Ransomware is malicious software that denies a victim access to their own data or systems and demands payment to restore it. The most common form encrypts the victim’s files so they cannot be opened, then displays a ransom note demanding payment, typically in cryptocurrency, in exchange for the decryption key. NIST’s Ransomware Risk Management profile (NISTIR 8374) describes ransomware as an attack in which adversaries encrypt an organization’s data and demand payment to restore access, sometimes also stealing the data and threatening to publish it.
Cryptocurrency made the model practical at scale. Because payments can be sent pseudonymously and are hard to reverse or trace, attackers can collect ransoms from victims worldwide without an obvious money trail. Demands range from a few hundred dollars against individuals to millions against large organizations.
The 2017 WannaCry outbreak showed how fast ransomware can spread. According to the CISA / US-CERT alert (TA17-132A), WannaCry propagated by exploiting a Windows SMB vulnerability (MS17-010), spreading worm-like across networks and infecting tens of thousands of systems in over 150 countries within days. Microsoft had released a patch in March 2017, but unpatched machines remained vulnerable. The U.S. government later attributed WannaCry to North Korea.
The same year, the NotPetya malware used similar spreading techniques but was designed to destroy data rather than to collect ransom reliably, and it caused billions of dollars in damage to global companies. Ransomware has repeatedly crippled critical services: hospitals have been forced to divert patients, and ports and logistics operations have been brought to a halt. That record makes it one of the most damaging classes of modern cybercrime.