Ransomware
Ransomware is a type of malicious software designed to block access to a computer system or data until a sum of money (ransom) is paid.
Ransomware is a category of malicious software (malware) that encrypts a victim's files or locks their system, rendering it inaccessible. The attacker then demands a ransom payment, typically in cryptocurrency, in exchange for the decryption key or the restoration of access. The attack vector often involves social engineering tactics, such as phishing emails with malicious attachments or links, or exploiting software vulnerabilities. Once executed, the ransomware establishes persistence, often disabling system restore points and security software. It then identifies and encrypts target files based on predefined criteria (e.g., file extensions). Some variants also exfiltrate sensitive data before encryption, adding the threat of public disclosure if the ransom is not paid (double extortion). The ransom demand is usually time-limited to increase pressure on the victim. Recovery typically involves restoring from clean backups, using decryption tools where they exist (often they do not), or paying the ransom, which is generally discouraged because the key may never be delivered and the payment funds further criminal activity. Mitigation strategies include robust backup solutions, regular security awareness training, prompt patching of systems, and deploying advanced endpoint detection and response (EDR) solutions.
```mermaid
graph LR
Center["Ransomware"]:::main
Pre_cryptography["cryptography"]:::pre --> Center
click Pre_cryptography "/terms/cryptography"
Rel_distributed_denial_of_service_ddos["distributed-denial-of-service-ddos"]:::related -.-> Center
click Rel_distributed_denial_of_service_ddos "/terms/distributed-denial-of-service-ddos"
Rel_whale_crypto["whale-crypto"]:::related -.-> Center
click Rel_whale_crypto "/terms/whale-crypto"
Rel_encryption["encryption"]:::related -.-> Center
click Rel_encryption "/terms/encryption"
classDef main fill:#7c3aed,stroke:#8b5cf6,stroke-width:2px,color:white,font-weight:bold,rx:5,ry:5;
classDef pre fill:#0f172a,stroke:#3b82f6,color:#94a3b8,rx:5,ry:5;
classDef child fill:#0f172a,stroke:#10b981,color:#94a3b8,rx:5,ry:5;
classDef related fill:#0f172a,stroke:#8b5cf6,stroke-dasharray: 5 5,color:#94a3b8,rx:5,ry:5;
linkStyle default stroke:#4b5563,stroke-width:2px;
```
🧒 Explain Like I'm 5
It's like a kidnapper who sneaks into your house and puts a lock on your toy box, then demands money to give you the key so you can play with your toys again.
🤓 Expert Deep Dive
Ransomware operates by leveraging cryptographic primitives, most commonly symmetric [encryption](/en/terms/symmetric-encryption) algorithms like AES for bulk data encryption, combined with asymmetric encryption (e.g., RSA) for securely exchanging the symmetric key. The initial infection vector is critical, often exploiting zero-day vulnerabilities or social engineering to bypass perimeter defenses and gain execution on endpoints. Post-execution, ransomware employs techniques to ensure persistence and evade detection, such as rootkit functionalities, disabling security services, and employing anti-debugging measures. Advanced variants exhibit polymorphic or metamorphic capabilities to evade signature-based detection. The economic model relies on the perceived value of the encrypted data and the victim's willingness to pay, often facilitated by the pseudonymous nature of cryptocurrencies like Bitcoin. The double and triple extortion models, involving data exfiltration and DDoS attacks, represent an escalation of tactics to increase leverage.
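The bulk-encryption behaviour described above (many target files rewritten in a short burst, each now near-random ciphertext under a new extension) is exactly what an EDR file-activity heuristic keys on. The following Python is an added example, not code from this page or from any product: it scores constructed file-write telemetry by Shannon entropy and write rate per process; the `WriteEvent` fields, the thresholds and the `HIGH_ENTROPY_OK` allow-list are assumptions.

```python
import math
import random
from collections import Counter, defaultdict
from dataclasses import dataclass
from pathlib import PurePosixPath

# Formats that are high-entropy by design; ciphertext-like writes to these are expected.
HIGH_ENTROPY_OK = {".zip", ".gz", ".7z", ".png", ".jpg", ".mp4", ".gpg"}

@dataclass(frozen=True)
class WriteEvent:
    ts: float    # seconds since monitoring started
    pid: int     # writing process
    path: str    # file written
    data: bytes  # bytes written (constructed for this example)

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 for ciphertext, far lower for documents and source code."""
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def flag_processes(events, window=10.0, min_files=5, threshold=7.0):
    """Map pid -> distinct files, for processes that rewrote at least `min_files`
    non-archive files with ciphertext-like content inside any `window`-second span."""
    per_pid = defaultdict(list)
    for ev in events:
        ext = PurePosixPath(ev.path).suffix.lower()
        if ext not in HIGH_ENTROPY_OK and shannon_entropy(ev.data) >= threshold:
            per_pid[ev.pid].append(ev)
    flagged = {}
    for pid, evs in per_pid.items():
        evs.sort(key=lambda e: e.ts)
        best = start = 0
        for end in range(len(evs)):  # sliding time window over the suspicious writes
            while evs[end].ts - evs[start].ts > window:
                start += 1
            best = max(best, len({e.path for e in evs[start:end + 1]}))
        if best >= min_files:
            flagged[pid] = best
    return flagged

def sample_events():
    """Constructed telemetry: pid 100 edits reports normally; pid 200 rewrites them as .locked."""
    rng = random.Random(7)
    doc = b"Quarterly report: revenue up 4%, costs flat. " * 40
    events = [WriteEvent(float(i), 100, f"/home/u/docs/report{i}.txt", doc) for i in range(6)]
    for i in range(8):
        ciphertext = bytes(rng.getrandbits(8) for _ in range(4096))
        events.append(WriteEvent(20 + i * 0.5, 200, f"/home/u/docs/report{i}.txt.locked", ciphertext))
    return events
```

Tune `threshold`, `window` and `min_files` against your own baseline: legitimate backup, compression and disk-encryption tools also produce high-entropy bursts and need allow-listing rather than a blanket block.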