Ransomware

What Is Ransomware?

Ransomware is a class of malicious software designed to deny victims access to their own files or systems until a ransom payment is made, typically in cryptocurrency. The attack model relies on cryptographic techniques to make data irretrievable without a decryption key held by the attacker. First documented in 1989 with the PC Cyborg Trojan, which encoded filenames on infected disks, ransomware became a commercially sophisticated criminal enterprise by the mid-2000s. By 2021, global ransomware damages were estimated at $20 billion annually, a figure that had grown from roughly $325 million just six years earlier.

Ransomware sits at the intersection of cryptography, network security, and cybercrime economics. Unlike earlier malware aimed at disruption or data theft, ransomware is designed for extortion: the attacker's goal is a financial transaction, not the destruction of data. This business logic has driven steady evolution in both the technical sophistication of the software and the organizational sophistication of the criminal groups that deploy it.

Encryption Mechanisms

Modern ransomware relies on hybrid encryption schemes that combine symmetric and asymmetric cryptography. The malware generates a symmetric key, typically using AES, to rapidly encrypt the victim's files. It then encrypts that symmetric key using an RSA public key whose paired private key is stored on the attacker's command-and-control server. The result is that decryption is computationally infeasible without the attacker's private key, regardless of the computing resources available to the victim. The original academic blueprint for this approach was presented by Young and Yung at the 1996 IEEE Security and Privacy Symposium, where they demonstrated that public-key cryptography could be weaponized against computer users.

The main categories of ransomware reflect different levels of technical escalation. Scareware displays alarming warnings without actually encrypting data. Locker ransomware blocks access to operating system functions, typically through a screen lock. Crypto ransomware, the most damaging variant, encrypts individual files and is almost impossible to reverse if the implementation is cryptographically sound.

Delivery and Propagation

Ransomware reaches victim systems through several established vectors. Phishing emails remain the dominant entry point: a message contains either a malicious attachment with embedded downloader code or a link to a site that delivers the payload. Remote Desktop Protocol (RDP) vulnerabilities have enabled a second major class of attacks, especially against organizations whose remote-access infrastructure is misconfigured or exposed. Supply chain compromises, in which attackers infect software updates or managed service provider tools, allow ransomware to spread to many organizations through a single trusted channel.

Once inside a network, ransomware often includes a lateral movement phase before the encryption payload activates. Attackers enumerate accessible file shares, network drives, and backup systems to maximize the scope of encryption. Some variants exfiltrate data before encrypting it, enabling a double-extortion model: the victim faces both the loss of access and the threatened publication of sensitive information.

Detection and Defense

Defending against ransomware draws on layered security controls. The NIST Cybersecurity Framework provides a widely adopted structure for managing ransomware risk, covering identification, protection, detection, response, and recovery. Effective defenses include immutable offline backups that the malware cannot reach, endpoint detection tools that recognize encryption activity by its behavioral signature rather than by matching known malware samples, and network segmentation that limits lateral movement. Multi-factor authentication reduces the risk of RDP-based entry. Organizations that have experienced attacks consistently report that backup integrity and recovery testing are the single most important factors in limiting damage. CISA's ransomware guidance for critical infrastructure consolidates federal technical recommendations and maintains an updated list of known ransomware variants and their indicators of compromise.

Applications

Ransomware defense research and practice has applications across:

  • Critical infrastructure protection in energy, water, and healthcare sectors
  • Endpoint detection and response (EDR) system design
  • Cryptographic protocol analysis and vulnerability assessment
  • Incident response planning and recovery orchestration
  • Cyber insurance risk modeling and policy design
Loading…