Ransomware Explained: Understanding the Ransomware Ecosystem

Ransomware

Explained

Understanding the Ransomware Ecosystem – From RaaS Operators to Ransom Demands to How Ransomware Attacks Work

While its origins stretch back decades, it’s only in more recent years that ransomware has become a major threat for organizations of all sizes and industries, with ransomware-as-a-service (RaaS) operators and affiliates dominating the threat landscape.

Understanding ransomware — from its origins to its impacts to the TTPs that allow ransomware gangs to exploit victim organizations and make off with millions in ransom payments and extortion fees — is the key to defending against it.

Even when a company employs leading-edge security tools and robust processes throughout its organization, it still is at risk. But exploring the world of ransomware and the motives of threat actors can help you better understand where your organization may be vulnerable and how you can protect it more effectively.

Table of Contents

01

The History of Ransomware

The ransomware we know today began decades ago with a floppy disk. Since then, it’s seen evolution after evolution, driven by technological advances such as email, bitcoin, and the dark web.

The highlights include:

1980s AND 90s
1989

First Recorded Attack

Ransomware has existed since the 1980s, with the first recorded attack occurring in 1989. This first strain of ransomware — the AIDS Trojan — was easy to remove, rendering it ineffective.
Read More

EARLY 2000s
2006

Archievus Appears

The first strain to use advanced RSA encryption —Archievus — appears.

2010s
2010

Cryptocurrencies

Bitcoin, along with other cryptocurrencies, gain popularity, giving threat actors an avenue for collecting often untraceable, digital payment.

 
2012

Ransomware-as-a-service Arrives

The first instance of ransomware-as-a-service (RaaS) occurs with Reveton ransomware. The malware would impersonate local law enforcement, threatening victims with arrest or criminal charges if they did not pay.

 
2017

WannaCry Impact

WannaCry ransomware hits hundreds of thousands of devices across more than 150 countries, making it one of the biggest ransomware attacks in history.

 
2018

Data Exfiltration

Ransomware starts to utilize data exfiltration, first executed with the GrandCrab strain, which was integrated with a file-stealing malware.

 
2019

Dark Web Leak Sites

Leak sites begin to pop up on the dark web, exposing victims to further financial and reputational losses, as well as allowing for stolen credentials and personally identifiable information (PII) to be used in future attacks.

VIEW FULL TIMELINE

Want to explore ransomware’s dark history in full?

See our complete timeline.

View Full Timeline

02

Ransomware Groups Behind Dominant Ransomware Variants in 2024

Focusing on engagements in which the Arctic Wolf Incident Response team confidently attributed an attack to a particular ransomware variant, the five variants we encountered the most in 2024 were BlackCat (AlphV), LockBit 3.0, Akira, Royal, and BlackBasta.

Group Name

Akira

First Observed

2023

Victims in 2024

215

Preferred Initial Access Method

Lack of MFA

Full Breakdown
 

Akira

icon

First Observed:

2023

icon

Claimed Victims in 2024:

215

icon

Preferred Initial Access Method:

Lack of MFA Accessing VPNs without multi-factor authentication (MFA) for initial network access. Read Blog

Key Traits

Akira practices multi-extortion tactics and hosts a dark site where, should a victim fail to comply with ransom demands, they are listed alongside stolen data.

Notable Moments:

Starting in October 2023, Arctic Wolf Labs has investigated several cases of Royal and Akira ransomware victims being targeted1 in follow-on extortion attacks, which have involved victims being contacted for extortion after the original compromise took place.

Sources

Group Name

LockBit 3.0

Initially “ABCD,” changed name to LockBit in 2020

First Observed

2020

Victims in 2024

775

Preferred Initial Access Method

Varies

Full Breakdown

LockBit 3.0

icon

First Observed:

2019Initially “ABCD,” changed name to LockBit in 2020

icon

Claimed Victims in 2023:

926

icon

Preferred Initial Access Method:

VariesThe group has been known to brute-force remote desktop protocols (RDP) or employ phishing attacks for initial access.

Key Traits

Known for targeting critical infrastructure, LockBit 3.0 functions as an RaaS model and often extorts data while demanding extremely high ransoms. They also tend to publish data to dark web leak sites before payment,1 promising to delete the data upon payment.

Notable Moments:

LockBit 3.0 is one of the most prolific groups operating and is responsible for more than 1,700 attacks since 2020, taking in over $91 million USD in ransoms.2 In February 2024, the National Crime Agency (NCA) of Britain and the Federal Bureau of Investigation (FBI) announced the seizure of the group’s infrastructure (including their leak site), 34 servers, the closure of 14,000 rogue accounts, and the freezing of 200 cryptocurrency accounts, as well as five indictments against members of the group.

Sources

Group Name

Play

First Observed

2022

Victims in 2024

386

Preferred Initial Access Method

Remote Monitoring and Management (RMM) tool exploitation and Remote Desktop Protocol (RDP) exploitation

Full Breakdown

Play

icon

First Observed:

June 2022

icon

Claimed Victims in 2023:

386

icon

Preferred Initial Access Method:

Remote Monitoring and Management (RMM) tool exploitation and Remote Desktop Protocol (RDP) exploitation

Notable Moments:

Known for exploiting ConnectWise ScreenConnect and SimpleHelp – both popular RMM tools utilized by a wide range of organizations, Play has become known for both its proliferation and high ransom demands, with a median initial ransom demand of $5,595,000 (USD), which are often followed by the use of scare tactics to intice quick payment.

Sources

Group Name

Fog

First Observed

2024

Victims in 2024

24

Preferred Initial Access Method

Compromised virtual private network (VPN) credentials or system vulnerabilities

Full Breakdown

Fog

First Observed:

May 2024

icon

Claimed Victims in 2023:

199

icon

Preferred Initial Access Method:

Compromised virtual private network (VPN) credentials or system vulnerabilities

Notable Moments:

With a focus on targeting organizations within the education sector, Fog often uses a double extortion scheme and has been linked back to both Akira and Conti, though the group doesn’t appear to have a singular, centralized operation. Fog is known for negotiating ransoms and had a median starting ransom demand of $610,000 (USD) in 2024.

Sources

Group Name

Black Suit

First Observed

2023

Victims in 2024

116

Preferred Initial Access Method

Phishing

Full Breakdown

Black Suit

First Observed:

May 2023

icon

Claimed Victims in 2023:

116

icon

Preferred Initial Access Method:

Phishing

Key Traits

An evolution of Royal – one of the top ransomware groups of 2023 – Black Suit is known for data exfiltration and extortion prior to encryption and is infamous for calling victims on the phone with an ominous message, particularly right at the beginning of ransom negotiations.

Notable Moments:

Targeting primarily manufacturing and other critical infrastructure organizations, this group has an average starting ransom demand of $650,000 (USD) but is known to demand a ransom as high as $60 million (USD). In late 2025, the U.S. Department of Justice (DoJ) confirmed that an international law enforcement operation resulted in the seizure of domains used by the BlackSuit ransomware group.

Sources

The Blurred Lines of the Ransomware Ecosystem

While ransomware variants originate from specific ransomware operators, behind the scenes, the ransomware ecosystem has blurred lines:
Alliance icon
Individual ransomware groups often work with many different affiliates
Incognito icon
Affiliates may use several different ransomware variants — from different groups — concurrently
The ransomware groups behind some of the most in-use variants have made claim to some of the biggest attacks in recent memory, including:

The U.K. Royal Mail and Boeing By: Lockbit

CDK GlobalBy: black suit

The City of OaklandBy: Play

Krispy Kreme By: play

Nissan Australia By: Akira

LockBit, and a handful of other ransomware groups, dominated the RaaS space in 2024, as they did the year prior. This demonstrates both the continuing effectiveness of their operating models and their ability to evade law enforcement — or at least it did.

Law Enforcement Gains Success Striking Back

Despite some of the more prolific groups that have remained active over multi-year periods, international law enforcement operations are having success taking down ransomware operations,1 shuttering dark web marketplaces,2 and closing cryptocurrency mixers/tumblers3 that facilitate laundering of ransomware proceeds.

Hive

One of the most active ransomware operators of 2022, Hive, was infiltrated and taken down in January 2023, as announced by Europol and the U.S. Department of Justice.4
The RaaS group’s payment and data leak sites were seized as part of the international law enforcement operation. This operation captured the group’s decryption keys and offered them to victims worldwide, saving victims over $130 million in potential ransom payments.

AlphV

AlphV, also known as BlackCat, made headlines multiple times in late 2023. First, with their move to file a with the Securities and Exchange Commission (SEC) against a victim company5 as a new pressure tactic, outing the victim for not filing a disclosure in response to becoming one of the group’s latest victims.
By December, AlphV found themselves in the crosshairs of international law enforcement, when the FBI disrupted its operations and released a decryption tool that allowed compromised victims to recover their data. In response to an escalating game of tug-of-war with law enforcement, AlphV promptly moved victim notifications to a different site.6 To date, the new AlphV-owned site continues to post victims.
During this period, which (at least for now) appears to be a temporary setback, AlphV offered incentives to retain its criminal affiliates, who were likely feeling the heat from the close call with the FBI. The FBI operation also gave other ransomware groups like LockBit an opportunity to poach AlphV affiliates.7

In February 2024, the pressure on many of these groups only intensified as the U.S. Department of State announced $15 million (USD) bounties on three of the most prolific RaaS operators: AlphV, LockBit, and Hive.8 A reward of up to $10 million (USD) is available for information leading to the identification or location of any individual(s) who hold a key leadership position in these transnational organized crime groups, along with a reward of up to $5 million (USD) for information leading to the arrest and/or conviction of any individual conspiring to participate in, or attempting to participate in, the three named group’s ransomware activities.

What does this mean for the threat landscape facing today’s organizations?

More groups are competing for the attention and allegiance of more affiliates, with affiliates responding to economic incentives by aligning with groups that have the most reliable tools, strongest track record of fulfilling their agreements, and greatest ability to evade law enforcement.
As the saying goes, no animal is more dangerous than when it’s cornered, and right now ransomware groups are feeling cornered. We expect to see more ambitious ransoms, stricter negotiations, more aggressive naming and shaming, and further experimentation with new tactics throughout 2024.
It’s also possible that some operators will decide to retire altogether or shift to an alternative form of cybercrime, like business email compromise (BEC).

2025 Arctic Wolf Security Operations

The second annual Security Operations Report demonstrates how Arctic Wolf’s world-class SOC closes the effectiveness gap.

Download Report

03

What Is the True Cost of Ransomware?

According to Chainalysis, ransomware payments in 2024 totaled $813.55 million (USD) in 2024. This is a significant drop from 2024, where the total was over a billion, the highest number ever observed, and the average cost of a ransomware attack reached $5.08 million  (USD) source: IBM according to the 2025 IBM Cost of a Data Breach report, up 11% from the average cost of $4.54 million (USD) in the 2022 report. While the global total may have dropped, 2024 saw the largest ransom payment on record. A Fortune 50 company reportedly paid a staggering $75 million (USD) in Bitcoin to the Dark Angels group.

And while most in the cybersecurity community have grown accustomed to seeing these massive ransom payment figures, most of the costs incurred from ransomware attacks have nothing to do with the ransom demanded. Lost productivity and the recovery time required to get IT systems running and back to normal operating levels are significant expenses incurred by organizations in the aftermath of a ransomware attack.

Common Costs Associated with a Ransomware Attack

View a detailed breakdown of expected ransomware costs estimated against an organization’s annual revenue.

Organizations with $0-$25M Annual Revenues

Well-Known Costs:

  • Forensics
  • Incident Response Legal Counsel
  • Restoration & Recovery
  • Notifications to Customers and Vendor Costs
  • PR Costs
  • Regulatory Fines

$409K

Lesser-Known Costs:

  • Ransom Payment
  • Lawsuits
  • Data Mining
  • Credit Monitoring

$1.4M

Where insurance coverage (typically) ends

$338K

Revenue
Downtime
22 days of lost profits1

$61K

Wasted
Payroll

50% of employees not producing for 22 days

$140K

Loss of Future
Revenues
10% drop in profits from lost revenues for the following 3 months 2,4

$972K

Company Valuation
Decline
3% lower stock price after 6 months3,4

Should You Pay the Ransom?

While the FBI does NOT recommend negotiating or paying ransom, the 2023 IBM Cost of Data Breach Report presents some interesting insights regarding how paying or not paying ransom impacts the overall cost of a ransomware event. Organizations that paid the ransom during a ransomware attack achieved only a small difference in total cost, paying $110,000 or 2.2% less compared to victim organizations that didn’t succumb to ransom demands.

However, this data doesn’t include the cost of the ransom itself. With the high cost associated with most ransom demands, organizations that did make payments likely ended up paying more than organizations that didn’t pay the ransom.

How Do Threat Actors Determine Ransom Demands?

Threat actors use a variety of factors to determine an initial ransom demand. Some items that factor into those demands include:

Organization Size icon

The victim organization’s size and financial position, which threat actors use to estimate the organization’s ability to pay.

Industry icon

The victim organization’s industry, which influences their sensitivity to disruption and negative press.

Attack Size icon

The scope of the attack, which typically influences the victim’s ability to recover and the impact to their operations.

icon-orange-gradient-79.png

The victim’s insurance coverage. Some ransomware groups actively seek out cyber insurance policies in a victim’s environment to better inform their ransom demands, typically asking up to the maximum the insurance policy will cover.

Our Recomendation

Arctic Wolf recommends working with a vetted incident response vendor that has experience with ransomware threat actor negotiations. On average, Arctic Wolf Incident Response customers have seen up to 92% reductions from the original ransom request.*

*All cases are different, and ransom reductions are not guaranteed. It is also never a guarantee that threat actors will live up to their word in a ransom situation.

Incident Response In Action

Learn how our IR team stops attacks and swiftly restores your organization to pre-incident operations.

04

Which Industries Are Most Targeted by Ransomware?

Ransomware groups tend to be opportunistic but still favor particular industries. The five most represented industries in Arctic Wolf® Incident Response engagements are:

  • 1:

    Manufacturing

  • 2:

    Healthcare

  • 3:

    Construction

  • 4:

    Legal & Government

  • 5:

    Education & Nonprofit

The median initial ransom demand associated with incidents investigated by Arctic Wolf Incident Response remained the same as in in 2024, at $600,000 (USD). While it can be tempting to posit explanations for the year-over-year consistency, probably the  wisest approach is simply to observe that there is tremendous variation across and within industries, and that specific ransom amounts remain largely unpredictable despite the aggregate figure.

Ransomware & Data Extortion IR Cases by Industry

when we look at the data, we see that five industries that are highly susceptible to both these tactics account for just over two-thirds of ransomware IR cases.

Graph of Top 10 Industries Appearing in Leak Sites

Manufacturing

Manufacturing organizations have more representation on leak sites than any other industry, and threat actors target them aggressively, recognizing that these organizations have little tolerance for production downtime. However, manufacturers can often maintain production without paying ransom, which may cause them to appear more frequently on leak sites.

Healthcare

Healthcare organizations are under regulatory pressure to protect the sensitive data they handle, so they may pay a ransom, removing them from leak sites. Similar pressure applies to legal and governmental entities.
Why These Industries?
The five industries listed above have two major traits in common that make them strong targets for ransomware groups.
They run on legacy software:
When it’s difficult for organizations to regularly update or patch, threat actors gain an opportunity to take advantage of old vulnerabilities to initiate exploits.
They have a low tolerance for downtime:
Threat groups aim to take advantage of the pressure these organizations are under to meet deadlines and produce deliverables, hoping this will lead them to pay quickly and in full. Lost revenue streams from operational downtime can also push organizations to concede to ransom demands.
2025 Threat Report image thumbnail

Report Available

The 2025 Arctic Wolf Threat Report

Explore why three types of cyber incidents account for 96% of incident response cases, which industries may be more prone to specific incidents, and how your organization can stop threats before they escalate by calling in the professionals.

Download Report

05

How Does Ransomware Work?

Root Point of Compromise: Gaining Initial Access

In the modern cybersecurity world of cloud environments and hybrid work, threat actors have become adept at evading security solutions by pivoting rapidly and employing multiple paths to value. Research from the Arctic Wolf Labs 2025 Threat Report shows the two major ways most ransomware attacks begin: external exposure and user action.

External Exposure

In almost two-thirds of the ransomware cases we investigated, threat actors gained initial access to victim environments through external exposure — a system exposed, whether knowingly or inadvertently, to the public Internet.

In 2024, threat actors leveraged external remote access in 59.4% of cases.

Other forms of external exploits, including known vulnerabilities and zero-days, accounted for 33.2%.

External Exposure

External Remote Access

This form of external exposure typically involves identity-based attacks aimed at breaching an organization’s identity and access management (IAM) system — the governance, control, and monitoring of users’ identities and access within a system or network. External remote access attacks can take a few different forms, including:
Remote Desktop icon
Compromising servers with Remote Desktop Protocol (RDP)
Microsoft Active Directory icon
Compromising servers with Microsoft Active Directory
Using valid credentials purchased from an initial access broker (IAB) on a dark web marketplace

External Exposure

External Exploits

External exploits, however, involve leveraging either a known vulnerability or a zero-day vulnerability to gain access to an environment.
More than a quarter of non-business email compromise (BEC) incidents we investigated — of which the vast majority were ransomware — exploited a known (i.e., not a zero-day) vulnerability.
In theory, an effective patching program could have mitigated the attack or at least forced the threat actor into a different course of action.

Zero-Day Vulnerability

0.4%

While zero-days get all the headlines, they make up a small percentage of cases — just 0.4% of the ransomware incidents by Arctic Wolf.

0 %

Human Risk

While comprising a smaller section of attacks, user action still plays a role in ransomware attacks.

The team at Arctic Wolf Incident Response Labs has identified four major ways that user action can lead to a ransomware attack:

0 %

Phishing: T1566

A user clicks on a malicious link and is tricked into sharing credentials or downloading and executing a malicious attachment within an email.
0 %

Previously compromised credentials: T1078

The threat actor uses credentials that are known to be part of a data breach or credential dump — but that have not yet been deactivated by the victim organization (i.e., user inaction).
0 %

Malicious software download: T1204.002

A user falls prey to a drive-by attack or downloaded software containing hidden malicious functionality.
0 %

Other social engineering

A user is tricked by a tech support scam or some other social engineering attack besides phishing.
It’s important to note that hardening your environment to protect against ransomware will pay deep dividends against all forms of cyber attack, as the same initial access attack vectors are used in many other forms of cyber attack, including BEC and malware attacks.

06

How to Defend Against Ransomware

Like all attack vectors, the best defense involves a comprehensive security strategy that contains proactive and reactive components.
Our Recommendation

By examining the common TTPs exploited by ransomware groups and individual threat actors, we can recommend the following actions, which should occur in parallel and continuously, to reduce your cyber risk while improving your security posture.​

Number 01

Conduct Basic File Backups

As ransomware evolves, threat actors are now regularly exfiltrating data in the early stages of attack, threatening to release it to the dark web if payment isn’t met (double extortion).

In 71% of Arctic Wolf Incident Response engagements for ransomware, the victim organization was able to leverage backups in some capacity to restore their environment.

It’s best to follow the 3-2-1 principle of file backup, meaning an organization has:
3 copies of data
1 primary, 2 backup
2 copies stored
At separate locations
1 off-site storage
In a secure private cloud
Number 02

Secure The Cloud

With the shared responsibility model, it’s important for organizations to understand where their responsibility lies when keeping their cloud environment safe. A security incident originating from within your organization that destroys or disrupts your cloud data is your responsibility, and many cloud security incidents can be traced back to misconfigurations and/or overly permissive access policies.
Not only can the cloud offer initial access to threat actors, but as data storage and operational applications expand to the cloud, it’s likely threat actors will find their way there (through lateral movement or privilege escalation) to encrypt and/or exfiltrate data.
Number 03

Enforce Identity & Access Controls

Be it through social engineering, the purchase of stolen credentials, or even a brute-force attack, access often begins with a password. In addition, credentials can be used by the threat actor to gain privileged access, allowing them to deploy malware into critical parts of the network.
Proactive and reactive measures security teams can take to improve credential security include:
  • Implementing MFA
  • Conducting dark web monitoring
  • Hardening Active Directory using tools like PingCastle for visibility
  • Embracing the principle of least privilege access (PolP), supported by a zero-trust access model, role-based access control, and privileged access management (PAM)
  • Delivering comprehensive user security training
Number 04

Ongoing Vulnerability Management

While zero-days make headlines, it’s often known, unpatched vulnerabilities that allow threat actors to gain access to a network or system. By staying on top of vulnerabilities, an organization goes a long way in hardening their attack surface.
A full vulnerability management program prioritizes continuous vulnerability remediation and assessment, with other components of the program complementing and assisting overall remediation and mitigation.
aw-bandaid-icon-white-lg.png

Vulnerability remediation

The act of removing a vulnerability through patching or another process
Secure Strategy icon

Vulnerability mitigation

The act of developing a strategy to minimize a threat’s impact if remediation is not possible
Number 05

Employ a 24x7 monitoring, detection, and response solution

Monitoring is critical for preventing attacks, especially as threat actors utilize legitimate programs, such as PowerShell and Active Directory, for malicious ends. Without proper endpoint monitoring and detection, unusual behavior in those programs would go unnoticed.
In addition, swift detection and response capabilities allow your organization to stop a ransomware threat while the threat actors try to gain initial access or before they can make lateral movement.

History Shows That Ransomware Groups Aren’t Slowing Down.

If tools alone were enough to solve the problem, they would have by now.

This is an operational problem that needs to be solved, and that’s what Arctic Wolf delivers. Learn more about our unique approach to cybersecurity and why Arctic Wolf has emerged as a leader in the industry.
A
B

Botnet

What Is a Botnet?  A botnet is a network of bot-compromised machines that can be controlled and used to launch massive attacks by a bot-herder.…

READ MORE »

Brute-Force Attack

What Is a Brute-Force Attack? A brute-force attack is a tactic used by threat actors to gain unauthorized access to an account, system, or encrypted…

READ MORE »
C

CIS Controls

What Are the CIS Controls? The Center for Internet Security (CIS) Controls are a prioritized set of cybersecurity best practices that help organizations defend against…

READ MORE »

Cryptojacking

What is Cryptojacking? Cryptojacking is a kind of cyber attack where a threat actor uses an organization’s computing resources—such as servers, endpoints, or cloud infrastructure—to…

READ MORE »

Cyber Attack

What Is a Cyber Attack? A cyber attack is any attempt – successful or otherwise — by cybercriminals to access a cloud or computer network…

READ MORE »

Cyber Risk Assessment

What Is a Cyber Risk Assessment? A cyber risk assessment (also known as a cybersecurity assessment) is a key component of a risk management program.…

READ MORE »

Cyber Threat Intelligence

What is Threat Intelligence? Threat intelligence (often called cyber threat intelligence or CTI) is evidence-based knowledge about existing or emerging cyber threats — what threat…

READ MORE »
D

Dark Web Monitoring

What Is Dark Web Monitoring?  Dark web monitoring is the scanning of the dark web for employee credentials and confidential company information. Dark web monitoring…

READ MORE »

Data Exfiltration

What Is Data Exfiltration? Data exfiltration is the unauthorized transfer or theft of sensitive information from an organization’s network, systems, or devices. This malicious activity…

READ MORE »

DDoS Attack

What is a DDoS Attack? A distributed denial-of-service (DDoS) attack consists of multiple compromised devices or systems (often qualifying as botnets) attacking a target on…

READ MORE »
E

Endpoint

What Is an Endpoint?   An endpoint is any physical device that resides at the end point of a network connection and can communicate on that…

READ MORE »
H

Hypervisor (VMM)

What Is a Hypervisor (VMM)?   A hypervisor is another term for a virtual monitoring machine (VMM), a device that is able to manage multiple virtual…

READ MORE »
I

Incident Response

What Is Incident Response? Incident response (IR) is the structured methodology organizations use to prepare for, detect, contain, eradicate, and recover from cybersecurity incidents. This…

READ MORE »

Initial Access Brokers

What Are Initial Access Brokers?  Initial access brokers (IABs) are threat actors that sell cybercriminals access to organizations’ networks.   Once they have access to an…

READ MORE »

Internet of Things (IoT)

What Is IoT?   “IoT” is short for “Internet of Things,” which is the network of internet-enabled and connected devices. Since the term was first coined…

READ MORE »
K

Keylogger

What Is a Keylogger? A keylogger is a program that monitors user keystrokes on a device. This can be used for both illegal and legitimate…

READ MORE »
L

Lateral Movement

What Is Lateral Movement? Lateral movement is when a threat actor navigates through a breached environment, gaining new access and user privileges as they go.…

READ MORE »
M

Malicious Apps

What Are Malicious Apps? Malicious apps are a method of manipulating users into downloading malware that allows cybercriminals to steal personal information, including login credentials…

READ MORE »

Malware

What Is Malware? Malware, a portmanteau of the words malicious and software, is any software or program that is designed to disrupt and damage a…

READ MORE »

Managed Security Services (MSS)

What Are Managed Security Services? Managed security services (MSS) represent cybersecurity capabilities delivered and operated by third-party providers on behalf of client organizations. These services…

READ MORE »

MTTD and MTTR

What Is MTTD? Mean Time to Detect (MTTD) is the average time it takes a team to discover a security threat or incident.  What Is…

READ MORE »
N

Network Segmentation

What is Network Segmentation?  Network segmentation is the digital architectural technique of dividing an organization’s network into smaller, isolated segments or subnetworks, each with its…

READ MORE »
P

Password Fatigue

What Is Password Fatigue?  Password fatigue is a feeling of stress and/or frustration stemming from the creation and maintenance of passwords for the multitude of…

READ MORE »

Phishing

What is Phishing? One of the most common and tried-and-true social engineering attacks utilized by threat actors, phishing is an email-based ruse that attempts to…

READ MORE »

Polymorphic Virus

What Is a Polymorphic Virus?  A polymorphic virus is malware that can adapt, or “morph,” to avoid detection and circumvent security tools.   The polymorphic virus…

READ MORE »

Pretexting

What Is Pretexting?  Pretexting is a social engineering tactic used by threat actors to gain trust, data, or access to accounts using a fabricated story,…

READ MORE »
R

Ransomware

What Is Ransomware?  Ransomware is a type of malware that freezes a system or data, preventing users from accessing them. The idea behind the attack…

READ MORE »

Ransomware-as-a-Service

What Is Ransomware-as-a-Service (RaaS)? In recent years, threat actors have begun collaborating with each other in a ransomware-as-a-service (RaaS) model to infiltrate organizations. The RaaS…

READ MORE »
S

Security Awareness Training

What Is Security Awareness Training?  Security awareness is a standardized process that provides employees, contractors, vendors, and other third-party stakeholders with cybersecurity education. Security awareness…

READ MORE »

Security Operations (SecOps)

What Is Security Operations (SecOps)? Security operations refers to the people, processes, and technology that all work together to create and manage a security architecture…

READ MORE »

Shadow IT

What Is Shadow IT? Shadow IT is the unauthorized use of any apps, devices, services, technologies, solutions, and infrastructure without the knowledge, approval, and support…

READ MORE »

Social Engineering

What Is Social Engineering? Essentially, social engineering uses psychology to manipulate a person into taking an action. This could be anything from revealing sensitive data…

READ MORE »

Spear Phishing

What Is Spear Phishing? Spear phishing is a specific kind of phishing attack where a threat actor targets a specific person or organization with a…

READ MORE »

Spoofing Attack

What Is a Spoofing Attack?  A spoofing attack is when bad actors impersonate another person or company. The attacker’s goal is to gain the confidence…

READ MORE »

Supply Chain Attack

What Is a Supply Chain Attack? A supply chain attack is when an organization, or multiple organizations, is attacked through a third-party vendor. A third-party…

READ MORE »
T

Threat Actor

What Is a Threat Actor? A threat actor is an individual, or group of individuals, who conduct malicious activities on the internet such as cyber…

READ MORE »

Threat Hunting

What Is Threat Hunting? Threat hunting is a proactive cybersecurity practice in which skilled analysts actively search for hidden threats within an organization’s environment before…

READ MORE »

Trojan Horse

What Is a Trojan Horse?  A Trojan Horse is malware that comes in disguise. Designed to look like a legitimate piece of code or software,…

READ MORE »
U

UEBA

What Is UEBA? UEBA stands for user and entity behavior analytics. It’s a type of cybersecurity solution that uses machine learning algorithms to detect suspicious…

READ MORE »
V

Vishing

What Is Vishing? Vishing is a cybercrime combining voice calls with phishing attacks. So-called “voice phishing” uses multiple tools and strategies, such as social engineering,…

READ MORE »

Vulnerability Management

What Is Vulnerability Management? Vulnerability management is the ongoing process of identifying, assessing, and remediating vulnerabilities within your network or systems.   The four stages of…

READ MORE »
W

Whaling

What Is Whaling?  Essentially, whaling is a spear phishing attack aimed at a high-value target, such as executives, IT department heads, finance department heads, or…

READ MORE »

Wire Transfer Fraud

What Is Wire Transfer Fraud?  The term comes from the original version of this crime which used wire transfers, or the transfer of funds between…

READ MORE »
X

XDR

What Is XDR? Extended Detection and Response (XDR) consolidates the data and tools necessary to provide enhanced visibility, analysis, and response for all system risks…

READ MORE »
Z

Zero Trust

What Is Zero Trust?  Zero Trust is a cybersecurity strategy that eliminates implicit trust within a network or system. In short, it means, “trust no…

READ MORE »

Zero-Day Exploit

What Is a Zero-Day?  A zero-day is a vulnerability in a piece of hardware or software that was previously unknown to the vendor, meaning they…

READ MORE »