THREAT BRIEFING · 10.07.2026 DEENFRES

Security Glossary

What Is Ransomware? Definition, Process, and Protection

By Benedikt Langer · July 8, 2026 · 5 min read

What is Ransomware? Ransomware is malware that blocks access to data and systems, typically by encryption. The release is only offered by the perpetrators in exchange for ransom. BSI classifies it as an attack on availability and as a form of digital extortion. Modern attacks usually combine encryption with data theft and the threat of publication.

Key Takeaways

  • Mechanics: Encryption cripples systems, with the key the attackers demand ransom. Stolen data serves as a second pressure tool.
  • Process: Attackers gain entry via phishing, vulnerabilities or open remote access, spread across the network and only encrypt at the end.
  • Protection: Tested offline backups, network segmentation, MFA and consistent patching most effectively reduce the risk.

How a Real Attack Unfolds

A ransomware incident begins long before the visible encryption. The most common entry vectors are phishing emails with malicious attachments, exploitable vulnerabilities in externally reachable systems, and poorly secured remote access such as RDP. The BSI (Federal Office for Information Security) has listed these three vectors at the top for years.

After gaining initial access, attackers secure persistent access and expand their privileges, often using stolen credentials and administrator accounts. They then move laterally through the network, typically via services such as SMB or RDP. MITRE ATT&CK (a globally recognized adversary tactic framework) describes these phases as Lateral Movement.

950 Displays

Ransomware attacks in Germany in the reporting period 2024/2025

Source: BSI Situation Report 2025

Before encryption, attackers in the majority of cases exfiltrate data. Only afterwards does the actual encryption commence, referred to in MITRE ATT&CK as technique T1486. The ransom demand thus appears at the end of an operation that often lasts days or weeks. Exactly within this timeframe, effective detection can still mitigate the damage.

Double Extortion as a Business Model

Double extortion means: attackers demand ransom for decryption and also threaten to publish the stolen data. The BSI (Federal Office for Information Security) notes this dual leverage in most ransomware incidents. Paying the ransom does not guarantee data recovery nor does it prevent a leak.

Behind these attacks lies collaborative crime. In the Ransomware-as-a-Service model, operators provide the malware and infrastructure, while partners carry out the attacks and both split the proceeds. According to the BSI’s threat report, around 80 percent of the displayed attacks in Germany targeted small and medium-sized enterprises. The perpetrators look for reachable targets with weak defenses, not high‑profile names.

What Companies Need to Check Now

The most effective protection starts before encryption. Backups determine recovery, so they should be stored separately from the production network and regularly tested for recoverability. Segmentation limits spread, MFA secures the access points attackers most often use.

CHECK NOW

  • Create backups following the 3-2-1 principle, keep one copy offline, test restoration
  • Segment the network so that a compromised client does not endanger the entire network
  • Enforce MFA for all remote accesses and privileged accounts
  • Prioritize security updates on externally reachable systems
  • Document an incident-response plan, clarify reporting paths and rehearse the worst case

Distinguishing Related Terms

Ransomware targets extortion: attackers offer a key for payment. Wiper malware, however, irreversibly destroys data, making ransom payment impossible. Traditional malware such as spyware or banking trojans pursues different objectives, ranging from espionage to account takeover.

A common misconception concerns backups. They restore availability, but the confidentiality of stolen data remains compromised. Relying solely on backups, victims negotiate under pressure in double extortion scenarios. Poorly isolated backups are also frequently encrypted alongside the primary data.

Frequently Asked Questions

Each question is locked. Tapping unlocks the answer.

Should you pay the ransom?

The BSI advises against it. Payment does not guarantee decryption or deletion of stolen data and funds further attacks. Affected parties should file a report.

Are backups sufficient protection?

Backups are central for recovery, but they do not solve the problem of stolen data. In cases of double extortion, the threat of publication remains. Moreover, backups must be offline and tested, otherwise they become encrypted as well.

How do attackers get into the network?

The most common methods are phishing emails, exploitable vulnerabilities in externally reachable systems, and poorly secured remote access such as RDP.

What is double extortion?

The attackers encrypt systems and steal data beforehand. In addition to ransom for decryption, they threaten to publish the data. The BSI observes this pattern in the majority of cases.

What reporting obligations apply in the event of an incident?

NIS2-regulated entities report significant incidents to the BSI in three stages: early warning within 24 hours, follow-up within 72 hours, final report within a month at the latest. If personal data are involved, the GDPR notification to the data protection authority also applies.

Editor’s Picks

Editor’s PickSüdwestfalen IT: The Lesson of Municipal ITEditor’s PickWhen HCI Turns Backup into an Attack SurfaceEditor’s PickFrom When the Reporting Deadline Clock Really Starts Ticking

More from the MBF Media Network

cloudmagazinGemini-CLI CVSS 10 RCE: What Cloud Architects Need to Patch Now in CI/CDMyBusinessFutureAI Action Month: Cyber Analytics for SMEs Without IT TeamsDigital ChiefsTech Mandates on the Supervisory Board: NIS2, the EU AI Act, and the Skills Gap

Further reading

A magazine by Evernine Media GmbH