Glossary

Ransomware

A type of malicious software that encrypts an organization's data or locks systems and demands payment (ransom) in exchange for the decryption key or restored access, often combined with data exfiltration for double extortion.


What Is Ransomware?

Ransomware is malware that encrypts files or locks systems and demands payment — typically in cryptocurrency — for the decryption key. Modern ransomware operations have evolved into sophisticated criminal enterprises that combine encryption with data theft for maximum pressure.

Ransomware Evolution

| Era | Approach | Example |
|---|---|---|
| Early (2013-2017) | Mass spray, low ransoms | CryptoLocker, WannaCry |
| Big Game Hunting (2018-2021) | Target large orgs, high ransoms | Ryuk, REvil, DarkSide |
| Double Extortion (2020+) | Encrypt + steal data | LockBit, BlackCat, Cl0p |
| Triple Extortion (2021+) | Encrypt + steal + DDoS/threaten customers | Various groups |
| RaaS (ongoing) | Ransomware-as-a-Service platforms | LockBit, BlackBasta |

Common Ransomware Attack Chain

  1. Initial Access: Phishing email, exploited vulnerability, compromised credentials, or RDP brute force
  2. Persistence: Install backdoors, create accounts
  3. Discovery: Map the network, identify critical systems and data
  4. Lateral Movement: Move to additional systems using stolen credentials
  5. Data Exfiltration: Steal sensitive data before encryption (for double extortion)
  6. Impact: Deploy ransomware across all accessible systems simultaneously

Ransomware Defense Strategy

Prevention

  • Email security: Block phishing and malicious attachments
  • Patch management: Eliminate exploitable vulnerabilities
  • MFA everywhere: Prevent credential-based access
  • Network segmentation: Limit lateral movement
  • Least privilege: Minimize blast radius of compromised accounts

Detection

  • EDR/XDR: Detect ransomware behavior (mass file encryption, shadow copy deletion)
  • SIEM: Correlate indicators across the environment
  • Network monitoring: Detect unusual data exfiltration
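
As an added example that is not part of the glossary, the Python below applies the two EDR/XDR behavioural signals named above to constructed telemetry: one process changing the extension of many files inside a short window (mass encryption), and a process command line that deletes Volume Shadow Copies. The event format, thresholds and sample lines are assumptions made for illustration, not any product's actual telemetry.

```python
import re
from collections import defaultdict, deque

# Tunables (assumed, not from the glossary): one process changing this many
# file extensions inside the window is treated as mass encryption.
WINDOW_SECONDS = 10
RENAME_THRESHOLD = 5

# Command lines that remove Volume Shadow Copies, the "shadow copy deletion"
# behaviour the glossary lists as an EDR/XDR signal.
SHADOW_DELETE = re.compile(r"vssadmin.*delete\s+shadows|wmic.*shadowcopy\s+delete", re.I)

# Constructed telemetry format: "<ts> <EVENT_TYPE> <process> <detail>"
EVENT_RE = re.compile(r"^(\d+)\s+(\w+)\s+(\S+)\s+(.*)$")

# Constructed sample events (not from any real incident). The first rename is
# benign (same extension); svc.exe then rewrites six files to a new extension.
SAMPLE_EVENTS = r"""
100 FILE_RENAME explorer.exe C:\Users\a\report.docx -> C:\Users\a\report_final.docx
101 PROCESS_CREATE cmd.exe vssadmin.exe delete shadows /all /quiet
103 FILE_RENAME svc.exe C:\Share\q1.xlsx -> C:\Share\q1.xlsx.locked
104 FILE_RENAME svc.exe C:\Share\q2.xlsx -> C:\Share\q2.xlsx.locked
104 FILE_RENAME svc.exe C:\Share\notes.txt -> C:\Share\notes.txt.locked
105 FILE_RENAME svc.exe C:\Share\budget.pdf -> C:\Share\budget.pdf.locked
106 FILE_RENAME svc.exe C:\Share\plan.pptx -> C:\Share\plan.pptx.locked
107 FILE_RENAME svc.exe C:\Share\old.log -> C:\Share\old.log.locked
"""

def detect(lines):
    """Return alert strings for shadow copy deletion and mass extension changes."""
    alerts = []
    renames = defaultdict(deque)  # process -> timestamps of extension-changing renames
    flagged = set()               # processes already alerted on (alert once per process)
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        ts, etype, proc, detail = int(m[1]), m[2], m[3], m[4]
        if etype == "PROCESS_CREATE" and SHADOW_DELETE.search(detail):
            alerts.append(f"{ts} shadow copy deletion by {proc}: {detail}")
        elif etype == "FILE_RENAME" and " -> " in detail:
            old, new = detail.split(" -> ", 1)
            if old.rsplit(".", 1)[-1].lower() == new.rsplit(".", 1)[-1].lower():
                continue  # extension unchanged: ordinary rename, not encryption
            q = renames[proc]
            q.append(ts)
            while ts - q[0] > WINDOW_SECONDS:  # drop events outside the sliding window
                q.popleft()
            if len(q) >= RENAME_THRESHOLD and proc not in flagged:
                flagged.add(proc)
                alerts.append(f"{ts} mass extension change by {proc}: {len(q)} files in {WINDOW_SECONDS}s")
    return alerts

def run_sample():
    return detect(SAMPLE_EVENTS.strip().splitlines())

if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

In production the same two rules would run over real process-creation and file-system telemetry, with the threshold tuned against the environment's normal rename rate to avoid flagging backup or build jobs.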

Response

  • Incident response plan: Documented, tested procedures specific to ransomware
  • Backup strategy: Offline/immutable backups tested regularly
  • Containment playbooks: Automated isolation of infected systems
  • Legal counsel: Prepared for negotiation, disclosure, and regulatory reporting

To Pay or Not to Pay?

Most security experts and law enforcement agencies recommend against paying ransoms because:

  • Payment doesn't guarantee data recovery
  • Payment funds future attacks
  • Paying makes you a target for repeat attacks
  • Some jurisdictions restrict ransom payments to sanctioned entities

However, each situation is unique and should involve legal counsel, cyber insurance, and senior leadership.
