Malware vs. ransomware: What's the difference?

Ransomware is a type of malware. It encrypts files and demands a ransom before allowing victims to regain access.

Cyber attacks are taking place globally, and no one is safe. As technology advances, so do scammers and cybercriminals. These attacks exploit weaknesses in digital devices, enabling attackers to access systems and files.

The terms malware and ransomware are often used interchangeably, but this is wrong. Ransomware is a subset of the broader category of malware.

Here is an explanation of each term, and how they differ.


Malware is an umbrella term for any malicious code or program that gives an attacker explicit control over a system. It's a broad term that refers to all types of malicious programs, including:

  • Ransomware. This type of malware infects a computer system and encrypts the data. Attackers then demand a ransom to decrypt the data so the victim can regain access.
  • Rootkits. This delivery method for other malware hides in the deepest corner of a computer. It delivers malicious payloads such as keyloggers and spyware.
  • Scareware. This is an app or webpage that pops up and attempts to frighten victims into buying unnecessary software or providing their financial data.
  • Spammers. Malicious code sets up shop on a computer and pumps out thousands and thousands of spam emails. This type of malware uses a victim's system as an email blast platform.
  • Spyware. Spyware records the activities of unwitting users -- such as websites they visit and information about their computer systems. Spyware that records keystrokes is called a keylogger. It is designed to steal credit card numbers, passwords, bank account numbers and other sensitive data.
  • Trojans. A Trojan malware looks like an innocuous file but secretly delivers a malicious payload.
  • Viruses. This is a generic term for malware that does nothing but damage your computer and delete files.
  • Worms. A worm is a standalone program that can self-replicate and spread over a network. Worms aren't very common anymore and were often forms of mischief.


Ransomware is malware that takes a computer system hostage. Attackers then demand those users pay a ransom to regain access to their system. Ransomware is usually delivered as an attachment via email but can also be downloaded from the web.

Ransomware operates like a Trojan in that the malicious payload is delivered by another source. Once the payload infects a system, it executes the download of the ransomware software.

The ransomware then scours the infected computer system for vital files -- such as Word documents and Excel sheets -- and encrypts them with an unbreakable encryption key. This locks victims out of their systems.

The victim's computer is useless except to do one thing -- pay the ransom. With some malware, a computer can be booted using a flash drive. This drive has a special operating system and anti-malware software to clean the infected system. But ransomware takes over a computer so thoroughly that it's doubtful a victim can get their operating system back.

And even if a victim can get access to the encrypted files, they will be useless because they are encrypted. To decrypt files and regain access to the system, victims need a decryption key, which is obtained by paying a ransom to the attackers. Ransom is usually demanded in bitcoin or other cryptocurrencies because they are easier to move around.

Differences between malware and ransomware

Here is a side-by-side glance of how malware and ransomware function:

| Malware | Ransomware |
|---|---|
| Any malicious code designed to do a variety of actions, including damaging files and stealing bank account information. | Specifically designed to lock victims out of their computer and files until a ransom is paid. |
| Delivered in many ways, including email, USB drives, network worms, Trojans and visiting malicious websites. | Primary form of infection is targeted email attacks with malicious attachments. |
| Much malware can be stopped or removed by antivirus software. | Extremely hard if not impossible to remove once infected. |
| Some malware exists just to be a jerk or remotely take over a computer. | Ransomware is severe criminal activity because it involves financial blackmail. |
| It can significantly degrade a computer's performance. | It completely takes over a computer. |

Protecting against malware and ransomware

Effective antivirus protection should be used at all levels of the enterprise -- including end user computers and servers -- along with a firewall. Effective security means securing all layers of the network, not just the endpoint.

The antivirus market is enormous, and there are many kinds of software to choose from. Choose carefully and thoroughly, getting input from security experts, peers and colleagues. Also, look over AV-Test, a neutral antivirus software test organization.

Another way businesses can protect themselves from a ransomware attack is to create system backups. This enables businesses to restore their data without paying a ransom. 
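
A backup only helps if the copies in it are still readable. The following is an added example, not part of the original article: a check that flags a backup set when Word and Excel files have lost their expected file signature and their leading bytes look like random data. The function names, thresholds and sample data are assumptions made for illustration.

```python
import math
from collections import Counter

ZIP = b"PK\x03\x04"                          # .docx / .xlsx (ZIP container)
OLE2 = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc / .xls
SIGNATURES = {"docx": ZIP, "xlsx": ZIP, "doc": OLE2, "xls": OLE2}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte of data; ciphertext approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def expected_signature(name: str):
    """Signature for the innermost known extension, so 'q3.xlsx.locked' still maps to ZIP."""
    for part in reversed(name.lower().split(".")[1:]):
        if part in SIGNATURES:
            return SIGNATURES[part]
    return None  # file type this check has no opinion on

def looks_encrypted(name: str, head: bytes, entropy_floor: float = 7.5) -> bool:
    """True when a known document type lacks its signature and its head is near-random."""
    sig = expected_signature(name)
    if sig is None:
        return False
    return not head.startswith(sig) and shannon_entropy(head) >= entropy_floor

def scan_backup(files: dict, max_ratio: float = 0.1):
    """files maps name -> leading bytes (e.g. first 4 KiB). Returns (suspect_names, alert)."""
    known = [n for n in files if expected_signature(n) is not None]
    suspects = sorted(n for n in known if looks_encrypted(n, files[n]))
    alert = bool(known) and len(suspects) / len(known) > max_ratio
    return suspects, alert

# Constructed sample data: a uniform byte histogram stands in for ciphertext (entropy 8.0).
RANDOM_LIKE = bytes(range(256)) * 16
SAMPLE = {
    "budget.xlsx": ZIP + b"[Content_Types].xml" + b"\x00" * 64,  # healthy
    "minutes.doc": OLE2 + b"\x00" * 64,                          # healthy
    "plan.docx": RANDOM_LIKE,                                    # signature gone
    "q3.xlsx.locked": RANDOM_LIKE,                               # renamed and signature gone
    "notes.txt": RANDOM_LIKE,                                    # unknown type, ignored
}

if __name__ == "__main__":
    print(scan_backup(SAMPLE))
```

Run against each new backup before older generations are rotated out, so an alert arrives while a clean copy still exists.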

Above all, businesses must train staff to never open attachments from unknown senders. Good antivirus software scans all attachments when they come into a user's inbox, but if a malicious payload gets through, common sense needs to prevail.

Even if an attachment comes from a known sender, it's a good idea to check and see if that person sent it. A common method of malware replication is to go through an infected user's address book and send malicious code to every address it finds. Ransomware operates like this as well.
