Infosec glossary
Ransomware
Ransomware incidents can interrupt operations, deny access to systems, expose stolen data, and create financial or legal harm. Many ransomware operations combine malware with credential theft, lateral movement, data exfiltration, and extortion. Encryption is common, but some incidents rely mainly on stolen data and pressure to publish it.
How a ransomware incident develops
Attackers may gain initial access through stolen credentials, phishing, exposed remote services, software vulnerabilities, or an existing access broker. They can then discover systems, escalate privilege, move between hosts, disable security controls, steal data, and prepare recovery systems or backups for disruption.
The ransomware payload may encrypt files on endpoints, servers, virtual infrastructure, or network storage. The demand may offer a decryption tool, promise that stolen data will not be published, or threaten further disruption.
Ransomware prevention, containment, and recovery
Prevention and preparation include patching exploited vulnerabilities, protecting remote access, using phishing-resistant authentication where possible, limiting privileges, segmenting networks, monitoring identity and endpoint activity, and maintaining recoverable backups. No single control prevents every initial access or later-stage action.
Containment may require isolating affected systems, disabling compromised identities, blocking command channels, protecting backups, and preserving evidence. Recovery includes rebuilding from trusted sources, rotating credentials, verifying restored systems, monitoring for persistence, and communicating with affected parties.
- Initial access and credential compromise
- Lateral movement, privilege escalation, and data theft
- Encryption, disruption, and extortion
- Containment, restoration, and post-incident monitoring
Ransomware, double extortion, and data extortion
Double extortion describes an incident in which attackers encrypt systems and also steal data, creating two forms of pressure. Some groups add service disruption or contact customers and partners to increase that pressure.
Data extortion can occur without ransomware encryption or even without a ransomware payload. Keeping the terms separate makes incident reporting more precise and helps responders describe what evidence exists.
Related reading
The term is clearer when the nearby language is clear too.
Use the pages below when you need adjacent terms, category context, or a longer explanation instead of leaving the definition to stand on its own.
Adjacent terms
Further reading
Sources used to check the definition and terminology
Guides
Where the definition expands into a longer explanation
A practical guide to the traits that separate strong cybersecurity content from generic B2B copy, with examples of what to aim for across common asset types.
How to Review Cybersecurity Content Before PublishA practical pre-publish review process for cybersecurity content covering terminology, claims, audience fit, proof, structure, and trust.