Ransomware Glossary: Key terms and definition

Explore key terms and definitions related to ransomware, from attacks to payments, to better understand this growing threat. Read the full glossary now.

Back to glossary

Ransomware glossary: Key terms explained

Ransomware threats are one of the most dangerous cybersecurity issues today. It is a type of malicious software (malware) that blocks access to files or systems, usually by encrypting them and demanding payment for decryption. This glossary entry covers everything you need to know about ransomware, including how it works, its history, types, prevention, and how to respond to an attack.

What is ransomware?

Ransomware is a malicious form of software that encrypts files or systems and demands a ransom to restore access. Victims are typically presented with a ransom note instructing them to pay in cryptocurrency. However, paying does not guarantee file recovery and often encourages further attacks.

Types of ransomware

Understanding the types of ransomware is key to building a strong defense:

  • Scareware: Fake alerts that scare users into paying for unnecessary software.

  • Screen lockers: Full-screen messages that block access to the system.

  • Crypto ransomware: Encrypts valuable files and demands payment for a decryption key. Ransomware code is designed to encrypt files and demand payment for their release, making it a critical component of these attacks.

What is locker ransomware?

Locker ransomware locks the entire device rather than specific files. Locker ransomware often targets Windows users, exploiting vulnerabilities in the operating system to lock the entire device. It typically presents a message demanding payment to restore access. This variant spreads through phishing, infected software, or vulnerabilities in outdated systems.

What is crypto ransomware?

Crypto ransomware is a particularly malicious type of ransomware that uses encryption to lock a victim’s files, rendering them inaccessible without a decryption key. This form of ransomware targets sensitive data, such as documents, videos, and photos, and demands a ransom in exchange for the decryption key. Often, these attacks come with countdown timers, threatening that if the ransom isn’t paid within a specified time, all files will be deleted. The growing prevalence of crypto ransomware is alarming due to its ability to encrypt critical data and extort significant sums of money from victims. This type of ransomware attack underscores the importance of robust cybersecurity measures and regular data backups.

How does ransomware work?

Ransomware attacks follow these steps:

  1. Infection via phishing or malicious downloads that infects computers

  2. Execution and file encryption

  3. Display of ransom note

  4. Potential double extortion, threatening to leak stolen data

The encryption process

Ransomware uses strong encryption algorithms (e.g., AES, RSA) to create encrypted data, locking files and making them inaccessible. Attackers hold the only decryption key. The process often completes within minutes, targeting commonly used file types such as documents, spreadsheets, and images.

Ransomware attack vectors

Common entry points for ransomware include:

  • Phishing emails

  • Exploited vulnerabilities

  • Infected software

  • Compromised websites

  • Social engineering tactics

Ransomware hackers often exploit these entry points to deploy their malicious software and initiate attacks.

Phishing attack

A phishing attack is one of the primary methods used to initiate ransomware attacks. In a phishing attack, cybercriminals send emails containing malicious files or links to unsuspecting users. When the user opens the file or clicks the link, the malware is released onto their device, allowing the attacker to gain access to the system. Phishing attacks can be highly effective, but they are also preventable. Educating employees and staff on how to identify suspicious emails and avoid clicking on unknown links or downloading attachments from untrusted sources is crucial. By fostering awareness and vigilance, organizations can significantly reduce the risk of falling victim to phishing attacks and subsequent ransomware infections. Want to dive deeper? Learn more about how phishing works and how to defend against it.

Data exfiltration

Data exfiltration involves the unauthorized removal of data from a device and is a common tactic used in ransomware attacks. In these scenarios, ransomware actors not only encrypt the victim’s files but also steal sensitive data. They then threaten to release this data publicly unless the ransom is paid. This double extortion tactic increases the pressure on victims to comply with the ransom demands. The consequences of data exfiltration can be severe, including reputational damage, financial loss, and potential legal ramifications. Protecting against data exfiltration requires robust security measures, including encryption, access controls, and continuous monitoring of data flows.

Ransomware attack tactics

Cybercriminals use various tactics to deploy ransomware:

  • Phishing attacks

  • Exploiting vulnerabilities

  • Drive-by downloads

  • Insider threats

  • Ransomware-as-a-service (RaaS)

Ransomware attackers use these tactics to infiltrate systems and deploy their malicious software.

History of ransomware

  • 1989: AIDS Trojan – the first known ransomware, spread via floppy disks.

  • 2006: Archiveus Trojan – used RSA encryption.

  • 2013: CryptoLocker – introduced strong encryption and Bitcoin payment. CryptoLocker specifically targeted Microsoft Windows, leveraging its widespread use to maximize its impact.

  • 2017: WannaCry and NotPetya – global ransomware outbreaks with massive impact.

Notable ransomware attacks

  • WannaCry: Spread via EternalBlue vulnerability in Windows, affecting 150+ countries.

  • NotPetya: Disguised as ransomware but aimed to destroy data, not extort.

Consequences of ransomware attacks

  • Financial loss: recovery costs, ransom, downtime

  • Data loss: compromised or deleted sensitive files

  • Reputation damage: loss of customer trust

  • Operational disruption: halted business processes

  • Compliance issues: fines due to regulatory breaches

The impact on a ransomware victim can be devastating, leading to significant financial and operational challenges.

Ransomware prevention

  • Use updated antivirus and firewalls

  • Educate employees about phishing

  • Apply software patches regularly

  • Maintain offline or secure cloud backups

  • Implement a zero-trust security model

  • Use data encryption and access control

  • Conduct regular security audits

  • Regularly scan and secure backup data to ensure it is not compromised during an attack

Detecting ransomware

  • Monitor system logs and unusual activity

  • Use antivirus and anti-malware software

  • Deploy intrusion detection systems (IDS)

  • Utilize security information and event management (SIEM)

  • Enable real-time monitoring and alerts

  • Collaborate with agencies like the Cybersecurity and Infrastructure Security Agency (CISA) for threat intelligence and support

Responding to a ransomware attack

  • Disconnect infected devices from the network

  • Report the attack to authorities and your IT team

  • Avoid paying the ransom

  • Restore from clean backups to regain access to your systems

  • Use decryption tools (if available)

  • Perform post-attack analysis to prevent future incidents

Removing ransomware with a decryption key

Some ransomware variants can be removed using decryption tools from trusted sources to unlock encrypted files. However, many use strong encryption that can’t be bypassed. In some cases, systems may need to be wiped and restored.

Cryptocurrency and ransomware

Cryptocurrency, particularly Bitcoin, has become the preferred payment method in ransomware attacks. The rise of cryptocurrency has facilitated an increase in ransomware attacks, as it provides a convenient and anonymous way for attackers to receive payments. Bitcoin is the most commonly demanded cryptocurrency in these attacks due to its widespread acceptance and difficulty in tracing transactions. The use of cryptocurrency in ransomware attacks has made it easier for attackers to extort money from victims while maintaining their anonymity. This trend highlights the need for enhanced cybersecurity measures and awareness to prevent ransomware infections and mitigate their impact. Want to see how these attacks play out in the real world? Explore our article on crypto heists and modern-day digital robberies.

Ransomware-as-a-Service (RaaS)

Ransomware-as-a-Service (RaaS) is a business model that has revolutionized the ransomware landscape. RaaS allows developers to create and sell ransomware tools to attackers, significantly lowering the barrier to entry for launching ransomware attacks. This model has democratized ransomware, enabling even those with limited technical skills to purchase pre-built tools and infrastructure to carry out attacks. The proliferation of RaaS has made it more challenging for security teams to detect and prevent ransomware attacks, as the tools and infrastructure are constantly evolving. To combat this threat, organizations must invest in advanced threat intelligence, managed detection, and incident response capabilities to stay a step ahead of malicious actors.

Read our in-depth article on Ransomware-as-a-Service and how it works to better understand this growing threat.

Ransomware in the future

Emerging ransomware trends include:

  • Use of artificial intelligence (AI) to enhance attacks

  • Ransomware targeting cloud infrastructure

  • Exploitation of Internet of Things (IoT) devices

  • Growth of ransomware-as-a-service (RaaS)

  • Increasingly sophisticated phishing and social engineering tactics

  • Emergence of triple extortion tactics, where attackers also target clients and customers of the affected organization

Final thoughts

Ransomware is a critical threat in today’s digital world. Understanding how it works – and how to prevent and respond to it – is essential for protecting your data, your systems, and your organization. A combination of proactive cybersecurity measures, regular backups, and ongoing education remains the best defense against ransomware.

Protecting confidential information is crucial to mitigating the impact of ransomware attacks.

This post has been updated on 09-04-2025 by Sofie Meyer.

Author Sofie Meyer

About the author

Sofie Meyer is a copywriter and phishing aficionado here at Moxso. She has a master´s degree in Danish and a great interest in cybercrime, which resulted in a master thesis project on phishing.

Similar definitions

On-premises software Non-volatile memory (NVM) Inference Interweb Algorithm Internet protocol television (IPTV) Understanding Telemetry Data Definition What are credentials? Intranet Persistence in Cybersecurity: A Full Guide Project management office (PMO) Obsolete Syllogism Encoding CAPTCHA Advantages: Understanding the benefits