Ransomware is the catch-all name for malicious software that takes something of value, usually data, sometimes the device itself, and increasingly the reputation of the victim, and refuses to give it back unless a payment is made. The basic shape of the crime is ancient. The technical apparatus that makes it work at planetary scale is very modern, and it is the combination of those two things, an old-fashioned shakedown delivered through cryptography and global payment rails, that has turned ransomware into the defining cybercrime of the past decade.
The short definition
Ransomware is malware that denies a victim access to systems or information, typically by encrypting files with a key the attacker controls, and demands payment, almost always in cryptocurrency, in exchange for restoring access. In its modern form it has expanded well past simple file-locking to include data theft, extortion, harassment of customers and employees, and threats of leaking stolen data on a publicly indexed "leak site" if the ransom is not paid.
Why it works
Three ingredients made ransomware viable as a business and unstoppable as a phenomenon:
- Strong, asymmetric cryptography. Modern ransomware uses well-understood ciphers (AES, ChaCha20, RSA, Curve25519) in ways that are mathematically sound. Without the attacker’s private key, files are unrecoverable in any practical timeframe. Decryption without paying is the exception, not the rule.
- Cryptocurrency. Bitcoin, and later Monero, gave criminals a way to receive large international payments without going through banks that can freeze, claw back, or report transactions. Tracing has improved (chain-analytics firms now do real damage to laundering operations), but the fundamental affordance of pseudonymous, irreversible payment remains.
- An economy of specialists. Today’s ransomware ecosystem is divided into roles: initial-access brokers, malware developers, affiliates who run intrusions, negotiators, money launderers, and PR people. The crime is professionalised and industrialised. Most modern operators run on a Ransomware-as-a-Service (RaaS) model, where a core group writes the malware and rents it out for a cut of any successful ransom.
What an attack actually looks like
The popular image of ransomware is a sudden skull on a screen. The reality is closer to a corporate buyout that the victim never agreed to. A typical intrusion runs roughly like this:
- Initial access through a phishing email, a stolen VPN credential, an exposed RDP service, or an unpatched edge device.
- Reconnaissance and privilege escalation: the attacker moves laterally, often using legitimate admin tools (PsExec, PowerShell, Cobalt Strike, AnyDesk), and tries to obtain domain-administrator rights.
- Data theft: before any encryption, gigabytes to terabytes of sensitive data are silently exfiltrated to attacker-controlled storage.
- Backup destruction: volume shadow copies are deleted, backup servers are wiped or encrypted, and disaster-recovery options are pre-emptively closed off.
- Encryption: at a chosen moment, often a Friday night or holiday eve, the ransomware payload is detonated across the estate.
- Extortion: a ransom note appears, victims are directed to a Tor portal to negotiate, and a countdown begins. If they refuse, stolen data is published on a dedicated leak blog.
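The lateral-movement and backup-destruction stages above are the ones defenders have the best chance of catching before the payload detonates, because they leave process-creation events that are rare in normal administration. The following detector is an added example written for this article, not code from any product, vendor or group it mentions. It assumes a simplified, constructed log format (host|user|parent_process|command_line, one event per line) and a constructed set of sample events; real Sysmon or EDR telemetry carries the same fields under different names.

```python
"""Flag ransomware precursor activity in process-creation logs.

Added example, not part of the original article. Assumed (constructed) log
format, one event per line:  host|user|parent_process|command_line
"""
import re
from collections import defaultdict

# Constructed sample telemetry: a quiet workstation, a file server whose
# recovery options are being closed off, and a workstation seeing remote
# execution plus encoded PowerShell.
SAMPLE_EVENTS = [
    "ws-042|jdoe|explorer.exe|C:\\Windows\\System32\\notepad.exe C:\\Users\\jdoe\\notes.txt",
    "fs-01|CORP\\svc_backup|cmd.exe|vssadmin.exe delete shadows /all /quiet",
    "fs-01|CORP\\svc_backup|cmd.exe|wmic shadowcopy delete",
    "fs-01|CORP\\svc_backup|cmd.exe|bcdedit /set {default} recoveryenabled no",
    "fs-01|CORP\\svc_backup|cmd.exe|wbadmin delete catalog -quiet",
    "ws-017|CORP\\admin|services.exe|C:\\Windows\\PSEXESVC.exe",
    "ws-017|CORP\\admin|cmd.exe|powershell.exe -nop -w hidden -enc SQBFAFgA...",
    "ws-042|jdoe|explorer.exe|C:\\Program Files\\AnyDesk\\AnyDesk.exe",
]

# Each rule: (rule id, intrusion stage from the article, regex over the command line).
# The patterns cover the well-known shadow-copy, boot-recovery and backup-catalog
# commands plus the admin tools the article names.
RULES = [
    ("shadow_copy_delete", "backup destruction",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("recovery_disabled", "backup destruction",
     re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.I)),
    ("backup_catalog_delete", "backup destruction",
     re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("psexec_service", "lateral movement",
     re.compile(r"psexesvc\.exe", re.I)),
    ("encoded_powershell", "lateral movement",
     re.compile(r"powershell(\.exe)?.*\s-(e|ec|enc|encodedcommand)\b", re.I)),
    ("remote_admin_tool", "lateral movement",
     re.compile(r"anydesk\.exe", re.I)),
]


def detect(events):
    """Run every rule over every event; return one finding per rule hit."""
    findings = []
    for line in events:
        host, user, parent, cmd = line.split("|", 3)
        for rule_id, stage, pattern in RULES:
            if pattern.search(cmd):
                findings.append({"host": host, "user": user, "parent": parent,
                                 "stage": stage, "rule": rule_id, "cmd": cmd})
    return findings


def triage(findings):
    """Group findings per host and assign a severity.

    Any backup-destruction hit is 'critical': in the sequence the article
    describes it is the last stage before encryption, so the response window
    is hours, not days. Several distinct lateral-movement rules on one host
    are 'high'; a single hit is 'medium' and worth a look, not an alarm.
    """
    per_host = defaultdict(lambda: {"stages": set(), "rules": set()})
    for f in findings:
        per_host[f["host"]]["stages"].add(f["stage"])
        per_host[f["host"]]["rules"].add(f["rule"])
    report = {}
    for host, info in per_host.items():
        if "backup destruction" in info["stages"]:
            severity = "critical"
        elif len(info["rules"]) >= 2:
            severity = "high"
        else:
            severity = "medium"
        report[host] = {"severity": severity,
                        "stages": sorted(info["stages"]),
                        "rules": sorted(info["rules"])}
    return report


if __name__ == "__main__":
    for host, info in sorted(triage(detect(SAMPLE_EVENTS)).items()):
        print(f"{host}: {info['severity']:8} {', '.join(info['rules'])}")
```

Run against the constructed sample, fs-01 is reported critical on three distinct backup-destruction rules, ws-017 high (PsExec service plus encoded PowerShell), and ws-042 medium for the remote-admin tool alone. The point of the per-host triage is the one the article makes: a single tool launch is ambiguous, but shadow-copy deletion on a file server almost never is, and it typically precedes detonation by hours.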
This pattern is sometimes called double extortion. Some groups go further: triple extortion adds DDoS attacks against the victim’s public services, harassment of customers whose data was stolen, or threats made directly to executives and their families.
Who gets hit
Effectively everyone, but with a clear bias toward organisations that can least afford downtime: hospitals, schools, municipalities, manufacturers, logistics firms, law firms, and managed service providers. Two factors drive target selection. First, time-sensitivity: a hospital that cannot dispatch ambulances or a factory that cannot run its production line is far more likely to pay quickly. Second, blast radius: compromising a single managed service provider or a single piece of file-transfer software can yield hundreds of downstream victims at once, as Cl0p’s MOVEit campaign demonstrated.
How much it costs
The ransom itself is rarely the largest line item. Industry incident-response data consistently shows that recovery costs (downtime, forensics, rebuilding infrastructure, regulatory exposure, legal fees, customer notification, and brand damage) usually exceed the ransom by several multiples, and that paying does not reliably restore data: decryptors are buggy, partial, or simply wrong, and there is no consumer-protection regime in the criminal underground.
Why it is not going away
Law enforcement has scored real wins (the takedowns of Hive, LockBit, and others), but the underlying conditions remain. Edge devices keep shipping with vulnerabilities. Credentials keep getting stolen and resold. Cryptocurrency keeps providing a payment rail. And the asymmetry between attacker and defender is brutal: a defender has to be right every day across a sprawling estate, while an attacker only needs one foothold and a long weekend.
The good news is that the playbook is now well understood. Multi-factor authentication on every external service, immutable offline backups, modern EDR, prompt patching of internet-facing systems, and rehearsed incident-response plans dramatically reduce both the probability and impact of an attack. Ransomware is, in the end, a problem of operational discipline as much as it is a problem of malware. Knowing what you are up against is the first step.
