Threats, Vulnerabilities, and Mitigations · SY0-701 · Task 2.4

Ransomware — SY0-701

CompTIA Security+ SY0-701 concept page for Ransomware (D2/2.4): grounded definition, mental model, exam traps, and related concepts.

WHAT IT IS

Ransomware is malware — hardware, firmware, or software intentionally inserted into a system for harmful purposes — that encrypts a victim's data (converting plaintext into ciphertext using a cryptographic algorithm and key) and then issues a demand for payment in exchange for the decryption key needed to restore the data to usable form.

The core harm is to availability: the NIST glossary defines availability as "ensuring timely and reliable access to and use of information." Ransomware directly prevents that access by holding the decryption key outside the victim's control.


Mental model

Think of ransomware as a padlock attack: the attacker swaps your lock for their own. The data is still there — nothing is deleted — but you cannot open it without their key. Every other property (integrity, stored contents) may be intact; the single lever the attacker holds is the cryptographic key required for decryption.

This framing clarifies why ransomware is primarily an availability attack, not a confidentiality or integrity attack on the encrypted files themselves.


When to use it

Use the table below when a scenario describes malware that withholds access — the exam tends to pair ransomware against other malware types and against denial-of-service attacks that also disrupt availability.

Feature            | Ransomware                                                    | Denial-of-Service (DoS)
-------------------|---------------------------------------------------------------|---------------------------------------------------------------------------------
Primary CIA impact | Availability (encrypted data inaccessible)                    | Availability (service/resource unreachable)
Mechanism          | Cryptographic transformation of data; decryption key withheld | Prevention of authorized access to resources or delaying time-critical operations
Leverage           | Decryption key held by attacker                               | Ongoing attack traffic or resource exhaustion
Attacker demand    | Payment for the decryption key                                | None inherent (disruption is the goal)
Data state         | Data exists; rendered as ciphertext                           | Data/service exists; access path is blocked

Signal phrase that points to ransomware specifically: the scenario mentions encryption of files, a demand, and a key or payment condition. Signal phrase for DoS: prevention of access without an encryption or payment element.


COMMON MISCONCEPTION

Ransomware is only an availability attack.

This is the exam's primary trap. Candidates learn the "availability" framing — correctly — but then overlook scenarios where ransomware also threatens confidentiality. NIST defines confidentiality as "preserving authorized restrictions on information access and disclosure." If an attacker exfiltrates data before encrypting it (sometimes called "double extortion" in industry parlance), confidentiality is also compromised: the attacker has gained access to information in violation of authorized restrictions, even if the victim's copy is still present on disk as ciphertext.

On an exam scenario, read carefully: if the scenario describes data copied or sent outside the organization alongside the encryption event, confidentiality is impacted in addition to availability.

A secondary misconception: paying for the decryption key guarantees data recovery. Nothing in the definition of decryption — "the process of transforming ciphertext into plaintext using a cryptographic algorithm and key" — assumes the key the attacker provides is correct or complete. The mechanism of decryption is sound; whether the attacker honors the exchange is a separate question.
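The padlock mental model above and this secondary misconception about the attacker's key, worked through as an added example that is not part of the original page. The cipher is a constructed toy (HMAC-SHA256 run in counter mode as a keystream, with an HMAC tag over the ciphertext): it is not a production cipher and not any real ransomware family, and the function names, file names and file contents are the example's own assumptions. It shows that the encrypted files are still present at their full size (availability, not destruction), that a key which does not verify is rejected rather than producing garbage, and that a restore is only counted as recovery when it matches a pre-incident hash manifest.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed toy cipher for illustration only: HMAC-SHA256 in counter mode as a
# keystream generator, plus an HMAC tag over nonce+ciphertext so that a wrong
# key is detected instead of silently yielding garbage. Not a production cipher
# and not real ransomware; it stands in for the "cryptographic algorithm and
# key" of the definition above.
NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag. Ciphertext has the same length as the plaintext."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None if the key does not verify the tag."""
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # wrong key (or tampered blob): refuse rather than emit garbage
    ks = _keystream(key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def manifest(files: Dict[str, bytes]) -> Dict[str, str]:
    """Pre-incident SHA-256 manifest: the reference a restore is checked against."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}


def simulate_incident(files: Dict[str, bytes], attacker_key: bytes) -> Dict[str, bytes]:
    """Encrypt every file with a key the victim never sees. Nothing is deleted:
    each file is still present, just as ciphertext (the availability impact)."""
    return {name: encrypt(attacker_key, data) for name, data in files.items()}


def attempt_recovery(encrypted: Dict[str, bytes], offered_key: bytes,
                     reference: Dict[str, str]) -> Dict[str, str]:
    """Try the offered key on each file. Each file ends up as 'recovered',
    'wrong_key' (tag did not verify) or 'corrupt' (decrypted but does not match
    the manifest), so a key handed over is never assumed to equal recovery."""
    status = {}
    for name, blob in encrypted.items():
        plaintext = decrypt(offered_key, blob)
        if plaintext is None:
            status[name] = "wrong_key"
        elif hashlib.sha256(plaintext).hexdigest() != reference.get(name):
            status[name] = "corrupt"
        else:
            status[name] = "recovered"
    return status


if __name__ == "__main__":
    # Constructed sample "file share"; names and contents are placeholders.
    share = {"q3-report.docx": b"Q3 revenue figures", "notes.txt": b"meeting notes\n" * 4}
    reference = manifest(share)
    attacker_key = secrets.token_bytes(32)
    locked = simulate_incident(share, attacker_key)
    still_present = all(len(locked[n]) == len(share[n]) + NONCE_LEN + TAG_LEN for n in share)
    print("files still present as ciphertext:", still_present)
    print("bogus key:", attempt_recovery(locked, secrets.token_bytes(32), reference))
    print("real key: ", attempt_recovery(locked, attacker_key, reference))
```

The manifest check is the practitioner's half of the story: in a real incident the reference hashes come from backups or file-integrity monitoring taken before the event, and only files that decrypt and match that reference count as restored.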


How it shows up on the exam

Cognitive target: Apply/analyze — you must map a described scenario to the correct threat category and identify which CIA properties are affected.

Pattern to recognize: The exam presents a scenario in which systems are inaccessible, files cannot be opened, and users receive a message demanding action before access is restored. The task is to identify the threat type and the primary security property violated.

Candidates often confuse ransomware with:

  • General malware — ransomware is a subset of malware (software intentionally inserted for harmful purposes), so "malware" is never wrong but is less precise; a well-written item will have a more specific correct answer.
  • DoS attacks — both disrupt availability, but DoS is defined as "the prevention of authorized access to resources or the delaying of time-critical operations" without the encryption-and-demand mechanism that defines ransomware.
  • Integrity attacks — ransomware does not alter or destroy data in the sense NIST means ("guarding against improper information modification or destruction"); the data is transformed by encryption and is reversible in principle, not corrupted. That reversibility exists only if the decryption key is actually obtained and is correct, which is the point of the secondary misconception above.

When a scenario describes encrypted files and a payment demand, availability is the primary impacted property. When the same scenario also describes data leaving the organization, add confidentiality.


Sources

Every claim on this page traces to the public exam blueprint and official documentation:
