Ransomware

Ransomware is a category of malicious software designed to block access to a computer system or data, typically by encryption, until a sum of money (ransom) is paid to the attacker.

Evolution of Ransomware

Phase 1: Encryption-Based (Traditional)

Malware encrypts files on the victim's system and demands cryptocurrency payment for the decryption key.

Phase 2: Double Extortion

Attackers exfiltrate sensitive data before encryption, threatening to leak it publicly if the ransom isn't paid. This means even organizations with good backups face data exposure risk.

Phase 3: Triple Extortion and Beyond

Extortion extends beyond the initial victim — targeting customers, partners, or leveraging DDoS attacks alongside encryption and data theft.

Ransomware-as-a-Service (RaaS)

Modern ransomware operations are run like businesses, with specialised roles:

  • Developers: Create and maintain the ransomware malware and infrastructure
  • Affiliates: Conduct the actual intrusions and deploy the ransomware
  • Initial Access Brokers: Sell network access to affiliates
  • Negotiation Teams: Handle victim communications and payment

Defending Against Ransomware

  1. Prevention: Patching, email security, endpoint protection, access controls
  2. Detection: Monitoring for data exfiltration, lateral movement, and encryption activity
  3. Response: Incident response plans, network isolation capabilities, forensic readiness
  4. Recovery: Tested backups, disaster recovery plans, business continuity procedures
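The detection step above (monitoring for encryption activity and data exfiltration) is easiest to understand as concrete rules over endpoint telemetry. The following is an added example, not code from the original page: it assumes a hypothetical, simplified event feed (`seconds,process,event,path_or_destination,bytes`), constructed sample events for a made-up process name `enc-sim.exe`, and assumed thresholds that would have to be calibrated against a real baseline. Two indicators are implemented: a burst of extension-changing renames by one process within a time window (a typical footprint of bulk encryption) and a burst of outbound bytes by one process (a possible exfiltration signal). A byte-entropy helper is included because written file contents that sit near 8 bits per byte are another common encryption indicator.

```python
"""Heuristic ransomware indicators over constructed endpoint telemetry.

Added example, not from the original page. The feed format and the
thresholds below are assumptions, not any EDR product's real schema.
"""
import math
from collections import defaultdict, deque

# --- Constructed sample telemetry (not real data) ---------------------------
# Hypothetical format: seconds,process,event,path_or_destination,bytes
SAMPLE_EVENTS = [
    "0,winword.exe,WRITE,C:\\Users\\a\\report.docx,20480",
    "5,outlook.exe,NET_OUT,mail.example.invalid:443,4096",
]
# "enc-sim.exe" is a hypothetical process name: it renames 30 documents to a
# new extension within ten seconds, then sends roughly 600 MiB outbound.
for i in range(30):
    SAMPLE_EVENTS.append(
        f"{10 + i // 3},enc-sim.exe,RENAME,"
        f"C:\\Users\\a\\doc{i}.docx->C:\\Users\\a\\doc{i}.docx.locked,0")
for i in range(6):
    SAMPLE_EVENTS.append(
        f"{20 + i},enc-sim.exe,NET_OUT,203.0.113.10:443,{100 * 1024 * 1024}")

# Assumed thresholds; calibrate against your own environment's baseline.
WINDOW_SECONDS = 60
MASS_RENAME_THRESHOLD = 20                   # extension-changing renames per window
EGRESS_BYTES_THRESHOLD = 500 * 1024 * 1024   # outbound bytes per process per window


def parse_event(line):
    """Split one feed line into a dict; the byte count becomes an int."""
    ts, proc, event, target, nbytes = line.split(",", 4)
    return {"t": int(ts), "process": proc, "event": event,
            "target": target, "bytes": int(nbytes)}


def shannon_entropy(data):
    """Bits per byte (0..8). Encrypted or compressed content sits close to 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def _max_window_sum(points, window):
    """Largest sum of values over any sliding window of `window` seconds."""
    dq, total, best = deque(), 0, 0
    for t, v in sorted(points):
        dq.append((t, v))
        total += v
        while t - dq[0][0] > window:          # drop points older than the window
            total -= dq.popleft()[1]
        best = max(best, total)
    return best


def _extension(path):
    return path.rpartition(".")[2].lower() if "." in path else ""


def detect(lines, window=WINDOW_SECONDS):
    """Return one alert per (process, rule) whose windowed activity crosses a threshold."""
    renames = defaultdict(list)   # process -> [(t, 1)] for extension-changing renames
    egress = defaultdict(list)    # process -> [(t, bytes)] for outbound transfers
    for ev in map(parse_event, lines):
        if ev["event"] == "RENAME" and "->" in ev["target"]:
            old, new = ev["target"].split("->", 1)
            if _extension(old) != _extension(new):
                renames[ev["process"]].append((ev["t"], 1))
        elif ev["event"] == "NET_OUT":
            egress[ev["process"]].append((ev["t"], ev["bytes"]))

    alerts = []
    for proc, pts in renames.items():
        n = _max_window_sum(pts, window)
        if n >= MASS_RENAME_THRESHOLD:
            alerts.append({"rule": "mass_rename", "process": proc, "value": n})
    for proc, pts in egress.items():
        b = _max_window_sum(pts, window)
        if b >= EGRESS_BYTES_THRESHOLD:
            alerts.append({"rule": "bulk_egress", "process": proc, "value": b})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
    print("entropy, plaintext:", round(shannon_entropy(b"quarterly report draft " * 20), 2))
    print("entropy, uniform bytes:", shannon_entropy(bytes(range(256))))
```

Run as a script, it prints two alerts for `enc-sim.exe` (mass renames, bulk egress) and nothing for the benign Word and Outlook events. Rules of this kind are deliberately simple; the point is that each rule keys on one of the behaviours named in the detection step, so a tuned threshold on a real feed gives an early signal before encryption is complete, and the egress rule covers the double-extortion case where data leaves the network before any file is touched.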

Key Statistics

  • Average dwell time (the time attackers spend inside the network before triggering encryption) is measured in days
  • Ransomware payments fund further criminal operations
  • Recovery costs typically far exceed the ransom amount
