Ransomware
Ransomware is malware that encrypts data or systems and demands a ransom for decryption.
Ransomware is among the most dangerous and costly cyber threats. Attackers encrypt organizational data and demand ransom for release – often in the millions. Attacks affect organizations of all sizes: from small businesses and hospitals to enterprises and critical infrastructure. Preventive measures and a solid backup strategy are the best defence against this growing threat.
What is Ransomware?
Ransomware is malware that blocks access to data or IT systems by encrypting files or locking the device, then demands a ransom (usually in cryptocurrency) for decryption. Modern groups use 'double extortion': besides encryption they exfiltrate data and threaten to publish it if ransom is not paid. 'Triple extortion' adds DDoS as extra pressure. Ransomware-as-a-Service (RaaS) has lowered the bar: even unskilled criminals can buy ready-made kits on the dark web. Average ransom demands are in the hundreds of thousands for SMEs and tens of millions for large enterprises.
How does Ransomware work?
The most common entry point is phishing: an employee opens an infected attachment or clicks a malicious link. Alternatively, attackers exploit unpatched vulnerabilities or weak passwords on remote-access services. After gaining access, the malware moves laterally to compromise as many systems as possible. Before encrypting, backups are often deleted or encrypted so that they cannot be used for recovery. Files are then encrypted with strong cryptography (AES-256, RSA), and a ransom note with payment instructions appears. Without the decryption key the data is unusable.
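The sequence above (backup tampering, then mass encryption, then ransom notes) is exactly what endpoint detection should catch before encryption completes. The following is an added example, not code from the original page: a small behavioural detector run over constructed EDR-style telemetry. The log format, hosts, PIDs, paths, the `.lockd` extension and the note filename are all made up for this example; the three rules (backup-deletion command lines, a burst of extension-changing renames from one process, the same filename created across many directories) are standard detection ideas, not a specific product's rules.

```python
"""Behavioural ransomware detection over constructed endpoint telemetry.

Added example; not the page's or any vendor's code. The JSON-lines format
below is a constructed stand-in for Sysmon/EDR process and file events.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry: hosts, PIDs, users, paths and extensions are made up.
SAMPLE_LOG = r"""
{"ts": "2024-05-01T09:00:01", "host": "ws-17", "type": "process", "pid": 4120, "image": "C:\\Windows\\System32\\vssadmin.exe", "cmdline": "vssadmin delete shadows /all /quiet"}
{"ts": "2024-05-01T09:00:02", "host": "ws-17", "type": "file", "op": "rename", "pid": 4128, "src": "C:\\Users\\a\\Documents\\q1.xlsx", "dst": "C:\\Users\\a\\Documents\\q1.xlsx.lockd"}
{"ts": "2024-05-01T09:00:02", "host": "ws-17", "type": "file", "op": "rename", "pid": 4128, "src": "C:\\Users\\a\\Documents\\q2.xlsx", "dst": "C:\\Users\\a\\Documents\\q2.xlsx.lockd"}
{"ts": "2024-05-01T09:00:03", "host": "ws-17", "type": "file", "op": "rename", "pid": 4128, "src": "C:\\Users\\a\\Documents\\offer.docx", "dst": "C:\\Users\\a\\Documents\\offer.docx.lockd"}
{"ts": "2024-05-01T09:00:03", "host": "ws-17", "type": "file", "op": "rename", "pid": 4128, "src": "C:\\Users\\a\\Pictures\\img1.jpg", "dst": "C:\\Users\\a\\Pictures\\img1.jpg.lockd"}
{"ts": "2024-05-01T09:00:04", "host": "ws-17", "type": "file", "op": "rename", "pid": 4128, "src": "C:\\Users\\a\\Pictures\\img2.jpg", "dst": "C:\\Users\\a\\Pictures\\img2.jpg.lockd"}
{"ts": "2024-05-01T09:00:04", "host": "ws-17", "type": "file", "op": "create", "pid": 4128, "path": "C:\\Users\\a\\Documents\\HOW_TO_RESTORE.txt"}
{"ts": "2024-05-01T09:00:05", "host": "ws-17", "type": "file", "op": "create", "pid": 4128, "path": "C:\\Users\\a\\Pictures\\HOW_TO_RESTORE.txt"}
{"ts": "2024-05-01T09:00:05", "host": "ws-17", "type": "file", "op": "create", "pid": 4128, "path": "C:\\Users\\a\\Desktop\\HOW_TO_RESTORE.txt"}
{"ts": "2024-05-01T09:15:00", "host": "ws-22", "type": "file", "op": "rename", "pid": 900, "src": "C:\\Users\\b\\draft.docx", "dst": "C:\\Users\\b\\final.docx"}
{"ts": "2024-05-01T09:16:00", "host": "ws-22", "type": "process", "pid": 910, "image": "C:\\Windows\\System32\\notepad.exe", "cmdline": "notepad.exe C:\\Users\\b\\final.docx"}
"""

# Rule 1: command lines that delete the backups ransomware wants gone (common Sigma-style patterns).
BACKUP_TAMPER_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I),
]
# Rule 2: this many extension-changing renames by one process within the window.
RENAME_THRESHOLD = 5
RENAME_WINDOW = timedelta(seconds=10)
# Rule 3: the same filename created in this many distinct directories by one process.
NOTE_DIR_THRESHOLD = 3


def parse_events(text):
    """Parse JSON-lines telemetry into a list of event dicts (blank lines ignored)."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def _split(path):
    """Return (directory, filename) for a Windows or POSIX path."""
    norm = path.replace("\\", "/")
    directory, _, name = norm.rpartition("/")
    return directory, name


def _ext(path):
    name = _split(path)[1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect(events):
    """Return a list of alerts, in the order the triggering events were seen."""
    alerts = []
    fired = set()                         # (rule, host, pid): alert once per process
    renames = defaultdict(list)           # (host, pid) -> timestamps of ext-changing renames
    note_dirs = defaultdict(set)          # (host, pid, filename) -> directories created in

    def alert(rule, ev, detail):
        key = (rule, ev["host"], ev["pid"])
        if key not in fired:
            fired.add(key)
            alerts.append({"rule": rule, "host": ev["host"], "pid": ev["pid"], "detail": detail})

    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        proc = (ev["host"], ev["pid"])
        if ev["type"] == "process":
            if any(p.search(ev["cmdline"]) for p in BACKUP_TAMPER_PATTERNS):
                alert("backup_tampering", ev, ev["cmdline"])
        elif ev["type"] == "file" and ev["op"] == "rename":
            if _ext(ev["src"]) != _ext(ev["dst"]):      # a plain rename keeps its extension
                window = renames[proc]
                window.append(ts)
                while window and ts - window[0] > RENAME_WINDOW:   # slide the window
                    window.pop(0)
                if len(window) >= RENAME_THRESHOLD:
                    alert("mass_rename", ev, f"{len(window)} renames to .{_ext(ev['dst'])}")
        elif ev["type"] == "file" and ev["op"] == "create":
            directory, name = _split(ev["path"])
            dirs = note_dirs[proc + (name,)]
            dirs.add(directory)
            if len(dirs) >= NOTE_DIR_THRESHOLD:
                alert("ransom_note_fanout", ev, f"{name} in {len(dirs)} directories")
    return alerts


if __name__ == "__main__":
    for a in detect(parse_events(SAMPLE_LOG)):
        print(a)
```

On the constructed sample this yields three alerts from host `ws-17` and none from `ws-22`, whose single rename keeps the `.docx` extension. The rename rule keys on a change of extension rather than on file writes alone, which is what separates an encryptor from a user saving documents; the thresholds are deliberately low for the example and would be tuned against a real environment's baseline.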
Practical Examples
- WannaCry (2017): Global attack infecting over 200,000 systems in 150 countries, including the UK NHS and Deutsche Bahn.
- Kaseya (2021): An attack via a vulnerability in IT management software infected hundreds of companies worldwide at once (a supply-chain attack).
- Conti against hospitals: Ransomware attacks on clinics led to postponed operations and patient transfers – with potentially life-threatening impact.
- SME attack: A mid-size manufacturer loses access to orders, drawings and ERP data, resulting in two weeks of production stoppage.
- Double extortion at a financial services firm: Customer data is exfiltrated before encryption; besides the ransom demand there is a threat to publish sensitive financial data.
Typical Use Cases
- Backup strategy: 3-2-1 rule (3 copies, 2 media, 1 offsite) with immutable backups as the last line of defence
- EDR: AI-based detection of suspicious behaviour on endpoints before encryption starts
- Network segmentation: Isolate critical systems so ransomware cannot spread laterally
- Incident response plan: Defined process for who does what, who is informed and how systems are restored
- Security awareness: Train all staff to recognize phishing as the main infection vector
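The 3-2-1 rule with immutability is easy to state and easy to drift away from once backup jobs change. As an added example (not code from the original page), the check below evaluates a backup inventory against that rule. The inventory format, the media and location labels, and the two sample inventories are constructed for this example; the 30-day restore-test limit is an assumed policy value, not something the page states.

```python
"""Check a backup inventory against the 3-2-1 rule plus immutability.

Added example; not the page's code. The inventory format is constructed.
"""
from dataclasses import dataclass

MAX_RESTORE_TEST_AGE_DAYS = 30   # assumed policy value, not from the page


@dataclass(frozen=True)
class BackupCopy:
    name: str
    media: str              # e.g. "disk", "tape", "object-storage" (constructed labels)
    location: str           # e.g. "onsite", "offsite"
    immutable: bool         # write-once / locked retention
    last_restore_test_days: int   # days since a restore from this copy was last tested


def check_321(copies):
    """Return a list of findings; an empty list means the inventory is compliant.

    Counts the production copy as one of the three, as the 3-2-1 rule does.
    """
    findings = []
    total_copies = len(copies) + 1              # +1 for the live production data
    if total_copies < 3:
        findings.append(f"only {total_copies} copies including production; need 3")
    media = {c.media for c in copies}
    if len(media) < 2:
        findings.append(f"backups on a single media type ({', '.join(sorted(media)) or 'none'}); need 2")
    if not any(c.location == "offsite" for c in copies):
        findings.append("no offsite copy")
    if not any(c.immutable for c in copies):
        findings.append("no immutable copy; ransomware that reaches the backups can delete them")
    stale = [c.name for c in copies if c.last_restore_test_days > MAX_RESTORE_TEST_AGE_DAYS]
    if stale:
        findings.append(f"restore not tested within {MAX_RESTORE_TEST_AGE_DAYS} days: {', '.join(stale)}")
    return findings


# Constructed inventories for demonstration.
COMPLIANT = [
    BackupCopy("nightly-nas", "disk", "onsite", immutable=False, last_restore_test_days=7),
    BackupCopy("cloud-locked", "object-storage", "offsite", immutable=True, last_restore_test_days=21),
]
WEAK = [
    # Two copies on the same onsite disk array, both writable, one never restore-tested.
    BackupCopy("nas-a", "disk", "onsite", immutable=False, last_restore_test_days=3),
    BackupCopy("nas-b", "disk", "onsite", immutable=False, last_restore_test_days=400),
]

if __name__ == "__main__":
    for label, inv in (("compliant", COMPLIANT), ("weak", WEAK)):
        print(label, check_321(inv) or "OK")
```

The weak inventory has three copies, so a headcount alone would pass it; the check fails it on media diversity, offsite presence, immutability and restore testing, which are the properties that actually matter when the attacker is already inside and deleting backups.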
Advantages and Disadvantages
Advantages
- Prevention is possible: With the right technical and organizational measures risk can be greatly reduced
- Backup as lifeline: A solid backup strategy makes paying ransom unnecessary
- Growing awareness: Media coverage has increased security budgets and prevention
- Better tools: EDR and AI-based detection are increasingly effective at early detection
Disadvantages
- Constantly new variants: Ransomware groups keep developing new encryption and attack methods
- High cost of damage: Even without paying, outage, forensics and recovery are costly
- No complete protection: Even well-protected organizations can be hit, e.g. by zero-days or supply-chain attacks
- Human factor: One careless click on a phishing link can defeat all protection
Frequently Asked Questions about Ransomware
Should you pay the ransom in a ransomware attack?
How can an SME protect itself from ransomware?
What are the first steps after a ransomware infection?
Related Terms
Want to protect your project against ransomware?
We are happy to advise you on ransomware protection and find the optimal solution for your requirements. Benefit from our experience across over 200 projects.