
Ransomware

Malicious software that encrypts the victim's data and demands a ransom for decryption. Today it is often combined with data theft and double extortion.

What is ransomware?

Ransomware is a type of malicious software that, once executed, encrypts files on the infected device and demands payment (typically in cryptocurrency) in exchange for the decryption key. Modern ransomware has evolved from simple screen-locking tools into sophisticated operations run by organised criminal groups.

The ransomware business model has changed significantly in recent years. Groups such as LockBit, ALPHV/BlackCat and Cl0p employ double extortion: they steal data before encrypting it, then threaten to publish it if the victim refuses to pay. Some groups even employ triple extortion, contacting the victim’s clients directly.

Ransomware-as-a-Service (RaaS) has lowered the barrier to entry. Developers provide the software to affiliates who carry out attacks and share the ransom proceeds. A single ransomware programme can be used by dozens of independent actors against different targets.

Why does it matter?

A ransomware attack can paralyse an organisation for days or weeks, generating losses measured in millions, from downtime and recovery costs to regulatory fines and customer loss. Incidents such as the Colonial Pipeline attack (2021) and JBS (2021) demonstrated that ransomware can disrupt critical infrastructure.

Defending against ransomware requires a multi-layered approach: MFA, network segmentation, EDR, regular offline backups, employee training on phishing recognition, and incident response plans. No single measure provides complete protection.
