Ransomware is a type of malicious software from cryptovirology that threatens to publish the victim's data or perpetually block access to it unless a ransom is paid. While some simple ransomware may lock the system in a way which is not difficult for a knowledgeable person to reverse, more advanced malware uses a technique called cryptoviral extortion, in which it encrypts the victim's files, making them inaccessible, and demands a ransom payment to decrypt them.[1][2][3][4] In a properly implemented cryptoviral extortion attack, recovering the files without the decryption key is an intractable problem – and difficult to trace digital currencies such as Ukash and cryptocurrency are used for the ransoms, making tracing and prosecuting the perpetrators difficult.

Ransomware attacks are typically carried out using a Trojan that is disguised as a legitimate file that the user is tricked into downloading or opening when it arrives as an email attachment. However, one high-profile example, the "WannaCry worm", traveled automatically between computers without user interaction.

Starting from around 2012 the use of ransomware scams has grown internationally.[5][6][7] in June 2013, vendor McAfee released data showing that it had collected more than double the number of samples of ransomware that quarter than it had in the same quarter of the previous year.[8] CryptoLocker was particularly successful, procuring an estimated US $3 million before it was taken down by authorities,[9] and CryptoWall was estimated by the US Federal Bureau of Investigation (FBI) to have accrued over US $18m by June 2015.[10]


The concept of file encrypting ransomware was invented and implemented by Young and Yung at Columbia University and was presented at the 1996 IEEE Security & Privacy conference. It is called cryptoviral extortion and it was inspired by the fictional facehugger in the movie Alien.[11] Cryptoviral extortion is the following three-round protocol carried out between the attacker and the victim.[1]

  1. [attackervictim] The attacker generates a key pair and places the corresponding public key in the malware. The malware is released.
  2. [victimattacker] To carry out the cryptoviral extortion attack, the malware generates a random symmetric key and encrypts the victim's data with it. It uses the public key in the malware to encrypt the symmetric key. This is known as hybrid encryption and it results in a small asymmetric ciphertext as well as the symmetric ciphertext of the victim's data. It zeroizes the symmetric key and the original plaintext data to prevent recovery. It puts up a message to the user that includes the asymmetric ciphertext and how to pay the ransom. The victim sends the asymmetric ciphertext and e-money to the attacker.
  3. [attackervictim] The attacker receives the payment, deciphers the asymmetric ciphertext with the attacker's private key, and sends the symmetric key to the victim. The victim deciphers the encrypted data with the needed symmetric key thereby completing the cryptovirology attack.

The symmetric key is randomly generated and will not assist other victims. At no point is the attacker's private key exposed to victims and the victim need only send a very small ciphertext (the encrypted symmetric-cipher key) to the attacker.

Ransomware attacks are typically carried out using a Trojan, entering a system through, for example, a malicious attachment or embedded link in a Phishing email or a vulnerability in a network service. The program then runs a payload, which locks the system in some fashion, or claims to lock the system but does not (e.g., a scareware program). Payloads may display a fake warning purportedly by an entity such as a law enforcement agency, falsely claiming that the system has been used for illegal activities, contains content such as pornography and "pirated" media.[12][13][14]

Some payloads consist simply of an application designed to lock or restrict the system until payment is made, typically by setting the Windows Shell to itself,[15] or even modifying the master boot record and/or partition table to prevent the operating system from booting until it is repaired.[16] The most sophisticated payloads encrypt files, with many using strong encryption to encrypt the victim's files in such a way that only the malware author has the needed decryption key.[1][17][18]

Payment is virtually always the goal, and the victim is coerced into paying for the ransomware to be removed—which may or may not actually occur—either by supplying a program that can decrypt the files, or by sending an unlock code that undoes the payload's changes. A key element in making ransomware work for the attacker is a convenient payment system that is hard to trace. A range of such payment methods have been used, including wire transfers, premium-rate text messages,[19] pre-paid voucher services such as paysafecard,[5][20][21] and the digital currency Bitcoin.[22][23][24] A 2016 survey commissioned by Citrix claimed that larger businesses are holding bitcoin as contingency plans.[25]

Other Languages
Afrikaans: Losprysware
العربية: رانسوم وير
भोजपुरी: रैनसमवेयर
čeština: Ransomware
dansk: Ransomware
Deutsch: Ransomware
eesti: Lunavara
Ελληνικά: Ransomware
español: Ransomware
euskara: Ransomware
français: Rançongiciel
galego: Ransomware
한국어: 랜섬웨어
हिन्दी: रैनसमवेयर
hrvatski: Ransomware
Bahasa Indonesia: Perangkat pemeras
íslenska: Gagnagíslataka
italiano: Ransomware
Basa Jawa: Ransomware
Kiswahili: Programufidia
lumbaart: Ransomware
മലയാളം: റാംസംവെയർ
Bahasa Melayu: Perisian tebusan
монгол: Ransomware
Nederlands: Ransomware
polski: Ransomware
português: Ransomware
română: Ransomware
Simple English: Ransomware
slovenčina: Ransomware
srpskohrvatski / српскохрватски: Ucjenjivački softver
svenska: Ransomware
Türkçe: Fidye virüsü
українська: Ransomware
Tiếng Việt: Mã độc tống tiền
中文: 勒索軟體