{"id":21817,"date":"2026-07-08T11:00:00","date_gmt":"2026-07-08T11:00:00","guid":{"rendered":"https:\/\/www.securitytoday.de\/2026\/07\/08\/what-is-ransomware-definition-process-protection\/"},"modified":"2026-07-10T22:17:44","modified_gmt":"2026-07-10T22:17:44","slug":"what-is-ransomware-definition-process-protection","status":"publish","type":"post","link":"https:\/\/www.securitytoday.de\/en\/2026\/07\/08\/what-is-ransomware-definition-process-protection\/","title":{"rendered":"What Is Ransomware? Definition, Process, and Protection"},"content":{"rendered":"<div class=\"st-definition\">\n<p><strong>What is Ransomware?<\/strong> Ransomware is malware that blocks access to data and systems, typically by encryption. The release is only offered by the perpetrators in exchange for ransom. BSI classifies it as an attack on availability and as a form of digital extortion. Modern attacks usually combine encryption with data theft and the threat of publication.<\/p>\n<\/div>\n<div style=\"background:#003340;color:#fff;padding:32px 36px;margin:32px 0;border-radius:8px;\">\n<p style=\"margin:0 0 18px 0;font-size:0.95em;font-weight:800;text-transform:uppercase;letter-spacing:0.2em;color:#69d8ed;border-bottom:2px solid rgba(105,216,237,0.25);padding-bottom:12px;\">Key Takeaways<\/p>\n<ul style=\"margin:0;padding-left:22px;color:rgba(255,255,255,0.92);line-height:1.6;\">\n<li style=\"margin-bottom:10px;\"><strong style=\"color:#69d8ed;\">Mechanics:<\/strong> Encryption cripples systems, with the key the attackers demand ransom. Stolen data serves as a second pressure tool.<\/li>\n<li style=\"margin-bottom:10px;\"><strong style=\"color:#69d8ed;\">Process:<\/strong> Attackers gain entry via phishing, vulnerabilities or open remote access, spread across the network and only encrypt at the end.<\/li>\n<li style=\"margin-bottom:0;\"><strong style=\"color:#69d8ed;\">Protection:<\/strong> Tested offline backups, network segmentation, MFA and consistent patching most effectively reduce the risk.<\/li>\n<\/ul>\n<\/div>\n<h2>How a Real Attack Unfolds<\/h2>\n<p>A ransomware incident begins long before the visible encryption. The most common entry vectors are phishing emails with malicious attachments, exploitable vulnerabilities in externally reachable systems, and poorly secured remote access such as RDP. The BSI (Federal Office for Information Security) has listed these three vectors at the top for years.<\/p>\n<p>After gaining initial access, attackers secure persistent access and expand their privileges, often using stolen credentials and administrator accounts. They then move laterally through the network, typically via services such as SMB or RDP. MITRE ATT&#038;CK (a globally recognized adversary tactic framework) describes these phases as Lateral Movement.<\/p>\n<div data-element=\"key_number\" style=\"background:#003340;border:1px solid rgba(105,216,237,0.28);border-radius:10px;padding:28px 24px;margin:32px 0;text-align:center;\">\n<div style=\"font-size:1.6em;font-weight:800;color:#69d8ed;line-height:1.05;word-break:keep-all;\">950 Displays<\/div>\n<p style=\"margin:10px 0 0;font-size:0.92em;color:#e6e3da;\">Ransomware attacks in Germany in the reporting period 2024\/2025<\/p>\n<p style=\"margin:6px 0 0;font-size:0.78em;color:#8fa3ab;\">Source: BSI Situation Report 2025<\/p>\n<\/div>\n<p>Before encryption, attackers in the majority of cases exfiltrate data. Only afterwards does the actual encryption commence, referred to in MITRE ATT&#038;CK as technique T1486. The ransom demand thus appears at the end of an operation that often lasts days or weeks. Exactly within this timeframe, effective detection can still mitigate the damage.<\/p>\n<h2>Double Extortion as a Business Model<\/h2>\n<p>Double extortion means: attackers demand ransom for decryption and also threaten to publish the stolen data. The BSI (Federal Office for Information Security) notes this dual leverage in most ransomware incidents. Paying the ransom does not guarantee data recovery nor does it prevent a leak.<\/p>\n<p>Behind these attacks lies collaborative crime. In the Ransomware-as-a-Service model, operators provide the malware and infrastructure, while partners carry out the attacks and both split the proceeds. According to the BSI\u2019s threat report, around 80 percent of the displayed attacks in Germany targeted small and medium-sized enterprises. The perpetrators look for reachable targets with weak defenses, not high\u2011profile names.<\/p>\n<h2>What Companies Need to Check Now<\/h2>\n<p>The most effective protection starts before encryption. Backups determine recovery, so they should be stored separately from the production network and regularly tested for recoverability. Segmentation limits spread, MFA secures the access points attackers most often use.<\/p>\n<div data-element=\"checklist\" style=\"background:#23261f;border:1px solid rgba(105,216,237,0.22);border-radius:10px;padding:22px 24px;margin:32px 0;box-shadow:inset 0 1px 0 rgba(230,227,218,0.06),0 2px 10px rgba(0,0,0,0.22);\">\n<p style=\"margin:0 0 12px;font-family:'IBM Plex Mono',ui-monospace,SFMono-Regular,monospace;font-size:0.72em;letter-spacing:0.12em;text-transform:uppercase;color:#69d8ed;\">CHECK NOW<\/p>\n<ul style=\"margin:0;padding-left:0;list-style:none;\">\n<li style=\"margin:0 0 10px;padding-left:26px;position:relative;color:#e6e3da;line-height:1.5;\"><span style=\"position:absolute;left:0;color:#69d8ed;\">&#10003;<\/span>Create backups following the 3-2-1 principle, keep one copy offline, test restoration<\/li>\n<li style=\"margin:0 0 10px;padding-left:26px;position:relative;color:#e6e3da;line-height:1.5;\"><span style=\"position:absolute;left:0;color:#69d8ed;\">&#10003;<\/span>Segment the network so that a compromised client does not endanger the entire network<\/li>\n<li style=\"margin:0 0 10px;padding-left:26px;position:relative;color:#e6e3da;line-height:1.5;\"><span style=\"position:absolute;left:0;color:#69d8ed;\">&#10003;<\/span>Enforce MFA for all remote accesses and privileged accounts<\/li>\n<li style=\"margin:0 0 10px;padding-left:26px;position:relative;color:#e6e3da;line-height:1.5;\"><span style=\"position:absolute;left:0;color:#69d8ed;\">&#10003;<\/span>Prioritize security updates on externally reachable systems<\/li>\n<li style=\"margin:0 0 10px;padding-left:26px;position:relative;color:#e6e3da;line-height:1.5;\"><span style=\"position:absolute;left:0;color:#69d8ed;\">&#10003;<\/span>Document an incident-response plan, clarify reporting paths and rehearse the worst case<\/li>\n<\/ul>\n<\/div>\n<h2>Distinguishing Related Terms<\/h2>\n<p>Ransomware targets extortion: attackers offer a key for payment. Wiper malware, however, irreversibly destroys data, making ransom payment impossible. Traditional malware such as spyware or banking trojans pursues different objectives, ranging from espionage to account takeover.<\/p>\n<p>A common misconception concerns backups. They restore availability, but the confidentiality of stolen data remains compromised. Relying solely on backups, victims negotiate under pressure in double extortion scenarios. Poorly isolated backups are also frequently encrypted alongside the primary data.<\/p>\n<h2 style=\"padding-top:64px;margin-bottom:20px;\">Frequently Asked Questions<\/h2>\n<p class=\"st-faq-hint\">Each question is locked. Tapping unlocks the answer.<\/p>\n<details>\n<summary><strong>Should you pay the ransom?<\/strong><\/summary>\n<p style=\"margin:8px 0 4px 24px;color:#555;line-height:1.6;\">The BSI advises against it. Payment does not guarantee decryption or deletion of stolen data and funds further attacks. Affected parties should file a report.<\/p>\n<\/details>\n<details>\n<summary><strong>Are backups sufficient protection?<\/strong><\/summary>\n<p style=\"margin:8px 0 4px 24px;color:#555;line-height:1.6;\">Backups are central for recovery, but they do not solve the problem of stolen data. In cases of double extortion, the threat of publication remains. Moreover, backups must be offline and tested, otherwise they become encrypted as well.<\/p>\n<\/details>\n<details>\n<summary><strong>How do attackers get into the network?<\/strong><\/summary>\n<p style=\"margin:8px 0 4px 24px;color:#555;line-height:1.6;\">The most common methods are phishing emails, exploitable vulnerabilities in externally reachable systems, and poorly secured remote access such as RDP.<\/p>\n<\/details>\n<details>\n<summary><strong>What is double extortion?<\/strong><\/summary>\n<p style=\"margin:8px 0 4px 24px;color:#555;line-height:1.6;\">The attackers encrypt systems and steal data beforehand. In addition to ransom for decryption, they threaten to publish the data. The BSI observes this pattern in the majority of cases.<\/p>\n<\/details>\n<details>\n<summary><strong>What reporting obligations apply in the event of an incident?<\/strong><\/summary>\n<p style=\"margin:8px 0 4px 24px;color:#555;line-height:1.6;\">NIS2-regulated entities report significant incidents to the BSI in three stages: early warning within 24 hours, follow-up within 72 hours, final report within a month at the latest. If personal data are involved, the GDPR notification to the data protection authority also applies.<\/p>\n<\/details>\n<p><!--ST-LOWER-CARDS lang=en--><\/p>\n<h3 style=\"margin:48px 0 18px;padding-left:12px;font-size:1.05em;font-weight:800;color:#e6e3da;border-left:3px solid #69d8ed;line-height:1.2;\">Editor&#8217;s Picks<\/h3>\n<p><a href=\"https:\/\/www.securitytoday.de\/en\/2026\/07\/05\/south-westphalia-it-the-lesson-of-municipal-it\/\" style=\"display:flex;align-items:center;gap:14px;padding:12px 14px;margin:0 0 10px;background:#23261f;border:1px solid rgba(105,216,237,0.18);border-radius:12px;box-shadow:inset 0 1px 0 rgba(230,227,218,0.06),0 6px 18px rgba(0,0,0,0.22);text-decoration:none;color:#e6e3da;box-sizing:border-box;width:100%;\"><span style=\"flex:0 0 116px;aspect-ratio:16\/9;overflow:hidden;border-radius:8px;background:#111210;border:1px solid rgba(230,227,218,0.08);display:block;\"><img decoding=\"async\" src=\"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/07\/suedwestfalen-it-akira-post-mortem-kommunale-it-sicherheit-cover-hero-1-250x143.jpg\" alt=\"\" loading=\"lazy\" width=\"116\" height=\"65\" style=\"width:100%;height:100%;object-fit:cover;display:block;\"><\/span><span style=\"display:block;min-width:0;\"><span style=\"display:block;font-size:0.68em;font-weight:700;letter-spacing:0.1em;text-transform:uppercase;color:#69d8ed;margin-bottom:5px;\">Editor&#8217;s Pick<\/span><span style=\"display:block;font-size:1.0em;font-weight:650;line-height:1.35;color:#e6e3da;overflow-wrap:anywhere;\">S\u00fcdwestfalen IT: The Lesson of Municipal IT<\/span><\/span><\/a><a href=\"https:\/\/www.securitytoday.de\/en\/2026\/06\/24\/when-hci-turns-backup-into-an-attack-surface\/\" style=\"display:flex;align-items:center;gap:14px;padding:12px 14px;margin:0 0 10px;background:#23261f;border:1px solid rgba(105,216,237,0.18);border-radius:12px;box-shadow:inset 0 1px 0 rgba(230,227,218,0.06),0 6px 18px rgba(0,0,0,0.22);text-decoration:none;color:#e6e3da;box-sizing:border-box;width:100%;\"><span style=\"flex:0 0 116px;aspect-ratio:16\/9;overflow:hidden;border-radius:8px;background:#111210;border:1px solid rgba(230,227,218,0.08);display:block;\"><img decoding=\"async\" src=\"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/06\/wenn-hci-auch-das-backup-absichern-muss-hero-250x141.jpg\" alt=\"\" loading=\"lazy\" width=\"116\" height=\"65\" style=\"width:100%;height:100%;object-fit:cover;display:block;\"><\/span><span style=\"display:block;min-width:0;\"><span style=\"display:block;font-size:0.68em;font-weight:700;letter-spacing:0.1em;text-transform:uppercase;color:#69d8ed;margin-bottom:5px;\">Editor&#8217;s Pick<\/span><span style=\"display:block;font-size:1.0em;font-weight:650;line-height:1.35;color:#e6e3da;overflow-wrap:anywhere;\">When HCI Turns Backup into an Attack Surface<\/span><\/span><\/a><a href=\"https:\/\/www.securitytoday.de\/en\/2026\/06\/25\/from-when-the-reporting-deadline-clock-really-starts-ticking\/\" style=\"display:flex;align-items:center;gap:14px;padding:12px 14px;margin:0 0 10px;background:#23261f;border:1px solid rgba(105,216,237,0.18);border-radius:12px;box-shadow:inset 0 1px 0 rgba(230,227,218,0.06),0 6px 18px rgba(0,0,0,0.22);text-decoration:none;color:#e6e3da;box-sizing:border-box;width:100%;\"><span style=\"flex:0 0 116px;aspect-ratio:16\/9;overflow:hidden;border-radius:8px;background:#111210;border:1px solid rgba(230,227,218,0.08);display:block;\"><img decoding=\"async\" src=\"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/07\/nis2-dora-dsgvo-meldefristen-vergleich-startpunkt-incident-cover-hero-1-250x143.jpg\" alt=\"\" loading=\"lazy\" width=\"116\" height=\"65\" style=\"width:100%;height:100%;object-fit:cover;display:block;\"><\/span><span style=\"display:block;min-width:0;\"><span style=\"display:block;font-size:0.68em;font-weight:700;letter-spacing:0.1em;text-transform:uppercase;color:#69d8ed;margin-bottom:5px;\">Editor&#8217;s Pick<\/span><span style=\"display:block;font-size:1.0em;font-weight:650;line-height:1.35;color:#e6e3da;overflow-wrap:anywhere;\">From When the Reporting Deadline Clock Really Starts Ticking<\/span><\/span><\/a><\/p>\n<h3 style=\"margin:48px 0 18px;padding-left:12px;font-size:1.05em;font-weight:800;color:#e6e3da;border-left:3px solid #69d8ed;line-height:1.2;\">More from the MBF Media Network<\/h3>\n<p><a href=\"https:\/\/www.cloudmagazin.com\/en\/2026\/05\/25\/gemini-cli-cvss-10-rce-what-cloud-architects-need-to-patch-now-in-ci-cd\/\" style=\"display:flex;align-items:center;gap:14px;padding:12px 14px;margin:0 0 10px;background:#23261f;border:1px solid rgba(105,216,237,0.18);border-radius:12px;box-shadow:inset 0 1px 0 rgba(230,227,218,0.06),0 6px 18px rgba(0,0,0,0.22);text-decoration:none;color:#e6e3da;box-sizing:border-box;width:100%;\"><span style=\"flex:0 0 116px;aspect-ratio:16\/9;overflow:hidden;border-radius:8px;background:#111210;border:1px solid rgba(230,227,218,0.08);display:block;\"><img decoding=\"async\" src=\"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/07\/net-gemini-cli-cvss-10-rce-ghsa-wpqr-cloud-c-29982197.jpg\" alt=\"\" loading=\"lazy\" width=\"116\" height=\"65\" style=\"width:100%;height:100%;object-fit:cover;display:block;\"><\/span><span style=\"display:block;min-width:0;\"><span style=\"display:block;font-size:0.68em;font-weight:700;letter-spacing:0.1em;text-transform:uppercase;color:#0bb7fd;margin-bottom:5px;\">cloudmagazin<\/span><span style=\"display:block;font-size:1.0em;font-weight:650;line-height:1.35;color:#e6e3da;overflow-wrap:anywhere;\">Gemini-CLI CVSS 10 RCE: What Cloud Architects Need to Patch Now in CI\/CD<\/span><\/span><\/a><a href=\"https:\/\/mybusinessfuture.com\/en\/ai-action-month-cyber-analytics-for-smes-without-it-teams\/\" style=\"display:flex;align-items:center;gap:14px;padding:12px 14px;margin:0 0 10px;background:#23261f;border:1px solid rgba(105,216,237,0.18);border-radius:12px;box-shadow:inset 0 1px 0 rgba(230,227,218,0.06),0 6px 18px rgba(0,0,0,0.22);text-decoration:none;color:#e6e3da;box-sizing:border-box;width:100%;\"><span style=\"flex:0 0 116px;aspect-ratio:16\/9;overflow:hidden;border-radius:8px;background:#111210;border:1px solid rgba(230,227,218,0.08);display:block;\"><img decoding=\"async\" src=\"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/07\/net-mai-aktionsmonat-was-kostenfreie-ki-cybe-31405833-250x141.jpg\" alt=\"\" loading=\"lazy\" width=\"116\" height=\"65\" style=\"width:100%;height:100%;object-fit:cover;display:block;\"><\/span><span style=\"display:block;min-width:0;\"><span style=\"display:block;font-size:0.68em;font-weight:700;letter-spacing:0.1em;text-transform:uppercase;color:#aa8ac2;margin-bottom:5px;\">MyBusinessFuture<\/span><span style=\"display:block;font-size:1.0em;font-weight:650;line-height:1.35;color:#e6e3da;overflow-wrap:anywhere;\">AI Action Month: Cyber Analytics for SMEs Without IT Teams<\/span><\/span><\/a><a href=\"https:\/\/www.digital-chiefs.de\/en\/tech-mandates-on-the-supervisory-board-nis2-the-eu-ai-act-and-the-skills-gap\/\" style=\"display:flex;align-items:center;gap:14px;padding:12px 14px;margin:0 0 10px;background:#23261f;border:1px solid rgba(105,216,237,0.18);border-radius:12px;box-shadow:inset 0 1px 0 rgba(230,227,218,0.06),0 6px 18px rgba(0,0,0,0.22);text-decoration:none;color:#e6e3da;box-sizing:border-box;width:100%;\"><span style=\"flex:0 0 116px;aspect-ratio:16\/9;overflow:hidden;border-radius:8px;background:#111210;border:1px solid rgba(230,227,218,0.08);display:block;\"><img decoding=\"async\" src=\"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/07\/net-tech-mandate-aufsichtsrat-nis2-eu-ai-act-39094777-250x143.jpg\" alt=\"\" loading=\"lazy\" width=\"116\" height=\"65\" style=\"width:100%;height:100%;object-fit:cover;display:block;\"><\/span><span style=\"display:block;min-width:0;\"><span style=\"display:block;font-size:0.68em;font-weight:700;letter-spacing:0.1em;text-transform:uppercase;color:#e8828d;margin-bottom:5px;\">Digital Chiefs<\/span><span style=\"display:block;font-size:1.0em;font-weight:650;line-height:1.35;color:#e6e3da;overflow-wrap:anywhere;\">Tech Mandates on the Supervisory Board: NIS2, the EU AI Act, and the Skills Gap<\/span><\/span><\/a><!--\/ST-LOWER-CARDS--><\/p>\n","protected":false},"excerpt":{"rendered":"Ransomware explained: how attacks unfold, what double extortion means, and five key BSI-recommended protection measures.","protected":false},"author":50,"featured_media":21798,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_yoast_wpseo_focuskw":"ransomware","_yoast_wpseo_title":"What Is Ransomware? Definition, Process, and Protection","_yoast_wpseo_metadesc":"Ransomware explained: how attacks work, what double extortion is, and five proven BSI-recommended protection strategies.","_yoast_wpseo_meta-robots-noindex":"","_yoast_wpseo_meta-robots-nofollow":"","_yoast_wpseo_meta-robots-adv":"","_yoast_wpseo_canonical":"","_yoast_wpseo_opengraph-title":"","_yoast_wpseo_opengraph-description":"","_yoast_wpseo_opengraph-image":"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/07\/was-ist-ransomware-cover-hero.jpg","_yoast_wpseo_opengraph-image-id":0,"_yoast_wpseo_twitter-title":"","_yoast_wpseo_twitter-description":"","_yoast_wpseo_twitter-image":"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/07\/was-ist-ransomware-cover-hero.jpg","_yoast_wpseo_twitter-image-id":0,"evm_cvss":0,"evm_risk":0,"evm_casefile":"","evm_primary_cve":"","_evm_translation_lang":"en","featured_post":0,"featured_post_sortierung":0,"_wp_old_slug":[],"footnotes":""},"categories":[263],"tags":[],"class_list":["post-21817","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-sicherheitslexikon-en"],"evm_reading_time_minutes":5,"wpml_language":"en","wpml_translation_of":21790,"_links":{"self":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts\/21817","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/users\/50"}],"replies":[{"embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/comments?post=21817"}],"version-history":[{"count":1,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts\/21817\/revisions"}],"predecessor-version":[{"id":21827,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts\/21817\/revisions\/21827"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/media\/21798"}],"wp:attachment":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/media?parent=21817"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/categories?post=21817"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/tags?post=21817"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}