Ransomware: A Detailed Educational Explanation

Ransomware is one of the most dangerous types of malware, designed to block access to victims' files or systems in order to extort money. Unlike traditional viruses, which can simply damage data, ransomware uses cryptography to encrypt files, making them inaccessible without a special key. It's not only a technical threat but also a business model for cybercriminals, generating billions of dollars annually. In this explanation, we'll explore ransomware mechanisms step by step, including types, historical examples, evolution, and protection methods. All descriptions are presented at a high level, without actionable details, to emphasize the educational aspect and prevent abuse. We rely on data from authoritative sources as of 2025.

What is ransomware and why is it relevant?

Ransomware is malware that encrypts files or locks systems, demanding a ransom payment to restore access. The ransom is typically paid in cryptocurrency, such as Bitcoin, due to its anonymity. Estimates for 2023–2025 project that global ransomware losses exceed $1 billion annually, with the average ransom for organizations reaching $4 million. Attacks have evolved: they now not only encrypt data but also steal it for "double extortion," threatening to publish the stolen information on the dark web. This makes ransomware a threat not only to individual users but also to companies, hospitals, and government agencies.

Infection Methods: How Ransomware Gets Into a System

Infection is the first stage of an attack. Ransomware doesn't just appear; it exploits human or software vulnerabilities. Here are the main methods:
  • Phishing: The most common method involves malicious emails with attachments (for example, an .exe file disguised as a PDF or Word document) or links to infected websites. When the user opens the attachment, the malware is activated. Phishing relies on social engineering: scammers disguise the emails as official notifications from banks or colleagues.
  • Drive-by downloading: Automatic download of malware when visiting an infected website, without the user clicking. This occurs through vulnerabilities in browsers or plugins.
  • Vulnerability exploits: Attacks on known software vulnerabilities, such as EternalBlue in Windows (used in WannaCry). Supply chain attacks, in which attackers compromise a software vendor and distribute malware through its updates, are prominent in 2025.
  • Remote Access (RDP): Intrusion through weak passwords or stolen Remote Desktop Protocol credentials.
  • Other vectors: USB drives, pirated software, botnets, or even mobile applications (for Android devices).

In corporate networks, ransomware can spread laterally, moving from one device to another using stolen credentials.

Ransomware Operation Steps: A Step-by-Step Mechanism

Ransomware operates according to a structured pattern that can take anywhere from minutes to days to complete. Here's a detailed breakdown:
  1. Infection and activation: After entering the system, the malware disguises itself as a legitimate process (e.g., a system service) to evade antivirus detection. It may check the environment, including the OS type and the presence of a virtual machine (to avoid sandbox analysis).
  2. Scanning and analysis: The program scans disks for valuable files (documents, photos, databases). It avoids system files to prevent complete device failure. In advanced variants, such as human-operated ransomware, hackers manually explore the network, steal data, and escalate privileges. This includes credential dumping (extracting passwords) and persistence (installing backdoors for repeated access).
  3. Data encryption: The key stage. Ransomware uses cryptographic algorithms to encrypt files:
    • Symmetric encryption (e.g., AES-256): Fast, uses a single key for encryption and decryption. The key is generated locally.
    • Asymmetric encryption (RSA-2048 or higher): The public key encrypts the symmetric key, and the private key is kept by the attacker. This makes decryption impossible without payment. Some variants, such as Akira, use ChaCha20 for partial encryption (intermittent encryption) to speed up the process and evade detection. Files are renamed, for example, "file.txt" becomes "file.txt.locked" or with a random extension.
  4. Deleting backups: To prevent recovery, ransomware deletes Volume Shadow Copies (the Windows VSS snapshots) or other backups it can reach.
  5. Ransom demand: A ransom note appears—a text file, screen saver, or email with instructions. The ransom is typically 0.1–10 BTC (equivalent to thousands of dollars). Double/triple extortion also includes the threat of data leakage or DDoS attacks on partners.
  6. Post-attack: If the ransom is paid, the attackers may provide a decryptor, but victims are often cheated (according to the FBI, only 10-20% of victims get their files back).
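The intermittent encryption mentioned in step 3 is also a detection problem for defenders: the classic "is this file encrypted?" heuristic measures the entropy of the whole file, and that number drops when only some blocks are touched. The Python below is an added example, not code from the original post, that measures Shannon entropy per chunk instead and labels a file body as plaintext, fully encrypted or intermittently encrypted. The sample data, the 4 KiB chunk size and the 7.5-bit threshold are constructed assumptions; a seeded PRNG stands in for ciphertext.

```python
import math
import random

# Constructed sample data (not from the original post). A seeded PRNG stands in
# for ciphertext: well-encrypted bytes are statistically indistinguishable from
# uniformly random ones, which is exactly what an entropy check keys on.
_rng = random.Random(2025)
CHUNK = 4096  # assumed chunk size
TEXT_BLOCK = (b"Quarterly report: revenue grew 4% over the previous period. " * 80)[:CHUNK]
RANDOM_BLOCK = bytes(_rng.getrandbits(8) for _ in range(CHUNK))

SAMPLE_PLAINTEXT = TEXT_BLOCK * 8                                          # ordinary document text
SAMPLE_ENCRYPTED = bytes(_rng.getrandbits(8) for _ in range(CHUNK * 8))     # fully encrypted file
# Intermittent encryption: only every fourth 4 KiB block is ciphertext.
SAMPLE_INTERMITTENT = b"".join(RANDOM_BLOCK if i % 4 == 0 else TEXT_BLOCK for i in range(8))


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def chunk_entropies(data: bytes, chunk_size: int = CHUNK) -> list:
    """Entropy of each fixed-size chunk; the last chunk may be shorter."""
    return [shannon_entropy(data[i:i + chunk_size]) for i in range(0, len(data), chunk_size)]


def classify(data: bytes, chunk_size: int = CHUNK, threshold: float = 7.5) -> str:
    """Label a file body as 'plaintext', 'encrypted' or 'intermittent'.

    The threshold (an assumed value; tune it per environment) is applied per
    chunk rather than to the whole file, so partially encrypted files, whose
    overall entropy is dragged down by the untouched plaintext, are still caught.
    """
    chunks = chunk_entropies(data, chunk_size)
    high = sum(1 for e in chunks if e >= threshold)
    if not chunks or high == 0:
        return "plaintext"
    if high == len(chunks):
        return "encrypted"
    return "intermittent"


def whole_vs_chunks(data: bytes, chunk_size: int = CHUNK) -> tuple:
    """(whole-file entropy, highest chunk entropy): the gap shows why chunking matters."""
    chunks = chunk_entropies(data, chunk_size)
    return shannon_entropy(data), (max(chunks) if chunks else 0.0)


if __name__ == "__main__":
    for name, sample in [("plaintext", SAMPLE_PLAINTEXT), ("encrypted", SAMPLE_ENCRYPTED),
                         ("intermittent", SAMPLE_INTERMITTENT)]:
        whole, peak = whole_vs_chunks(sample)
        print(f"{name:13s} whole={whole:.2f} max_chunk={peak:.2f} -> {classify(sample)}")
```

Treat the result as one signal among several: compressed or already-encrypted formats (archives, JPEGs, password-protected documents) are legitimately high-entropy, so a file-level verdict should be combined with the file's extension, its previous state and the process that wrote it.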

Step | Description | Example of tools/techniques
---- | ----------- | ---------------------------
1. Infection | Entry via phishing or exploit | Phishing emails, EternalBlue
2. Scanning | Search for files and vulnerabilities | Lateral movement, credential access
3. Encryption | Application of algorithms | AES + RSA, ChaCha20
4. Deleting backups | Erasing recovery data | VSS deletion (Volume Shadow Copy Service)
5. Ransom | Displaying instructions | Ransom note in TXT or HTML
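Rows 3 and 4 of the table are the two stages an endpoint detection rule can see most clearly: a burst of files renamed to one new extension, followed by a command that deletes shadow copies. The Python below is an added example, not code from the original post or from any vendor, that runs those two rules over a handful of constructed endpoint events. The event schema (ts, host, type, src, dst, cmd), the host names, and the window and file-count thresholds are all assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample endpoint events (not from the original post). The field
# names form an assumed, simplified schema, not any vendor's real telemetry.
# Host ws-07 shows a rename burst followed by shadow-copy deletion; ws-12 is benign.
EVENTS = [
    {"ts": 100 + i, "host": "ws-07", "type": "rename",
     "src": f"C:\\Users\\alice\\Documents\\file{i}.docx",
     "dst": f"C:\\Users\\alice\\Documents\\file{i}.docx.locked"}
    for i in range(12)
] + [
    {"ts": 113, "host": "ws-07", "type": "rename",
     "src": "C:\\Users\\alice\\Documents\\draft.docx",
     "dst": "C:\\Users\\alice\\Documents\\draft_v2.docx"},   # ordinary user rename
    {"ts": 118, "host": "ws-07", "type": "process", "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": 200, "host": "ws-12", "type": "rename",
     "src": "C:\\Users\\bob\\report.docx", "dst": "C:\\Users\\bob\\report_final.docx"},
    {"ts": 205, "host": "ws-12", "type": "process", "cmd": "notepad.exe C:\\Users\\bob\\notes.txt"},
]

# Command-line fragments associated with Volume Shadow Copy deletion; both
# words of a pair must appear for the rule to fire.
SHADOW_DELETE_MARKERS = (("vssadmin", "delete shadows"), ("wmic", "shadowcopy delete"))


def appended_extension(src: str, dst: str):
    """Suffix a rename bolted onto the complete original name (e.g. '.locked'),
    or None when the name itself changed, which is what a normal rename does."""
    if dst.startswith(src + "."):
        return dst[len(src):].lower()
    return None


def detect(events, window: int = 60, min_files: int = 10) -> list:
    """Evaluate two rules per host and return alert dicts.

    rename_burst: at least `min_files` renames appending the same new extension
    within `window` seconds (both thresholds are assumed values to tune).
    shadow_copy_deletion: a process command line matching SHADOW_DELETE_MARKERS.
    """
    alerts = []
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)

    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        renames = [(e["ts"], appended_extension(e["src"], e["dst"]))
                   for e in evs if e["type"] == "rename"]
        renames = [(t, ext) for t, ext in renames if ext]
        best_count, best_ext, start = 0, None, 0
        for end in range(len(renames)):              # sliding time window over renames
            while renames[end][0] - renames[start][0] > window:
                start += 1
            ext, count = Counter(x for _, x in renames[start:end + 1]).most_common(1)[0]
            if count > best_count:
                best_count, best_ext = count, ext
        if best_count >= min_files:
            alerts.append({"host": host, "rule": "rename_burst", "ext": best_ext, "count": best_count})

        for e in evs:
            if e["type"] != "process":
                continue
            cmd = e["cmd"].lower()
            if any(a in cmd and b in cmd for a, b in SHADOW_DELETE_MARKERS):
                alerts.append({"host": host, "rule": "shadow_copy_deletion", "cmd": e["cmd"]})
    return alerts


def triage(alerts) -> dict:
    """Map each host to the set of rules that fired. Both rules on one host is
    the pattern of steps 3 and 4 above and warrants isolating the machine."""
    fired = defaultdict(set)
    for a in alerts:
        fired[a["host"]].add(a["rule"])
    return dict(fired)


if __name__ == "__main__":
    for host, rules in triage(detect(EVENTS)).items():
        print(host, sorted(rules))
```

The rename rule keys on the original name being preserved with a suffix appended, which separates the behaviour in the table from everyday renames such as `draft.docx` to `draft_v2.docx`; the shadow-copy rule is deliberately simple and is the kind of check an EDR product ships as a built-in signature.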

Types of ransomware

Ransomware is classified by methods and purposes:
  • Encrypting ransomware: Classic - encrypts files (e.g. CryptoLocker).
  • Locker ransomware: Locks the screen or device, without encryption (less common).
  • Double/Triple extortion: Encryption + data theft + additional threats (Maze, REvil).
  • Wiper: Not for ransom, but for data destruction (NotPetya).
  • Human-operated: Manually controlled by hackers, as opposed to automated (WannaCry).
  • RaaS (Ransomware-as-a-Service): An "as a service" model in which developers rent or sell a toolkit to newcomers (LockBit, RansomHub).

Type | Characteristic | Example
---- | -------------- | -------
Encrypting | Encrypts files | WannaCry
Locker | Blocks access | Android lockers
Double Extortion | Encryption + leak | Maze
RaaS | Rented malware | LockBit
Human-Operated | Manual control | Ryuk

Historical examples and evolution

Ransomware has been around since 1989 (AIDS Trojan), but the boom began in the 2010s:
  • CryptoLocker (2013): 500,000 devices infected, $3 million raised.
  • WannaCry (2017): Global epidemic, EternalBlue exploit, losses $4 billion.
  • NotPetya (2017): Wiper disguised as ransomware, attack on Ukraine.
  • REvil (2019–2022): Double extortion, ransoms up to $800,000.
  • LockBit (2019–2024): RaaS, disrupted by law enforcement in 2024.
  • RansomHub (2024–2025): New leader, 210+ victims by August 2024.

Evolution: From automated attacks to human-operated ones and RaaS. In 2025, AI helps create phishing, and cryptocurrency helps with anonymity. Groups like BlackCat/ALPHV use Rust for cross-platform support.

Consequences of the attacks

  • Financial: Average loss $4.35 million, including downtime.
  • Reputational: Data breaches lead to fines (GDPR).
  • Operational: Hospitals (as in WannaCry) cannot operate.
  • Global: 71% of companies affected by 2024–2025.

Ransomware protection and removal

Prevention (better than cure):
  • Regular backups according to the 3-2-1 rule: 3 copies, 2 types of media, 1 offline.
  • Software updates and patches.
  • Antivirus with EDR (Endpoint Detection and Response), such as Microsoft Defender.
  • Training in phishing recognition, plus MFA (Multi-Factor Authentication).
  • Network segmentation to limit lateral movement.

If infected:
  • Disconnect the device from the network.
  • Don't pay the ransom - it funds the criminals and doesn't guarantee recovery.
  • Use antimalware to scan in safe mode.
  • Restore from backups.
  • Contact specialists (FBI, cybersecurity firms). Removing malware does not decrypt files; this requires decryptors from researchers (such as NoMoreRansom.org).

In conclusion, understanding ransomware helps prevent attacks. It's a matter of cyber hygiene. For further reading, I recommend resources from Check Point, Microsoft, and CSO Online.