What is ransomware and how do you defend against it?
Answer
Ransomware is malware that encrypts the victim's files and demands a ransom (typically in cryptocurrency) for the decryption key. Modern ransomware also exfiltrates data before encrypting it and threatens to publish that data if the ransom is not paid (double extortion). Well-known attacks: WannaCry (2017), NotPetya (2017; $10B in damages), Colonial Pipeline (2021).

Typical attack chain: phishing email → malware delivery → execution → privilege escalation → lateral movement → data exfiltration → encryption → ransom demand.

Defenses:
(1) Offline, immutable backups following the 3-2-1 rule (3 copies, 2 media types, 1 offsite); test restores regularly, since a backup that cannot be restored is not a defense.
(2) Patch management: most ransomware exploits known vulnerabilities for which a patch is already available.
(3) MFA: prevents credential-based initial access.
(4) Email security: DMARC, anti-phishing filtering, sandboxing of attachments.
(5) Network segmentation: limits lateral movement.
(6) EDR: detects and contains ransomware behavior.
(7) Least privilege: limits the scope of what a compromised account can encrypt.
(8) Disable RDP or put it behind a VPN; exposed RDP is a major ransomware entry vector.
(9) An incident response plan.