---
title: "Ransomware — AP Cybersecurity Definition & Exam Guide"
description: "Ransomware is malware that encrypts a device's data and demands payment to unlock it. Learn how it maps to Unit 4 device vulnerabilities and the AP exam."
canonical: "https://fiveable.me/ap-cybersecurity/key-terms/ransomware"
type: "key-term"
subject: "AP Cybersecurity"
unit: "Unit 4"
---

# Ransomware — AP Cybersecurity Definition & Exam Guide

## Definition

Ransomware is malicious software that encrypts a device's drive or files and demands payment (ransom) to restore access, making it one of the highest-risk outcomes of a device vulnerability in AP Cybersecurity Unit 4.

## What It Is

Ransomware is a type of **[malware](/ap-cybersecurity/key-terms/malware "fv-autolink")**, which the CED defines as [malicious](/ap-cybersecurity/unit-3/detecting-network-attacks/study-guide/5kYH3dgJpqFp57SUnjEX "fv-autolink") software that can damage a device or network or hand an adversary access to your data (EK 4.1.B.1). What makes ransomware its own category is the goal: it locks you out of your own stuff and then asks for money. It does this by encrypting a device's drive or specific files so you can't read them, then displaying a demand for payment (usually cryptocurrency) in exchange for the decryption key.

In the language of EK 4.1.D.1, ransomware is the attack that "[encrypt](/ap-cybersecurity/unit-5/asymmetric-cryptography/study-guide/VwtcdE1OgUXoQu0fiDG2 "fv-autolink")[s] a device's drive to ransom the data." Think of it as a digital padlock slapped onto your files by someone who keeps the only key. The data isn't necessarily stolen or deleted, it's just made unusable until you pay. That's the difference between ransomware and a wiper that destroys data outright. Ransomware usually arrives the way other malware does, through a virus you executed, a worm spreading on its own, or a trojan hiding inside software that looked harmless (EK 4.1.B.2).

## Why It Matters

Ransomware lives in **Topic 4.1 (Device Vulnerabilities and Attacks)** in **[Unit 4](/ap-cybersecurity/unit-4 "fv-autolink"): Securing Devices**. It directly supports **[AP Cybersecurity](/ap-cybersecurity "fv-autolink") 4.1.B** (identifying the type of malware in an attack), **4.1.C** (explaining how adversaries cause loss, damage, disruption, or destruction), and especially **4.1.D**, where it's named as a specific risk: an adversary can "encrypt a device's drive to ransom the data" (EK 4.1.D.1). It's also the textbook example of a **high risk** under EK 4.1.D.2, because locking up a critical server or sensitive data can shut down an entire organization's operations. When you assess and document device risks, ransomware is the worst-case scenario you're trying to prevent.

## Connections

### Malware Types: Viruses, Worms, and Trojans (Unit 4)

Ransomware is the payload, not the delivery method. A [virus](/ap-cybersecurity/key-terms/virus "fv-autolink"), worm, or trojan is often how it gets onto the device in the first place, then the ransomware does the encrypting once it's inside.

### Risk Assessment and Criticality (Unit 4)

EK 4.1.D says [risk](/ap-cybersecurity/key-terms/risk "fv-autolink") depends on how critical the device is. Ransomware on a personal laptop is bad; ransomware on a server running DNS or DHCP for a whole company is a high-risk catastrophe.

### Unpatched Software and Exploits (Unit 4)

EK 4.1.C.1 explains that devices with unpatched software are open doors. Ransomware frequently rides in through a known [vulnerability](/ap-cybersecurity/key-terms/vulnerability "fv-autolink") that was never patched, which is why patching is a defense against it.

### Anti-malware Defenses (Unit 4)

Anti-malware tools and backups are the counter-move. If you have clean, separate backups, a ransomware demand loses its leverage because you can restore the data instead of paying.

## On the AP Exam

Expect ransomware to show up in multiple-choice questions that ask you to identify the type of malware or the threat being described, like "Which of the following is an example of malware?" or stems describing an attacker who locks up data and demands payment. You should be able to match the scenario (drive encrypted, payment demanded) to the term ransomware, and explain why it's a high-risk attack under EK 4.1.D. No released FRQ has used the word verbatim, but ransomware fits the kind of risk-assessment and impact-analysis prompts Unit 4 rewards, where you classify the malware, explain the loss or disruption, and recommend a defense like patching or backups.

## ransomware vs wiper / data-destruction malware

Both render a device unusable, but the goal is different. Ransomware encrypts data and offers it back for a price, so the data still technically exists. A wiper just destroys data or makes the device inoperable with no offer to return it (EK 4.1.D.1 lists both as separate risks). If the attacker wants money, it's ransomware; if they only want destruction, it's a wiper.

## Key Takeaways

- Ransomware is malware that encrypts your data and demands payment to unlock it, named directly in EK 4.1.D.1.
- It's classified as a high-risk attack because it can shut down critical operations and sensitive data (EK 4.1.D.2).
- Ransomware is the payload; it usually arrives via a virus, worm, or trojan that delivered it onto the device.
- Patching known vulnerabilities and keeping separate backups are the main defenses, because backups let you restore data without paying.
- Ransomware encrypts data (you might get it back); a wiper destroys it (you won't), so don't confuse the two.

## FAQs

### What is ransomware in AP Cybersecurity?

Ransomware is malicious software that encrypts a device's drive or files and demands payment to restore access. The CED names it in EK 4.1.D.1 as malware that can "encrypt a device's drive to ransom the data," and it's a classic high-risk attack in Unit 4.

### Does ransomware steal your data or just lock it?

Classically, it locks it. Ransomware encrypts your files so you can't use them, then demands payment for the decryption key. The data isn't necessarily copied or deleted, it's just made unreadable until you pay (or restore from backup).

### How is ransomware different from a wiper or a virus?

A wiper destroys data permanently with no offer to return it, while ransomware encrypts data and offers it back for money. A virus is a delivery method (malware activated when you open a file), whereas ransomware is the goal of the attack once it's inside.

### Why is ransomware considered a high-risk attack?

Under EK 4.1.D.2, high risk involves compromising sensitive data or critical operations. Ransomware can lock up a critical server or important data, shutting down an organization until it pays or recovers, which is why criticality matters when you assess the risk.

### How do you defend against ransomware on the AP exam?

Patch known software vulnerabilities so exploits can't get in (EK 4.1.C.1), run anti-malware tools, and keep clean backups stored separately. Backups are key because they let you restore your data instead of paying the ransom.

## Related Study Guides

- [4.1 Device Vulnerabilities and Attacks](/ap-cybersecurity/unit-4/device-vulnerabilities-and-attacks/study-guide/HACz1L7MBGLXO5AANWlK)

## Structured Data

```json
{"@context":"https://schema.org","@graph":[{"@type":"LearningResource","@id":"https://fiveable.me/ap-cybersecurity/key-terms/ransomware#resource","name":"Ransomware — AP Cybersecurity Definition & Exam Guide","url":"https://fiveable.me/ap-cybersecurity/key-terms/ransomware","learningResourceType":"Concept explainer","educationalLevel":"AP® / High School","about":{"@id":"https://fiveable.me/ap-cybersecurity/key-terms/ransomware#term"},"audience":{"@type":"EducationalAudience","educationalRole":"student"},"dateModified":"2026-06-15T18:59:28.280Z","isPartOf":{"@type":"Collection","name":"AP Cybersecurity Key Terms","url":"https://fiveable.me/ap-cybersecurity/key-terms"},"publisher":{"@type":"Organization","name":"Fiveable","url":"https://fiveable.me"}},{"@type":"DefinedTerm","@id":"https://fiveable.me/ap-cybersecurity/key-terms/ransomware#term","name":"ransomware","description":"Ransomware is malicious software that encrypts a device's drive or files and demands payment (ransom) to restore access, making it one of the highest-risk outcomes of a device vulnerability in AP Cybersecurity Unit 4.","url":"https://fiveable.me/ap-cybersecurity/key-terms/ransomware","inDefinedTermSet":{"@type":"DefinedTermSet","name":"AP Cybersecurity Key Terms","url":"https://fiveable.me/ap-cybersecurity/key-terms"},"educationalAlignment":[{"@type":"AlignmentObject","alignmentType":"educationalSubject","educationalFramework":"AP® Course and Exam Description","targetName":"AP Cybersecurity Unit 4, Topic 4.1, LO 4.1.A"},{"@type":"AlignmentObject","alignmentType":"educationalSubject","educationalFramework":"AP® Course and Exam Description","targetName":"AP Cybersecurity Unit 4, Topic 4.1, LO 4.1.B"},{"@type":"AlignmentObject","alignmentType":"educationalSubject","educationalFramework":"AP® Course and Exam Description","targetName":"AP Cybersecurity Unit 4, Topic 4.1, LO 4.1.C"},{"@type":"AlignmentObject","alignmentType":"educationalSubject","educationalFramework":"AP® Course and Exam Description","targetName":"AP Cybersecurity Unit 4, Topic 4.1, LO 4.1.D"}]},{"@type":"FAQPage","mainEntity":[{"@type":"Question","name":"What is ransomware in AP Cybersecurity?","acceptedAnswer":{"@type":"Answer","text":"Ransomware is malicious software that encrypts a device's drive or files and demands payment to restore access. The CED names it in EK 4.1.D.1 as malware that can \"encrypt a device's drive to ransom the data,\" and it's a classic high-risk attack in Unit 4."}},{"@type":"Question","name":"Does ransomware steal your data or just lock it?","acceptedAnswer":{"@type":"Answer","text":"Classically, it locks it. Ransomware encrypts your files so you can't use them, then demands payment for the decryption key. The data isn't necessarily copied or deleted, it's just made unreadable until you pay (or restore from backup)."}},{"@type":"Question","name":"How is ransomware different from a wiper or a virus?","acceptedAnswer":{"@type":"Answer","text":"A wiper destroys data permanently with no offer to return it, while ransomware encrypts data and offers it back for money. A virus is a delivery method (malware activated when you open a file), whereas ransomware is the goal of the attack once it's inside."}},{"@type":"Question","name":"Why is ransomware considered a high-risk attack?","acceptedAnswer":{"@type":"Answer","text":"Under EK 4.1.D.2, high risk involves compromising sensitive data or critical operations. Ransomware can lock up a critical server or important data, shutting down an organization until it pays or recovers, which is why criticality matters when you assess the risk."}},{"@type":"Question","name":"How do you defend against ransomware on the AP exam?","acceptedAnswer":{"@type":"Answer","text":"Patch known software vulnerabilities so exploits can't get in (EK 4.1.C.1), run anti-malware tools, and keep clean backups stored separately. Backups are key because they let you restore your data instead of paying the ransom."}}]},{"@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"AP Cybersecurity","item":"https://fiveable.me/ap-cybersecurity"},{"@type":"ListItem","position":2,"name":"Key Terms","item":"https://fiveable.me/ap-cybersecurity/key-terms"},{"@type":"ListItem","position":3,"name":"Unit 4","item":"https://fiveable.me/ap-cybersecurity/unit-4"},{"@type":"ListItem","position":4,"name":"ransomware"}]}]}
```
