Infosec glossary

Ransomware

Ransomware incidents can interrupt operations, deny access to systems, expose stolen data, and create financial or legal harm. Many ransomware operations combine malware with credential theft, lateral movement, data exfiltration, and extortion. Encryption is common, but some incidents rely mainly on stolen data and pressure to publish it.

Threat language 5 min read By Infosec Writing Studio editorial team
01

How a ransomware incident develops

Attackers may gain initial access through stolen credentials, phishing, exposed remote services, software vulnerabilities, or an existing access broker. They can then discover systems, escalate privilege, move between hosts, disable security controls, steal data, and prepare recovery systems or backups for disruption.

The ransomware payload may encrypt files on endpoints, servers, virtual infrastructure, or network storage. The demand may offer a decryption tool, promise that stolen data will not be published, or threaten further disruption.

02

Ransomware prevention, containment, and recovery

Prevention and preparation include patching exploited vulnerabilities, protecting remote access, using phishing-resistant authentication where possible, limiting privileges, segmenting networks, monitoring identity and endpoint activity, and maintaining recoverable backups. No single control prevents every initial access or later-stage action.

Containment may require isolating affected systems, disabling compromised identities, blocking command channels, protecting backups, and preserving evidence. Recovery includes rebuilding from trusted sources, rotating credentials, verifying restored systems, monitoring for persistence, and communicating with affected parties.

  • Initial access and credential compromise
  • Lateral movement, privilege escalation, and data theft
  • Encryption, disruption, and extortion
  • Containment, restoration, and post-incident monitoring
03

Ransomware, double extortion, and data extortion

Double extortion describes an incident in which attackers encrypt systems and also steal data, creating two forms of pressure. Some groups add service disruption or contact customers and partners to increase that pressure.

Data extortion can occur without ransomware encryption or even without a ransomware payload. Keeping the terms separate makes incident reporting more precise and helps responders describe what evidence exists.