Security+ Academy · Lesson

Ransomware and Cryptolockers

Examine the ransomware kill chain from initial access and encryption to ransom demand, and learn defensive strategies including immutable backups.

What Is Ransomware?

Ransomware is malware that denies access to data or systems and demands payment — typically in cryptocurrency — for restoration. The defining characteristic is extortion: the victim's own data becomes leverage against them. Modern ransomware operations are sophisticated criminal enterprises generating billions of dollars annually. The 2021 Colonial Pipeline attack disrupted fuel supply across the US East Coast; the 2020 Universal Health Services attack impacted 400 hospitals. Ransomware is among the most severe threats organizations face today, combining technical sophistication with significant business impact.

Ransomware Kill Chain

Ransomware attacks follow a predictable sequence:

  1. Initial access: phishing email, RDP brute-force, or exploitation of a public-facing vulnerability.
  2. Persistence: install a backdoor and disable security tools.
  3. Lateral movement: spread through the network to maximize infection scope and compromise backup systems.
  4. Data exfiltration: steal sensitive data before encrypting it (double extortion).
  5. Encryption: encrypt files across all accessible systems simultaneously.
  6. Ransom demand: leave a ransom note with payment instructions and a threat to publish the stolen data if the ransom is not paid.

Understanding each phase reveals defensive opportunities at every step.

# Ransomware kill chain defensive opportunities:
# Phase 1 (Initial Access): Email gateway, patch management, MFA
# Phase 2 (Persistence):    EDR behavior detection
# Phase 3 (Lateral Move):   Network segmentation, least privilege
# Phase 4 (Exfiltration):   DLP, network monitoring (large data transfer)
# Phase 5 (Encryption):     EDR file activity monitoring, honeypot files
# Phase 6 (Impact):         Immutable backups enable recovery without payment
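As an added example (not part of the Security+ Academy lesson), the following Python sketch shows how the two Phase 5 signals above, honeypot (canary) files and file-activity monitoring, can be turned into detection logic. The event format, file paths, process names and thresholds are all constructed for the example; a real EDR would supply its own event stream.

```python
import ntpath
from collections import defaultdict

# Canary (honeypot) files: decoys that no legitimate user or process should ever
# touch, so any write or rename against them is a high-confidence signal.
# Paths are constructed for this example.
CANARY_FILES = {r"C:\Share\Finance\~$passwords_backup.xlsx",
                r"C:\Share\HR\zz_archive_do_not_open.docx"}

# Constructed file-activity events (not real EDR output):
# (time_seconds, process, operation, path, new_path_or_None).
# The burst at t=300..302 mimics one process rewriting documents under a new
# extension and finally touching a canary file.
EVENTS = [
    (100, "winword.exe",    "write",  r"C:\Share\Finance\q3-report.docx", None),
    (101, "explorer.exe",   "rename", r"C:\Share\HR\draft.txt", r"C:\Share\HR\notes.txt"),
    (300, "svc_helper.exe", "rename", r"C:\Share\Finance\q3-report.docx", r"C:\Share\Finance\q3-report.docx.lockd"),
    (300, "svc_helper.exe", "rename", r"C:\Share\Finance\budget.xlsx", r"C:\Share\Finance\budget.xlsx.lockd"),
    (301, "svc_helper.exe", "rename", r"C:\Share\HR\salaries.xlsx", r"C:\Share\HR\salaries.xlsx.lockd"),
    (301, "svc_helper.exe", "rename", r"C:\Share\HR\notes.txt", r"C:\Share\HR\notes.txt.lockd"),
    (302, "svc_helper.exe", "rename", r"C:\Share\Finance\~$passwords_backup.xlsx",
                                      r"C:\Share\Finance\~$passwords_backup.xlsx.lockd"),
]

def ext(path):
    # ntpath handles Windows-style paths regardless of the host OS.
    return ntpath.splitext(path)[1].lower()

def detect_encryption_activity(events, canaries=CANARY_FILES, window=60, threshold=4):
    """Return alerts as (rule, process, detail) tuples. Two rules modelled on the
    Phase 5 defences: (1) any modification of a canary file; (2) one process
    changing the extension of at least `threshold` files within `window` seconds."""
    alerts = []
    renames = defaultdict(list)  # process -> timestamps of extension-changing renames
    for t, proc, op, path, new_path in sorted(events, key=lambda e: e[0]):
        if path in canaries or new_path in canaries:
            alerts.append(("canary_modified", proc, path))
        if op == "rename" and new_path and ext(new_path) != ext(path):
            times = renames[proc]
            times.append(t)
            while times and t - times[0] > window:   # slide the window forward
                times.pop(0)
            if len(times) == threshold:              # fire once as the burst crosses the line
                alerts.append(("mass_extension_change", proc, ext(new_path)))
    return alerts

if __name__ == "__main__":
    for alert in detect_encryption_activity(EVENTS):
        print(alert)
```

The ordinary rename by explorer.exe keeps its extension and is ignored; the burst fires on the fourth extension change, and the canary rule fires independently of any threshold.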
