Ransomware is a type of malicious software that encrypts a victim's files or locks them out of their system, then demands a payment — usually in cryptocurrency — to restore access. It is one of the fastest-growing cyber threats globally, and Malaysia has seen a significant increase in ransomware incidents targeting businesses, government agencies, hospitals, and educational institutions.
In Malaysia, CyberSecurity Malaysia and NACSA have issued multiple advisories warning organisations about the rising sophistication of ransomware campaigns. The double extortion model, where attackers steal sensitive data before encrypting it and threaten to publish it, has made ransomware even more dangerous. Prevention through backups, patches, and employee awareness is far cheaper than recovery.
How Ransomware Works
Ransomware typically enters a system through phishing emails containing malicious attachments or links, compromised websites, or exploited software vulnerabilities. Once activated, it scans the system for valuable files and encrypts them using strong cryptographic algorithms, making them inaccessible without the decryption key.
The attacker then displays a ransom note demanding payment, usually in Bitcoin or other cryptocurrencies, in exchange for the decryption key. Some variants threaten to permanently delete data if payment is not made within a deadline, while others exfiltrate sensitive data and threaten public release — a tactic known as double extortion.
Types of Ransomware
Ransomware comes in several forms, each with different characteristics:
- Crypto Ransomware: Encrypts files and demands payment for the decryption key. This is the most common and damaging variant.
- Locker Ransomware: Locks the victim out of the entire device without encrypting files, displaying only the ransom demand.
- Double Extortion Ransomware: Encrypts files AND steals data, threatening to publish sensitive information if the ransom is not paid.
- Ransomware-as-a-Service (RaaS): Ransomware toolkits sold or rented to less technically skilled criminals, lowering the barrier to entry for cybercriminals.
- Wiper Disguised as Ransomware: Appears to be ransomware but is actually designed to destroy data permanently, often used in cyber warfare.
Impact in Malaysia
Ransomware attacks in Malaysia have targeted critical infrastructure including healthcare systems, municipal councils, and universities. The financial impact extends beyond the ransom itself — downtime, data recovery costs, reputational damage, and regulatory penalties under the PDPA can be devastating. In some cases, organisations have paid ransoms only to receive incomplete decryption keys or no keys at all.
Small and medium enterprises (SMEs) are particularly vulnerable because they often lack dedicated cybersecurity teams and backup infrastructure. Attackers specifically target SMEs knowing they are more likely to pay to avoid prolonged downtime.
Prevention and Protection
- Maintain regular, tested backups stored offline or in a separate network segment
- Keep all operating systems, software, and firmware updated with the latest security patches
- Implement network segmentation to limit the spread of infection
- Use endpoint detection and response (EDR) solutions on all devices
- Train employees to recognise phishing emails and suspicious downloads
- Restrict administrative privileges to only those who absolutely need them
- Develop and test an incident response plan specific to ransomware scenarios
When to Report
Report Ransomware Immediately If:
Your files are encrypted and you see a ransom demand
You notice unusual network activity or unauthorised access
Multiple devices on your network are affected simultaneously
Sensitive data may have been exfiltrated before encryption
Malaysian organisations that experience a data breach, including ransomware incidents involving personal data, are required to notify the Personal Data Protection Department (JPDP) under the PDPA. Reporting to CyberSecurity Malaysia via the Cyber999 portal also helps national threat intelligence. CyberSecurity Malaysia and law enforcement strongly advise against paying ransoms, as payment does not guarantee data recovery and funds criminal operations.
Key Statistics
RM 565M
Estimated losses from cybercrime including ransomware in Malaysia
11 seconds
A ransomware attack occurs every 11 seconds globally
75%
Of ransomware victims who paid were attacked again