Threats & Attacks | Critical

Ransomware

Malicious software that encrypts files or systems and demands payment for decryption keys

Skill Paths: Malware Analysis, Incident Response, Threat Intelligence, Digital Forensics
Job Paths: Malware Analyst, Incident Responder, Threat Intelligence Analyst, Security Analyst
Relevant Certifications: GIAC GREM, SANS FOR508, CEH, CompTIA Security+

What is Ransomware?

Ransomware is a type of malicious software that encrypts files, systems, or entire networks and demands payment (ransom) in exchange for decryption keys. It's one of the most financially damaging cyber threats, affecting individuals, businesses, and critical infrastructure.

How Ransomware Works

Infection Phase

  • Delivery – Phishing emails, exploit kits, compromised websites
  • Execution – Malicious code runs and begins encryption
  • Persistence – Establishes foothold in the system

Encryption Phase

  • File scanning – Identifies target files and systems
  • Encryption – Uses strong algorithms to encrypt data
  • Key generation – Creates unique encryption keys

Extortion Phase

  • Ransom note – Displays payment instructions
  • Payment demand – Usually cryptocurrency (Bitcoin, Monero)
  • Deadline – Threatens permanent data loss

Types of Ransomware

File-Encrypting Ransomware

  • CryptoLocker – Early widespread ransomware
  • WannaCry – Spread using the EternalBlue SMB exploit
  • Ryuk – Targeted enterprise networks
  • REvil/Sodinokibi – Ransomware-as-a-Service

System-Locking Ransomware

  • Screen lockers – Block access to the desktop without encrypting files
  • MBR lockers – Overwrite or encrypt the master boot record so the system cannot boot
  • Mobile ransomware – Targets smartphones and tablets

Double Extortion

  • Data theft – Steals data before encryption
  • Threat to publish – Demands payment to prevent data exposure
  • Multiple demands – Separate ransoms for decryption and silence

Prevention Strategies

Technical Controls

  • Regular backups – Air-gapped, immutable backups
  • Email filtering – Advanced threat protection
  • Endpoint protection – EDR/XDR solutions
  • Network segmentation – Isolate critical systems
  • Patch management – Keep systems updated

Organizational Measures

  • Security awareness training – Phishing simulation
  • Incident response planning – Ransomware playbooks
  • Business continuity – Recovery procedures
  • Cyber insurance – Financial protection

Response and Recovery

Immediate Actions

  • Isolate affected systems – Prevent spread
  • Assess scope – Identify all compromised systems
  • Preserve evidence – For forensic analysis
  • Notify authorities – Law enforcement reporting

Recovery Options

  • Restore from backups – Clean, recent backups
  • Decryption tools – Free tools from security vendors
  • Professional services – Incident response teams
  • Data reconstruction – Rebuild from other sources

Best Practices

  • Never pay the ransom – Encourages more attacks
  • Maintain offline backups – Air-gapped storage
  • Test recovery procedures – Regular backup testing
  • Implement zero trust – Verify all access
  • Monitor for indicators – Early detection systems
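
The "Monitor for indicators" practice above can be made concrete with detection logic; the following is an added example, not code from the original page. It flags a burst of high-entropy file rewrites (ciphertext has near-maximal byte entropy, unlike documents) over a constructed sample of file-write events; the entropy threshold, time window and burst count are assumed tuning values, not figures from the page.

```python
import math
import random
from collections import Counter, deque

# Tuning values (assumptions, not from the page). Max entropy is 8.0 bits/byte;
# ciphertext and compressed data sit close to it, office documents well below.
ENTROPY_THRESHOLD = 7.5
BURST_WINDOW = 60.0     # seconds
BURST_THRESHOLD = 20    # distinct files rewritten with high-entropy content


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes) -> bool:
    return shannon_entropy(data) >= ENTROPY_THRESHOLD


def detect_encryption_burst(events):
    """events: iterable of (timestamp, path, new_content) file-write records,
    e.g. from an audit or EDR feed. Returns (burst_start_ts, sorted_paths) for
    the first burst of high-entropy rewrites that exceeds BURST_THRESHOLD
    distinct files inside BURST_WINDOW seconds, or None if nothing is found."""
    window = deque()  # (ts, path) of recent high-entropy writes, oldest first
    for ts, path, content in sorted(events, key=lambda e: e[0]):
        if not looks_encrypted(content):
            continue
        window.append((ts, path))
        while ts - window[0][0] > BURST_WINDOW:
            window.popleft()
        paths = {p for _, p in window}
        if len(paths) > BURST_THRESHOLD:
            return window[0][0], sorted(paths)
    return None


def sample_events():
    """Constructed feed: one ordinary edit, then a rapid rewrite of many files
    with pseudo-random bytes standing in for ciphertext (paths are made up)."""
    rng = random.Random(1)  # deterministic so the sample is reproducible
    events = [(0.0, "/srv/share/notes.txt", b"meeting notes: discuss Q3 budget\n" * 20)]
    for i in range(25):
        blob = bytes(rng.getrandbits(8) for _ in range(2048))
        events.append((100.0 + i, f"/srv/share/doc{i}.docx.locked", blob))
    return events
```

In production the event source would be a file-integrity or EDR feed rather than a constructed list, and a hit should trigger isolation of the writing host rather than just a return value.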

Quick Facts

  • Severity level – 10/10
  • Goal – Extort money through data encryption
  • Delivery – Phishing, exploit kits, RDP attacks
  • Payment – Usually cryptocurrency (Bitcoin, Monero)
  • Recovery – Backups, decryption tools, incident response