Security
Ransomware
Malware that encrypts a victim's files and demands payment for the decryption key. Modern attacks also exfiltrate data first — threatening to publish it if the ransom isn't paid.
Ransomware typically arrives via phishing, exploitation of unpatched vulnerabilities in internet-facing services, or compromised credentials — often through remote access paths such as RDP or VPN. Once inside, the operators move laterally across the network, escalate privileges, locate and disable or delete backups and security tooling, and stage the payload as widely as possible before triggering the encryption.
The encryption itself is usually fast. By the time an alert fires, much of the damage may already be done. Recovery depends entirely on whether backups exist, are current, can actually be restored, and weren't themselves encrypted or deleted (a common problem when backups are reachable from the same network and credentials the attacker controls).
The modern ransomware model
Today's ransomware is almost always double-extortion: attackers exfiltrate sensitive data first, then encrypt. The threat isn't just losing access to your files — it's your customer data, financial records, or confidential communications being published publicly or sold.
Most ransomware operations are now Ransomware-as-a-Service (RaaS): criminal groups develop and lease the tools to affiliates who run the actual attacks, splitting the ransom proceeds. This has lowered the technical barrier to entry significantly.
Defense priorities
Immutable, offline backups — the most critical control. Backups that the ransomware (and an attacker holding domain admin) cannot reach, modify, or delete, with restores tested regularly. 3-2-1: three copies, two media types, one offsite — and at least one copy offline or write-once, since an offsite copy that is still online can be encrypted too.
Endpoint detection and response (EDR) — behavioral detection that identifies ransomware activity (mass file encryption) before it completes.
Least privilege and segmentation — limits lateral movement. A compromised endpoint that can only reach its local VLAN causes far less damage than one with access to everything.
Patching — many ransomware attacks exploit known vulnerabilities with available patches. Timely patching closes the most common entry points.
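The behavioral detection described under EDR above, as an added example (not code from the page or from any EDR product): a small detector run over a constructed stream of file-write events in the shape a sensor might emit. It flags a process that, within a short window, rewrites many files as high-entropy data across several directories and swaps their extensions, while tolerating a text editor and a backup tool writing one large archive. The event format, thresholds, and the pseudo-ransomware process (pid 4242) are all assumptions made for illustration.

```python
"""Toy behavioural ransomware detector over a constructed EDR-style event stream.

Added example, not code from the page: event format, thresholds and the
pseudo-ransomware process are assumptions for illustration only.
"""
import hashlib
import math
import os
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import List, Optional

WINDOW_SECONDS = 10.0         # sliding window per process
ENTROPY_THRESHOLD = 7.0       # bits/byte; ciphertext and compressed data sit near 8.0
MIN_HIGH_ENTROPY_WRITES = 20  # rewritten files inside the window before we alert
MIN_DIRECTORIES = 3           # spread across directories, unlike a single archive write
# Formats that are legitimately high-entropy; an allowlist is a trade-off, since
# ransomware that keeps the original extension would hide behind it.
KNOWN_HIGH_ENTROPY = {".zip", ".gz", ".7z", ".jpg", ".mp4"}


@dataclass(frozen=True)
class FileEvent:
    ts: float                    # seconds since sensor start
    pid: int
    path: str                    # path written
    renamed_from: Optional[str]  # original path if the write replaced/renamed a file
    sample: bytes                # leading bytes of the written content


@dataclass(frozen=True)
class Alert:
    pid: int
    ts: float
    high_entropy_writes: int
    directories: int
    extension_changes: int


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def extension_changed(ev: FileEvent) -> bool:
    """True when a rename/replace changed the file extension (e.g. .docx -> .locked)."""
    if ev.renamed_from is None:
        return False
    return os.path.splitext(ev.renamed_from)[1] != os.path.splitext(ev.path)[1]


def detect(events: List[FileEvent]) -> List[Alert]:
    """Return one Alert per process whose recent writes look like mass encryption.

    The alert is emitted at the event that crosses the thresholds, i.e. while the
    process is still running, which is the point of behavioural detection.
    """
    windows = defaultdict(deque)  # pid -> deque of (event, entropy)
    alerted, alerts = set(), []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.pid in alerted:
            continue
        w = windows[ev.pid]
        w.append((ev, shannon_entropy(ev.sample)))
        while ev.ts - w[0][0].ts > WINDOW_SECONDS:  # drop events outside the window
            w.popleft()
        suspicious = [e for e, ent in w
                      if ent >= ENTROPY_THRESHOLD
                      and os.path.splitext(e.path)[1].lower() not in KNOWN_HIGH_ENTROPY]
        dirs = {os.path.dirname(e.path) for e in suspicious}
        if len(suspicious) >= MIN_HIGH_ENTROPY_WRITES and len(dirs) >= MIN_DIRECTORIES:
            ext_changes = sum(1 for e in suspicious if extension_changed(e))
            alerts.append(Alert(ev.pid, ev.ts, len(suspicious), len(dirs), ext_changes))
            alerted.add(ev.pid)
    return alerts


def _pseudo_random(seed: str, nbytes: int = 1024) -> bytes:
    """Deterministic high-entropy bytes standing in for ciphertext (constructed)."""
    out, i = b"", 0
    while len(out) < nbytes:
        out += hashlib.sha256(f"{seed}:{i}".encode()).digest()
        i += 1
    return out[:nbytes]


def build_sample_events() -> List[FileEvent]:
    """Constructed sample stream: an editor, a backup tool, and a pseudo-ransomware."""
    events = []
    text = b"Q3 revenue summary, prepared for the board meeting. " * 20
    for i in range(5):  # benign: editor saving a few low-entropy documents
        events.append(FileEvent(1.0 + i, 1001, f"/home/alice/docs/report{i}.txt", None, text))
    # benign: one large archive, high entropy but a single file in a single directory
    events.append(FileEvent(2.0, 1002, "/home/alice/backup/home.tar.gz", None,
                            _pseudo_random("archive")))
    # pseudo-ransomware: rewrites 60 files across 4 directories in ~6 s, appending .locked
    dirs = ["/home/alice/docs", "/home/alice/photos", "/srv/share/finance", "/srv/share/hr"]
    for i in range(60):
        orig = f"{dirs[i % len(dirs)]}/file{i}.docx"
        events.append(FileEvent(5.0 + i * 0.1, 4242, orig + ".locked", orig, _pseudo_random(orig)))
    return events


if __name__ == "__main__":
    for a in detect(build_sample_events()):
        print(a)
```

The alert for pid 4242 fires at its 20th rewritten file, with 40 still to go, which is where a real sensor would suspend the process and isolate the host. Two failure modes are worth noting: the extension allowlist can be abused by malware that preserves original extensions, and legitimate bulk operations (a full-disk encryption rollout, a large compression job across many folders) will trip the same thresholds, so in practice the rule is tuned per environment and paired with process reputation rather than used alone.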