Ransomware
Ransomware is a type of malware that encrypts a victim's files or systems and demands payment, usually in cryptocurrency, in exchange for the decryption key needed to restore access.
Definition
Ransomware is a type of malware that encrypts a victim's files or systems and demands payment, usually in cryptocurrency, in exchange for the decryption key needed to restore access.
Overview
Ransomware is one of the most financially damaging categories of Malware in use today. After gaining access to a system — commonly through Phishing emails, exploited unpatched vulnerabilities, or compromised remote access credentials — the ransomware encrypts files across the victim's systems and network shares using strong encryption, then displays a ransom note demanding payment for the decryption key. Modern ransomware operations frequently use "double extortion": before encrypting files, attackers first exfiltrate sensitive data, then threaten to publish or sell it publicly if the ransom isn't paid, adding pressure beyond simply restoring access to encrypted files. Many ransomware groups now operate as "Ransomware-as-a-Service" (RaaS), where the malware's developers lease their tools and infrastructure to affiliate attackers in exchange for a cut of the ransom proceeds, dramatically lowering the technical skill required to launch an attack. Defending against ransomware relies on layered controls: Endpoint Detection and Response (EDR) tools to detect and block encryption behavior in progress, regular offline or immutable backups so encrypted data can be restored without paying, prompt patching of exploited vulnerabilities, and employee training to reduce successful phishing attempts. Security agencies generally advise against paying ransoms, since payment funds future attacks and provides no guarantee that stolen data won't still be leaked or that decryption will actually work. Ransomware has evolved from opportunistic attacks against individual consumers into large-scale, targeted operations against hospitals, municipal governments, and large enterprises, where the disruption of critical operations creates enormous pressure to pay quickly, making it one of the most significant ongoing threats tracked by Threat Intelligence teams worldwide.
Key Concepts
- Encrypts victim files and demands payment, typically in cryptocurrency
- Frequently gains initial access via phishing or unpatched vulnerabilities
- Double extortion combines encryption with data-theft and leak threats
- Ransomware-as-a-Service (RaaS) lowers the barrier to launching attacks
- Best defended with layered controls: backups, EDR, patching, and training
- Security agencies generally advise against paying demanded ransoms
- Has evolved from opportunistic consumer attacks to targeted enterprise campaigns