Locker ransomware encrypts files on infected systems using strong encryption (RSA-2048, AES), rendering them unusable; decryption without the key is cryptographically infeasible.
What is ransomware
Ransomware is malicious software that encrypts an organization's data and systems, making them inaccessible, while the attacker demands payment (ransom) for decryption keys. Modern ransomware often involves data exfiltration—stealing sensitive information before encryption and threatening to sell or publish it if payment is refused. Ransomware is the costliest cyber threat, averaging 4.5 million dollars in damages per incident including downtime, recovery, and incident response.
Why it matters
Ransomware is a business-threatening attack. A successful deployment can halt operations across an entire organization, corrupt backups, and expose sensitive data (patient records, financial information, trade secrets). For CISOs, ransomware defense requires a multi-layered strategy: immutable backups that survive encryption, segmentation that contains lateral movement, detection and response procedures that interrupt attacks before encryption completes, and preparation (incident response plans, communication protocols, law enforcement coordination). Unlike data breaches that may go undetected for months, ransomware creates immediate visibility and pressure—attackers deliberately announce the attack to force quick payment decisions. Understanding the attack lifecycle (initial access → lateral movement → data exfiltration → encryption) enables faster response. Most ransomware attacks succeed through unpatched systems and weak credentials, not sophisticated zero-day exploits.
Key points
- Data exfiltration ransomware steals sensitive data before encryption, then threatens to publish or sell it—even if you have good backups, this 'double extortion' threat remains
- Ransomware-as-a-Service (RaaS) allows non-technical attackers to purchase or rent ransomware code, conduct attacks, and share proceeds with developers; this has industrialized ransomware attacks
- Initial access vectors include unpatched systems (EternalBlue, ProxyLogon), weak credentials (RDP exposed to the internet, default passwords), phishing with malicious attachments, and compromised supply chain tools
- Lateral movement in ransomware attacks exploits lack of segmentation: once inside, attackers use credential theft and privilege escalation to spread to file servers, backups, and domain controllers
Enterprise ransomware attack timeline
An attacker sends a phishing email with a malicious Word document to an employee at a manufacturing company. The document contains a macro that downloads and executes ransomware. The malware establishes persistence, harvests credentials from the compromised workstation, and begins lateral movement to file servers and domain controllers. Simultaneously, it exfiltrates sensitive manufacturing specifications and customer data to attacker-controlled servers. Hours later, the ransomware begins encryption across the network, and hundreds of terabytes of data become inaccessible. The attacker demands 5 million dollars for decryption keys and threatens to sell blueprints to competitors. The company faces a dilemma: pay and risk funding future attacks, or refuse and lose weeks of recovery time while facing regulatory penalties for data exposure. Even with good backups, recovery takes 3+ weeks because systems must be rebuilt from scratch from verified clean media.
Common mistakes
- Assuming good backups alone protect against ransomware: modern ransomware seeks and encrypts backups or removes backup software; immutable backups (write-once, time-locked) and offline backups are essential
- Paying ransoms: payment doesn't guarantee decryption, funds criminal operations, increases likelihood of re-victimization, and may violate sanctions laws; law enforcement advises against payment
- Storing backup credentials in easily accessible places: if an attacker compromises your domain admin account, they can access backup credentials and encryption keys stored in the same network segment
Frequently asked questions
Should we negotiate with ransomware attackers?
Law enforcement (FBI, CISA, Europol) advises against paying ransoms. Payments fund criminal operations, increase likelihood of re-victimization, and don't guarantee decryption or that stolen data won't be sold. However, negotiations may provide additional time for recovery or intelligence about the attack. If you do engage, consult legal counsel and threat intelligence experts. Some organizations use negotiation as a stalling tactic while backups are restored. Regardless, prepare to recover without paying—this means investing in immutable backups and incident response capabilities before an attack occurs.
How can we detect ransomware before encryption completes?
Ransomware typically requires hours to days for lateral movement and exfiltration before encryption begins. Detection strategies include: monitoring file system activity for mass file modifications (endpoint detection and response tools), tracking unusual network traffic (data exfiltration often creates network spikes), monitoring for privilege escalation and lateral movement attempts, and maintaining network segmentation to contain spread. A 4-hour detection window can mean the difference between a contained incident and enterprise-wide encryption. The quickest detections tend to involve immature ransomware or overeager attackers who move noisily; sophisticated attackers may spend weeks preparing before encryption.
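The "mass file modification" signal mentioned above can be turned into a simple sliding-window heuristic. The following is an added example, not code from the original page or from any EDR product; the event format, the process names, the baseline extension list and the thresholds are all constructed assumptions for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
import os

@dataclass(frozen=True)
class FileEvent:
    ts: float      # seconds (constructed clock)
    host: str
    process: str
    action: str    # "write", "rename" or "delete"
    path: str

# Assumed set of extensions normally seen on the file share (baseline).
BASELINE_EXTS = {".docx", ".xlsx", ".pdf", ".pptx", ".txt"}

def synthetic_events():
    """Constructed sample log: slow, normal editing on ws01, then a burst on
    fs01 where one process rewrites 250 spreadsheets to an unknown extension."""
    ev = [FileEvent(1000 + i * 30, "ws01", "winword.exe", "write",
                    f"C:/users/a/doc{i}.docx") for i in range(20)]
    for i in range(250):
        t = 2000 + i * 0.05
        ev.append(FileEvent(t, "fs01", "updater.exe", "write", f"D:/share/q{i}.xlsx"))
        ev.append(FileEvent(t + 0.01, "fs01", "updater.exe", "rename",
                            f"D:/share/q{i}.xlsx.locked"))
    return ev

def detect_mass_modification(events, window_s=60.0, threshold=100, min_foreign=0.5):
    """Alert once per (host, process) that touches >= threshold distinct files
    inside a window_s sliding window, when at least min_foreign of those files
    end in an extension outside BASELINE_EXTS (a typical encryption signature)."""
    recent = defaultdict(deque)   # (host, process) -> events inside the window
    alerted, alerts = set(), []
    for e in sorted(events, key=lambda x: x.ts):
        key = (e.host, e.process)
        q = recent[key]
        q.append(e)
        while q and e.ts - q[0].ts > window_s:   # drop events older than the window
            q.popleft()
        files = {x.path for x in q}
        if len(files) < threshold or key in alerted:
            continue
        foreign = {p for p in files if os.path.splitext(p)[1].lower() not in BASELINE_EXTS}
        ratio = len(foreign) / len(files)
        if ratio >= min_foreign:
            alerted.add(key)
            alerts.append({"host": e.host, "process": e.process, "first_ts": q[0].ts,
                           "files": len(files), "foreign_ratio": round(ratio, 2)})
    return alerts
```

Tune `threshold` and `window_s` against a baseline of your own file-server telemetry; the point is that the alert fires after the first hundred files, long before an entire share is affected.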
What is the difference between ransomware and wiper malware?
Ransomware encrypts data and demands payment for decryption keys. Wiper malware (such as WhisperGate, HermeticWiper) simply destroys data without offering recovery—the goal is disruption or sabotage, not extortion. Wiper malware is more common in state-sponsored attacks or destructive campaigns. From a defense perspective, both require fast detection, network segmentation, and offline backups. However, paying a ransom doesn't help against wiper malware since decryption is impossible.
How long does it typically take to recover from a ransomware attack?
Recovery time depends on attack scope, backup quality, and system complexity. Contained incidents (single workstation) may recover in hours. Enterprise-wide attacks typically require 2-8 weeks for full recovery from immutable backups, including time to rebuild compromised systems from clean media, verify data integrity, and conduct forensic analysis. Some organizations never fully recover—they rebuild systems and accept permanent data loss for non-critical systems. Ransomware recovery is slow because you cannot trust any part of the compromised system; everything must be rebuilt from verified clean sources.