What Is Ransomware: Definition and Core Concepts

Ransomware is a category of malicious software that denies access to data or systems — typically through encryption — and demands payment in exchange for restoration. The threat spans every major sector of the US economy, carrying significant financial, operational, and regulatory consequences for affected organizations. This page covers the formal definition, attack mechanics, common deployment scenarios, and the classification boundaries that distinguish ransomware variants from one another and from adjacent threat categories. The ransomware service landscape covered across this reference network reflects the breadth of professional categories now engaged in ransomware response.


Definition and scope

Ransomware is formally defined by the Cybersecurity and Infrastructure Security Agency (CISA) as "a form of malware designed to encrypt files on a device, rendering any files and the systems that rely on them unusable" until a ransom is paid. The FBI's Internet Crime Complaint Center (IC3) classifies ransomware as a subset of extortion-based cybercrime and received 2,825 ransomware complaints in 2023 — a figure widely understood to underrepresent actual incident volume given chronic underreporting (IC3 2023 Internet Crime Report).

The scope of ransomware as a threat category extends beyond simple file encryption. Operators frequently exfiltrate data before encrypting it, threatening public disclosure as a second coercive layer. This pattern — referred to as double extortion — has become a standard component of professional ransomware operations since approximately 2019. A third variant, triple extortion, adds distributed denial-of-service (DDoS) pressure or direct contact with a victim's clients or partners.

CISA's statutory authority to issue ransomware guidance derives from the Cybersecurity and Infrastructure Security Agency Act of 2018 (Public Law 115-278), which designated CISA as the national coordinator for civilian cybersecurity, including ransomware threat response. Sector-specific regulatory obligations layer on top of this baseline: healthcare entities face reporting obligations under HIPAA (45 CFR §§ 164.400–414), financial institutions operate under the Gramm-Leach-Bliley Act and its implementing rules, and critical infrastructure operators are subject to CISA's Cross-Sector Cybersecurity Performance Goals.


How it works

Ransomware attacks follow a structured kill chain. The phases below reflect the taxonomy documented in NIST Special Publication 800-61 (Computer Security Incident Handling Guide) and operationalized across CISA's published advisories:

  1. Initial access — Attackers gain entry through phishing emails, exploitation of unpatched vulnerabilities (notably exposed Remote Desktop Protocol on port 3389), credential stuffing, or compromised managed service providers. CISA's advisory AA22-040A identified phishing and RDP exploitation as the two most common ransomware initial access vectors across observed incidents.
  2. Execution and persistence — Malicious payloads are deployed and persistence mechanisms are established, often through scheduled tasks, registry modifications, or implanted remote access tools. Attackers may reside in a network for days to weeks before triggering encryption.
  3. Privilege escalation and lateral movement — Attackers escalate to administrator or domain-level credentials and traverse the network to maximize the scope of encryption. Tools such as Mimikatz and living-off-the-land binaries (LOLBins) native to Windows environments are commonly observed at this phase.
  4. Data exfiltration (double/triple extortion models) — Sensitive files are staged and exfiltrated to attacker-controlled infrastructure prior to encryption, establishing the second coercion lever.
  5. Encryption and ransom note delivery — The ransomware payload executes, encrypting files using asymmetric cryptography. Decryption keys are withheld by the operator. A ransom note specifying payment amount — typically denominated in cryptocurrency — and contact instructions is deposited on the affected system.
  6. Negotiation and payment (or recovery) — Victims elect to pay, negotiate, or pursue independent recovery. The resources and professional services sector covered in this network primarily operates at this phase and the preceding recovery planning phases.

Encryption algorithms used by ransomware operators typically combine AES (symmetric, for speed) with RSA or elliptic-curve cryptography (asymmetric, for key protection), making brute-force decryption computationally infeasible without the attacker-held private key.
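The six phases above are what a responder reconstructs after the fact from endpoint and network telemetry. The following added example (not from CISA, NIST or this reference network) maps a handful of constructed events onto that phase numbering: an RDP logon from outside the internal ranges, a new scheduled task, a handle opened to lsass.exe, a large outbound transfer, and a burst of file-extension changes followed by a ransom-note-like file. The log format, field names, thresholds and all addresses are assumptions made for the example, not any vendor's schema.

```python
"""Map constructed endpoint/network events onto the six-phase ransomware kill chain.

Added example. The 'key=value' log format, its field names and the detection
thresholds are assumptions for illustration, not a real product's schema.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Phase numbering follows the six phases listed in the text above.
PHASES = {
    1: "Initial access", 2: "Execution and persistence",
    3: "Privilege escalation and lateral movement", 4: "Data exfiltration",
    5: "Encryption and ransom note delivery", 6: "Negotiation / recovery",
}
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
EXFIL_BYTES = 1 << 30                  # assumed threshold: 1 GiB to one external host
MASS_RENAME_MIN, MASS_RENAME_WINDOW = 20, timedelta(seconds=60)
RANSOM_NOTE_RE = re.compile(r"(readme|restore|decrypt|recover)[^\\/]*\.(txt|html)$", re.I)


@dataclass
class PhaseHit:
    phase: int
    first_seen: datetime
    evidence: str


def parse_line(line):
    """'<ISO ts> <host> k=v k=v ...' -> dict, or None for blank/malformed lines."""
    parts = line.split()
    if len(parts) < 3:
        return None
    try:
        ev = {"ts": datetime.fromisoformat(parts[0]), "host": parts[1]}
    except ValueError:
        return None
    for kv in parts[2:]:
        key, _, value = kv.partition("=")
        ev[key] = value
    return ev


def is_external(ip):
    """True when the address is outside the assumed internal ranges; unparsable -> False."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def reconstruct_kill_chain(log_text):
    """Return one PhaseHit per detected phase, ordered by phase number."""
    hits, renames = {}, []            # renames: timestamps of extension-changing renames

    def note(phase, ev, why):          # keep the earliest evidence for each phase
        if phase not in hits:
            hits[phase] = PhaseHit(phase, ev["ts"], why)

    for ev in filter(None, map(parse_line, log_text.splitlines())):
        e = ev.get("event")
        if e == "logon" and ev.get("logon_type") == "rdp" and is_external(ev.get("src_ip", "")):
            note(1, ev, f"RDP logon from external {ev['src_ip']} as {ev.get('user')}")
        elif e == "task_created":
            note(2, ev, f"scheduled task {ev.get('name')} created by {ev.get('user')}")
        elif e == "process_access" and ev.get("target", "").lower().endswith("lsass.exe"):
            note(3, ev, f"{ev.get('source')} opened a handle to lsass.exe (credential access)")
        elif e == "net_out" and int(ev.get("bytes", 0)) >= EXFIL_BYTES and is_external(ev.get("dst_ip", "")):
            note(4, ev, f"{int(ev['bytes']) >> 20} MiB sent to external {ev['dst_ip']}")
        elif e == "file_rename" and ev.get("old", "").rsplit(".", 1)[-1] != ev.get("new", "").rsplit(".", 1)[-1]:
            renames.append(ev["ts"])
        elif e == "file_create" and RANSOM_NOTE_RE.search(ev.get("path", "")):
            note(5, ev, f"ransom-note-like file {ev['path']}")

    # Burst heuristic: MASS_RENAME_MIN extension changes inside one MASS_RENAME_WINDOW.
    renames.sort()
    for i, t0 in enumerate(renames):
        j = i + MASS_RENAME_MIN - 1
        if j < len(renames) and renames[j] - t0 <= MASS_RENAME_WINDOW:
            if 5 not in hits or t0 < hits[5].first_seen:
                hits[5] = PhaseHit(5, t0, f"{MASS_RENAME_MIN}+ extension changes within {MASS_RENAME_WINDOW.seconds}s")
            break
    return [hits[p] for p in sorted(hits)]


def constructed_sample():
    """Constructed log for one file server; all IPs are documentation ranges (RFC 5737)."""
    lines = [
        "2024-03-01T02:14:05 FS01 event=logon logon_type=rdp user=svc_backup src_ip=198.51.100.23",
        "2024-03-01T02:20:41 FS01 event=task_created name=UpdaterSync user=svc_backup",
        "2024-03-01T03:02:17 FS01 event=process_access source=C:\\Users\\svc_backup\\m.exe target=C:\\Windows\\System32\\lsass.exe",
        "2024-03-02T23:40:02 FS01 event=net_out dst_ip=203.0.113.9 dst_port=443 bytes=5368709120",
    ]
    t = datetime.fromisoformat("2024-03-03T01:00:00")
    for i in range(25):               # 25 extension changes in 50 seconds
        ts = (t + timedelta(seconds=2 * i)).isoformat()
        lines.append(f"{ts} FS01 event=file_rename old=C:\\Share\\Q1\\doc{i}.xlsx new=C:\\Share\\Q1\\doc{i}.xlsx.locked")
    lines.append("2024-03-03T01:01:00 FS01 event=file_create path=C:\\Share\\Q1\\README_RESTORE.txt")
    return "\n".join(lines)


if __name__ == "__main__":
    for hit in reconstruct_kill_chain(constructed_sample()):
        print(f"{hit.first_seen:%Y-%m-%d %H:%M:%S}  phase {hit.phase} {PHASES[hit.phase]}: {hit.evidence}")
```

Phase 6 has no detection rule because negotiation and recovery are human activities, not telemetry. The point of the burst heuristic is that mass extension changes, not any single rename, are the encryption-phase signal; in a real environment the thresholds would be tuned per file server, and the two-day gap between the lsass access and the outbound transfer in the sample mirrors the dwell time the text describes.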


Common scenarios

Ransomware deployment patterns cluster around high-value targets and sectors with low tolerance for operational downtime. The following scenarios represent consistently documented attack contexts across CISA, FBI, and HHS advisories:

Healthcare and hospitals — Healthcare remains the most targeted critical infrastructure sector for ransomware, as documented in the HHS Office for Civil Rights breach portal and multiple CISA health sector advisories. Electronic health record (EHR) system outages directly impair patient care, creating maximum coercive pressure. The 2020 attack on Universal Health Services — one of the largest US hospital chains — disrupted 400 facilities (HHS HIPAA Breach Notification Rule, 45 CFR §164.400).

State and local government — Municipal governments face ransomware pressure due to legacy infrastructure, constrained IT budgets, and the public visibility of service disruptions. The Multi-State Information Sharing and Analysis Center (MS-ISAC) has documented ransomware as the leading cyberthreat to state and local government entities.

Education — K-12 schools and universities represent targets of opportunity due to broad network access, high volumes of personal data, and relatively open network architectures. The K-12 Cybersecurity Act of 2021 (Public Law 117-82) directed CISA to produce specific guidance addressing this sector's vulnerabilities.

Manufacturing and operational technology (OT) — Ransomware that crosses from IT networks into industrial control systems (ICS) or operational technology environments can halt physical production. The 2021 attack on Colonial Pipeline — which supplies roughly 45 percent of fuel consumed on the US East Coast — triggered a federal emergency declaration under 49 USC § 60101 and remains the benchmark reference point for critical infrastructure ransomware risk.


Decision boundaries

Accurate classification of a ransomware incident determines the applicable regulatory notification timeline, the appropriate technical response path, and the legal exposure of the affected organization. The distinctions below define the operative boundaries within this threat category.

Ransomware vs. wiper malware — Ransomware preserves the ability to restore data (in theory) by withholding a decryption key. Wiper malware destroys data without offering a restoration path. NotPetya (2017) was initially classified as ransomware but has since been reclassified as destructive wiper malware by the US and UK governments; no functional decryption key was ever offered. The distinction matters because wiper attacks trigger different incident response playbooks and potentially different insurance coverage determinations.

Ransomware-as-a-Service (RaaS) vs. closed-group operations — RaaS operators provide ransomware payloads, negotiation infrastructure, and technical support to affiliate attackers in exchange for a percentage of ransom proceeds, typically 20–30 percent of collected payments based on observed affiliate agreements documented in CISA and FBI joint advisories. Closed-group operations — such as those attributed to nation-state actors — do not use affiliate structures and typically have distinct geopolitical motives beyond financial extortion.

Locker ransomware vs. crypto ransomware — Locker ransomware locks users out of a device's interface without encrypting underlying files; crypto ransomware encrypts files directly. Locker ransomware was more prevalent before 2013; crypto ransomware, particularly following the emergence of CryptoLocker in late 2013, now constitutes the dominant form. NIST SP 800-83 (Guide to Malware Incident Prevention and Handling) provides a taxonomy framework applicable to this classification distinction.

Single extortion vs. double extortion vs. triple extortion — Single extortion uses encryption alone. Double extortion adds data leak threats. Triple extortion adds DDoS pressure or third-party notification threats. Each tier escalates negotiation complexity and widens the potential regulatory notification obligation, since exfiltrated data may trigger breach notification requirements under state laws (all 50 US states have enacted breach notification statutes) regardless of whether a ransom is paid.
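The four boundaries above are applied together during triage, and the consequences they drive (which playbook, whether a breach-notification analysis is owed) are what make the classification matter. The following added example, which is not part of this reference network's material, encodes that triage as one decision procedure over observed facts. The field names and the wording of the derived consequences are assumptions made for the example; the NotPetya-style case (ransom note present, no functional decryption path) is included to show that a note alone does not make an incident ransomware.

```python
"""Triage an incident against the ransomware classification boundaries above.

Added example; the IncidentFacts field names and the consequence strings are
assumptions for illustration, not a regulatory checklist.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class IncidentFacts:
    data_rendered_unusable: bool           # files encrypted or otherwise destroyed
    interface_locked: bool                 # device UI locked, files untouched (locker)
    ransom_note_present: bool
    decryption_path_offered: bool          # operator holds a key and offers restoration
    data_exfiltrated: bool
    ddos_or_third_party_pressure: bool
    affiliate_operated: Optional[bool] = None   # True: RaaS affiliate; False: closed group
    ransom_paid: bool = False


@dataclass
class Classification:
    category: str
    extortion_tier: Optional[str]
    operating_model: str
    consequences: List[str] = field(default_factory=list)


def classify(f: IncidentFacts) -> Classification:
    # Boundary 1: ransomware vs. wiper. Restoration must be possible in principle;
    # a ransom note without a functional decryption path is the NotPetya pattern.
    if f.data_rendered_unusable and not f.decryption_path_offered:
        category = "wiper malware (presented as ransomware)" if f.ransom_note_present else "wiper malware"
    # Boundary 3: locker vs. crypto ransomware.
    elif f.interface_locked and not f.data_rendered_unusable:
        category = "locker ransomware"
    elif f.data_rendered_unusable:
        category = "crypto ransomware"
    else:
        category = "no ransomware indicators"

    is_ransomware = category.endswith("ransomware")

    # Boundary 4: extortion tier applies only when a ransom demand is actually in play.
    tier = None
    if is_ransomware:
        tier = "triple" if f.ddos_or_third_party_pressure else ("double" if f.data_exfiltrated else "single")

    # Boundary 2: RaaS affiliate vs. closed group, if attribution supports a call.
    model = {True: "RaaS affiliate", False: "closed group"}.get(f.affiliate_operated, "undetermined")

    consequences = []
    if category.startswith("wiper"):
        consequences.append("destructive-malware playbook: restore from backups, no key to negotiate for")
        consequences.append("insurance coverage determination may differ from a ransomware claim")
    if f.data_exfiltrated:
        consequences.append("breach-notification analysis required regardless of whether a ransom is paid")
    if tier == "triple":
        consequences.append("prepare DDoS mitigation and client/partner communications")
    return Classification(category, tier, model, consequences)


def constructed_cases():
    """Constructed incidents, one per boundary the text draws."""
    return {
        "notpetya_like": IncidentFacts(True, False, True, False, False, False),
        "double_extortion_affiliate": IncidentFacts(True, False, True, True, True, False, affiliate_operated=True),
        "triple_extortion": IncidentFacts(True, False, True, True, True, True),
        "locker": IncidentFacts(False, True, True, True, False, False),
    }


if __name__ == "__main__":
    for name, facts in constructed_cases().items():
        c = classify(facts)
        print(f"{name}: {c.category}; tier={c.extortion_tier}; model={c.operating_model}")
        for line in c.consequences:
            print(f"  - {line}")
```

The ordering of the checks is the substance: the wiper test runs before the locker/crypto split because a missing restoration path overrides everything else the incident looks like, and the exfiltration consequence is attached independently of the category because the notification obligation described above does not depend on how the data was denied.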

For organizations assessing where a specific incident falls within these boundaries, the purpose and scope documentation for this provider network and the resource navigation reference describe how professional service categories within the ransomware response sector are organized and differentiated.

