
What is Ransomware?

Ransomware is malicious software that encrypts an organization's files and systems, then demands a payment — almost always in cryptocurrency — for the key to unlock them. Modern campaigns add a second threat: the attackers steal a copy of the data first and promise to publish it unless paid, so even a clean restore from backup does not make the problem go away.

How an attack unfolds

Ransomware rarely detonates the instant it lands. A typical intrusion starts small: a phished credential, a reused password on an exposed remote-desktop service, or an unpatched internet-facing application. The attacker then moves laterally, escalates privileges, and maps the network for days or weeks, quietly locating backups and the most valuable data. Only at the end do they trigger encryption everywhere at once, usually outside business hours, to maximize damage before anyone can respond. By the time files lock, the intrusion is days or weeks old, and that dwell time is exactly where defenders have the best chance to catch it.
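The dwell-time signals described above can be hunted for in logon telemetry. The following is an added example, not QuantLab's tooling: it scans a small set of constructed logon records (a simplified comma-separated layout, not a real log format) and flags two things the paragraph calls out, an account fanning out to many distinct hosts within a short window, and any account outside an assumed allow-list touching hosts on an assumed backup-server watchlist. Host names, account names, the window and the threshold are all illustrative assumptions.

```python
"""Heuristic detector for the lateral-movement phase that precedes encryption.
Added example with constructed data; not the page's or QuantLab's own code."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, one per line: "timestamp,user,src_host,dst_host".
SAMPLE_LOG = """\
2024-03-01T22:01:10,svc-backup,bkp01,bkp02
2024-03-01T22:03:42,j.doe,ws-117,fs01
2024-03-01T22:04:05,j.doe,ws-117,fs02
2024-03-01T22:04:51,j.doe,ws-117,sql01
2024-03-01T22:05:30,j.doe,ws-117,bkp01
2024-03-01T22:06:12,j.doe,ws-117,dc01
2024-03-01T23:15:00,a.smith,ws-042,fs01
2024-03-02T08:30:00,a.smith,ws-042,print01
"""

BACKUP_HOSTS = {"bkp01", "bkp02"}       # assumed watchlist of backup servers
BACKUP_ACCOUNTS = {"svc-backup"}        # assumed accounts expected on those hosts
WINDOW = timedelta(minutes=10)          # assumed sliding window
FANOUT_THRESHOLD = 4                    # assumed: distinct hosts within WINDOW


def parse_log(text):
    """Parse the constructed format into (timestamp, user, src, dst) tuples, oldest first."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, dst = line.split(",")
        records.append((datetime.fromisoformat(ts), user, src, dst))
    return sorted(records)


def detect_fanout(records, window=WINDOW, threshold=FANOUT_THRESHOLD):
    """Return (user, hosts) for each account that reached >= threshold distinct
    hosts inside any `window`-long span; one alert per account."""
    by_user = defaultdict(list)
    for ts, user, _src, dst in records:
        by_user[user].append((ts, dst))
    alerts = []
    for user, events in by_user.items():
        start = 0
        for end in range(len(events)):
            # advance the window's left edge until it spans at most `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            hosts = {dst for _, dst in events[start:end + 1]}
            if len(hosts) >= threshold:
                alerts.append((user, sorted(hosts)))
                break
    return alerts


def detect_backup_access(records, hosts=BACKUP_HOSTS, allowed=BACKUP_ACCOUNTS):
    """Return (user, dst) for every logon to a watchlisted backup host by an
    account that is not expected there."""
    return [(user, dst) for _ts, user, _src, dst in records
            if dst in hosts and user not in allowed]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for user, hosts in detect_fanout(recs):
        print(f"fan-out: {user} reached {hosts}")
    for user, dst in detect_backup_access(recs):
        print(f"backup host touched: {user} -> {dst}")
```

In the constructed data, `j.doe` reaches four hosts in under three minutes from one workstation and lands on a backup server along the way; `a.smith` reaches two hosts across ten hours and is ignored. In production the same two rules map naturally onto Windows logon events (4624 with network or RDP logon types) or VPN and SSH logs, and the thresholds should be tuned per environment: the point of the example is the shape of the detection, not the specific numbers.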

Double and triple extortion

Years ago, solid backups defeated ransomware: you wiped the machines and restored. Attackers adapted. Double extortion adds data theft before encryption, so the victim faces a public leak even with perfect backups. Some crews escalate to triple extortion — also threatening a DDoS, or contacting the victim's customers and regulators directly to increase pressure. This shift means ransomware is now as much a data-breach problem as an availability problem, and the response has to account for the confidentiality of whatever was exfiltrated, not just getting systems back online.

Ransomware as a business

The ecosystem is industrialized. Ransomware-as-a-service operators build and maintain the malware, then rent it to affiliates who carry out intrusions and split the proceeds. Initial-access brokers sell footholds into already-compromised networks. This division of labor lowers the skill needed to launch a damaging attack and is a big reason ransomware has stayed near the top of the threat list for organizations of every size. It is not a lone hacker in a hoodie — it is a supply chain, which is also a clue to how it should be disrupted.

How to prevent it

Prevention is layered. Close the common front doors first: phishing-resistant multi-factor authentication (FIDO2/WebAuthn, for example) on every remote-access service, rapid patching of internet-facing software, and elimination of reused or weak credentials. Segment the network so one compromised machine cannot reach everything. Keep offline, immutable, regularly tested backups that an attacker who owns the domain cannot encrypt or delete. Deploy endpoint detection and response to catch the lateral movement and privilege escalation that precede encryption. And rehearse the incident-response plan, because the worst time to write one is mid-incident.
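"Regularly tested" backups means more than confirming the job ran. The following is an added example, not QuantLab's or any backup vendor's code: it builds a hash manifest of a backup set (the manifest is what you would keep off the domain, where a domain-admin attacker cannot reach it) and later verifies the set against it, reporting files that have gone missing, files that changed, and files whose content has become high-entropy, which is what a backup encrypted in place looks like. The directory layout, file contents and entropy threshold are constructed assumptions.

```python
"""Verify a backup set against an out-of-band manifest and flag deletion,
modification and in-place encryption. Added example with constructed data."""
import hashlib
import math
import os
import tempfile
from collections import Counter

ENTROPY_ALERT = 7.5  # bits per byte; assumption: plaintext and office data sit well below this


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data):
    """Bits of entropy per byte; ciphertext and random data approach 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_manifest(root):
    """Map relative path -> sha256 for every file under root. Store this copy
    somewhere the backup host and the domain cannot write to."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_backup(root, manifest):
    """Return (finding, relative_path) tuples; an empty list means the set is intact."""
    findings = []
    for rel, expected in manifest.items():
        full = os.path.join(root, rel)
        if not os.path.exists(full):
            findings.append(("missing", rel))
            continue
        if sha256_file(full) != expected:
            with open(full, "rb") as f:
                sample = f.read(1 << 20)  # first MiB is enough to judge entropy
            kind = "encrypted?" if shannon_entropy(sample) >= ENTROPY_ALERT else "modified"
            findings.append((kind, rel))
    return findings


def demo():
    """Build a constructed backup set, take its manifest, then simulate a
    ransomware crew reaching the backups and re-verify."""
    with tempfile.TemporaryDirectory() as root:
        files = {
            "finance/ledger.csv": b"2024-01-01,1234.56\n" * 2000,
            "readme.txt": b"Quarterly backup set. Do not modify.\n" * 50,
            "notes.txt": b"meeting notes " * 300,
        }
        os.makedirs(os.path.join(root, "finance"))
        for rel, content in files.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(content)
        manifest = build_manifest(root)
        clean = verify_backup(root, manifest)

        # Simulated attacker with write access to the backup share:
        with open(os.path.join(root, "finance/ledger.csv"), "wb") as f:
            f.write(os.urandom(len(files["finance/ledger.csv"])))  # encrypted in place
        os.remove(os.path.join(root, "readme.txt"))                  # deleted
        with open(os.path.join(root, "notes.txt"), "ab") as f:
            f.write(b"tampered\n")                                  # silently altered
        return clean, sorted(verify_backup(root, manifest))


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after:", after)
```

Run this on a schedule against a backup copy the production domain cannot write to, and compare against a manifest that was written at backup time and stored elsewhere; if the manifest lives beside the backups, an attacker who can encrypt the data can also rewrite the manifest. A full restore drill (mount the set, bring a service up from it, time the whole thing) is still the real test; this check only tells you quickly that the bytes you intend to restore are the bytes you wrote.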

At QUANT LAB

We help organizations close the doors ransomware crews walk through. Our penetration tests and Active Directory assessments replay the exact path an intruder takes — from an initial foothold through privilege escalation to domain-wide control — and surface the misconfigurations that would let an attacker reach your backups. On the software we build, we default to least privilege, MFA, and patched dependencies so the common entry points simply are not there. Ransomware thrives on neglected basics; we find them before the affiliates do.

The human entry point

Most ransomware starts with a person, not a zero-day. A convincing phishing email or a social-engineering call that resets a password can hand an attacker the foothold they need, and no amount of perimeter hardware stops a user from typing their credentials into a fake portal. That is why phishing-resistant MFA and a security-aware culture matter as much as any technical control — the cheapest way in is almost always a human one.
