Ransomware
Ransomware is malware that encrypts data or entire systems, or blocks access to them, and extorts a ransom in exchange for restoring access.
Ransomware (extortion software) is a form of malware that, after infecting a system, deliberately encrypts files, storage media or entire IT environments and denies legitimate users access. In return for decryption, the attackers demand a ransom, usually in cryptocurrency. A widespread variant today is so-called double extortion: before encryption, data is exfiltrated and the publication of the stolen information is threatened as additional leverage. For years, the German Federal Office for Information Security (BSI) has rated ransomware as one of the greatest threats to the information security of businesses and public administration.
Typical entry points include phishing emails with malicious attachments or links, unpatched vulnerabilities in publicly accessible services, compromised credentials, and inadequately secured remote access such as RDP or VPN. After initial access, attackers often move laterally through the network, escalate privileges and disable backups before triggering the actual encryption. Effective countermeasures therefore require a layered approach combining patch and vulnerability management, network segmentation, multi-factor authentication and the least-privilege principle, together with tested, offline or immutable backups following the 3-2-1 rule.
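A defender-side illustration of the encryption stage described above, added here as an example and not taken from the original text: a heuristic that flags an account which, within a short window, renames many files on a file server to a new extension. The audit-log format, account names, paths and thresholds are constructed assumptions, not those of any specific product.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from os.path import splitext

WINDOW = timedelta(seconds=60)  # sliding window per account (assumed tuning value)
THRESHOLD = 50                  # extension-changing renames per window before alerting


def parse_line(line):
    """Parse '<ISO ts> <user> <op> <path> [-> <new_path>]' (constructed format)."""
    ts, user, op, rest = line.split(" ", 3)
    path, _, new_path = rest.partition(" -> ")
    return datetime.fromisoformat(ts), user, op, path, new_path or None


def detect_mass_encryption(lines, window=WINDOW, threshold=THRESHOLD):
    """One alert per account whose extension-changing renames reach `threshold`
    inside any `window`; records when the burst began and which extensions appeared."""
    recent = defaultdict(deque)   # account -> timestamps of suspicious renames
    new_exts = defaultdict(set)
    alerts = {}
    for line in lines:
        ts, user, op, path, new_path = parse_line(line)
        if op != "RENAME" or new_path is None:
            continue
        if splitext(path)[1] == splitext(new_path)[1]:
            continue              # same extension: ordinary rename, ignore
        q = recent[user]
        q.append(ts)
        new_exts[user].add(splitext(new_path)[1])
        while q and ts - q[0] > window:
            q.popleft()           # forget events that left the sliding window
        if len(q) >= threshold and user not in alerts:
            alerts[user] = {"first_seen": q[0], "count": len(q),
                            "extensions": sorted(new_exts[user])}
    return alerts


def build_sample_log():
    """Constructed audit log: benign activity plus one account rewriting a share."""
    base = datetime(2024, 3, 4, 8, 0, 0)
    lines = [f"{base.isoformat()} alice WRITE /srv/share/finance/q1.xlsx",
             f"{(base + timedelta(seconds=5)).isoformat()} bob RENAME "
             "/srv/share/hr/draft.docx -> /srv/share/hr/policy.docx"]
    for i in range(60):  # 60 renames in 30 s, each file gains a new extension
        t = (base + timedelta(seconds=10 + i * 0.5)).isoformat()
        lines.append(f"{t} svc-erp RENAME /srv/share/erp/doc{i}.pdf -> /srv/share/erp/doc{i}.pdf.locked")
    return lines
```

Such an alert is a trigger for the isolation step in the incident response plan, not a replacement for it: the window and threshold must be tuned against the normal rename rate of each share to avoid firing on legitimate bulk operations.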
From a legal perspective, a ransomware incident touches several sets of obligations. Operators of critical infrastructure and essential as well as important entities within the meaning of the NIS2 Directive are subject to risk-management and reporting duties; a significant incident must be reported within 24 hours as an early warning and in more detail within 72 hours. Where personal data is affected, the obligations under Articles 33 and 34 GDPR additionally apply. The BSI and law enforcement authorities explicitly advise against paying a ransom, since recovery is not guaranteed and payments finance the criminal business model.
Legal Basis
Art. 21 and Art. 23 NIS2 Directive (EU) 2022/2555; Section 8b BSIG; Art. 33 and Art. 34 GDPR; ISO/IEC 27001 (A.8 Technological controls)
Practical Example
On a Monday morning, a mid-sized mechanical engineering company discovers that its file servers and ERP system have been encrypted; a ransom note in the directories demands payment in Bitcoin. The information security officer activates the incident response plan, isolates the affected segments from the network and brings in the CSIRT. Because the company qualifies as an important entity under NIS2, it submits an initial notification to the BSI within 24 hours and, together with the data protection officer, assesses the reporting obligation under Art. 33 GDPR. Rather than paying, the team restores from offline, tested backups and closes the exploited VPN vulnerability through patching and MFA.