Browse Definitions :
ransomware cyberextortion

Malware vs. ransomware: What's the difference?

Ransomware is a type of malware. It encrypts files and demands a ransom before allowing victims to regain access.

Cyber attacks are taking place globally, and no one is safe. As the technology advances, so do scammers and cybercriminals. These attacks exploit digital device weaknesses, enabling attackers to access systems and files.

The terms malware and ransomware are often used interchangeably, but this is wrong. Ransomware is a subset of the greater malware umbrella term.

Here is an explanation of each term, and how they differ.


Malware is an umbrella term for any malicious code or program that gives an attacker explicit control over a system. It's a broad term that refers to all types of malicious programs, including:

  • Ransomware. This type of malware infects a computer system and encrypts the data. Attackers then demand a ransom to decrypt the data so the victim can regain access.
  • Rootkits. This delivery method for other malwares hides in the deepest corner of a computer. It delivers malicious payloads such as keyloggers and spyware.
  • Scareware. This is an app or webpage that pops up and attempts to frighten victims into buying unnecessary software or providing their financial data.
  • Spammers. Malicious code sets up shop on a computer and pumps out thousands and thousands of spam emails. This type of malware uses a victim's system as an email blast platform.
  • Spyware. Spyware records the activities of unwitting users -- such as websites they visit and information about their computer systems. Spyware that records keystrokes is called a keylogger. It is designed to steal credit card numbers, passwords, bank account numbers and other sensitive data.
  • Trojans. A Trojan malware looks like an innocuous file but secretly delivers a malicious payload.
  • Viruses. This is a generic term for malware that does nothing but damage your computer and delete files.
  • Worms. This is a standalone program that can self-replicate and spread over a network. They aren't very common anymore and were often forms of mischief.


Ransomware is malware that takes a computer system hostage. Attackers then demand those users pay a ransom to regain access to their system. Ransomware is usually delivered as an attachment via email but can also be downloaded from the web.

Ransomware operates like a Trojan in that the malicious payload is delivered by another source. Once the payload infects a system, it executes the download of the ransomware software.

Ransomware is malware that takes a computer system hostage. Attackers then demand those users pay a ransom to regain access to their system.

The ransomware then scours the infected computer system for vital files -- such as Word documents and Excel sheets -- and encrypts them with an unbreakable encryption key. This locks victims out of their systems.

The victim's computer is useless except to do one thing -- pay the ransom. With some malware, a computer can be booted using a flash drive. This drive has a special operating system and anti-malware software to clean the infected system. But ransomware takes over a computer so thoroughly that it's doubtful a victim can get their operating system back.

And even if a victim can get access to the encrypted files, they will be useless because they are encrypted. To decrypt files and regain access to the system, victims need a decryption key, which is obtained by paying a ransom to the attackers. Ransom is usually demanded in bitcoin or other cryptocurrencies because they are easier to move around.

Learn how Colonial Pipeline operations came to a halt when a ransomware attack infected its systems.

Differences between malware and ransomware

Here is a side-by-side glance of how malware and ransomware function:

Malware Ransomware
Any malicious code designed to do a variety of actions, including damaging files and stealing bank account information. Specifically designed to lock victims out of their computer and files until a ransom is paid.
Delivered in many ways, including email, USB drives, network worms, Trojans and visiting malicious websites. Primary form of infection is targeted email attacks with malicious attachments.
Much malware can be stopped or removed by antivirus software. Extremely hard if not impossible to remove once infected.
Some malware exists just to be a jerk or remotely take over a computer. Ransomware is severe criminal activity because it involves financial blackmail.
It can significantly degrade a computer's performance. It completely takes over a computer.

Protecting against malware and ransomware

Effective antivirus protection should be used at all levels of the enterprise -- including end user computers and servers -- along with a firewall. Effective security means securing all layers of the network, not just the endpoint.

The antivirus market is enormous, and there are many kinds of software to choose from. Choose carefully and thoroughly, getting input from security experts, peers and colleagues. Also, look over AV-Test, a neutral antivirus software test organization.

Another way businesses can protect themselves from a ransomware attack is to create system backups. This enables businesses to restore their data without paying a ransom. 

Above all, businesses must train staff to never open attachments from unknown senders. Good antivirus software scans all attachments when they come into a user's inbox, but if a malicious payload gets through, common sense needs to prevail.

Even if an attachment comes from a known sender, it's a good idea to check and see if that person sent it. A common method of malware replication is to go through an infected user's address book and send malicious code to every address it finds. Ransomware operates like this as well.

Next Steps

17 ransomware removal tools to protect enterprise networks

Prepare and conduct a ransomware tabletop exercise

The history and evolution of ransomware

What is ransomware as a service?

How to prevent ransomware: 6 key steps to safeguard assets

Dig Deeper on Threat management

  • PCI DSS 12 requirements

    The PCI DSS 12 requirements are a set of security controls businesses must implement to protect credit card data and comply with ...

  • cardholder data (CD)

    Cardholder data (CD) is any personally identifiable information (PII) associated with a person who has a credit or debit card.

  • authentication factor

    An authentication factor is a category of credential that is intended to verify, sometimes in combination with other factors, ...

  • systems thinking

    Systems thinking is a holistic approach to analysis that focuses on the way that a system's constituent parts interrelate and how...

  • crowdsourcing

    Crowdsourcing is the practice of turning to a body of people to obtain needed knowledge, goods or services.

  • synthetic data

    Synthetic data is information that's artificially manufactured rather than generated by real-world events.

  • employee engagement

    Employee engagement is the emotional and professional connection an employee feels toward their organization, colleagues and work.

  • talent pool

    A talent pool is a database of job candidates who have the potential to meet an organization's immediate and long-term needs.

  • diversity, equity and inclusion (DEI)

    Diversity, equity and inclusion is a term used to describe policies and programs that promote the representation and ...

Customer Experience
  • needs assessment

    A needs assessment is a systematic process that examines what criteria must be met in order to reach a desired outcome.

  • customer touchpoint

    A customer touchpoint is any direct or indirect contact a customer has with a brand.

  • customer service charter

    A customer service charter is a document that outlines how an organization promises to work with its customers along with ...