Ransomware
What is Ransomware?
Ransomware: Malware that encrypts a victim's data or locks systems and demands payment in exchange for restoring access.
Ransomware encrypts files, databases, virtual machines or whole storage volumes and then displays a note demanding cryptocurrency in exchange for the decryption key. Modern operators usually run "double-extortion" campaigns: they steal data before encryption and threaten to publish it on leak sites if the victim refuses to pay. Initial access is typically gained through phishing, exposed RDP/VPN portals, software vulnerabilities, or compromised credentials.
Real campaigns show the pattern. WannaCry (May 2017) wormed across networks using the EternalBlue SMB exploit. The Colonial Pipeline incident (May 2021) — caused by DarkSide affiliates entering through a leaked VPN password with no MFA — halted fuel delivery across the US East Coast. Weeks later, REvil exploited a zero-day in Kaseya's VSA management software (CVE-2021-30116) to push ransomware downstream to between 800 and 1,500 businesses in a single supply-chain hit, then demanded a $70 million universal decryptor.
flowchart LR
A[Initial access<br/>phishing / RDP / VPN] --> B[Recon and privilege escalation]
B --> C[Data exfiltration]
C --> D[Mass encryption]
D --> E[Ransom note + leak-site threat]
E --> F{Victim pays?}
F -->|Yes| G[Decryptor maybe provided]
F -->|No| H[Data leaked / systems lost]
Effective defences include offline and immutable backups, EDR/XDR, MFA on all remote access, rapid patching, network segmentation, least-privilege accounts, and a tested incident response plan. Paying does not guarantee recovery and may fund further attacks.
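The "mass encryption" stage in the chain above is the one an EDR can catch before the ransom note lands: one process rewriting many files in many directories within seconds, renaming them to a uniform new extension, and leaving near-random content behind. The following is an added example, not code from the original page or from any vendor: it runs that logic over constructed file-write events (the event schema, the process names, the paths, the ransom-note name markers and every threshold are assumptions for the demo, not a real EDR format).

```python
"""Ransomware burst detection over constructed EDR-style file events.

Added example. Three signals are scored together: (1) a single pid writing
many files across several directories inside a short window, (2) most of
those files sharing one new extension, and (3) high Shannon entropy in the
written content. Schema, sample data and thresholds are assumptions.
"""
import math
import random
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FileEvent:
    ts: float        # seconds since epoch (assumed event schema)
    pid: int
    process: str
    path: str        # path after the write/rename (Windows-style here)
    sample: bytes    # first bytes of the file after the write


# Assumed heuristic: substrings common in ransom-note file names.
NOTE_MARKERS = ("decrypt", "restore", "readme", "how_to")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext, far lower for text/office docs."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def _dir_of(path: str) -> str:
    return path.rsplit("\\", 1)[0] if "\\" in path else ""


def _ext_of(path: str) -> str:
    name = path.rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect_bursts(events, window=60.0, min_files=20, min_dirs=3,
                  ext_share=0.8, entropy_floor=7.0):
    """Return one alert dict per pid whose writes look like mass encryption.

    A pid alerts when some `window`-second span holds at least `min_files`
    writes touching at least `min_dirs` directories, at least `ext_share`
    of them share one extension, and mean sample entropy >= `entropy_floor`.
    The largest qualifying span per pid is reported. Thresholds are assumed
    starting points to tune per estate, not published values.
    """
    by_pid = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_pid[ev.pid].append(ev)

    alerts = []
    for pid, evs in by_pid.items():
        entropies = [shannon_entropy(e.sample) for e in evs]
        best, lo = None, 0
        for hi in range(len(evs)):
            while evs[hi].ts - evs[lo].ts > window:   # slide the window start
                lo += 1
            span = evs[lo:hi + 1]
            if len(span) < min_files:
                continue
            dirs = {_dir_of(e.path) for e in span}
            ext, ext_n = Counter(_ext_of(e.path) for e in span).most_common(1)[0]
            mean_h = sum(entropies[lo:hi + 1]) / len(span)
            if (len(dirs) >= min_dirs and ext_n / len(span) >= ext_share
                    and mean_h >= entropy_floor):
                cand = {
                    "pid": pid, "process": span[0].process,
                    "files": len(span), "dirs": len(dirs), "extension": ext,
                    "mean_entropy": round(mean_h, 2),
                    "ransom_note": any(m in e.path.lower()
                                       for e in span for m in NOTE_MARKERS),
                }
                if best is None or cand["files"] > best["files"]:
                    best = cand
        if best:
            alerts.append(best)
    return alerts


def build_sample_events():
    """Constructed events: a benign build tool, then a ransomware-like burst."""
    rng = random.Random(7)
    ciphertext = bytes(rng.getrandbits(8) for _ in range(1024))  # stands in for encrypted output
    events = []
    # Benign: a compiler emits 25 object files into one directory, low entropy.
    for i in range(25):
        events.append(FileEvent(1000 + i, 4242, "cl.exe",
                                f"C:\\build\\obj\\mod{i}.obj", b"\x00" * 512 + b"text"))
    # Malicious: 32 documents across 4 locations renamed to .locked in 16 seconds.
    dirs = ["C:\\Users\\alice\\Documents", "C:\\Users\\alice\\Pictures",
            "C:\\Users\\alice\\Desktop", "\\\\fileserver\\finance"]
    for i in range(32):
        events.append(FileEvent(2000 + i * 0.5, 9911, "svchosts.exe",
                                f"{dirs[i % 4]}\\file{i}.docx.locked", ciphertext))
    events.append(FileEvent(2017, 9911, "svchosts.exe",
                            "C:\\Users\\alice\\Desktop\\README_TO_DECRYPT.txt",
                            b"Your files are encrypted. Contact us to restore them.\n"))
    return events


if __name__ == "__main__":
    for alert in detect_bursts(build_sample_events()):
        print(alert)
```

The benign compiler fails two of the three tests (one directory, low entropy), so only the `svchosts.exe` burst alerts, and the alert carries the extension and note flag a responder needs to pick the right decryptor and scope the incident. In production the same logic would consume your EDR's file-event stream and should be paired with a canary-file rule; the thresholds here are deliberately conservative so that a bulk copy or a compile does not fire.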
● Examples
- WannaCry (2017), which spread via the EternalBlue SMB exploit.
- LockBit and Conti, ransomware-as-a-service operations behind many enterprise breaches.
● Frequently asked questions
What is Ransomware?
Malware that encrypts a victim's data or locks systems and demands payment in exchange for restoring access. It falls under the Malware category of this glossary.
What does Ransomware mean?
Malware that encrypts a victim's data or locks systems and demands payment in exchange for restoring access.
How do you defend against Ransomware?
Defences for Ransomware combine technical controls (offline and immutable backups, EDR/XDR, MFA on all remote access, rapid patching, network segmentation and least-privilege accounts) with operational practices such as a tested incident response plan, as described in the full definition above. Paying the ransom is not a defence: it does not guarantee recovery and may fund further attacks.
What are other names for Ransomware?
Common alternative names include: crypto-ransomware, CryptoLocker malware.