Cybersecurity Glossary

What is Ransomware?

Ransomware is a category of malware that encrypts files and demands payment in exchange for decryption. Modern ransomware operations often also exfiltrate data first and threaten to publish it, creating a double-extortion model that survives even full backups.

How It Works

How Ransomware works

Three-step view of how it operates in practice.

1. Intrusion: Attackers get in, usually through phishing, stolen credentials, or an unpatched internet-facing system. They often spend days moving laterally before doing anything visible.

2. Exfiltration: Before encryption, modern ransomware gangs copy sensitive data out. This is the leverage for double extortion.

3. Encryption & demand: Files are encrypted, backups are deleted where possible, and a ransom note appears. Downtime begins.
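The encryption phase in step 3 leaves a distinctive trail on the file system, which is what behavioral EDR rules key on. The following is an added example, not tooling from the glossary or its author: a toy detector that replays a stream of file events and raises three signals (a burst of extension-changing renames by one process, creation of a ransom-note-like file, and deletion under a backup path). Every process name, path, event and threshold is constructed for illustration.

```python
"""Behavioural ransomware detection over a stream of file-system events.

Added example, not from the glossary: a toy version of the kind of
behavioural rule an EDR applies during the encryption phase. Every process
name, path, event and threshold below is constructed for illustration.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
import os

WINDOW_SECONDS = 60            # sliding window per process (constructed threshold)
RENAME_THRESHOLD = 50          # extension-changing renames inside the window
BACKUP_ROOTS = ("/backups/",)  # hypothetical location of local backup copies
NOTE_KEYWORDS = ("decrypt", "restore", "recover")  # fragments typical of ransom-note names


@dataclass(frozen=True)
class FileEvent:
    ts: float           # seconds since some epoch
    pid: int
    process: str
    op: str             # "create" | "write" | "rename" | "delete"
    path: str
    new_path: str = ""  # destination, only meaningful for renames


def _ext(path: str) -> str:
    return os.path.splitext(path)[1].lower()


def detect(events):
    """Return (pid, process, signal, detail) tuples, one per rule that fires per process.

    Signals: mass_rename   - many extension-changing renames in a short window
             ransom_note   - a text/HTML file whose name suggests a ransom note
             backup_delete - deletion under a protected backup path
    """
    alerts = []
    rename_times = defaultdict(deque)   # pid -> timestamps of ext-changing renames in window
    fired = set()                       # (pid, signal) pairs already reported

    def fire(ev, signal, detail):
        if (ev.pid, signal) not in fired:
            fired.add((ev.pid, signal))
            alerts.append((ev.pid, ev.process, signal, detail))

    for ev in sorted(events, key=lambda e: e.ts):
        if ev.op == "rename" and _ext(ev.new_path) != _ext(ev.path):
            q = rename_times[ev.pid]
            q.append(ev.ts)
            while ev.ts - q[0] > WINDOW_SECONDS:   # drop renames that fell out of the window
                q.popleft()
            if len(q) >= RENAME_THRESHOLD:
                fire(ev, "mass_rename",
                     f"{len(q)} extension-changing renames in {WINDOW_SECONDS}s, latest -> {_ext(ev.new_path)}")
        elif ev.op == "create" and _ext(ev.path) in (".txt", ".html", ".hta"):
            name = os.path.basename(ev.path).lower()
            if any(k in name for k in NOTE_KEYWORDS):
                fire(ev, "ransom_note", f"created {ev.path}")
        elif ev.op == "delete" and ev.path.startswith(BACKUP_ROOTS):
            fire(ev, "backup_delete", f"deleted {ev.path}")
    return alerts


def sample_events():
    """Constructed stream: a benign editor doing a save-via-rename, then a process behaving like ransomware."""
    events = [
        FileEvent(0.0, 100, "winword.exe", "write", "/home/alice/~report.tmp"),
        FileEvent(5.0, 100, "winword.exe", "rename", "/home/alice/~report.tmp", "/home/alice/report.docx"),
    ]
    # hypothetical malicious process: 60 renames to .locked over 30 s, a ransom note, a backup deletion
    for i in range(60):
        events.append(FileEvent(100.0 + i * 0.5, 200, "update_helper.exe", "rename",
                                f"/srv/share/doc{i}.xlsx", f"/srv/share/doc{i}.xlsx.locked"))
    events.append(FileEvent(131.0, 200, "update_helper.exe", "create", "/srv/share/HOW_TO_DECRYPT.txt"))
    events.append(FileEvent(132.0, 200, "update_helper.exe", "delete", "/backups/share-daily.bak"))
    return events


if __name__ == "__main__":
    for alert in detect(sample_events()):
        print(alert)
```

The benign editor also performs an extension-changing rename (save-via-temp-file), which is why the rule counts renames per process inside a time window rather than alerting on a single one; the thresholds here are illustrative and a real deployment tunes them against its own baseline.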

Ransomware Variants

Common ransomware delivery paths

A clear breakdown of the common variants.

Email-delivered (most common): Phishing with malicious attachments or links to credential theft pages.

Exploitation of public services: An unpatched internet-facing system is exploited directly for initial access, with no user interaction required.

Compromised credentials: Stolen or reused passwords are used to log in as a legitimate user; without MFA this looks like normal activity.

Supply-chain attack: Malware arrives through a trusted third party, such as a compromised software update or service provider.

Why It Matters

Why Ransomware matters for SMBs

59% of organizations were hit by ransomware in the past year, with average recovery costs of $2.73 million (Source: Sophos State of Ransomware, 2024).
Pitfalls

Common Ransomware mistakes

  • Backups on the same network as production: Modern ransomware hunts and deletes backups first. Immutable, offline, or air-gapped copies are essential.
  • Untested recovery plans: A backup that has never been restored end to end is not a recovery plan. Restore regularly and time it.
  • No documented IR playbook: During a ransomware event, every hour costs money. Pre-decided roles, contacts, and first actions save days.
  • Relying on antivirus alone: Ransomware routinely bypasses signature-based AV. EDR with behavioral detection plus a tested IR plan is the baseline.
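
The first two pitfalls above come down to one question: can you prove a backup still matches the data it was taken from? The following is an added example, not the glossary's own tooling: it hashes a live tree into a manifest, then checks a restored copy against that manifest and reports files that are missing, altered (for example because the backup captured an already-encrypted file), or unexpected. The directory trees are constructed in a temporary folder so it runs offline.

```python
"""Restore-test helper: hash a live tree into a manifest, then verify a restored copy against it.

Added example, not from the glossary: illustrates the "test your restores"
advice. The sample trees below are constructed in a temporary directory.
"""
import hashlib
import os
import shutil
import tempfile


def build_manifest(root: str) -> dict:
    """Map each relative file path under root to its SHA-256 hex digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            manifest[os.path.relpath(full, root)] = h.hexdigest()
    return manifest


def verify_restore(manifest: dict, restored_root: str) -> dict:
    """Compare a restored tree with a manifest taken while the data was healthy.

    Returns {"ok": [...], "missing": [...], "mismatched": [...], "unexpected": [...]}.
    The manifest itself must live somewhere the attacker could not reach
    (offline or immutable storage); otherwise a match proves nothing.
    """
    restored = build_manifest(restored_root)
    result = {"ok": [], "missing": [], "mismatched": [], "unexpected": []}
    for rel, digest in sorted(manifest.items()):
        if rel not in restored:
            result["missing"].append(rel)
        elif restored[rel] != digest:
            result["mismatched"].append(rel)
        else:
            result["ok"].append(rel)
    result["unexpected"] = sorted(set(restored) - set(manifest))
    return result


def run_demo() -> dict:
    """Constructed scenario: snapshot a tree, then 'restore' a copy with one file corrupted,
    one file missing and one stray encrypted-looking file present."""
    base = tempfile.mkdtemp()
    try:
        live = os.path.join(base, "live")
        os.makedirs(os.path.join(live, "finance"))
        for rel, data in {"finance/ledger.csv": b"2024-01-01,100\n",
                          "finance/notes.txt": b"quarter close\n",
                          "readme.md": b"# share\n"}.items():
            with open(os.path.join(live, rel), "wb") as f:
                f.write(data)
        manifest = build_manifest(live)      # taken while the data was healthy
        restored = os.path.join(base, "restored")
        shutil.copytree(live, restored)
        with open(os.path.join(restored, "finance/ledger.csv"), "wb") as f:
            f.write(b"\x8f\x13garbage")      # backup captured an already-encrypted file
        os.remove(os.path.join(restored, "readme.md"))                      # incomplete backup
        with open(os.path.join(restored, "finance/ledger.csv.locked"), "wb") as f:
            f.write(b"x")                    # stray file that was never in the healthy tree
        return verify_restore(manifest, restored)
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for category, paths in run_demo().items():
        print(f"{category}: {paths}")
```

Running the demo shows the three failure classes a restore test should surface; a backup job that passes only because it copies whatever is on disk, encrypted or not, is exactly the untested-plan pitfall the list describes.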
Common Questions

Ransomware frequently asked questions

Should we pay the ransom?
Not if you have a working recovery plan. Payment offers no guarantee of decryption, funds criminal activity, and is increasingly legally risky (OFAC sanctions on some groups). Law enforcement engagement is the first call.

Does cyber insurance cover ransomware?
Usually yes, with significant caveats. Insurers increasingly require MFA, EDR, and tested backups before issuing coverage, and many have sub-limits for ransomware.

How long does recovery take?
Sophos reports an average of 24 days for full recovery without paying. With paid decryption, average recovery still runs 23 days. Tested immutable backups cut this dramatically.

Can ransomware reach Microsoft 365 and other cloud data?
Yes. Ransomware can encrypt SharePoint, OneDrive, and connected cloud storage. SaaS backup and M365 tenant hardening are part of the defense.