Ransomware
Your systems freeze. A ransom note appears on every screen. All your files are encrypted. Pay $3.6 million in Bitcoin within 72 hours or lose your data forever. You cannot access customer records, financial systems, or operational controls. This is ransomware. In 2025, around 41% of ransomware families use AI-based tools to deliver attacks that adapt to each target. The average ransom demand is $3.6 million. Recovery costs far exceed the ransom. Ransomware is not going away. Your only options are preparation or panic.
What Is Ransomware?
Ransomware is a type of malicious software (malware) that holds the user’s data for ransom, making it unavailable unless a demand is met. Attackers achieve this by encrypting the data and offering decryption once a payment has been received. In many cases, attackers also threaten to leak the data if payment is not received within a certain timeframe. This double extortion model increases pressure on victims to pay.
How Ransomware Attacks Occur
Ransomware attacks start with a compromise of your systems. Compromise can result from exploitation of a public-facing web application, use of compromised credentials, an employee clicking a malicious link or attachment in a phishing email, or a vulnerability within your supply chain. Once a threat actor has compromised a system, they deploy the ransomware, which begins encrypting data and making it inaccessible. Typically, the attacker then displays a ransom note instructing the victim how to pay to receive the decryption key. The ultimate aim is to gain control of your data and demand a ransom.
The Evolution of Ransomware
Attack methods have evolved. Attackers now threaten to publish or leak stolen data, notify the victim’s regulator, and target senior management directly. The goal is to maximize psychological pressure. Some attacks now combine encryption with data theft: attackers steal data before encrypting it, so even if you restore from backups, the attacker can still threaten to release your data publicly.
Ransomware by the Numbers
Astra Security’s 2025 pentesting report found the average ransom demand was $3.6 million. Healthcare and government organizations face even higher demands. In 2025, around 41% of ransomware families use AI-based tools to deliver adaptive attacks. Kaspersky detected an average of 500,000 malicious files per day in 2025, with ransomware families doubling in activity. Mobile ransomware attacks increased 67% year over year.
3 Pillars of Ransomware Defense
People
Any person in your organization is a potential point of exploitation. Effective information security is a collective responsibility. Train all staff to identify and report phishing emails. Provide interactive information security and awareness training that educates employees on their responsibilities and current threats. Training must go beyond a simple box-ticking exercise.
Processes
Implement processes for regular backups with offline or immutable storage. Test restoration regularly. A backup that cannot restore is not a backup. Establish incident response procedures specific to ransomware. Know who to call, what to isolate, and how to restore. Segment networks to limit spread. Create emergency patch procedures for critical vulnerabilities.
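The point that "a backup that cannot restore is not a backup" is easy to state and rarely tested. The following Python script is an added example, not code from the original page, of a minimal restore drill: it takes a backup of a constructed sample directory, records a SHA-256 manifest, restores the backup to a fresh location and verifies every file against the manifest. It then corrupts one file in the backup copy (standing in for a backup that was itself encrypted or silently damaged) and shows the verification catching it. All paths and data are constructed in a temporary directory; the function and file names are this example's own.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each regular file under root (relative POSIX path) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def take_backup(src: Path, backup_dir: Path) -> Path:
    """Copy src into backup_dir/data and write a manifest beside it. Returns the manifest path.

    In production the manifest must live on immutable/offline storage, separate from the
    data it describes, or an attacker who can alter the backup can alter the manifest too.
    """
    shutil.copytree(src, backup_dir / "data")
    manifest_path = backup_dir / "manifest.json"
    manifest_path.write_text(json.dumps(build_manifest(src), indent=2))
    return manifest_path


def restore_backup(backup_dir: Path, target: Path) -> None:
    """Restore the backed-up tree to a fresh target directory."""
    shutil.copytree(backup_dir / "data", target)


def verify_restore(manifest_path: Path, restored: Path) -> list:
    """Return a list of problems; an empty list means the restore matches the manifest exactly."""
    expected = json.loads(manifest_path.read_text())
    actual = build_manifest(restored)
    problems = []
    for rel, digest in expected.items():
        if rel not in actual:
            problems.append(f"missing: {rel}")
        elif actual[rel] != digest:
            problems.append(f"hash mismatch: {rel}")
    for rel in sorted(actual.keys() - expected.keys()):
        problems.append(f"unexpected: {rel}")
    return problems


def restore_drill() -> tuple:
    """Run backup -> restore -> verify on constructed data, then show a damaged backup failing.

    Returns (problems_for_clean_restore, problems_for_damaged_restore).
    """
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        # Constructed sample "live" data.
        src = tmp / "live"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "ledger.csv").write_text("id,amount\n1,100\n2,250\n")
        (src / "readme.txt").write_text("constructed sample data\n")

        backup_dir = tmp / "backup"
        manifest = take_backup(src, backup_dir)

        # Drill 1: a clean restore must verify with no problems.
        restore_backup(backup_dir, tmp / "restored_ok")
        clean = verify_restore(manifest, tmp / "restored_ok")

        # Drill 2: simulate a backup copy that was overwritten or encrypted after it was taken.
        (backup_dir / "data" / "finance" / "ledger.csv").write_bytes(b"\x00corrupted")
        restore_backup(backup_dir, tmp / "restored_bad")
        bad = verify_restore(manifest, tmp / "restored_bad")
        return clean, bad


if __name__ == "__main__":
    clean, bad = restore_drill()
    print("clean restore problems:", clean or "none")
    print("damaged restore problems:", bad or "none")
```

The drill is deliberately two-sided: a verification routine that has never been seen to fail is not known to work. Scheduling this kind of restore against a throwaway target, with the manifest held on storage the production environment cannot write to, turns "we have backups" into "we have restored from backups this month".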
Technology
Deploy endpoint detection and response (EDR) that detects ransomware behavior. Use email security to block phishing campaigns. Implement application allowlisting to prevent unauthorized software execution. Require multi-factor authentication for all remote access. Use privileged access management to secure administrative accounts.
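"EDR that detects ransomware behavior" usually means watching for the encrypt-and-rename burst a ransomware payload produces, rather than matching a known file hash. The following Python script is an added example, not code from the original page or from any EDR product, of that behavioral logic run over constructed file-event log lines: it raises an alert when one process renames many user documents to a new extension within a short window, and a second alert when a file whose name looks like a ransom note is created. The log format, thresholds, extension list and process names are this example's own assumptions and would need tuning against a real environment's baseline.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Tunables (assumed values; set from your own environment's baseline of rename activity).
WINDOW = timedelta(seconds=60)   # sliding window per (host, process)
RENAME_THRESHOLD = 10            # suspicious renames inside WINDOW that trigger an alert
DOC_EXT = {"docx", "xlsx", "pptx", "pdf", "txt", "csv", "jpg"}
# Ransom notes are typically dropped as plain text/HTML with names urging the victim to decrypt.
NOTE_PATTERN = re.compile(r"(decrypt|restore.?your.?files|readme.*\.(txt|hta|html))", re.IGNORECASE)

# Constructed log format: ISO timestamp | host | process | action | path[ -> new_path]
EVENT_RE = re.compile(r"^(?P<ts>\S+)\|(?P<host>[^|]+)\|(?P<proc>[^|]+)\|(?P<action>[^|]+)\|(?P<path>.+)$")


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def ext(path: str) -> str:
    name = basename(path)
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def parse_event(line: str):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    src, _, dst = ev["path"].partition(" -> ")
    ev["src"], ev["dst"] = src.strip(), (dst.strip() or None)
    return ev


def is_suspicious_rename(ev: dict) -> bool:
    """A user document renamed so that its extension changes: the classic encrypt-and-rename step."""
    if ev["action"] != "rename" or not ev["dst"]:
        return False
    return ext(ev["src"]) in DOC_EXT and ext(ev["src"]) != ext(ev["dst"])


def detect(lines) -> list:
    """Run the two heuristics over log lines in order and return the alerts raised."""
    alerts = []
    windows = defaultdict(deque)   # (host, process) -> timestamps of recent suspicious renames
    fired = set()                  # keys already alerted on, to avoid one alert per rename
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        key = (ev["host"], ev["proc"])
        if ev["action"] in ("create", "write") and NOTE_PATTERN.search(basename(ev["src"])):
            alerts.append({"type": "ransom_note", "host": ev["host"], "process": ev["proc"],
                           "path": ev["src"], "at": ev["ts"].isoformat()})
        if is_suspicious_rename(ev):
            q = windows[key]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > WINDOW:   # expire renames older than the window
                q.popleft()
            if len(q) >= RENAME_THRESHOLD and key not in fired:
                fired.add(key)
                alerts.append({"type": "mass_rename", "host": ev["host"], "process": ev["proc"],
                               "count": len(q), "first_seen": q[0].isoformat()})
    return alerts


def build_sample_events() -> list:
    """Constructed sample: a benign editor save, then a 12-file rename burst and a dropped note."""
    base = datetime(2025, 1, 15, 9, 12, 0)
    lines = [
        "2025-01-15T09:00:01|ws01|WINWORD.EXE|write|C:\\Users\\amy\\report.docx",
        # Word's save-via-temp-file rename: source is .tmp, so it is not counted as suspicious.
        "2025-01-15T09:00:02|ws01|WINWORD.EXE|rename|C:\\Users\\amy\\~WRD0001.tmp -> C:\\Users\\amy\\report.docx",
    ]
    docs = ["report.docx", "budget.xlsx", "deck.pptx", "scan.pdf", "notes.txt", "photo.jpg",
            "q1.csv", "q2.csv", "q3.csv", "q4.csv", "plan.docx", "invoice.pdf"]
    for i, name in enumerate(docs):
        ts = (base + timedelta(seconds=2 * i)).isoformat()
        lines.append(f"{ts}|ws01|updater.exe|rename|C:\\Users\\amy\\{name} -> C:\\Users\\amy\\{name}.lockd")
    lines.append("2025-01-15T09:12:30|ws01|updater.exe|create|C:\\Users\\amy\\HOW_TO_DECRYPT.txt")
    return lines


if __name__ == "__main__":
    for alert in detect(build_sample_events()):
        print(alert)
```

Two design choices matter for a real deployment. First, the window is keyed per process and host, so a backup agent or a user's bulk rename does not pool with an unrelated process; the allowlisting the page recommends would exclude known-good binaries before this logic runs. Second, the alert fires once per key when the threshold is crossed rather than on every subsequent rename, which keeps the analyst's queue readable while still capturing the first-seen time needed to scope the incident.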
What to Do During a Ransomware Attack
Isolate infected systems immediately. Disconnect network cables. Do not let ransomware spread. Activate your incident response plan. Contact your security team. Engage law enforcement if appropriate. Do not pay the ransom without consulting experts. Paying funds criminal enterprises and does not guarantee data recovery. Restore from clean backups if available. Preserve forensic evidence for investigation.
What Not to Do
Do not reboot infected systems. This may destroy forensic evidence. Do not pay the ransom immediately. Attackers may not provide working decryption keys. Do not communicate directly with attackers without legal and security guidance. Do not assume you are safe after paying. Attackers may strike again.
Ransomware is the most financially damaging threat facing organizations today. It preys on unpreparedness. Back up your data. Segment your networks. Train your users. Patch your systems. The organizations that survive ransomware attacks are the ones that prepared before the attack.