---
title: What Is Ransomware? Explained for IT Decision-Makers
date: 2026-02-03T09:20:00+01:00
author: FAST LTA
canonical_url: "https://www.fast-lta.de//en/blog/was-ist-ransomware-einfach-erklärt-für-it-entscheider"
section: "Entries: Articles"
---
### Evolution: From CryptoLocker to RaaS

#### CryptoLocker (2013 to 2015)

2013 marked the turning point: CryptoLocker infected hundreds of thousands of computers and encrypted files using strong asymmetric cryptography. The demand: ransom in Bitcoin. At the time it was a shock. Today CryptoLocker looks primitive.

#### WannaCry and NotPetya (2017)

These worms used network exploits (EternalBlue) to propagate themselves. WannaCry alone hit more than 200,000 computers in around 150 countries. The lesson: ransomware no longer requires human interaction. It can self-replicate.

#### Ransomware-as-a-Service (RaaS): today

Today’s reality is professionalised. Cybercriminals offer ransomware as a service. Groups like LockBit, BlackCat, and Cl0p have operated like software companies with affiliate programmes. An attacker does not need to be a technician: they pay, get the malware, and launch their attack. The European Union Agency for Cybersecurity (ENISA) consistently ranks ransomware among the top threats in its annual Threat Landscape reports.

---

### Three Main Types of Ransomware

#### 1. Locker Ransomware (Screen Locker)

Blocks access to the system without encrypting data. The screen displays a message: pay to unlock. This type is often easy to remove and is becoming less common, but it is still encountered.

#### 2. Crypto Ransomware

Encrypts files using strong cryptography. This is the current standard. Files are inaccessible until the key is available, and the key is held by the attacker.

#### 3. Double Extortion Ransomware

The modern, more aggressive approach. The attacker:

- encrypts the data AND
- exfiltrates (steals) the data before encrypting it.

You then face two extortion scenarios: “pay, or your data stays encrypted” and “pay, or we publish your data.” This makes extortion harder to resist: even with working backups, the data may have been leaked.

---

### Why Prevention Alone Is Not Enough

IT security works in layers. Many organisations focus on prevention:

- Endpoint protection (EDR, antivirus)
- Email filtering
- Patch management
- Employee training

This is necessary, but not sufficient. Why?

1. Prevention is never 100 percent effective. Even the best EDR solution does not stop all zero-days or social engineering attacks.
2. Insider threats and misconfigurations exist. A disgruntled administrator or a misconfiguration can bypass the best defences.
3. Patch gaps always exist. Days or weeks pass between vulnerability disclosure and patching.

This is why recoverability is the key to real protection. An organisation with automated, tested, immutable, air-gapped backups can recover from a ransomware attack within hours to days, regardless of how far the attack progressed.

EU regulation reflects this shift. The NIS2 Directive (Directive (EU) 2022/2555) requires backup management and crisis management as part of risk management measures. GDPR Article 32 requires the ability to restore availability and access to personal data in a timely manner after an incident.

---

### Impact: What the Numbers Show

- Roughly seven in ten organisations report being attacked within a year (Veeam Ransomware Trends 2025).
- 89 percent of attacks targeted backup repositories; on average, about a third of those repositories were modified or deleted (Veeam 2025).
- 49 percent of organisations with encrypted data paid the ransom (Sophos State of Ransomware 2025).
- Industry reports consistently show that total recovery costs (downtime, restoration, forensics) amount to a multiple of the ransom demand itself.

These figures make one thing clear: ransomware is no longer an IT problem. It is a business risk with board-level relevance, and under NIS2, management bodies carry personal responsibility for approving and overseeing cybersecurity risk measures.

---

### Frequently Asked Questions

#### Is backup the only thing that helps against ransomware?

Backups are necessary but not sufficient. They must be combined with prevention (EDR, patch management). The key requirement: backups must be automated, offline or immutable, and regularly tested.

#### Why do companies pay the ransom even when they have backups?

Several reasons: backups are too old (RPO too high), not tested (recovery failed), or destroyed (ransomware also deleted the backups). Or the risk of a data leak (double extortion) is judged too high.

#### Can I decrypt the data myself?

Usually not. If your data is encrypted with modern ransomware, you need the attacker’s private key. Free decryptors exist only for a few older families. A clean backup is the reliable way out, supported by professional incident response.
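The backup requirements named above (automated, offline or immutable, regularly tested) and the failure modes from the FAQ (backups too old, untested, destroyed) can be checked mechanically against a backup inventory. The following is an added example, not part of the original article; the `BackupJob` record, the 24-hour RPO, the 90-day restore-test interval and the sample jobs are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumed policy thresholds (not from the article); set them to your own targets.
RPO = timedelta(hours=24)
RESTORE_TEST_INTERVAL = timedelta(days=90)

@dataclass
class BackupJob:  # hypothetical inventory record
    name: str
    scheduled: bool                        # runs automatically, not by hand
    last_success: Optional[datetime]       # newest usable restore point
    last_restore_test: Optional[datetime]  # last verified restore
    immutable: bool                        # repository cannot be altered or deleted
    offline_copy: bool                     # air-gapped copy exists

def audit(job: BackupJob, now: datetime) -> list[str]:
    """Return the recoverability gaps for one job; an empty list means none found."""
    gaps = []
    if not job.scheduled:
        gaps.append("not automated")
    if job.last_success is None:
        gaps.append("no restore point")
    elif now - job.last_success > RPO:
        gaps.append("RPO exceeded")          # "backups are too old"
    if job.last_restore_test is None:
        gaps.append("restore never tested")  # "not tested"
    elif now - job.last_restore_test > RESTORE_TEST_INTERVAL:
        gaps.append("restore test overdue")
    if not (job.immutable or job.offline_copy):
        gaps.append("no offline or immutable copy")  # repository can be destroyed
    return gaps

def audit_inventory(jobs, now):
    """Map each job name to its list of gaps."""
    return {job.name: audit(job, now) for job in jobs}

# Constructed sample inventory.
NOW = datetime(2026, 2, 3, 9, 0)
JOBS = [
    BackupJob("erp-db", True, NOW - timedelta(hours=6), NOW - timedelta(days=30), True, False),
    BackupJob("file-share", True, NOW - timedelta(days=3), None, False, False),
    BackupJob("mail-archive", False, NOW - timedelta(hours=12), NOW - timedelta(days=200), False, True),
]

if __name__ == "__main__":
    for name, gaps in audit_inventory(JOBS, NOW).items():
        print(f"{name}: {'OK' if not gaps else '; '.join(gaps)}")
```
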

---

### Further Resources

- Ransomware Protection: Guide for IT Decision-Makers (/en/blog/ransomware-schutz-leitfaden/)
- How Ransomware Destroys Backups: Technical Analysis (/en/blog/wie-ransomware-backups-zerstoert/)
- Ransomware-as-a-Service: How the Shadow Economy Works (/en/blog/ransomware-as-a-service/)
- Silent Brick System: Hardware Air Gap Backup (/en/produkte/silent-brick-system/)
- Request a Demo (/en/kontakt/demo/)

### GDPR

The GDPR (General Data Protection Regulation, EU 2016/679) is the European regulation for the protection of personal data — particularly relevant for IT infrastructure in Art. 5 (principles), Art. 17 (right to erasure), Art. 28 (processors) and Art. 32 (security of processing).

[Learn more →](https://www.fast-lta.de//en/glossary/gdpr)

### Disaster Recovery

Disaster recovery refers to the structured processes and technical measures that ensure IT systems can be restored within defined timeframes (RTO) and within a defined maximum data loss (RPO) after a severe failure (ransomware attack, hardware failure or data center outage).

[Learn more →](https://www.fast-lta.de//en/glossary/disaster-recovery)

### Ransomware-as-a-Service

Ransomware-as-a-Service (RaaS) is a business model of organized cybercrime in which specialized groups rent out ransomware tools as a service and receive a share of the extorted ransom — responsible for professionalized large-scale attacks on organizations, public bodies and critical infrastructure.

[Learn more →](https://www.fast-lta.de//en/glossary/ransomware-as-a-service)

### Ransomware

Ransomware is malware that encrypts data on infected systems and demands a ransom for decryption — with the goal of forcing organizations and public bodies to pay by paralyzing their operations.

[Learn more →](https://www.fast-lta.de//en/glossary/ransomware)

### Air Gap

An air gap is the complete physical interruption of all network connections between a backup system and the rest of the IT infrastructure, so that the system has no addressable network interface in its offline state and is therefore unreachable by ransomware and attackers.

[Learn more →](https://www.fast-lta.de//en/glossary/air-gap)
