Ransomware — Malware That Encrypts or Extorts for Financial Gain
Ransomware is a type of malicious software that encrypts data or threatens publication to extort payment from victims. This SECMONS glossary entry explains how ransomware operates, common attack stages, and why modern ransomware campaigns combine encryption with data exfiltration.
What Is Ransomware? 🧠
Ransomware is a category of malicious software designed to encrypt data, disrupt operations, or threaten exposure of stolen information in exchange for payment.
Modern ransomware is rarely a single executable dropped randomly. It is typically the final stage of a coordinated intrusion involving:
- /glossary/initial-access/
- /glossary/privilege-escalation/
- /glossary/lateral-movement/
- /glossary/persistence/
- /glossary/data-exfiltration/
Encryption is often only one component of the attack.
How Ransomware Campaigns Operate 🎯
Most enterprise ransomware incidents follow a structured lifecycle:
| Stage | Description |
|---|---|
| Initial Access | Phishing, exploit, or exposed service |
| Privilege Escalation | Expanding control inside environment |
| Lateral Movement | Moving between systems to reach high-value targets |
| Data Exfiltration | Stealing sensitive data |
| Encryption | Locking systems and files |
| Extortion | Demanding payment |
This structured approach mirrors exploit chains described in /glossary/exploit-chain/.
Double and Triple Extortion 🔎
Modern ransomware groups frequently use:
- Double Extortion: Encrypt data and threaten public release.
- Triple Extortion: Apply further pressure (e.g., DDoS attacks, direct notification of the victim's customers).
Exfiltration lets attackers demand payment even when the victim can restore from backups.
Ransomware as a Service (RaaS) 🔬
Many ransomware operations now function as Ransomware-as-a-Service (RaaS):
- Core developers maintain malware.
- Affiliates conduct intrusions.
- Revenue is shared.
This model lowers the barrier to entry for financially motivated /glossary/threat-actor/ groups.
Ransomware vs Other Malware 🔄
| Concept | Focus |
|---|---|
| Backdoor | Persistent unauthorized access |
| Web Shell | Web-based command execution |
| Botnet | Distributed control of infected devices |
| Ransomware | Financial extortion through encryption |
Ransomware frequently uses backdoors and C2 infrastructure described under /glossary/command-and-control/.
Common Entry Points ⚠️
Ransomware often enters through:
- Unpatched vulnerabilities listed under /vulnerabilities/
- Exploitation of systems marked as /glossary/exploited-in-the-wild/
- Compromised remote access services
- Phishing campaigns
- Weak access control configurations
Internet-facing exposure significantly increases risk.
Defensive Considerations 🛡️
Reducing ransomware risk requires:
- Strong patch management
- Multi-factor authentication enforcement
- Network segmentation
- Offline, immutable backups
- Continuous monitoring
- Incident response readiness
- Privilege minimization
- Threat intelligence integration
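As an added illustration of the continuous-monitoring item (example code written for this entry, not a SECMONS tool), the following Python heuristic scans constructed file-write telemetry and flags a process that performs bulk high-entropy writes to files with an appended extension, with a ransom-note-style filename as a corroborating signal. The event tuple format, the common-extension list and the note-name prefixes are assumptions.

```python
import math
import os
from collections import Counter, defaultdict

# Constructed stand-in for encrypted output: a uniform byte distribution, so its
# entropy is exactly 8 bits/byte; real ciphertext sits close to that value.
CIPHERTEXT = bytes(range(256)) * 4
DOCUMENT = b"Quarterly revenue summary, prepared for the board. " * 16
COMMON_EXT = {".docx", ".xlsx", ".pdf", ".txt", ".jpg", ".png", ".sql"}
NOTE_PREFIXES = ("README", "HOW_TO_DECRYPT", "RESTORE")  # assumed note-name pattern

# Constructed file-write telemetry as (process, path, bytes written); not real data.
SAMPLE_EVENTS = [("winword.exe", "/srv/share/board.docx", DOCUMENT),
                 ("backup.exe", "/srv/share/db.sql", DOCUMENT)]
for i in range(6):  # one process rewriting many files with a new suffix
    SAMPLE_EVENTS.append(("updater.exe", f"/srv/share/file{i}.xlsx.locked", CIPHERTEXT))
SAMPLE_EVENTS.append(("updater.exe", "/srv/share/README_RESTORE.txt", DOCUMENT))

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 is the maximum (uniform); English text is usually 4 to 5."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def has_appended_suffix(path: str) -> bool:
    """True when an unfamiliar extension was appended to a normal one (x.xlsx.locked)."""
    root, ext = os.path.splitext(path)
    return ext.lower() not in COMMON_EXT and os.path.splitext(root)[1].lower() in COMMON_EXT

def score_processes(events, min_files=5, min_entropy=7.0):
    """Return {process: [reasons]} for processes whose writes look like bulk encryption."""
    stats = defaultdict(lambda: {"encrypted_like": 0, "note": False})
    for proc, path, data in events:
        if has_appended_suffix(path) and shannon_entropy(data) >= min_entropy:
            stats[proc]["encrypted_like"] += 1
        if os.path.basename(path).upper().startswith(NOTE_PREFIXES):
            stats[proc]["note"] = True
    flagged = {}
    for proc, s in stats.items():
        reasons = []
        if s["encrypted_like"] >= min_files:
            reasons.append(f"{s['encrypted_like']} high-entropy writes to renamed files")
        if s["note"] and s["encrypted_like"]:
            reasons.append("ransom-note-style file created alongside them")
        if reasons:
            flagged[proc] = reasons
    return flagged

if __name__ == "__main__":
    print(score_processes(SAMPLE_EVENTS))
```

Thresholds are deliberately conservative; in production the same counters would be kept per process over a sliding time window so that a legitimate backup or archiving job does not trip the rule.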
Operational hardening guidance is typically documented under:
Why SECMONS Treats Ransomware as High Impact 📌
Ransomware represents one of the most disruptive forms of cybercrime.
It combines technical exploitation with operational extortion and reputational pressure.
Understanding the full lifecycle — not just encryption — is essential for effective defense.
Authoritative References 📎
- CISA Ransomware Guide
- MITRE ATT&CK — Impact Tactics