Ransomware

A type of malicious software that encrypts an organization's data or locks systems and demands payment (ransom) in exchange for the decryption key or restored access, often combined with data exfiltration for double extortion.

What Is Ransomware?

Ransomware is malware that encrypts files or locks systems and demands payment — typically in cryptocurrency — for the decryption key. Modern ransomware operations have evolved into sophisticated criminal enterprises that combine encryption with data theft for maximum pressure.

Ransomware Evolution

| Era | Approach | Example |
|---|---|---|
| Early (2013-2017) | Mass spray, low ransoms | CryptoLocker, WannaCry |
| Big Game Hunting (2018-2021) | Target large orgs, high ransoms | Ryuk, REvil, DarkSide |
| Double Extortion (2020+) | Encrypt + steal data | LockBit, BlackCat, Cl0p |
| Triple Extortion (2021+) | Encrypt + steal + DDoS/threaten customers | Various groups |
| RaaS (ongoing) | Ransomware-as-a-Service platforms | LockBit, BlackBasta |

Common Ransomware Attack Chain

  1. Initial Access: Phishing email, exploited vulnerability, compromised credentials, or RDP brute force
  2. Persistence: Install backdoors, create accounts
  3. Discovery: Map the network, identify critical systems and data
  4. Lateral Movement: Move to additional systems using stolen credentials
  5. Data Exfiltration: Steal sensitive data before encryption (for double extortion)
  6. Impact: Deploy ransomware across all accessible systems simultaneously

Ransomware Defense Strategy

Prevention

  • Email security: Block phishing and malicious attachments
  • Patch management: Eliminate exploitable vulnerabilities
  • MFA everywhere: Prevent credential-based access
  • Network segmentation: Limit lateral movement
  • Least privilege: Minimize blast radius of compromised accounts

Detection

  • EDR/XDR: Detect ransomware behavior (mass file encryption, shadow copy deletion)
  • SIEM: Correlate indicators across the environment
  • Network monitoring: Detect unusual data exfiltration
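The two EDR behaviours named above, shadow copy deletion and mass file encryption, written out as a small detection script over constructed endpoint telemetry. This is an added example, not code from the original page; the event format, the 20-files-per-60-seconds threshold and the command-line fragments are assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs): two process launches and file writes.
EVENTS = [
    {"ts": "2024-01-01T10:00:00", "type": "process", "host": "ws1", "pid": 4100,
     "cmdline": "vssadmin.exe  Delete Shadows /All /Quiet"},
    {"ts": "2024-01-01T10:00:01", "type": "process", "host": "ws1", "pid": 4101,
     "cmdline": "vssadmin.exe list shadows"},  # benign: lists, does not delete
] + [  # 30 files rewritten with a new extension by one process within ~6 seconds
    {"ts": f"2024-01-01T10:00:{5 + i // 5:02d}", "type": "file", "host": "ws1",
     "pid": 4242, "path": f"C:\\Users\\a\\Documents\\doc{i}.docx.locked"} for i in range(30)
] + [  # five slow writes by another process: well below the burst threshold
    {"ts": f"2024-01-01T10:01:{i:02d}", "type": "file", "host": "ws2",
     "pid": 900, "path": f"C:\\Users\\b\\Downloads\\log{i}.txt"} for i in range(5)
]

# Command-line fragments (all must appear, case-insensitive) for backup inhibition.
TAMPER_PATTERNS = [("vssadmin", "delete shadows"), ("vssadmin", "resize shadowstorage"),
                   ("wmic", "shadowcopy delete"), ("bcdedit", "recoveryenabled no")]

def is_shadow_copy_tampering(cmdline: str) -> bool:
    """True if the command line matches a known shadow-copy/recovery tampering pattern."""
    c = " ".join(cmdline.lower().split())  # normalise case and whitespace
    return any(all(frag in c for frag in pat) for pat in TAMPER_PATTERNS)

def file_write_bursts(events, threshold=20, window=timedelta(seconds=60)):
    """Return {(host, pid)} that modified >= threshold files inside any `window`."""
    by_proc = defaultdict(list)
    for e in (e for e in events if e["type"] == "file"):
        by_proc[(e["host"], e["pid"])].append(datetime.fromisoformat(e["ts"]))
    flagged = set()
    for key, times in by_proc.items():
        recent = deque()
        for t in sorted(times):  # sliding window over this process's timestamps
            recent.append(t)
            while t - recent[0] > window:
                recent.popleft()
            if len(recent) >= threshold:
                flagged.add(key)
                break
    return flagged

def detect(events):
    """Run both rules and return human-readable alerts."""
    alerts = [f"{e['host']}: shadow copy tampering by pid {e['pid']}" for e in events
              if e["type"] == "process" and is_shadow_copy_tampering(e["cmdline"])]
    return alerts + [f"{h}: mass file modification burst by pid {p}"
                     for h, p in sorted(file_write_bursts(events))]
```

In a real deployment these rules would be fed from Sysmon or EDR process-creation and file events, and the burst threshold tuned per host role so that backup agents and build servers do not trip it.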

Response

  • Incident response plan: Documented, tested procedures specific to ransomware
  • Backup strategy: Offline/immutable backups tested regularly
  • Containment playbooks: Automated isolation of infected systems
  • Legal counsel: Prepared for negotiation, disclosure, and regulatory reporting

To Pay or Not to Pay?

Most security experts and law enforcement agencies recommend against paying ransoms because:

  • Payment doesn't guarantee data recovery
  • Payment funds future attacks
  • Paying makes you a target for repeat attacks
  • Some jurisdictions restrict ransom payments to sanctioned entities

However, each situation is unique and should involve legal counsel, cyber insurance, and senior leadership.
