
Ransomware

Definition

Ransomware is a type of malicious software that prevents an organization from accessing its systems or data—most commonly by encrypting files—and then demands payment to restore access or to avoid leaking stolen information. Modern ransomware campaigns often combine encryption with data theft (“double extortion”), threatening to publish sensitive customer, employee, or business data if the victim does not pay. Ransomware typically enters environments through phishing, stolen credentials, exposed remote access services, unpatched vulnerabilities, or compromised suppliers. Its impact can include operational downtime, loss of data availability and integrity, regulatory and contractual notifications, financial losses, and reputational harm. In the CyberSecure Canada context, ransomware is a major threat scenario addressed through baseline cybersecurity controls that emphasize prevention (e.g., access control, multi-factor authentication, patching, secure configuration, and awareness), detection (e.g., monitoring and logging), and resilience (e.g., tested backups and recovery procedures, incident response readiness). Equivalent ransomware risk management expectations appear across other security and assurance frameworks, typically requiring layered controls, clear response playbooks, and verifiable recovery capabilities.

Real-World Examples

Startup restores from immutable backups

A small SaaS company detects file encryption on a build server, isolates the host, and restores clean data from immutable backups after validating recovery steps.

Scaleup runs a ransomware tabletop exercise

A growing fintech conducts a tabletop exercise covering containment, decision-making, customer communications, and recovery objectives to reduce downtime in a real incident.

Enterprise contains lateral movement

A large enterprise segments networks, enforces least privilege, and uses centralized monitoring to stop ransomware spread beyond one business unit while recovery proceeds.

Ransomware is malware that blocks access to systems or data—often by encrypting files—and demands payment to restore access or prevent stolen data from being leaked.

Attackers gain access, escalate privileges, disable defenses, encrypt or lock data, and increasingly steal data for extortion, then demand payment and set deadlines.

Common signs include mass file renaming or encryption, unusual CPU or disk activity, disabled security tools, inaccessible shared drives, and ransom notes appearing on endpoints.
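The indicators above can be turned into first-pass detection logic. The following Python script is an added example, not code from the original page or from any vendor tool: it runs three heuristics (an extension-changing rename burst from one process, a ransom-note file name, and a stop of a security service) over a constructed pipe-separated file-activity log. The log format, field names, thresholds, service names and every sample event are assumptions for the demonstration; map them onto whatever your EDR or file-server audit log actually emits.

```python
"""Ransomware early-warning heuristics over a constructed file-activity log.

Added example (not from the original page). The pipe-separated log format,
the field names, the thresholds, the service names and every sample event
below are assumptions made for this demonstration.
"""
import os
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

RENAME_BURST = 20               # extension-changing renames by one process ...
WINDOW = timedelta(seconds=60)  # ... inside this window trips the burst rule
# Loose pattern for ransom-note file names (assumption; tune to your threat intel).
NOTE_PATTERN = re.compile(
    r"(decrypt|restore|recover)[-_ ]?(your[-_ ]?)?(files|data).*\.(txt|html?|hta)$", re.I)
# Service names whose stop events are interesting (assumed names for the demo).
SECURITY_SERVICES = {"windefend", "csfalconservice"}


def parse(line):
    """'ts|host|process|op|path[|new_path]' -> dict with a datetime 'ts'."""
    parts = line.rstrip("\n").split("|")
    ts, host, process, op, path = parts[:5]
    new_path = parts[5] if len(parts) > 5 else None
    return {"ts": datetime.fromisoformat(ts), "host": host, "process": process,
            "op": op, "path": path, "new_path": new_path}


def constructed_log():
    """Constructed sample: benign activity plus one hostile sequence on ws07."""
    lines = [
        "2026-02-26T09:00:01|fs01|explorer.exe|rename|/srv/share/q1.xlsx|/srv/share/q1-final.xlsx",
        "2026-02-26T09:03:10|ws03|WINWORD.EXE|create|/srv/share/restore_plan.docx",
        "2026-02-26T09:14:02|ws07|upd.exe|service_stop|WinDefend",
        "2026-02-26T09:14:40|ws07|upd.exe|create|/srv/share/HOW_TO_RESTORE_FILES.txt",
    ]
    start = datetime(2026, 2, 26, 9, 14, 5)
    for i in range(25):  # 25 documents re-extensioned in 25 seconds
        ts = (start + timedelta(seconds=i)).isoformat(timespec="seconds")
        lines.append(f"{ts}|ws07|upd.exe|rename|/srv/share/doc{i}.docx|/srv/share/doc{i}.docx.lockd")
    return lines


def analyse(lines):
    """Return findings as dicts with 'kind', 'host', 'process' and 'detail'."""
    events = sorted((parse(ln) for ln in lines if ln.strip()), key=lambda e: e["ts"])
    findings = []
    windows = defaultdict(deque)  # (host, process) -> recent (ts, new_ext) pairs
    burst_reported = set()
    for e in events:
        key = (e["host"], e["process"])
        if e["op"] == "rename" and e["new_path"]:
            old_ext = os.path.splitext(e["path"])[1].lower()
            new_ext = os.path.splitext(e["new_path"])[1].lower()
            if old_ext != new_ext:  # ordinary renames keep their extension
                w = windows[key]
                w.append((e["ts"], new_ext))
                while e["ts"] - w[0][0] > WINDOW:
                    w.popleft()
                if len(w) >= RENAME_BURST and key not in burst_reported:
                    burst_reported.add(key)
                    top_ext = Counter(x for _, x in w).most_common(1)[0][0]
                    findings.append({"kind": "rename_burst", "host": e["host"], "process": e["process"],
                                     "detail": f"{len(w)} extension changes in {WINDOW.seconds}s, mostly to '{top_ext}'"})
        target = e["new_path"] or e["path"]
        if e["op"] in ("create", "rename") and NOTE_PATTERN.search(os.path.basename(target)):
            findings.append({"kind": "ransom_note", "host": e["host"], "process": e["process"],
                             "detail": target})
        if e["op"] == "service_stop" and e["path"].lower() in SECURITY_SERVICES:
            findings.append({"kind": "security_tool_disabled", "host": e["host"],
                             "process": e["process"], "detail": e["path"]})
    return findings


def hosts_to_isolate(findings, min_kinds=2):
    """Hosts with at least min_kinds distinct indicator types: isolate first, investigate second."""
    kinds = defaultdict(set)
    for f in findings:
        kinds[f["host"]].add(f["kind"])
    return {h for h, k in kinds.items() if len(k) >= min_kinds}


if __name__ == "__main__":
    found = analyse(constructed_log())
    for f in found:
        print(f"{f['kind']:24} {f['host']:6} {f['process']:12} {f['detail']}")
    print("isolate:", sorted(hosts_to_isolate(found)))
```

Each rule alone produces false positives (a migration tool renames thousands of files, an administrator stops an agent for an upgrade, a user saves a document called "recover files.txt"); the isolation decision in `hosts_to_isolate` therefore requires two different indicator kinds on the same host, which is the combination a real intrusion tends to show within minutes.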

Prevent ransomware with layered controls such as MFA, patching, secure configuration, phishing resistance, least privilege, network segmentation, and well-tested backups.

High-impact controls include MFA on remote access, rapid vulnerability patching, least privilege, segmentation, email protections, monitoring, and offline/immutable backups with restore tests.

A ransomware incident response plan should define containment steps, roles and approvals, evidence preservation, communications, legal and notification workflows, recovery priorities, and the criteria that must be met before a system is considered safe to restore.

Paying is a high-risk decision: it may not restore data, can encourage repeat targeting, and can create legal and compliance complications; organizations should follow established decision processes.

Recovery typically involves isolating affected systems, rebuilding from known-good images, restoring from validated backups, rotating credentials, and confirming the attacker no longer has access.

Reporting depends on obligations, but often includes internal leadership, insurers, relevant regulators, contractual partners, and affected individuals when sensitive data exposure is suspected.

Backups enable restoration without paying, and immutable storage helps prevent attackers from deleting or encrypting backup copies, provided restores are regularly tested end-to-end.
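"Tested end-to-end" means actually restoring and comparing, not listing the backup catalogue. The following Python script is an added example, not code from the original page or from any backup product: a backup run records a SHA-256 manifest taken from the source, the restore test restores into scratch space and checks every file against that manifest, and a simulated attacker who reaches a writable backup copy and encrypts one file makes the test fail. Everything runs inside a temporary directory; the storage-side immutability (object lock, WORM, offline media) is assumed to exist outside this script and is not modelled.

```python
"""Backup manifest plus an end-to-end restore test.

Added example, not from the original page. The directory layout, the manifest
format and the sample data are assumptions for the demonstration; the toy XOR
stands in for the attacker's encryption and has no security meaning.
"""
from __future__ import annotations

import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Relative path -> SHA-256 for every regular file under root."""
    files = {p.relative_to(root).as_posix(): sha256_file(p)
             for p in sorted(root.rglob("*")) if p.is_file()}
    return {"files": files, "count": len(files)}


def backup(source: Path, dest: Path) -> dict:
    """Copy the tree into dest/data and store a manifest computed from the source."""
    shutil.copytree(source, dest / "data")
    manifest = build_manifest(source)
    (dest / "manifest.json").write_text(json.dumps(manifest, indent=1))
    return manifest


def restore(backup_dir: Path, target: Path) -> None:
    shutil.copytree(backup_dir / "data", target, dirs_exist_ok=True)


def verify(manifest: dict, restored: Path) -> list[str]:
    """Problems in a restored tree: missing, altered or unexpected files."""
    problems = []
    expected = manifest["files"]
    for rel, digest in expected.items():
        p = restored / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(p) != digest:
            problems.append(f"hash mismatch: {rel}")
    present = {p.relative_to(restored).as_posix() for p in restored.rglob("*") if p.is_file()}
    problems.extend(f"unexpected: {rel}" for rel in sorted(present - set(expected)))
    return problems


def restore_test(backup_dir: Path) -> list[str]:
    """Full restore into scratch space, verified against the manifest. Empty list = pass."""
    manifest = json.loads((backup_dir / "manifest.json").read_text())
    with tempfile.TemporaryDirectory() as scratch:
        restore(backup_dir, Path(scratch))
        return verify(manifest, Path(scratch))


def demo() -> dict:
    """A clean backup passes; a backup copy the attacker could write to fails."""
    with tempfile.TemporaryDirectory() as td:
        src, bak = Path(td) / "src", Path(td) / "backup"
        (src / "docs").mkdir(parents=True)
        (src / "ledger.csv").write_text("id,amount\n1,100\n2,250\n")  # constructed data
        (src / "docs" / "policy.txt").write_text("restores are tested monthly\n")
        backup(src, bak)
        clean = restore_test(bak)

        # Simulated attacker action on a mutable backup copy: encrypt one file
        # (toy XOR) under a new extension and delete the original.
        victim = bak / "data" / "ledger.csv"
        scrambled = bytes(b ^ 0x5A for b in victim.read_bytes())
        victim.with_name("ledger.csv.lockd").write_bytes(scrambled)
        victim.unlink()
        tampered = restore_test(bak)
    return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    result = demo()
    for name in ("clean", "tampered"):
        print(f"{name} restore test:", "PASS" if not result[name] else result[name])
```

Two design points carry over to real deployments: the manifest is computed from the source at backup time and stored alongside the copy, so a later change to the backup cannot be mistaken for the original state; and the restore test should run on a schedule from an identity that can read the backup store but not write to it, so that the test itself does not become the path by which an attacker reaches the copies.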

Version: 1.0.0
Date: 2026-02-26
Author: WatchDog Security GRC Wiki Team
Description: Initial publication