What is Ransomware? The Complete Executive Guide for 2026

10 minute read
Beginner

Ransomware encrypts your files and demands payment. Learn how modern ransomware works, the double-extortion model, why PE-backed companies are prime.

How Modern Ransomware Works

Ransomware in 2026 bears little resemblance to the primitive screen-locking malware of the early 2010s. Modern ransomware operations are sophisticated criminal enterprises with professional infrastructure, affiliate programs, negotiation specialists, and customer service portals designed to maximize payment rates.

The Double-Extortion Model

The dominant ransomware model since 2020 is double extortion: attackers first exfiltrate sensitive data, then encrypt the victim's systems, and finally demand payment both for the decryption key and for a promise not to publish the stolen data. This dual leverage transforms ransomware from a business continuity problem into a data breach event. Even organizations with robust backups that can restore systems without paying the ransom still face the threat of sensitive customer data, financial records, intellectual property, and employee information being published on attacker-operated leak sites.

The double-extortion model is why ransomware recovery is more expensive than it appears. The ransom itself is one cost. The breach notification obligations, regulatory investigations, customer notification, credit monitoring services, and legal exposure from the data theft component are often larger in aggregate than the ransom demand.

Ransomware-as-a-Service

The professionalization of ransomware is most visible in the Ransomware-as-a-Service (RaaS) model. RaaS operators maintain the ransomware platform — the encryption software, the negotiation infrastructure, the payment processing, the decryption key management — and recruit affiliates who conduct the actual intrusions. Affiliates receive a percentage of each ransom payment, typically 70-80%, while the RaaS operator takes the remainder for platform maintenance. This model has dramatically lowered the technical barrier to conducting ransomware attacks. An affiliate does not need to write malware — they need only the skills to achieve initial access and deploy the payload. Initial access brokers, a separate criminal market segment, sell pre-established access to corporate networks to RaaS affiliates, further decomposing the attack chain into commodity services.

The Ransomware Attack Chain

Modern ransomware attacks follow a consistent operational pattern. Initial access is achieved through phishing, credential spraying, exploitation of unpatched vulnerabilities, or purchase from initial access brokers. The attacker establishes persistence and deploys post-exploitation tooling — typically Cobalt Strike, Metasploit, or similar frameworks — to maintain control. Reconnaissance maps the network architecture, identifies backup infrastructure, locates sensitive data repositories, and identifies domain controllers. Data exfiltration moves sensitive files to attacker-controlled infrastructure before encryption begins. Backup destruction targets Volume Shadow Copies, backup software agents, and network-attached backup storage to prevent recovery without paying the ransom. And finally, encryption deploys across the environment — often simultaneously from the domain controller, maximizing the scope of impact.
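The backup-destruction step in the chain above is one of the few pre-encryption stages that leaves an unambiguous trace in process-creation telemetry. As an added example (not code from the original article), the following Python runs over constructed Sysmon-style process-creation lines, flags commands that delete Volume Shadow Copies or disable other local recovery points, and escalates when a single account does so on more than one host. The log line format, hostnames and account names are assumptions for the example.

```python
import re

# Constructed sample of Windows process-creation events (Sysmon Event ID 1 style,
# flattened to one line each). Not real telemetry.
SAMPLE_EVENTS = [
    'host=FS01 user=CORP\\backupsvc cmdline="vssadmin list shadows"',
    'host=FS01 user=CORP\\jdoe cmdline="vssadmin delete shadows /all /quiet"',
    'host=DC01 user=CORP\\jdoe cmdline="wmic shadowcopy delete"',
    'host=DC01 user=CORP\\jdoe cmdline="wbadmin delete catalog -quiet"',
    'host=DC01 user=CORP\\jdoe cmdline="bcdedit /set {default} recoveryenabled no"',
    'host=WS07 user=CORP\\asmith cmdline="notepad.exe notes.txt"',
]

# Each pattern is a command that removes or disables a local recovery point.
# Listing shadows is benign; only destructive verbs are matched.
BACKUP_TAMPER_PATTERNS = {
    "vssadmin_delete_shadows": re.compile(r"\bvssadmin\b.*\bdelete\b.*\bshadows\b", re.I),
    "wmic_shadowcopy_delete": re.compile(r"\bwmic\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    "wbadmin_delete_catalog": re.compile(r"\bwbadmin\b.*\bdelete\b.*\b(catalog|systemstatebackup)\b", re.I),
    "bcdedit_disable_recovery": re.compile(r"\bbcdedit\b.*\b(recoveryenabled\s+no|ignoreallfailures)\b", re.I),
}
EVENT_RE = re.compile(r'host=(?P<host>\S+) user=(?P<user>\S+) cmdline="(?P<cmdline>[^"]*)"')

def match_backup_tampering(cmdline):
    """Return the names of every tampering pattern the command line matches."""
    return [name for name, rx in BACKUP_TAMPER_PATTERNS.items() if rx.search(cmdline)]

def detect(events):
    """One finding per event whose command line matches a tampering pattern."""
    findings = []
    for line in events:
        m = EVENT_RE.search(line)
        if not m:
            continue  # malformed line; a real pipeline would count these
        hits = match_backup_tampering(m["cmdline"])
        if hits:
            findings.append({"host": m["host"], "user": m["user"], "rules": hits})
    return findings

def escalate(findings, min_hosts=2):
    """Accounts that tampered with recovery on at least min_hosts machines.
    One host may be maintenance; the same account on several hosts, including a
    domain controller, is the pre-encryption stage described above."""
    hosts_by_user = {}
    for f in findings:
        hosts_by_user.setdefault(f["user"], set()).add(f["host"])
    return sorted(u for u, hosts in hosts_by_user.items() if len(hosts) >= min_hosts)
```

On the sample, `detect` returns four findings and `escalate` returns only the account seen tampering on both the file server and the domain controller; the service account that merely listed shadows is not flagged.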

Why PE-Backed Companies Are Primary Ransomware Targets

Ransomware groups conduct targeting research before selecting victims. The criteria they optimize for are payment capacity, likelihood of paying, and operational urgency that drives willingness to pay quickly.

PE-backed companies check all three criteria. They typically have cyber insurance with ransomware coverage — which ransomware negotiators specifically ask about during payment negotiations to calibrate demands to policy limits. They operate under financial performance pressure that makes extended downtime material to investor returns. And they frequently lack the security maturity of publicly traded companies that face SEC disclosure requirements and investor scrutiny of security investments.

The PE angle also creates a specific vulnerability during deal processes. Companies undergoing M&A transactions are often distracted, IT teams are stretched by integration work, and security governance is deprioritized relative to deal execution. Ransomware groups monitor regulatory filings and news sources for M&A announcements specifically because the post-announcement period is a window of elevated vulnerability.

Sectors with Elevated Ransomware Risk

Healthcare is the highest-risk sector for ransomware due to the operational urgency of system availability — a hospital whose electronic health records are encrypted cannot safely deliver patient care, creating life-safety pressure to pay quickly. Manufacturing is high-risk due to operational technology systems that control production lines and cannot tolerate extended downtime. Legal and professional services firms are targeted for the sensitivity of client data they hold and the reputational damage of that data being published. Financial services firms are targeted for both operational urgency and the sensitivity of financial data.

Recovery Capability is the Other Half of Ransomware Resilience

Prevention controls reduce the likelihood of a ransomware incident. Recovery capability determines whether the organization can recover without paying the ransom. The two are not substitutes — they are paired requirements. An organization with strong prevention controls and weak recovery capability is one successful attack away from a ransom payment decision. An organization with strong recovery capability and weak prevention controls will experience more incidents but can recover from each without payment.

Mature ransomware resilience requires immutable, offline, and tested backups for all critical systems and data. Immutable means the backups cannot be modified or deleted by an attacker who has obtained domain administrator access. Offline means the backups are not continuously connected to production systems where they could be encrypted in place. Tested means recovery has been validated under realistic conditions, not merely confirmed to exist. The Maersk case demonstrated the difference between having backups and having recoverable backups — the organization had backups, but the time required to actually restore from them was measured in weeks rather than the days the business required.

The board-level questions are: When was the last full ransomware recovery exercise conducted? What was the measured recovery time? Were backups verified to restore within the defined RTO? An organization that can answer all three with measured results has addressed the three phases — prevention, detection, and recovery — that together constitute meaningful ransomware resilience.

Change Healthcare: When Ransomware Hits Healthcare Infrastructure at Scale

The February 2024 ransomware attack on Change Healthcare — a UnitedHealth Group subsidiary that processes approximately 40% of US healthcare claims — is the largest healthcare-sector ransomware event in documented history. The ALPHV/BlackCat ransomware group gained access through compromised credentials on a Citrix remote access portal that did not have MFA enabled. They moved laterally through the environment over approximately nine days before deploying ransomware. The encryption event took claims processing systems offline across thousands of healthcare providers. Pharmacies could not process insurance claims. Hospitals could not receive payments. Physicians could not verify patient coverage. The operational disruption lasted weeks. UnitedHealth Group paid a $22M ransom. Total estimated financial impact exceeded $872M in the first quarter after the attack, including restoration costs, provider assistance payments, and operational disruption. The entry point was a single Citrix portal without MFA.

$2.73M: the average ransomware payment in 2024 — not including recovery costs, downtime, regulatory exposure, and reputational damage. Total average breach cost from ransomware events exceeded $5.13M per incident, making it the single most expensive cyberattack category.

How Cloudskope Can Help

Cloudskope's Ransomware Resilience Assessment evaluates your prevention, detection, and recovery posture against the specific techniques used in documented ransomware campaigns — including backup architecture review, MFA deployment validation, and EDR configuration assessment. For PE sponsors, ransomware resilience is a standard component of our M&A Cyber Due Diligence program.