Ransomware is malicious software that encrypts files, locks the computer, and retains control until the user pays a certain amount of money. Ransomware can appear in two forms — either by locking your screen with a full-screen image or
webpage to prevent you from accessing your PC, or by encrypting your files so they can’t be opened. 1
While each ransomware variant has its own twist, there are a few key components that most ransomware types follow:
Email-borne infection – Although some variants have been known to attack via drive-by download advertising, malicious websites, or peer-to-peer network file sharing, ransomware typically attacks through spoofed emails, and the end user is tricked into opening an attachment. 2 It often arrives in zip files with enticingly common names, and the zip file contains an .exe, which downloads onto the target computer, adding a key to the Windows Registry, allowing it to run.
Covert communication – Once downloaded, the malware establishes communication with a command-and-control server. For example, CryptoLocker, which started the modern ransomware craze, relies on a domain generation algorithm and hops between new servers routinely to avoid detection.
Advanced encryption – Once the server connection is established, CryptoLocker generates a pair of encryption keys — one public, one private — using the huge RSA-2048 bit encryption algorithm and military-grade 256-bit AES encryption.
Most ransomware variants use a 256-AES (Advanced Encryption Standard) key or a 2048-RSA key, but some even go as far as 4096-RSA.
Bitcoin ransom – After encryption is complete, the cybercriminals usually demand Bitcoin or some form of payment for the key to unencrypt infected files. 3
Ransomware works quickly and quietly in the background before it unveils itself to
users asking for ransom.
Tight deadline – A pop-up window usually tells the victim that important files have been encrypted and sets a time limit for payment before the private encryption key is destroyed and the files are lost forever.4