Ransomware

Edit · View history

Ransomware

Ransomware is a type of malware that encrypts a victim's files or locks access to a system, demanding a ransom payment—usually in cryptocurrency—in exchange for restoring access. It has become one of the most financially damaging forms of cybercrime, affecting individuals, businesses, hospitals, and government agencies worldwide.

History

The first known ransomware, the AIDS Trojan (also called PC Cyborg), was distributed via floppy disks in 1989. It used symmetric cryptography and demanded a payment of $189 to a postal box. Modern ransomware emerged in the mid-2000s with variants like Reveton, which posed as law enforcement warnings. The widespread use of Bitcoin beginning around 2013 enabled anonymous payment, fueling a surge in attacks such as CryptoLocker (2013) and WannaCry (2017), the latter of which exploited the EternalBlue vulnerability and affected hundreds of thousands of computers in over 150 countries.

Operation

Ransomware typically infects a system through phishing emails, malicious downloads, or exploit kits. Once executed, it communicates with a command-and-control server to obtain an encryption key. Files are encrypted using strong algorithms like AES or RSA, and the victim is presented with a ransom note instructing payment. Some variants also threaten to publish stolen data (double extortion), as seen in the REvil and DarkSide gangs.

Mitigation and response

Experts recommend regular offline backups, patching systems promptly, using reputable antivirus software, and training users to recognize phishing attempts. Law enforcement agencies generally advise against paying ransoms, as doing so funds criminal activity and does not guarantee file recovery. Many organizations instead rely on decryption tools developed by security researchers for older or poorly implemented strains.