Attack patterns

Ransomware

Malware that encrypts data and/or exfiltrates it, then demands payment for decryption or non-publication — almost always entering through a human-mediated step.

Ransomware is malware that, once executed inside a target environment, encrypts files and/or exfiltrates them to attacker-controlled infrastructure, then demands a ransom — for the decryption key, for non-publication of the stolen data, or both (the “double extortion” model now standard since the Maze group popularized it in 2019). The Verizon DBIR and ENISA Threat Landscape consistently rank ransomware as one of the top-impact incident patterns; ANSSI’s annual Panorama de la menace says the same for French organizations.

The technical detonation step gets the headlines, but the access path is almost always human-mediated. The kill chain typically runs:

  • Initial access. Phishing email, MFA fatigue push approved by a tired employee, credential reuse, a vulnerable internet-exposed service, or an OAuth grant to an attacker-controlled app.
  • Foothold and discovery. Living-off-the-land tooling, credential harvesting, lateral movement.
  • Privilege escalation. Domain admin or cloud admin acquired.
  • Exfiltration first, encryption second. Modern affiliates copy data out before encrypting, so that ransom leverage survives backups.
  • Detonation. Encryption rolled out at scale across servers and endpoints, often timed for a Friday night or holiday.

Defining properties of the modern ransomware landscape:

  • Operated as a business. Most incidents are now run by affiliates of a Ransomware-as-a-Service platform, not by lone actors.
  • Double or triple extortion. Encrypt, leak, and sometimes DDoS or notify customers/regulators.
  • Regulatory exposure stacks on top. Under NIS2 and RGPD, an exfiltration ransomware incident is also a personal-data breach with 72-hour notification clocks at the CNIL.
  • Backups alone don’t solve it. They protect against pure encryption but not against the leak side of double extortion.

Defenses split into two tracks. Technical: MFA on everything, FIDO2 where possible, EDR, segmentation, immutable backups, exposed-service hygiene. Human: shortening the chain by closing off phishing, push-fatigue, and OAuth-grant moments before they hand over initial access. Both tracks have to work — ANSSI’s published guidance is explicit that ransomware is a governance problem as much as a technical one.
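The push-fatigue moment named above is one of the few steps in this chain that leaves a clean log signature: a burst of denied or timed-out MFA pushes followed by an approval. The detector below is an added example, not the page's own code or any vendor's; it assumes a constructed log format of `timestamp,user,event` with push_sent / push_denied / push_timeout / push_approved events, and flags approvals preceded by repeated rejections inside a short window.

```python
# Added example: flag MFA "push fatigue" sequences in authentication logs.
# Assumed (constructed) log format: "timestamp,user,event" where event is
# push_sent, push_denied, push_timeout or push_approved.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines, not taken from any real system.
SAMPLE_LOG = """\
2024-03-08T22:01:10,alice,push_sent
2024-03-08T22:01:40,alice,push_timeout
2024-03-08T22:02:05,alice,push_sent
2024-03-08T22:02:20,alice,push_denied
2024-03-08T22:03:00,alice,push_sent
2024-03-08T22:03:15,alice,push_denied
2024-03-08T22:03:50,alice,push_sent
2024-03-08T22:04:30,alice,push_approved
2024-03-08T09:15:00,bob,push_sent
2024-03-08T09:15:20,bob,push_approved
"""

def parse_log(text):
    """Group events per user as (datetime, event) tuples, sorted by time."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event = line.split(",")
        events[user].append((datetime.fromisoformat(ts), event))
    for user in events:
        events[user].sort()
    return events

def detect_push_fatigue(events, window=timedelta(minutes=10), min_rejections=2):
    """Return (user, approval_time, rejected_count) for every approval that was
    preceded, within `window`, by at least `min_rejections` denied or timed-out
    pushes: the signature of prompts being spammed until someone taps Approve."""
    hits = []
    for user, seq in events.items():
        for i, (ts, ev) in enumerate(seq):
            if ev != "push_approved":
                continue
            rejected = sum(1 for t, e in seq[:i]
                           if ts - t <= window and e in ("push_denied", "push_timeout"))
            if rejected >= min_rejections:
                hits.append((user, ts.isoformat(), rejected))
    return hits

if __name__ == "__main__":
    for user, when, n in detect_push_fatigue(parse_log(SAMPLE_LOG)):
        print(f"{user}: approval at {when} after {n} rejected pushes")
```

A hit is a response trigger, not proof of compromise: the follow-up is to verify the approval with the user and revoke the resulting session if they did not initiate it.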
