Ransomware: What Every User Needs to Know

Ransomware is a category of malicious software that encrypts or locks victim data and demands payment — typically in cryptocurrency — before restoring access. This page covers the definition, operational mechanics, common attack scenarios, and the decision boundaries that distinguish ransomware from adjacent threat categories. The sector is governed by overlapping federal frameworks and agency guidance from CISA, the FBI, and NIST, making accurate classification essential for incident response and regulatory compliance.


Definition and scope

Ransomware is formally classified by the Cybersecurity and Infrastructure Security Agency (CISA) as a form of malware that denies access to a system or data until a ransom is paid. The FBI's Internet Crime Complaint Center (IC3) recorded over 2,825 ransomware complaints in 2022, with adjusted losses exceeding $34.3 million (FBI IC3 2022 Internet Crime Report). Those figures reflect only reported incidents — actual economic impact, including downtime and recovery costs, is substantially higher.

The scope of ransomware extends across every sector. CISA designates 16 critical infrastructure sectors, all of which have been targeted in documented incidents. Healthcare, government services, financial services, and education represent the highest-frequency targets based on FBI and CISA joint advisories.

Two primary classifications define the ransomware landscape:

A third variant — double extortion ransomware — combines file encryption with data exfiltration, threatening public release of stolen data if the ransom is not paid. Groups employing this model include those tracked under CISA and FBI joint advisories, such as the advisory for Conti ransomware (AA21-265A).

The National Online Safety Authority's listings directory catalogs service providers operating across ransomware defense, incident response, and recovery disciplines.


How it works

Ransomware infections follow a documented attack chain. NIST's Special Publication 800-184, Guide for Cybersecurity Event Recovery, frames recovery operations against the backdrop of this attack lifecycle:

  1. Initial access: The attacker gains entry through phishing email attachments, exploitation of unpatched vulnerabilities (e.g., VPN appliances, RDP endpoints), or compromised credentials purchased on dark web markets.
  2. Execution and persistence: Malicious payloads execute and establish persistence mechanisms — registry modifications, scheduled tasks, or service installations — to survive reboots.
  3. Lateral movement: Using tools such as Mimikatz for credential harvesting or exploitation of Windows protocols, the attacker moves across the network to maximize the footprint before triggering encryption.
  4. Data exfiltration (double extortion variant): Sensitive files are exfiltrated to attacker-controlled infrastructure prior to encryption.
  5. Encryption: File encryption routines engage, typically using hybrid asymmetric/symmetric cryptography. The attacker holds the private key required to decrypt.
  6. Ransom demand: A ransom note is deposited in affected directories or displayed on locked screens, specifying payment terms, cryptocurrency wallet addresses, and deadlines.

The dwell time — the period between initial access and ransomware deployment — averaged 4.5 days in 2023 for ransomware incidents, according to the Mandiant M-Trends 2023 Report (Google/Mandiant, a publicly referenced industry report). Shorter dwell times reduce defender windows for detection and containment.
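As an added example (not code from this page, nor from CISA, NIST or any vendor cited here), the following Python maps constructed endpoint telemetry onto the stages listed above and derives the dwell time between the first initial-access indicator and the first encryption indicator, which is the window the last paragraph says defenders have to work with. It also covers the RDP brute-force entry vector discussed under "Common scenarios". The event schema, host names, thresholds, file paths and sample timeline are all assumptions; only the stage names come from the text.

```python
"""Label constructed endpoint telemetry with ransomware attack-chain stages.

Added example, not code from the original page. The event schema, host
names, thresholds and sample timeline below are assumptions; the stage
names follow the six-step chain described in the text.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from os.path import basename, splitext

# Heuristic thresholds (assumed values; tune per environment and log volume)
RDP_FAILURE_THRESHOLD = 20                 # failed RDP logons from one source ...
RDP_WINDOW = timedelta(minutes=5)          # ... inside this window
LATERAL_HOST_THRESHOLD = 5                 # distinct hosts one account reaches via network logon
MASS_RENAME_THRESHOLD = 50                 # extension-changing renames by one process ...
MASS_RENAME_WINDOW = timedelta(minutes=2)  # ... inside this window

OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "acrord32.exe"}
SCRIPT_CHILDREN = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}
PERSISTENCE_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce")
NOTE_WORDS = ("readme", "decrypt", "restore", "how_to")


def is_ransom_note(path):
    """Ransom notes are usually small text/HTML files with a 'how to decrypt' style name."""
    name, ext = splitext(basename(path).lower())
    return ext in {".txt", ".hta", ".html"} and any(w in name for w in NOTE_WORDS)


def _prune(times, now, window):
    """Keep only timestamps inside the sliding window ending at 'now'."""
    times[:] = [x for x in times if now - x <= window]


def classify_events(events):
    """Return [(timestamp, stage, detail)] in time order, one entry per stage indicator."""
    hits = []
    rdp_failures = defaultdict(list)   # src_ip -> failure timestamps
    net_logons = defaultdict(set)      # account -> hosts reached via logon type 3
    renames = defaultdict(list)        # (host, pid) -> rename timestamps
    for ev in sorted(events, key=lambda e: e["ts"]):
        t, kind = datetime.fromisoformat(ev["ts"]), ev["type"]
        if kind == "process_start":
            parent, image = ev["parent"].lower(), ev["image"].lower()
            if parent in OFFICE_PARENTS and image in SCRIPT_CHILDREN:
                hits.append((t, "initial_access", f"{parent} spawned {image} on {ev['host']}"))
        elif kind == "logon_failed" and ev.get("logon_type") == 10:
            q = rdp_failures[ev["src_ip"]]
            q.append(t)
            _prune(q, t, RDP_WINDOW)
            if len(q) == RDP_FAILURE_THRESHOLD:   # fires once, as the threshold is crossed
                hits.append((t, "initial_access", f"RDP brute force from {ev['src_ip']}"))
        elif kind == "scheduled_task_create":
            hits.append((t, "persistence", f"scheduled task {ev['name']} on {ev['host']}"))
        elif kind == "registry_set" and any(k in ev["key"].lower() for k in PERSISTENCE_KEYS):
            hits.append((t, "persistence", f"Run key {ev['key']} on {ev['host']}"))
        elif kind == "logon_success" and ev.get("logon_type") == 3:
            reached = net_logons[ev["account"]]
            reached.add(ev["host"])
            if len(reached) == LATERAL_HOST_THRESHOLD:
                hits.append((t, "lateral_movement", f"{ev['account']} reached {len(reached)} hosts"))
        elif kind == "file_rename":
            if splitext(ev["old_path"])[1].lower() != splitext(ev["new_path"])[1].lower():
                q = renames[(ev["host"], ev["pid"])]
                q.append(t)
                _prune(q, t, MASS_RENAME_WINDOW)
                if len(q) == MASS_RENAME_THRESHOLD:
                    hits.append((t, "encryption", f"mass rename by pid {ev['pid']} on {ev['host']}"))
        elif kind == "file_create" and is_ransom_note(ev["path"]):
            hits.append((t, "ransom_demand", f"note {ev['path']} on {ev['host']}"))
    return hits


def dwell_time(hits):
    """Time from the first initial-access indicator to the first encryption indicator, or None."""
    first = {}
    for t, stage, _ in hits:
        first.setdefault(stage, t)
    if "initial_access" in first and "encryption" in first:
        return first["encryption"] - first["initial_access"]
    return None


def _iso(base, seconds):
    return (base + timedelta(seconds=seconds)).isoformat()


# Constructed sample timeline (not real telemetry); 203.0.113.5 is a documentation address.
_day1 = datetime(2024, 3, 1, 8, 0, 0)
_day3 = datetime(2024, 3, 3, 2, 0, 0)
SAMPLE_EVENTS = (
    [{"ts": _iso(_day1, 5 * i), "type": "logon_failed", "logon_type": 10,
      "host": "RDP-GW", "src_ip": "203.0.113.5"} for i in range(25)]
    + [{"ts": _iso(_day1, 300), "type": "process_start", "host": "WS-01",
        "parent": "WINWORD.EXE", "image": "powershell.exe"},
       {"ts": _iso(_day1, 600), "type": "registry_set", "host": "WS-01",
        "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"}]
    + [{"ts": _iso(_day1, 1800 + 60 * i), "type": "logon_success", "logon_type": 3,
        "host": f"SRV-0{i + 1}", "account": "CORP\\svc-backup"} for i in range(6)]
    + [{"ts": _iso(_day3, i), "type": "file_rename", "host": "FS-01", "pid": 4412,
        "old_path": f"C:\\Shares\\docs\\file{i}.docx",
        "new_path": f"C:\\Shares\\docs\\file{i}.docx.locked"} for i in range(60)]
    + [{"ts": _iso(_day3, 120), "type": "file_create", "host": "FS-01",
        "path": r"C:\Shares\docs\README_DECRYPT.txt"}]
)

if __name__ == "__main__":
    found = classify_events(SAMPLE_EVENTS)
    for t, stage, detail in found:
        print(f"{t.isoformat()}  {stage:<16} {detail}")
    print("dwell time:", dwell_time(found))
```

Each rule fires exactly once as its threshold is crossed, so a noisy host does not flood the output; the window pruning in `_prune` is what separates a burst of renames (the encryption stage) from the same count spread over a working day. On the constructed timeline the first initial-access indicator is the RDP burst on 1 March and the first encryption indicator is the mass rename early on 3 March, so the computed dwell time is under two days, which is in line with the short dwell times the text attributes to recent incidents.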


Common scenarios

Ransomware manifests differently depending on the target environment, attacker sophistication, and delivery mechanism.

Phishing-initiated attacks remain the most common entry vector. A malicious Office document or PDF attachment executes a downloader that retrieves the ransomware payload from a remote server. These attacks are largely opportunistic and volume-driven.

RDP exploitation targets organizations with Remote Desktop Protocol exposed to the public internet on TCP port 3389. Attackers conduct brute-force or credential-stuffing campaigns, purchase valid credentials, and deploy ransomware manually. This vector is strongly associated with human-operated ransomware campaigns.

Supply chain compromise introduces ransomware through software updates or managed service provider (MSP) tooling. The 2021 Kaseya VSA incident — documented in CISA Advisory AA21-200A — affected approximately 1,500 downstream businesses through a single MSP platform vulnerability.

Hospital and healthcare targeting carries distinct regulatory dimensions. Under 45 CFR Part 164 (HIPAA Security Rule), a ransomware attack that affects protected health information (PHI) is presumed to constitute a reportable breach unless the covered entity can demonstrate a low probability of PHI compromise (HHS Ransomware Guidance, 2016).

The purpose and scope section of this directory describes how cybersecurity service categories, including ransomware response, are organized within the broader online safety sector.


Decision boundaries

Distinguishing ransomware from adjacent threat types shapes both legal reporting obligations and technical response priorities.

Ransomware vs. wiper malware: Wiper malware destroys data permanently with no recovery mechanism and no ransom demand. NotPetya (2017), classified by CISA and NSA as destructive malware rather than ransomware despite surface similarities, caused an estimated $10 billion in global damages (CISA Historical Threat Analysis). The absence of a functional decryption pathway is the defining boundary.

Ransomware vs. data extortion without encryption: Some threat actors steal data and demand payment without deploying encryption. This is classified as extortion rather than ransomware under FBI and CISA taxonomy and may carry different notification obligations.

Payment decision framework: The U.S. Department of Treasury's Office of Foreign Assets Control (OFAC) issued an Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments (2021) warning that payments to sanctioned threat actors may violate the International Emergency Economic Powers Act (IEEPA), regardless of victim intent. Organizations assessing payment must screen attacker designations against OFAC's Specially Designated Nationals (SDN) list.

The resource navigation reference describes how to locate incident response and ransomware recovery services within this directory's classification structure.

