Ransomware

Ransomware is malicious software that encrypts a device's drive or files and demands payment (ransom) to restore access, making it one of the highest-risk outcomes of a device vulnerability in AP Cybersecurity Unit 4.

Verified for the 2027 AP Cybersecurity exam. Last updated June 2026.

What is ransomware?

Ransomware is a type of malware, which the CED defines as malicious software that can damage a device or network or hand an adversary access to your data (EK 4.1.B.1). What makes ransomware its own category is the goal: it locks you out of your own stuff and then asks for money. It does this by encrypting a device's drive or specific files so you can't read them, then displaying a demand for payment (usually cryptocurrency) in exchange for the decryption key.

In the language of EK 4.1.D.1, ransomware is the attack that "encrypt[s] a device's drive to ransom the data." Think of it as a digital padlock slapped onto your files by someone who keeps the only key. The data isn't necessarily stolen or deleted; it's just made unusable until you pay. That's the difference between ransomware and a wiper that destroys data outright. Ransomware usually arrives the way other malware does: through a virus you executed, a worm spreading on its own, or a trojan hiding inside software that looked harmless (EK 4.1.B.2).

Why ransomware matters in AP Cybersecurity

Ransomware lives in Topic 4.1 (Device Vulnerabilities and Attacks) in Unit 4: Securing Devices. It directly supports AP Cybersecurity 4.1.B (identifying the type of malware in an attack), 4.1.C (explaining how adversaries cause loss, damage, disruption, or destruction), and especially 4.1.D, where it's named as a specific risk: an adversary can "encrypt a device's drive to ransom the data" (EK 4.1.D.1). It's also the textbook example of a high risk under EK 4.1.D.2, because locking up a critical server or sensitive data can shut down an entire organization's operations. When you assess and document device risks, ransomware is the worst-case scenario you're trying to prevent.


How ransomware connects across the course

Malware Types: Viruses, Worms, and Trojans (Unit 4)

Ransomware is the payload, not the delivery method. A virus, worm, or trojan is often how it gets onto the device in the first place, then the ransomware does the encrypting once it's inside.

Risk Assessment and Criticality (Unit 4)

EK 4.1.D says risk depends on how critical the device is. Ransomware on a personal laptop is bad; ransomware on a server running DNS or DHCP for a whole company is a high-risk catastrophe.

Unpatched Software and Exploits (Unit 4)

EK 4.1.C.1 explains that devices with unpatched software are open doors. Ransomware frequently rides in through a known vulnerability that was never patched, which is why patching is a defense against it.

Anti-malware Defenses (Unit 4)

Anti-malware tools and backups are the counter-move. If you have clean, separate backups, a ransomware demand loses its leverage because you can restore the data instead of paying.

Is ransomware on the AP Cybersecurity exam?

Expect ransomware to show up in multiple-choice questions that ask you to identify the type of malware or the threat being described, like "Which of the following is an example of malware?" or stems describing an attacker who locks up data and demands payment. You should be able to match the scenario (drive encrypted, payment demanded) to the term ransomware, and explain why it's a high-risk attack under EK 4.1.D. No released FRQ has used the word verbatim, but ransomware fits the kind of risk-assessment and impact-analysis prompts Unit 4 rewards, where you classify the malware, explain the loss or disruption, and recommend a defense like patching or backups.

Ransomware vs wiper / data-destruction malware

Both render a device unusable, but the goal is different. Ransomware encrypts data and offers it back for a price, so the data still technically exists. A wiper just destroys data or makes the device inoperable with no offer to return it (EK 4.1.D.1 lists both as separate risks). If the attacker wants money, it's ransomware; if they only want destruction, it's a wiper.
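A small triage script that applies this distinction to files found after an incident, added here as an example and not part of the original study guide. The "snapshots" and the pseudo-ciphertext generator are constructed for the demo; the heuristic is that an encrypted file still exists but has near-maximum byte entropy, while a wiped file is missing or zero-filled.

```python
import hashlib
import math
from collections import Counter
from typing import Dict, Optional


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: plaintext is usually < 5, ciphertext approaches 8."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify(before: bytes, after: Optional[bytes], threshold: float = 7.0) -> str:
    """Triage one file given its pre-incident and post-incident contents.

    'encrypted' = still present but high entropy (ransomware-like, recoverable
    with the key or from backup); 'destroyed' = gone or zero-filled (wiper-like).
    """
    if after is None:
        return "destroyed"
    if after == before:
        return "intact"
    if shannon_entropy(after) >= threshold:
        return "encrypted"
    return "destroyed" if set(after) <= {0} else "modified"


def pseudo_ciphertext(seed: bytes, length: int) -> bytes:
    """Deterministic high-entropy bytes standing in for ciphertext (constructed, not real encryption)."""
    out, block = b"", seed
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:length]


def triage(before: Dict[str, bytes], after: Dict[str, bytes]) -> Dict[str, str]:
    """Classify every file that existed before the incident."""
    return {name: classify(data, after.get(name)) for name, data in before.items()}


# Constructed sample snapshots: the same three files before and after an incident.
PLAINTEXT = b"Quarterly report: revenue up 4%, costs flat. " * 100
SNAPSHOT_BEFORE = {"report.docx": PLAINTEXT, "notes.txt": PLAINTEXT, "dns.conf": PLAINTEXT}
SNAPSHOT_AFTER = {
    "report.docx": pseudo_ciphertext(b"report", len(PLAINTEXT)),  # ransomware-like
    "notes.txt": b"\x00" * len(PLAINTEXT),                        # wiper-like (zeroed)
    # "dns.conf" is absent from the after-snapshot: deleted outright
}

if __name__ == "__main__":
    for name, verdict in triage(SNAPSHOT_BEFORE, SNAPSHOT_AFTER).items():
        print(f"{name}: {verdict}")
```

Running it reports report.docx as encrypted and the other two as destroyed, which is the question a responder asks first: is there anything to get back, from the key or from backups?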

Key things to remember about ransomware

  • Ransomware is malware that encrypts your data and demands payment to unlock it, named directly in EK 4.1.D.1.

  • It's classified as a high-risk attack because it can compromise sensitive data and shut down critical operations (EK 4.1.D.2).

  • Ransomware is the payload; it usually arrives via a virus, worm, or trojan that delivered it onto the device.

  • Patching known vulnerabilities and keeping separate backups are the main defenses, because backups let you restore data without paying.

  • Ransomware encrypts data (you might get it back); a wiper destroys it (you won't), so don't confuse the two.

Frequently asked questions about ransomware

What is ransomware in AP Cybersecurity?

Ransomware is malicious software that encrypts a device's drive or files and demands payment to restore access. The CED names it in EK 4.1.D.1 as malware that can "encrypt a device's drive to ransom the data," and it's a classic high-risk attack in Unit 4.

Does ransomware steal your data or just lock it?

Classically, it locks it. Ransomware encrypts your files so you can't use them, then demands payment for the decryption key. The data isn't necessarily copied or deleted; it's just made unreadable until you pay (or restore from backup).

How is ransomware different from a wiper or a virus?

A wiper destroys data permanently with no offer to return it, while ransomware encrypts data and offers it back for money. A virus is a delivery method (malware activated when you open a file), whereas ransomware is the goal of the attack once it's inside.

Why is ransomware considered a high-risk attack?

Under EK 4.1.D.2, high risk involves compromising sensitive data or critical operations. Ransomware can lock up a critical server or important data, shutting down an organization until it pays or recovers, which is why criticality matters when you assess the risk.

How do you defend against ransomware on the AP exam?

Patch known software vulnerabilities so exploits can't get in (EK 4.1.C.1), run anti-malware tools, and keep clean backups stored separately. Backups are key because they let you restore your data instead of paying the ransom.
