What Is Ransomware: Definition and Core Concepts
Ransomware is a category of malicious software that denies access to data or systems — typically through encryption — and demands payment in exchange for restoration. The threat spans every major sector of the US economy, carrying significant financial, operational, and legal consequences for affected organizations. This page covers the formal definition, attack mechanics, common deployment scenarios, and the classification boundaries that distinguish ransomware variants from one another and from adjacent threat categories.
Definition and scope
Ransomware is formally defined by the Cybersecurity and Infrastructure Security Agency (CISA) as "a form of malware designed to encrypt files on a device, rendering any files and the systems that rely on them unusable" until a ransom is paid. The FBI's Internet Crime Complaint Center (IC3) classifies ransomware as a subset of extortion-based cybercrime and received 2,825 ransomware complaints in 2023, a figure widely understood to underrepresent actual incident volume given chronic underreporting (IC3 2023 Internet Crime Report).
The scope of ransomware as a threat category extends beyond simple file encryption. Operators may exfiltrate data before encrypting it, threatening public release as a second layer of coercion — a pattern covered in depth under double extortion ransomware. A third layer involving direct pressure on customers, partners, or regulators defines triple extortion ransomware. Payment demands are almost universally denominated in cryptocurrency to complicate attribution and asset recovery, as detailed under ransomware cryptocurrency payments.
Regulatory framing intersects with the definition itself. Under HIPAA, the Department of Health and Human Services (HHS) has confirmed that a ransomware attack involving protected health information is presumed to constitute a reportable breach unless the covered entity can demonstrate a low probability of compromise. This framing makes the legal consequences of ransomware inseparable from its technical definition in healthcare and other regulated sectors.
How it works
A ransomware attack follows a structured sequence of phases that security practitioners commonly map against the MITRE ATT&CK framework; NIST SP 1800-26 documents detection and response for the later, destructive phases. The phases, which in practice overlap and repeat rather than running strictly in order, are:
- Initial access — The attacker gains a foothold through phishing emails, exploitation of exposed Remote Desktop Protocol (RDP) services, unpatched vulnerabilities, or compromised credentials. The ransomware initial access vectors taxonomy covers these entry points by frequency and sector.
- Execution and persistence — Malicious payloads are deployed and mechanisms are established to survive reboots or detection attempts. Signed administrative tooling already present on the host (PowerShell, WMI, scheduled tasks, remote-execution utilities) is frequently repurposed at this stage, a practice commonly called "Living off the Land". MITRE ATT&CK has no technique by that name; it catalogs the behavior under entries such as System Binary Proxy Execution (T1218) and Scheduled Task/Job (T1053).
- Lateral movement — The attacker traverses the internal network to identify high-value targets such as domain controllers, backup systems, and file servers. Active Directory compromise is a critical enabler at this phase; see active directory ransomware for structural detail.
- Privilege escalation — Local or domain administrative credentials are obtained, often by dumping credentials from already-compromised hosts, to maximize encryption scope and to disable endpoint protection and backup agents. In real intrusions this phase interleaves with lateral movement rather than following it.
- Data staging and exfiltration — In double extortion operations, sensitive data is copied to attacker-controlled infrastructure before encryption begins.
- Encryption — The payload encrypts target files. Nearly all current families use a hybrid scheme: a fast symmetric cipher (AES, or a ChaCha20/Salsa20 variant) encrypts file contents under per-victim or per-file keys, and those keys are in turn encrypted with the operator's RSA-2048 or RSA-4096 public key embedded in the payload. Because only the operator holds the matching private key, the symmetric keys cannot be recovered from disk or memory after the run completes, which is what makes payment the only decryption route. The full technical treatment of cryptographic methods used appears at ransomware encryption methods.
- Ransom demand — A ransom note is dropped, providing payment instructions and, increasingly, a negotiation portal operated by the threat actor group.
The full attack chain is mapped at ransomware attack lifecycle.
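Two of these phases leave signals that a defender can check for directly: the disabling of recovery mechanisms that precedes encryption, and the encryption run itself, which shows up as a burst of files being renamed to one new extension. The following Python is an added example for this page, not code from CISA, NIST or MITRE. It assumes a pipe-delimited log format (`timestamp|host|event|detail`) that is invented for the demo; the hostnames, paths, the `.lockd` extension and the thresholds (five renames in sixty seconds) are constructed and illustrative, and the command-line pattern list is a starting point rather than an exhaustive signature set.

```python
"""Two ransomware-lifecycle detections run over constructed log lines.

Added example for this page (not CISA, NIST or MITRE code). Assumed log
format: "timestamp|host|event|detail", where event is "proc" (process
creation, detail = command line) or "rename" (detail = "src -> dst").
Hostnames, paths and the ".lockd" extension are constructed for the demo.
"""
import ntpath
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample: one file server under attack (FS01) and one benign workstation (WS07).
SAMPLE_LOG = r"""
2024-03-01T02:10:05|FS01|proc|C:\Windows\System32\vssadmin.exe delete shadows /all /quiet
2024-03-01T02:10:06|FS01|proc|C:\Windows\System32\wbadmin.exe delete catalog -quiet
2024-03-01T02:10:07|FS01|proc|bcdedit.exe /set {default} recoveryenabled no
2024-03-01T02:10:20|FS01|rename|D:\share\finance\q1.xlsx -> D:\share\finance\q1.xlsx.lockd
2024-03-01T02:10:20|FS01|rename|D:\share\finance\q2.xlsx -> D:\share\finance\q2.xlsx.lockd
2024-03-01T02:10:21|FS01|rename|D:\share\finance\budget.docx -> D:\share\finance\budget.docx.lockd
2024-03-01T02:10:21|FS01|rename|D:\share\hr\roster.csv -> D:\share\hr\roster.csv.lockd
2024-03-01T02:10:22|FS01|rename|D:\share\hr\policy.pdf -> D:\share\hr\policy.pdf.lockd
2024-03-01T02:10:23|FS01|rename|D:\share\README.txt -> D:\share\README.txt.lockd
2024-03-01T02:10:25|FS01|rename|D:\share\notes.txt -> D:\share\notes_old.txt
2024-03-01T09:00:00|WS07|proc|C:\Windows\System32\vssadmin.exe list shadows
2024-03-01T09:05:00|WS07|rename|C:\Users\a.lee\report.docx -> C:\Users\a.lee\report.docx.bak
2024-03-01T10:05:00|WS07|rename|C:\Users\a.lee\plan.docx -> C:\Users\a.lee\plan.docx.bak
"""

# Command lines that destroy shadow copies or backups (ATT&CK T1490). Illustrative, not exhaustive.
RECOVERY_INHIBITION = [
    (re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I), "vssadmin delete shadows"),
    (re.compile(r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I), "wbadmin delete backups"),
    (re.compile(r"bcdedit(\.exe)?\s.*recoveryenabled\s+no", re.I), "bcdedit disable recovery"),
    (re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I), "wmic shadowcopy delete"),
]


def parse_log(text):
    """Parse the assumed pipe-delimited format into event dicts, skipping blank lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, host, kind, detail = line.split("|", 3)
        events.append({"ts": datetime.fromisoformat(ts), "host": host, "kind": kind, "detail": detail})
    return events


def find_recovery_inhibition(events):
    """Flag process events whose command line matches a recovery-destruction pattern."""
    hits = []
    for e in events:
        if e["kind"] != "proc":
            continue
        for pattern, label in RECOVERY_INHIBITION:
            if pattern.search(e["detail"]):
                hits.append({"host": e["host"], "ts": e["ts"], "label": label, "technique": "T1490"})
                break  # one hit per event even if several patterns match
    return hits


def find_encryption_bursts(events, window=timedelta(seconds=60), min_renames=5):
    """Flag a host when >= min_renames files inside one time window receive the same
    new extension (ATT&CK T1486). Renames that keep the extension are ignored."""
    per_host = defaultdict(list)
    for e in events:
        if e["kind"] != "rename":
            continue
        src, sep, dst = e["detail"].partition(" -> ")
        if not sep:
            continue
        old_ext = ntpath.splitext(src)[1].lower()
        new_ext = ntpath.splitext(dst)[1].lower()
        if new_ext and new_ext != old_ext:
            per_host[e["host"]].append((e["ts"], new_ext))

    alerts = []
    for host, items in per_host.items():
        items.sort()
        i = 0
        while i < len(items):
            start = items[i][0]
            # items are sorted, so the renames inside the window are a contiguous prefix of items[i:]
            in_window = [ext for ts, ext in items[i:] if ts - start <= window]
            ext, count = Counter(in_window).most_common(1)[0]
            if count >= min_renames:
                alerts.append({"host": host, "start": start, "extension": ext,
                               "count": count, "technique": "T1486"})
                i += len(in_window)  # do not re-alert on the same burst
            else:
                i += 1
    return alerts


def analyze(log_text):
    """Run both detections and return the alerts grouped by category."""
    events = parse_log(log_text)
    return {"recovery_inhibition": find_recovery_inhibition(events),
            "encryption_bursts": find_encryption_bursts(events)}


if __name__ == "__main__":
    for category, alerts in analyze(SAMPLE_LOG).items():
        for alert in alerts:
            print(category, alert)
```

On the constructed sample, FS01 produces three T1490 hits and one T1486 burst (six files to `.lockd` in three seconds), while WS07's `vssadmin list shadows` and its two `.bak` renames an hour apart trigger nothing. In production the same logic would sit on Sysmon event 1 (process creation) and file-audit or EDR file-rename telemetry; the rename-burst check is the one worth tuning per host class, since backup and archiving jobs rename files in bulk legitimately.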
Common scenarios
Ransomware deployment scenarios vary by target sector, threat actor sophistication, and delivery mechanism.
Commodity ransomware via phishing is the highest-volume scenario. Broadly distributed campaigns deliver malicious attachments or links to large populations of recipients. Infection is largely opportunistic, and ransom demands are calibrated to consumer or small business payment capacity — typically ranging from hundreds to low thousands of dollars.
Ransomware-as-a-Service (RaaS) operations dominate the enterprise threat landscape. Under the RaaS model, a core developer group licenses ransomware infrastructure to affiliate operators who conduct intrusions independently. LockBit, ALPHV/BlackCat, and Cl0p operated under this structure, enabling high attack volume across affiliates. The structural mechanics of this model are covered at ransomware as a service.
Targeted enterprise and critical infrastructure attacks involve extended dwell times — sometimes exceeding 14 days — during which affiliates conduct reconnaissance, escalate privileges, and maximize encryption impact before deploying the payload. These operations produce the highest ransom demands, frequently exceeding $1 million.
Supply chain compromise represents a distinct scenario in which a trusted software vendor or managed service provider (MSP) is used as the intrusion vector into many downstream customer organizations simultaneously. In the 2021 Kaseya VSA incident, attributed to the REvil group, the attackers exploited Kaseya's VSA remote-management software as deployed at MSPs and used it to push ransomware to as many as 1,500 downstream organizations (CISA/FBI joint guidance on the Kaseya VSA supply-chain ransomware attack, July 2021). This scenario type is analyzed at ransomware supply chain attacks.
Decision boundaries
Classification boundaries distinguish ransomware from adjacent threat categories and separate ransomware subtypes from one another.
Ransomware vs. wiper malware — Both categories may encrypt or destroy data, but wiper malware has no working decryption path; destruction is the objective. NotPetya (2017), attributed by the US government to Russian military intelligence (GRU) and the subject of a 2020 DOJ indictment of GRU officers, functioned as a wiper despite its ransom note: the "installation key" the note asked victims to send was random data unrelated to any encryption key, so no payment could have restored data.
Locker ransomware vs. crypto ransomware — Locker variants deny access to the operating system or device interface without encrypting individual files. Crypto ransomware encrypts individual files while deliberately leaving the operating system bootable so the victim can read the note and transact. Crypto ransomware now dominates operational deployments because a locker can often be bypassed by booting from external media or removing the disk, whereas encrypted data cannot be recovered without the decryption key.
Single extortion vs. double vs. triple extortion — Single extortion involves only the encryption-and-payment demand. Double extortion adds a data leak threat. Triple extortion extends pressure to third parties — customers, regulators, or business partners — creating cascading legal exposure. These variants are classified in detail at ransomware variants.
Reporting obligation thresholds — Whether an incident triggers mandatory disclosure depends on sector, data types involved, and the regulatory bodies with jurisdiction. Healthcare entities report to HHS under HIPAA. The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) established a federal framework requiring covered entities to report substantial cyber incidents to CISA within 72 hours and ransom payments within 24 hours, with the obligations taking effect on final rulemaking. The FBI's IC3 accepts voluntary reports through the channels detailed at FBI ransomware reporting, and OFAC sanctions compliance creates additional legal boundaries around payment decisions addressed at OFAC ransomware sanctions.
References
- CISA Stop Ransomware — Cybersecurity and Infrastructure Security Agency
- IC3 2023 Internet Crime Report — FBI Internet Crime Complaint Center
- NIST SP 1800-26: Data Integrity: Detecting and Responding to Ransomware and Other Destructive Events — National Institute of Standards and Technology
- HHS HIPAA Breach Notification Rule — Department of Health and Human Services
- CISA-FBI Guidance for MSPs and their Customers Affected by the Kaseya VSA Supply-Chain Ransomware Attack (July 2021) — Cybersecurity and Infrastructure Security Agency
- MITRE ATT&CK Framework — MITRE Corporation
- Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) — CISA legislative reference
- DOJ Indictment: GRU Officers / NotPetya — US Department of Justice