Tech Accelerator What is ransomware? Definition and complete guide

Prev Next

Feature

Malware vs. ransomware: What's the difference?

Ransomware is a type of malware, or malicious software. While all ransomware is malware, not all malware is ransomware.

Andy Patrizio

By

Andy Patrizio

Published: 31 Aug 2023

Cyber attacks are escalating globally, and no one is safe. The number of ransomware attacks, in particular, has exploded in recent years.

While a layperson might use the terms malware and ransomware interchangeably, it's important to know that doing so is not always accurate. Rather, ransomware is a subset of malware. All ransomware is malware, but not all malware is ransomware. Also note that some ransomware variants qualify as other types of malware, such as Trojans and worms.

What is malware?

Malware is an umbrella term for any malicious software that enables an attacker to perform some degree of unauthorized activity on a device or in a system. Threat actors often deliver malware via phishing or other social engineering attacks, or by exploiting unpatched software vulnerabilities.

A wide variety of malware exists, including the following types:

Adware. Some adware is legitimate, showing advertisements to consenting users while they interact with a given application. Malicious adware aims to trick users into downloading other types of malware, such as spyware, to their devices.
Ransomware. This type of malware takes private digital resources hostage. Attackers demand ransom payments in exchange for returning victims' access to their computer systems and data.
Rootkits. A rootkit is software that can give a cybercriminal remote administrative control over a device, without alerting the user. A threat actor might use a rootkit to steal data or to co-opt a computer into a botnet. Rootkits also deliver other types of malware, such as keyloggers and spyware.
Scareware. Scareware is a type of malware that tries to frighten victims into falsely believing threat actors have already compromised their devices. Scareware tactics often include pop-up windows or phishing emails that urge users to download -- and often pay for -- corrective security software, which is actually dummy software or malware in disguise. The goal of a scareware attack could be to steal financial credentials, infect devices with additional malware or both.
Spammers. If attackers seize control of an account or device, they can deploy malicious code that pumps out thousands and thousands of spam emails. This type of malware hijacks a victim's system to use as an email blast platform, or spambot.
Spyware. Spyware records the activities of unwitting users, such as websites they visit and information about their computer systems. Spyware that records keystrokes is called a keylogger. It is designed to steal credit card numbers, passwords, bank account numbers and other sensitive data.
Trojans. Trojan horse malware looks like an innocuous file or program, but secretly delivers a malicious payload. Ransomware that attackers deliver via phishing emails is also a kind of Trojan, in that the malicious payloads hide within seemingly harmless attachments or links.
Viruses. Virus is a generic term for malware that can damage devices; copy, encrypt, steal and delete data; hijack devices for use in botnets; and more. Viruses spread when users inadvertently download them, often by clicking malicious links or opening suspicious email attachments.
Worms. A worm is malicious software that can self-replicate once inside a system and spread laterally, infecting multiple devices across a network. Unlike a virus, a worm can propagate automatically, without requiring additional victims to click links or download files.

Graphic displaying the different types of malware. — Ransomware is just one type of malware.

What is ransomware?

Ransomware is malware that locks down or encrypts digital resources, ranging from entire computer systems to select data. Ransomware operators hold these systems and files hostage, demanding ransom payments in exchange for restoring access.

Cybercriminals typically conceal ransomware in an infected attachment or malicious link and deliver it via a phishing attack. Alternatively, they can exploit software vulnerabilities or unsecured Remote Desktop Protocol (RDP) environments.

This article is part of

What is ransomware? Definition and complete guide

Once ransomware has successfully infected a system, threat actors scour the system for files containing sensitive data, such as personally identifiable information, financial information and health records. They then might encrypt the data, exfiltrate it or both.

In increasingly common double extortion ransomware cases, attackers both block users' access to their own resources and threaten to publish their sensitive data online. In triple extortion ransomware attacks, malicious actors add a third threat, such as launching a DDoS attack or extorting the victim's employees, partners or customers.

To decrypt its files and regain system access, an organization needs the attackers' decryption key, which it can theoretically obtain by paying the ransom. But not all victims that pay ransoms see their data fully restored. In some cases, the attackers install secret backdoors in systems so that they can repeatedly attack the same targets. Or attackers simply might not follow through with their side of the deal.

Cybercriminals usually demand ransoms in bitcoin or other cryptocurrencies because they are easier than traditional currency to send and receive anonymously, without interference from law enforcement or banks.

Learn how Colonial Pipeline operations came to a halt when a ransomware attack infected its systems.

What are the differences between malware and ransomware?

This is somewhat of a trick question, as ransomware is a type of malware.

Some ransomware even qualifies as multiple types of malware. WannaCry, for example, is both ransomware and a worm -- also known as a cryptoworm. Many ransomware programs are also Trojans, with attackers disguising them in apparently innocuous email attachments.

Here is a side-by-side glance at malware and ransomware:

	Malware	Ransomware
Goal	Any malicious code designed to perform a variety of unauthorized actions, including damaging digital resources, stealing data and disrupting IT services.	Malicious code specifically designed to lock victims out of their own systems until they make ransom payments. Can also involve extortion, in which attackers exfiltrate data and threaten to publish it online.
Delivery	Delivered in many ways, including via email, USB drives, network worms, Trojans and malicious websites.	Primarily delivered via targeted phishing attacks, RDP attacks or exploited software vulnerabilities.
Removal	Some types of malware can be stopped or removed by antivirus software.	Hard to remove once an infection has occurred and the system has been locked or encrypted.
Motive	Motives for malware vary, ranging from idle criminal mischief to financial gain to nation-state espionage.	The motive in a ransomware attack is financial gain. As such, ransomware qualifies as serious criminal activity.
Technical effects	Range from mild performance degradation on a single device to total destruction of an enterprise network.	Often brings all digital activity to a halt until users pay the ransom, restore the system from backup or rebuild the system from scratch.

How can organizations protect against ransomware and other malware?

Because ransomware often spreads via phishing attacks, many experts agree that an organization's most important defense is an educated, cautious user base. Security awareness training is key in preventing ransomware attacks.

Ransomware-specific security awareness training should educate users to never open email attachments or click links from unknown senders, and to regard even messages from known senders with healthy skepticism. If an email from an existing contact seems at all unusual, the user should confirm via another communication channel that the other person's account has not been compromised.

Another way businesses can protect themselves from ransomware attacks is to create offline data backups. Reliable backups should ideally enable them to restore their data without paying ransoms. Note that this will not protect against extortion-based ransomware attacks in which bad actors threaten to leak or publicly share stolen data.

Enterprises should also employ defense-in-depth security strategies that include some combination of the following:

Allowlists/blocklists.
Antimalware.
Antivirus.
Email security gateways.
Endpoint detection and response.
Endpoint protection.
Extended detection and response.
Firewalls.
Intrusion detection and prevention.
Least-privilege access control.
Managed detection and response.
Multifactor authentication.
Network traffic analysis.
Zero-trust network access.

Next Steps

17 ransomware removal tools to protect enterprise networks

Prepare and conduct a ransomware tabletop exercise

The history and evolution of ransomware

What is ransomware as a service (RaaS)?

Ransomware trends, statistics and facts

Dig Deeper on Threat management

Search Networking

What is fiber to the home (FTTH)?
Fiber to the home (FTTH) is the installation and use of optical fiber from a central point to individual buildings to provide ...
What is an SDN controller (software-defined networking controller)?
A software-defined networking controller is an application in SDN architecture that manages Flow control for improved network ...
What is nslookup?
Nslookup is the name of a program that lets users enter a hostname and find out the corresponding Internet Protocol address or ...

Search Security

What is a CISO (chief information security officer)?
The CISO (chief information security officer) is a senior-level executive responsible for developing and implementing an ...
What is biometric authentication?
Biometric authentication is a security process that relies on the unique biological characteristics of individuals to verify ...
What is cloud infrastructure entitlement management (CIEM)?
Cloud infrastructure entitlement management (CIEM) is a modern cloud security discipline for managing identities and privileges ...

Search CIO

What is a procurement plan?
A procurement plan -- also called a procurement management plan -- is a document that is used to manage the process of finding ...
What is a quantum circuit? Quantum vs. classical circuit
Quantum circuits are systems consisting of logic gates that operate on quantum bits (qubits) to process information and perform ...
What is prescriptive analytics?
Prescriptive analytics is a type of data analytics that provides guidance on what should happen next.

Search HRSoftware

What is a talent pool?
A talent pool is a database of job candidates who have the potential to meet an organization's immediate and long-term needs.
What is a 360 review?
A 360 review, or 360-degree review, is a continuous performance management strategy aimed at helping employees at all levels ...
What is a talent pipeline?
A talent pipeline is a pool of candidates who are ready to fill a position.

Search Customer Experience

What is mobile CRM?
Mobile CRM, or mobile customer relationship management, enables those working in the field or remote employees to use mobile ...
What is field service management (FSM)?
Field service management (FSM) is a system of managing off-site workers and the resources they require to do their jobs ...
What are customer service and support?
Customer service is the support organizations offer to customers before, during and after purchasing a product or service.

Close