GLOSSARY · THREATS & INCIDENTS

Ransomware

Malware that encrypts or steals data and demands payment for its return, increasingly paired with the threat of public leaks.

Ransomware turned from a nuisance into an industry over a roughly five-year span. Early variants were opportunistic: spray a malicious attachment broadly, encrypt a workstation, demand a few hundred dollars in Bitcoin. Modern ransomware operations look more like structured businesses with affiliate programs, negotiation teams, and customer service portals for processing payments.

The model that now dominates is double extortion. The attacker encrypts your systems and also exfiltrates data before triggering the encryption. That second lever matters because organizations that maintain good backups might otherwise recover without paying. When the attacker can also threaten to publish contracts, customer records, or personnel files, the calculus changes. Triple extortion adds a third threat: notifying your customers or regulators directly unless payment arrives.

Defensively, the most important investments are backup integrity (tested offline or immutable copies), network segmentation (to limit how far ransomware can spread once inside), and fast detection of lateral movement (the interval between initial access and encryption is typically measured in hours to days, which is the window for containment). Paying the ransom does not guarantee decryption or data deletion, and it funds the next attack.