Cybersecurity Glossary

Air Gapping is a security measure that ensures a device or system has limited or no connectivity and is physically isolated from any other device or system such as the public Internet or a local area network. This means the device has no interface controllers connected to other networks, creating a physical or conceptual “air gap."

Anti-Ransomware is a software or tool designed to prevent, detect, and respond to ransomware attacks on computer systems and networks. Most endpoint protection solutions were trained on characteristics that all malware share, including some ransomware samples in the mix. But ransomware does not behave like other malware, so training detection models on the few characteristics that ransomware shares with other malware leave a lot of room for missed detections. Conversely, anti-ransomware detection models are trained on characteristics that all ransomware share to deliver more efficient and effective detection of ransomware attacks.

Antivirus (AV) is legacy a software tool designed to detect and prevent known commodity malware from executing a device or network. AV does not provide protection against novel, polymorphic repacked or otherwise altered forms of malware. AV requires human analysis and detection signature development as well as daily updates and lengthy scanning procedures that require a lot of resources and significantly impact productivity while only offering a modicum of protection. AV is best suited for personal computing use, but does not offer the level of protection organizations require from advance threats.

Archiveus Trojan was one of the earliest ransomware viruses created that encrypts files on a victim's computer and demands payment in exchange for the decryption key.

Artificial intelligence (AI) is a vast branch of computer science concerned with a development in software that allows computer systems to perform tasks that imitate human cognitive intelligence. The use of advanced machine learning (ML) algorithms to automate and enhance the detection, prevention and response to cyberattacks.

Cyberattacks that are customized to compromise high-value targets and large organizations.

Bitcoin is a decentralized digital currency that is often used as a form of payment in ransomware attacks due to its anonymity and difficulty to trace.

Short for “robot network” a botnet is a network of computers or multiple devices that are under control of an attacker or attacking party. When a system or computer is compromised it becomes a “bot” and is controlled by the “bot-herder” or “bot-master.”

Crypto ransomware is another term for malicious software that encrypts a victim's files and demands payment in exchange for the decryption key.

A digital or virtual currency that uses cryptography for security and operates independently of a central bank, often used as a form of payment in ransomware attacks due to its anonymity and difficulty to trace.

Cyber insurance is a type of insurance policy that reduces the financial risk to businesses and individuals in the event of a cyberattack. Cyber insurance is a good complement to a robust security program, but it is not a replacement for an active defense posture. In order to make a claim against a cyber insurance policy, insurers typically require the insured to deploy and maintain adequate security controls. Failure to adhere to the security requirements may render the policy unenforceable and negate any claims.

The unauthorized transfer of sensitive or confidential data from a computer or network to an external location or attacker-controlled server. Today's more complex ransomware operations are multi-staged attacks,\ where the threat actors are looking to infiltrate as much of the targeted network as possible while exfiltrating sensitive data along the way. They threaten to expose the stolen data to put more pressure on the victim to pay the ransom demand and receive the decryption key to restore their systems. In some cases, the attackers will demand an additional payment for the stolen data in addition to the initial ransom.

The process of converting encrypted data back into its original, readable form using a key or password. In a ransomware attack, the threat actors typically offer to provide a decryption key to restore systems and data. Decrypting in this manner is a manual process that needs to be conducted on every impacted device, and often the decryption keys provided by attackers either fail or return corrupted data. Organizations can protect their data and make it more easily recoverable in the event of a ransomware attack if they maintain isolated data backups.

Double extortion is a ransomware tactic where cybercriminals not only encrypt the victim's data but also threaten to release sensitive information unless a ransom is paid. Other forms of double extortion, sometimes referred to as triple or quadruple extortion include threatening denial of service attacks (DoS), threatening to expose customer or partner data, short-selling a company's stock, or other tortious business interference tactics.

Endpoint Detection and Response (EDR) is a security solution that allows security teams to monitor, detect and investigate suspicious activity on hosts and endpoints. It employs automation that allows security teams to quickly identify and respond to threats. EDR is a powerful tool for protecting endpoints but has serious shortcomings with regard to things like preventing the abuse of user credentials, protecting the larger network and cloud deployments, or leveraging telemetry from other sources.

Encryption is the process of converting data into a code to prevent unauthorized access or modification during transmission or storage. In the final stages of a ransomware attack, threat actors deploy the ransomware payload and encrypt the target's data, files and systems rendering them inaccessible. They typically will offer a decryption key in exchange for a ransom payment ranging from hundreds to tens of millions of dollars.

An encryption key is a code or password used to encrypt and decrypt data in order to protect it from unauthorized access or theft in the event of a ransomware attack. In the final stages of a ransomware attack, threat actors deploy the ransomware payload and encrypt the target's data, files and systems rendering them inaccessible. They typically will offer a decryption key in exchange for a ransom payment ranging from hundreds to tens of millions of dollars.

Endpoint Detection and Response (EDR) is a security solution that allows security teams to monitor, detect and investigate suspicious activity on hosts and endpoints. It employs automation that allows security teams to quickly identify and respond to threats. EDR is a powerful tool for protecting endpoints but has serious shortcomings with regard to things like preventing the abuse of user credentials, protecting the larger network and cloud deployments, or leveraging telemetry from other sources.

Endpoint Protection (EPP) is a security solution that protects individual devices, such as laptops and mobile devices, from cyber threats such as ransomware.

Extended Detection and Response (XDR) is a comprehensive security solution that extends EDR by correlating telemetry from multiple sources beyond endpoints (network, cloud, identity, etc.) to detect, investigate, and respond to advanced threats such as multi-stage ransomware attacks. XDR holds much promise, but it is still in its infancy and has years of development ahead before it can deliver on its promised potential.

Immutability refers to the security and integrity of an organization’s critical data, especially backup data, and the assurance that this data cannot be altered or destroyed.

Incident response (IR) is the set of immediate actions that an organization takes in response to a cyber attack or data breach. A tested IR plan, or playbook, can help address incidents efficiently and contain them before they spread.

A technique used by cyber criminals to evade detection by abusing legitimate network tools, binaries, and processes already present on a targeted system to carry out their attacks.

Locker ransomware is an earlier type of ransomware that encrypts a victim's files and demands payment in exchange for the decryption key, while also locking the victim out of their system.

Managed Detection and Response (MDR) is a service that offers third-party threat detection and response that are otherwise undertaken in-house. MDR offers enhanced protection to organizations that either do not have the personnel or resources to support security operations or find managed services for some aspects of security operations to be financially optimal.

Machine learning (ML) is a branch of Artificial Intelligence (AI) that uses algorithms to teach computer systems to learn and program themselves in order to classify data and/or predict future outcomes.

Machine learning in security refers to the use of algorithms and statistical models to analyze and identify patterns in data to detect and prevent cyberattacks, including ransomware.

Malware is malicious software, code, and scripts that are designed to harm or exploit computer systems. Ransomware is a type of malware which encrypts files and demands payment for their release.

Managed Detection and Response (MDR) is a service that offers third-party threat detection and response that are otherwise undertaken in-house. MDR offers enhanced protection to organizations that either do not have the personnel or resources to support security operations or find managed services for some aspects of security operations to be financially optimal.

A Managed Security Service Provider (MSSP) is a third-party company that provides cybersecurity services to organizations, including monitoring, threat detection, incident response, and remediation.

Next Generation Antivirus (NGAV) is a type of cybersecurity software that uses advanced techniques such as machine learning and behavioral analysis to detect and prevent ransomware attacks.

Phishing is a type of social engineering attack where a threat actor sends fraudulent emails or messages to trick individuals into revealing sensitive information or downloading malware.

A Cyber Security Playbook defines the roles and responsibilities for members of an organization in response to a cyber security incident. It identifies the communications team and a contact liaison between the board and the rest of the organization. Playbooks also establish formal processes and procedures to ensure that required steps are systematically followed during the response and investigation. This helps organizations meet and comply with regulatory frameworks like NIST or GDPR. Playbooks support procedures, like breach notification and technical processes such as malware reverse engineering.

Ransomware-as-a-Service (RaaS) operators provide the software platform and backend to launch attacks. They have development teams constantly improving their feature sets, they assist in negotiations during a successful attack, they manage customer service agents, market to new affiliates, and more all for a slice of the profits.

Ransomware is a type of malware that encrypts a victim’s data, files, and systems before a ransom demand is paid and the attackers provide the victim with a decryption key to restore access.

A ransomware attack uses malicious code to encrypt a victim’s data, files, and systems until a ransom payment is received and the attackers provide the victim with a decryption key to restore access.

A ransomware campaign is a coordinated attack operation designed to compromise and infect multiple targets with ransomware to encrypt data, files, and systems until a ransom payment is received and the attackers provide the victim with a decryption key to restore access.

References to ransomware gangs are generally in regard to Ransomware-as-a-Service (RaaS) operators who provide the software platform and backend to launch attacks. They have development teams constantly improving their feature sets, they assist in negotiations during a successful attack, they manage customer service agents, market to new affiliates, and more all for a slice of the profits. Ransomware variants and ransomware gangs often share the same nomenclature, but that is not always the case.

The proactive measures taken to prevent ransomware attacks, such as implementing security software, training employees on safe online practices, and regularly backing up important data.

Businesses of all sizes are vulnerable to cyberattacks like ransomware. To protect against this increasing risk, business owners can invest in endpoint protection solutions and educate themselves about how to prevent, mitigate and be resilient against the potential impact of ransomware attack on operations.

Ransomware recovery is the incident response, investigation, and remediation procedures that address a ransomware attack and its potential impact to a victim organization.

The process of restoring data and systems to the previous unencrypted state before a ransomware attack occurred.

Ransomware-as-a-Service (RaaS) operators provide the attack platform and other mechanisms to carry out ransomware attack campaings. They have development teams constantly improving their feature sets, they assist in negotiations during a successful attack, they manage customer service agents, market to new affiliates and more for a portion of the ransom proceeds.

Resilience is the ability of an organization, tool, or environment to adapt to changing conditions and prepare for, withstand, and recover quickly from disruption.

The ability of a system or organization to withstand and recover from cyberattacks, including ransomware, through proactive measures such as backups, incident response plans, and employee training.

A Service Level Agreement (SLA) is a document that defines the level of service expected from a vendor. It lists the specific metrics to measure the services rendered and compensatory actions if those service levels are not achieved. An SLA is a critical component of any technology vendor contract.

A Security Operations Center (SOC) is an organization’s central command post that monitors and analyzes data from across all of its networks, devices, and databases. The goal is to improve the overall security posture while preventing, detecting, analyzing, and responding to cybersecurity incidents. Some organizations outsource their SOC functions and infrastructure to a third-party technology vendor such as an MSP or MSSP.

Scareware is a type of malicious software that tricks users into believing their computer is infected with a virus or other malware, and then prompts them to purchase fake antivirus software or pay a ransom to remove the supposed threat.

Social engineering attacks are the most common way ransomware operators get initial access to a targeted network. Phishing via malicious emails or messages on social platforms is a favorite tactic. Specially crafted emails are designed to trick targets into clicking malicious links, opening tainted attachments, or providing sensitive information like user credentials. Attackers who have already successfully infiltrated a network may also use social engineering techniques to compromise identities that have more user privileges at a targeted organization, like network admins and company executives.

A simulated scenario designed to test an organization's response to a cyberattack, allowing them to identify weaknesses and improve its incident response plan.

The proactive process of searching for and identifying potential cyber threats and active attacks before they can cause harm to a system or network.

The amount of time it takes for a ransomware attack to encrypt a victim's data and demand payment for its release.

Triple extortion is a technique where cybercriminals not only encrypt the victim's data but also apply multiple extortion methods to compel a ransom payment, like threatening to attack a victim's customers or partners or commencing a denial of service attack (DoS) in addition to the threat of leaking compromised data if a ransom payment is not received. See "Double Extortion" for more details.

A zero-day vulnerability is a security flaw in software or hardware that is unknown to the party responsible for patching or otherwise fixing the flaw.