- Modern ransomware operators exfiltrate data before encrypting systems.
- Speedy containment can limit blast radius during active encryption.
- Tested offline backups are the most reliable recovery path available.
- Multi-factor authentication and privilege management slow lateral movement.
- Paying the ransom does not guarantee data recovery or deletion.
What is it and why it matters
Ransomware has evolved from simple file encryption into a sophisticated extortion operation where attackers combine encryption with data theft, threatening to leak sensitive information if payment isn’t made — a tactic called double extortion. Attackers typically gain initial access through phishing, compromised credentials, or unpatched vulnerabilities, then move laterally to identify and encrypt high-value data across the network. For security analysts, ransomware represents the worst-case convergence of multiple attack disciplines: initial access, privilege escalation, lateral movement, data exfiltration, and destructive impact — all under extreme time pressure.
Real-world examples
- WannaCry ransomware (2017) — Exploited the EternalBlue vulnerability to spread across unpatched Windows systems globally, hitting over 200,000 computers in 150 countries including NHS hospitals in the UK.
- Colonial Pipeline attack (2021) — DarkSide ransomware forced the shutdown of the largest fuel pipeline in the US, causing fuel shortages across the East Coast and a $4.4 million ransom payment.
- NotPetya / Petya (2017) — Disguised as ransomware but designed as destructive wiper malware, NotPetya caused over $10 billion in damage to global companies including Maersk, Merck, and FedEx.
