GLOSSARY · Security
Ransomware
Malware that encrypts a victim's files (and increasingly, exfiltrates them) then demands payment for decryption keys and non-disclosure. The financially defining cyber threat to small and medium business since 2017.
Detailed definition
Ransomware evolved from a nuisance into the dominant existential threat to small businesses over the last decade. The modern variant is rarely just encryption — most ransomware groups now run “double extortion”: they exfiltrate sensitive data before encrypting it, then threaten to publish or sell the data even if the victim restores from backup. The financial damage from a single successful attack routinely runs into hundreds of thousands of dollars even before the ransom itself.
The modern attack chain
A ransomware deployment is the end of a multi-step intrusion, not the beginning. Understanding the chain is how you defend against it.
- Initial access — usually phishing (stolen credentials) or an unpatched vulnerability on an internet-facing system
- Persistence + reconnaissance — attacker establishes a foothold, looks around, identifies the most valuable systems
- Privilege escalation — using stolen credentials or local vulnerabilities to gain administrator access
- Lateral movement — pivoting through the network to reach backup systems, file servers, databases
- Exfiltration — copying valuable data out for the second extortion layer
- Encryption — only at the very end, often timed for a weekend or holiday to maximize pressure
The encryption itself is the loudest, fastest, most visible step. Everything before it is quieter — and stoppable.
Layered defense
No single product stops ransomware. The defenders that survive these attacks have layered controls that interrupt the chain at multiple points:
- MFA everywhere stops most initial-access attempts at the credential step
- Aggressive patching closes the unpatched-vulnerability vector
- Email security + awareness training catches the phishing that started it
- EDR with file-rollback catches the malware before encryption completes
- Network segmentation limits lateral movement once an attacker is in
- Privileged access management prevents single-credential compromise from becoming full-domain compromise
- Immutable, tested backups ensure the encryption step doesn’t cost you the business — provided you’ve also verified offline copies exist that the attacker couldn’t reach
Most clients we onboard have two or three of these layers; few have all of them. The work of an MSP, in practice, is closing those gaps before the chain runs.
HOW WE HELP
Related Bytes Unlimited services
Need help applying Ransomware to your business?
We've done this kind of work across New York. First conversation is free.