Ransomware is a type of malicious software that blocks access to the victim's data or threatens to publish or delete it until a ransom is paid. Any action is possible once a device or system is infected and there is no guarantee that paying the ransom will return access or not delete the data. Simple ransomware may lock the system in a way which is not difficult for a knowledgeable person to reverse. More advanced malware uses a technique called cryptoviral extortion, in which it encrypts the victim's files, making them inaccessible, and demands a ransom payment to decrypt them. [1] The ransomware may also encrypt the computer's Master File Table (MFT) [2] [3] or the entire hard drive. [4] Thus, ransomware is a denial-of-access attack that prevents computer users from accessing files [5] since it is intractable to decrypt the files without the decryption key. Ransomware attacks are typically carried out using a Trojan that has a payload disguised as a legitimate file.

While initially popular in Russia, the use of ransomware scams has grown internationally; [6] [7] [8] in June 2013, security software vendor McAfee released data showing that it had collected over 250,000 unique samples of ransomware in the first quarter of 2013, more than double the number it had obtained in the first quarter of 2012. [9] Wide-ranging attacks involving encryption-based ransomware began to increase through Trojans such as CryptoLocker, which procured an estimated US $3 million before it was taken down by authorities, [10] and CryptoWall, which was estimated by the US Federal Bureau of Investigation (FBI) to have accrued over $18m by June 2015. [11].


The concept of file encrypting ransomware was invented and implemented by Young and Yung at Columbia University and was presented at the 1996 IEEE Security & Privacy conference. It is called cryptoviral extortion and is the following three-round protocol carried out between the attacker and the victim. [12]

  1. [attackervictim] The attacker generates a key pair and places the corresponding public key in the malware. The malware is released.
  2. [victimattacker] To carry out the cryptoviral extortion attack, the malware generates a random symmetric key and encrypts the victim's data with it. It uses the public key in the malware to encrypt the symmetric key. This is known as hybrid encryption and it results in a small asymmetric ciphertext as well as the symmetric ciphertext of the victim's data. It zeroizes the symmetric key and the original plaintext data to prevent recovery. It puts up a message to the user that includes the asymmetric ciphertext and how to pay the ransom. The victim sends the asymmetric ciphertext and e-money to the attacker.
  3. [attackervictim] The attacker receives the payment, deciphers the asymmetric ciphertext with the attacker's private key, and sends the symmetric key to the victim. The victim deciphers the encrypted data with the needed symmetric key thereby completing the cryptovirology attack.

The symmetric key is randomly generated and will not assist other victims. At no point is the attacker's private key exposed to victims and the victim need only send a very small ciphertext (the encrypted symmetric-cipher key) to the attacker.

Ransomware attacks are typically carried out using a Trojan, entering a system through, for example, a downloaded file or a vulnerability in a network service. The program then runs a payload, which locks the system in some fashion, or claims to lock the system but does not (e.g., a scareware program). Payloads may display a fake warning purportedly by an entity such as a law enforcement agency, falsely claiming that the system has been used for illegal activities, contains content such as pornography and "pirated" media. [13] [14] [15]

Some payloads consist simply of an application designed to lock or restrict the system until payment is made, typically by setting the Windows Shell to itself, [16] or even modifying the master boot record and/or partition table to prevent the operating system from booting until it is repaired. [17] The most sophisticated payloads encrypt files, with many using strong encryption to encrypt the victim's files in such a way that only the malware author has the needed decryption key. [12] [18] [19]

Payment is virtually always the goal, and the victim is coerced into paying for the ransomware to be removed—which may or may not actually occur—either by supplying a program that can decrypt the files, or by sending an unlock code that undoes the payload's changes. A key element in making ransomware work for the attacker is a convenient payment system that is hard to trace. A range of such payment methods have been used, including wire transfers, premium-rate text messages, [20] pre-paid voucher services such as Paysafecard, [6] [21] [22] and the digital currency Bitcoin. [23] [24] [25] A 2016 census commissioned by Citrix revealed that larger businesses are holding bitcoin as contingency plans. [26]

Other Languages
العربية: رانسوم وير
भोजपुरी: रैनसमवेयर
čeština: Ransomware
dansk: Ransomware
Deutsch: Ransomware
eesti: Lunavara
español: Ransomware
français: Ransomware
한국어: 랜섬웨어
हिन्दी: रैनसमवेयर
hrvatski: Ransomware
Bahasa Indonesia: Perangkat pemeras
íslenska: Gagnagíslataka
italiano: Ransomware
Basa Jawa: Ransomware
lumbaart: Ransomware
magyar: Ransomware
монгол: Ransomware
Nederlands: Ransomware
norsk bokmål: Løsepengevirus
polski: Ransomware
português: Ransomware
română: Ransomware
русский: Ransomware
Simple English: Ransomware
slovenčina: Ransomware
svenska: Ransomware
Türkçe: Fidye virüsü
українська: Ransomware
Tiếng Việt: Mã độc tống tiền
中文: 勒索軟體