth quarter of 2020, it is still significantly higher when compared to detections from the first to the third quarter of 2020.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/l\/volatile-and-adaptable-tracking-the-movements-of-modern-ransomware\/Volatile%20Ransomware-6-02.jpg\" alt=\"Figure 6. Rates of post-intrusion ransomware from January 2020 to September 2021\"><figcaption>Figure 6. Rates of post-intrusion ransomware from January 2020 to September 2021<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"37\">\n<div readability=\"19\">\n<p>Countries like US, India, Japan, Germany, and others were consistently affected by post-intrusion ransomware from 2019 until the first half of 2021. However, the United Kingdom, Singapore, Hong Kong, and Netherlands saw the rate of their ransomware incidents increase, and these countries rose in the ranking of top countries with ransomware detections from 2019 to the first half of 2021.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/l\/volatile-and-adaptable-tracking-the-movements-of-modern-ransomware\/Volatile%20Ransomware-7-01.jpg\" alt=\"Figure 7. Global ranking of the four countries with regard to overall (email, URL and file) ransomware detections from Trend Micro data\"><figcaption>Figure 7. Global ranking of the four countries with regard to overall (email, URL and file) ransomware detections from Trend Micro data<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"34.183610597659\">\n<div readability=\"16.857670979667\">\n<p>Based on the data in the preceding chart, ransomware actors seem to be following a trend where they either continue targeting countries where they previously experienced success or increase their efforts there. We see this especially in the UK and the Netherlands. These two trends might also indicate that ransomware actors are slowly moving away from countries where they don\u2019t have as much success. <\/p>\n<p><span class=\"body-subhead-title\">Solutions and Security Recommendations <\/span><\/p>\n<p>Ransomware groups are a persistent threat, and they continue to evolve their business strategy as well as the tools and techniques they use to target enterprises. Organizations can mitigate the risks of ransomware with these best practices:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">Deploy cross-layered detection and response solutions. Find solutions that can anticipate and respond to ransomware activities, techniques, and movements before the threat culminates. <a href=\"https:\/\/www.trendmicro.com\/en_us\/business\/products\/detection-response.html\" target=\"_blank\" rel=\"noopener\">Trend Micro Vision One\u2122\ufe0f with Managed XDR<\/a> helps detect and block ransomware components to stop attacks before they can affect an enterprise.<br \/><\/span><\/li>\n<li><span class=\"rte-red-bullet\">Make a playbook for prevention and recovery. Invest in incident response or <a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/security\/news\/managed-detection-and-response\/cyberattacks-from-the-frontlines-incident-response-playbook-for-beginners\" target=\"_blank\" rel=\"noopener\">IR teams<\/a>, as well as a dedicated and specific playbook applicable to the company. IR <a href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-61\/rev-2\/final\" target=\"_blank\" rel=\"noopener\">playbook<\/a> <a href=\"https:\/\/www.cynet.com\/incident-response\/incident-response-sans-the-6-steps-in-depth\/\" target=\"_blank\" rel=\"noopener\">frameworks<\/a> allow an organization to plan and prepare for attacks such as ransomware and breaches. Maintain these guides with proper procedures that everyone can follow when the need arises.<br \/><\/span><\/li>\n<li><span class=\"rte-red-bullet\">Conduct attack simulations. Expose employees to a <a href=\"https:\/\/www.nytimes.com\/2021\/06\/03\/us\/politics\/ransomware-cybersecurity-infrastructure.html\" target=\"_blank\" rel=\"noopener\">realistic cyberattack simulation<\/a>. This can help decision-makers, security personnel, and IR teams identify and prepare for potential security gaps as well as pressure points in systems and people.<\/span><\/li>\n<\/ul><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<section class=\"tag--list\">\n<p>Tags<\/p>\n<\/section>\n<p> <\/main> <\/article>\n<\/div>\n<\/div><\/div>\n<\/div>\n<p>   <\/p>\n<p> <span>sXpIBdPeKzI9PC2p0SWMpUSM2NSxWzPyXTMLlbXmYa0R20xk<\/span> <\/p>\n<p>   <\/body> Read More <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/21\/l\/volatile-and-adaptable-tracking-the-movements-of-modern-ransomware.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Trend Micro’s tracking of modern ransomware, as well as of older families, shows which attacks are gaining momentum and which families are particularly dangerous for enterprises and private users. Read More HERE…<\/p>\n","protected":false},"author":2,"featured_media":44441,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[61],"tags":[9510,9508,9539,9509],"class_list":["post-44440","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-trendmicro","tag-trend-micro-research-articles-news-reports","tag-trend-micro-research-endpoints","tag-trend-micro-research-ransomware","tag-trend-micro-research-research"],"yoast_head":"\n<title>Volatile and Adaptable: Tracking the Movements of Modern Ransomware 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/volatile-and-adaptable-tracking-the-movements-of-modern-ransomware\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Volatile and Adaptable: Tracking the Movements of Modern Ransomware 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/volatile-and-adaptable-tracking-the-movements-of-modern-ransomware\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2021-12-15T00:00:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/l\/volatile-and-adaptable-tracking-the-movements-of-modern-ransomware\/banner%20volatile%20ransomware.jpg\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/volatile-and-adaptable-tracking-the-movements-of-modern-ransomware\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/volatile-and-adaptable-tracking-the-movements-of-modern-ransomware\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Volatile and Adaptable: Tracking the Movements of Modern Ransomware\",\"datePublished\":\"2021-12-15T00:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/volatile-and-adaptable-tracking-the-movements-of-modern-ransomware\\\/\"},\"wordCount\":1119,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/volatile-and-adaptable-tracking-the-movements-of-modern-ransomware\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2021\\\/12\\\/volatile-and-adaptable-tracking-the-movements-of-modern-ransomware.jpg\",\"keywords\":[\"Trend Micro Research : Articles, News, Reports\",\"Trend Micro Research : Endpoints\",\"Trend Micro Research : Ransomware\",\"Trend Micro Research : Research\"],\"articleSection\":[\"TrendMicro\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/volatile-and-adaptable-tracking-the-movements-of-modern-ransomware\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/volatile-and-adaptable-tracking-the-movements-of-modern-ransomware\\\/\",\"name\":\"Volatile and Adaptable: Tracking the Movements of Modern Ransomware 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/volatile-and-adaptable-tracking-the-movements-of-modern-ransomware\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/volatile-and-adaptable-tracking-the-movements-of-modern-ransomware\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2021\\\/12\\\/volatile-and-adaptable-tracking-the-movements-of-modern-ransomware.jpg\",\"datePublished\":\"2021-12-15T00:00:00+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/volatile-and-adaptable-tracking-the-movements-of-modern-ransomware\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/volatile-and-adaptable-tracking-the-movements-of-modern-ransomware\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/volatile-and-adaptable-tracking-the-movements-of-modern-ransomware\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2021\\\/12\\\/volatile-and-adaptable-tracking-the-movements-of-modern-ransomware.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2021\\\/12\\\/volatile-and-adaptable-tracking-the-movements-of-modern-ransomware.jpg\",\"width\":1515,\"height\":954},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/volatile-and-adaptable-tracking-the-movements-of-modern-ransomware\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Trend Micro Research : Articles, News, Reports\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/trend-micro-research-articles-news-reports\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Volatile and Adaptable: Tracking the Movements of Modern Ransomware\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n","yoast_head_json":{"title":"Volatile and Adaptable: Tracking the Movements of Modern Ransomware 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/volatile-and-adaptable-tracking-the-movements-of-modern-ransomware\/","og_locale":"en_US","og_type":"article","og_title":"Volatile and Adaptable: Tracking the Movements of Modern Ransomware 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/volatile-and-adaptable-tracking-the-movements-of-modern-ransomware\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2021-12-15T00:00:00+00:00","og_image":[{"url":"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/l\/volatile-and-adaptable-tracking-the-movements-of-modern-ransomware\/banner%20volatile%20ransomware.jpg","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. reading time":"6 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/volatile-and-adaptable-tracking-the-movements-of-modern-ransomware\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/volatile-and-adaptable-tracking-the-movements-of-modern-ransomware\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"Volatile and Adaptable: Tracking the Movements of Modern Ransomware","datePublished":"2021-12-15T00:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/volatile-and-adaptable-tracking-the-movements-of-modern-ransomware\/"},"wordCount":1119,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/volatile-and-adaptable-tracking-the-movements-of-modern-ransomware\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/12\/volatile-and-adaptable-tracking-the-movements-of-modern-ransomware.jpg","keywords":["Trend Micro Research : Articles, News, Reports","Trend Micro Research : Endpoints","Trend Micro Research : Ransomware","Trend Micro Research : Research"],"articleSection":["TrendMicro"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/volatile-and-adaptable-tracking-the-movements-of-modern-ransomware\/","url":"https:\/\/www.threatshub.org\/blog\/volatile-and-adaptable-tracking-the-movements-of-modern-ransomware\/","name":"Volatile and Adaptable: Tracking the Movements of Modern Ransomware 2026 | ThreatsHub Cybersecurity News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/volatile-and-adaptable-tracking-the-movements-of-modern-ransomware\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/volatile-and-adaptable-tracking-the-movements-of-modern-ransomware\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/12\/volatile-and-adaptable-tracking-the-movements-of-modern-ransomware.jpg","datePublished":"2021-12-15T00:00:00+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/volatile-and-adaptable-tracking-the-movements-of-modern-ransomware\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/volatile-and-adaptable-tracking-the-movements-of-modern-ransomware\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/volatile-and-adaptable-tracking-the-movements-of-modern-ransomware\/#primaryimage","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/12\/volatile-and-adaptable-tracking-the-movements-of-modern-ransomware.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/12\/volatile-and-adaptable-tracking-the-movements-of-modern-ransomware.jpg","width":1515,"height":954},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/volatile-and-adaptable-tracking-the-movements-of-modern-ransomware\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Trend Micro Research : Articles, News, Reports","item":"https:\/\/www.threatshub.org\/blog\/tag\/trend-micro-research-articles-news-reports\/"},{"@type":"ListItem","position":3,"name":"Volatile and Adaptable: Tracking the Movements of Modern Ransomware"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/44440","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=44440"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/44440\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media\/44441"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=44440"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=44440"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=44440"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}

{"id":44440,"date":"2021-12-15T00:00:00","date_gmt":"2021-12-15T00:00:00","guid":{"rendered":"urn:uuid:b828238b-3597-6826-7c56-694d816018c3"},"modified":"2021-12-15T00:00:00","modified_gmt":"2021-12-15T00:00:00","slug":"volatile-and-adaptable-tracking-the-movements-of-modern-ransomware","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/volatile-and-adaptable-tracking-the-movements-of-modern-ransomware\/","title":{"rendered":"Volatile and Adaptable: Tracking the Movements of Modern Ransomware"},"content":{"rendered":"