Ransomware Defenders
Cybersecurity Glossary

Ransomware

Malicious software that encrypts a victim's files, systems, or entire networks, rendering them inaccessible until a ransom is paid to the attackers for a decryption key.

Understanding Ransomware

Ransomware is a category of malware that denies access to data or systems through encryption, then demands payment — typically in cryptocurrency — for restoration. Modern ransomware has evolved far beyond simple file encryption. Today's attacks are carried out by organized criminal enterprises that conduct extensive reconnaissance, move laterally through networks, exfiltrate data, destroy backups, and then deploy encryption across entire domains simultaneously.

The ransomware ecosystem has become highly professionalized through the Ransomware-as-a-Service (RaaS) model, where developers create the ransomware tools and lease them to affiliates who carry out attacks. This division of labor has dramatically increased the volume and sophistication of attacks, making ransomware one of the most significant cybersecurity threats facing organizations of all sizes.

How Ransomware Works

A typical ransomware attack follows a predictable kill chain: initial access (usually through phishing or exploiting vulnerabilities), reconnaissance and lateral movement to maximize reach, privilege escalation to gain domain admin access, data exfiltration for double extortion leverage, backup destruction or encryption, and finally mass deployment of the ransomware payload across all accessible systems. The encryption itself often combines AES-256 with RSA public-key cryptography: file contents are encrypted with AES keys, and those keys are in turn encrypted with the attacker's RSA public key, which renders files mathematically unrecoverable without the attacker's private key. Modern ransomware groups maintain dedicated leak sites on the dark web where they publish stolen data from victims who refuse to pay.

Ransomware's Evolution and Impact

From the first known ransomware (the AIDS Trojan in 1989, distributed via floppy disk) to today's multi-million-dollar enterprise attacks, ransomware has undergone a dramatic evolution. Key milestones include CryptoLocker (2013) introducing Bitcoin payments, WannaCry (2017) demonstrating worm-like propagation, and the emergence of double extortion (Maze, 2019) and triple extortion (adding DDoS threats). In 2026, ransomware costs organizations over $30 billion annually, with average ransom demands exceeding $1 million for enterprise targets. The average total cost of a ransomware incident — including downtime, recovery, legal fees, and reputational damage — exceeds $4.5 million.
