Ransomware: A Detailed Educational Explanation

Ransomware is one of the most dangerous types of malware, designed to block access to victims' files or systems in order to extort money. Unlike traditional viruses, which can simply damage data, ransomware uses cryptography to encrypt files, making them inaccessible without a special key. It's not only a technical threat but also a business model for cybercriminals, generating billions of dollars annually. In this explanation, we'll explore ransomware mechanisms step by step, including types, historical examples, evolution, and protection methods. All descriptions are presented at a high level, without actionable details, to emphasize the educational aspect and prevent abuse. We rely on data from authoritative sources as of 2025.

What is ransomware and why is it relevant?

Ransomware is malware that encrypts files or locks systems, demanding a ransom payment to restore access. The ransom is typically paid in cryptocurrency, such as Bitcoin, due to its anonymity. Estimates for 2023–2025 project that global ransomware losses exceed $1 billion annually, with the average ransom for organizations reaching $4 million. Attacks have evolved: they now not only encrypt data but also steal it for "double extortion," threatening to publish the stolen information on the dark web. This makes ransomware a threat not only to individual users but also to companies, hospitals, and government agencies.

Infection Methods: How Ransomware Gets Into a System

Infection is the first stage of an attack. Ransomware doesn't just appear; it exploits human or software vulnerabilities. Here are the main methods:
  • Phishing: The most common method involves malicious emails with attachments (for example, an .exe file disguised as a PDF or Word document) or links to infected websites. When the user opens the attachment, the malware is activated. Phishing relies on social engineering: scammers disguise the emails as official notifications from banks or colleagues.
  • Drive-by download: Automatic download of malware when visiting an infected website, without the user clicking anything. This occurs through vulnerabilities in browsers or plugins.
  • Vulnerability exploits: Attacks on known software vulnerabilities, such as EternalBlue in Windows (used in WannaCry). Supply chain attacks, where hackers compromise software vendors and distribute malware through updates, are popular in 2025.
  • Remote Access (RDP): Hacking through weak passwords or stolen Remote Desktop Protocol credentials.
  • Other vectors: USB drives, pirated software, botnets, or even mobile applications (for Android devices).

In corporate networks, ransomware can spread laterally, moving from one device to another using stolen credentials.

Ransomware Operation Steps: A Step-by-Step Mechanism

Ransomware operates according to a structured pattern that can take anywhere from minutes to days to complete. Here's a detailed breakdown:
  1. Infection and activation: After entering the system, the malware disguises itself as a legitimate process (e.g., a system service) to evade antivirus detection. It may check the environment, including the OS type and the presence of a virtual machine (to avoid sandbox analysis).
  2. Scanning and analysis: The program scans disks for valuable files (documents, photos, databases). It avoids system files to prevent complete device failure. In advanced variants, such as human-operated ransomware, hackers manually explore the network, steal data, and escalate privileges. This includes credential dumping (extracting passwords) and persistence (installing backdoors for repeated access).
  3. Data encryption: The key stage. Ransomware uses cryptographic algorithms to encrypt files:
    • Symmetric encryption (e.g., AES-256): Fast, uses a single key for encryption and decryption. The key is generated locally.
    • Asymmetric encryption (RSA-2048 or higher): The public key encrypts the symmetric key, and the private key is kept by the attacker. This makes decryption impossible without payment. Some variants, such as Akira, use ChaCha20 for partial encryption (intermittent encryption) to speed up the process and evade detection. Files are renamed, for example, "file.txt" becomes "file.txt.locked" or with a random extension.
  4. Deleting backups: To prevent recovery, ransomware deletes shadow copies (Volume Shadow Copies in Windows) or backups.
  5. Ransom demand: A ransom note appears: a text file, lock screen, or email with instructions. The ransom is typically 0.1–10 BTC (equivalent to thousands of dollars). Double/triple extortion also includes the threat of data leakage or DDoS attacks on partners.
  6. Post-attack: If the ransom is paid, hackers may provide a decryptor, but victims are often cheated (according to the FBI, only 10–20% of victims get their files back).

Step                | Description                          | Example of tools/techniques
--------------------|--------------------------------------|-------------------------------------------
1. Infection        | Entry via phishing or exploit        | Phishing emails, EternalBlue
2. Scanning         | Search for files and vulnerabilities | Lateral movement, credential access
3. Encryption       | Application of algorithms            | AES + RSA, ChaCha20
4. Deleting backups | Erasing recovery data                | VSS deletion (Volume Shadow Copy Service)
5. Ransom           | Displaying instructions              | Ransom note in TXT or HTML

Types of ransomware

Ransomware is classified by methods and purposes:
  • Encrypting ransomware: Classic - encrypts files (e.g. CryptoLocker).
  • Locker ransomware: Locks the screen or device, without encryption (less common).
  • Double/Triple extortion: Encryption + data theft + additional threats (Maze, REvil).
  • Wiper: Not for ransom, but for data destruction (NotPetya).
  • Human-operated: Manually controlled by hackers, as opposed to automated (WannaCry).
  • RaaS (Ransomware-as-a-Service): An "as a service" model where developers sell a toolkit to newcomers (LockBit, RansomHub).

Type             | Characteristic    | Example
-----------------|-------------------|----------------
Encrypting       | Encrypts files    | WannaCry
Locker           | Blocks access     | Android lockers
Double Extortion | Encryption + leak | Maze
RaaS             | Rented malware    | LockBit
Human-Operated   | Manual control    | Ryuk

Historical examples and evolution

Ransomware has been around since 1989 (AIDS Trojan), but the boom began in the 2010s:
  • CryptoLocker (2013): 500,000 devices infected, $3 million raised.
  • WannaCry (2017): Global epidemic, EternalBlue exploit, losses $4 billion.
  • NotPetya (2017): Wiper disguised as ransomware, attack on Ukraine.
  • REvil (2019–2022): Double extortion, ransoms of up to $800,000.
  • LockBit (2019–2024): RaaS, disrupted by law enforcement in 2024.
  • RansomHub (2024–2025): New leader, 210+ victims by August 2024.

Evolution: From automated attacks to human-operated ones and RaaS. In 2025, AI helps create phishing, and cryptocurrency helps with anonymity. Groups like BlackCat/ALPHV use Rust for cross-platform support.

Consequences of the attacks

  • Financial: Average loss $4.35 million, including downtime.
  • Reputational: Data breaches lead to fines (GDPR).
  • Operational: Hospitals (as in WannaCry) cannot operate.
  • Global: 71% of companies affected by 2024–2025.

Ransomware protection and removal

Prevention (better than cure):
  • Regular backups according to the 3-2-1 rule: 3 copies, 2 types of media, 1 offline.
  • Software updates and patches.
  • Antiviruses with EDR (Endpoint Detection and Response), such as Microsoft Defender.
  • Training: phishing recognition, MFA (Multi-Factor Authentication).
  • Network segmentation to limit lateral movement.

If infected:
  • Disconnect the device from the network.
  • Don't pay the ransom - it funds the criminals and doesn't guarantee recovery.
  • Use antimalware to scan in safe mode.
  • Restore from backups.
  • Contact specialists (FBI, cybersecurity firms). Removing malware does not decrypt files; this requires decryptors from researchers (such as NoMoreRansom.org).

In conclusion, understanding ransomware helps prevent attacks. It's a matter of cyber hygiene. For further reading, I recommend resources from Check Point, Microsoft, and CSO Online.
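As an added example (not part of the original post), here is a small detection routine for step 4 above, the deletion of shadow copies: it scans constructed, Sysmon-style process-creation events for a vssadmin delete shadows command line and raises the severity when the parent process is an Office application, which is the phishing-macro path the post describes. The event fields, parent process names and the severity scale are assumptions made for this example.

```python
import re
from dataclasses import dataclass

# Constructed process-creation events in a Sysmon Event ID 1 style (not real logs).
SAMPLE_EVENTS = [
    {"pid": 4120, "parent": "explorer.exe",
     "cmd": "vssadmin list shadows"},                                    # benign admin query
    {"pid": 4188, "parent": "svc_update.exe",
     "cmd": "vssadmin delete shadows /all /quiet"},                      # command cited in the post
    {"pid": 4201, "parent": "winword.exe",
     "cmd": 'cmd.exe /c "VSSADMIN.EXE Delete Shadows /For=C: /Quiet"'},  # launched from Word
    {"pid": 4302, "parent": "backup_agent.exe",
     "cmd": "vssadmin list writers"},                                    # benign
]

# Matches vssadmin (with or without .exe) followed anywhere by "delete" and "shadows",
# so case changes, quoting and extra switches do not hide the command.
VSS_DELETE = re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.IGNORECASE)

# An Office parent means the command was spawned from a document: the macro/phishing path.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


@dataclass
class Alert:
    pid: int
    parent: str
    severity: str
    reason: str


def is_shadow_deletion(cmd: str) -> bool:
    """True when a command line deletes Volume Shadow Copies (step 4 of the attack)."""
    return VSS_DELETE.search(cmd) is not None


def scan_events(events) -> list[Alert]:
    """Return one Alert per shadow-copy deletion; quiet runs and Office parents are noted."""
    alerts = []
    for ev in events:
        if not is_shadow_deletion(ev["cmd"]):
            continue
        severity = "critical" if ev["parent"].lower() in OFFICE_PARENTS else "high"
        reason = "shadow copy deletion"
        if "/quiet" in ev["cmd"].lower():
            reason += " without confirmation prompt"
        alerts.append(Alert(ev["pid"], ev["parent"], severity, reason))
    return alerts


if __name__ == "__main__":
    for a in scan_events(SAMPLE_EVENTS):
        print(f"[{a.severity}] pid={a.pid} parent={a.parent}: {a.reason}")
```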
 

Technical details of ransomware

Ransomware is a type of malware that encrypts the victim's data or blocks access to the system, demanding a ransom to restore access. For educational purposes, I will describe in detail the technical aspects of ransomware: its structure, operating mechanisms, distribution methods, encryption, communication, and protection. I will also discuss examples and approaches to analysis.

1. Ransomware structure and components

Ransomware consists of several key components that provide its functionality:

1.1. Executable file

  • Type: Typically an executable file (.exe, .dll, .js, .ps1, etc.) or a script that runs on the victim's device.
  • Obfuscation: Code is often obfuscated to make it more difficult for antivirus software to analyze. Polymorphic or metamorphic techniques are used to ensure that each copy of the malware has a unique signature.
  • Example: WannaCry used an executable file disguised as legitimate software, obfuscated with packers like UPX.

1.2. Encryption Module

  • Responsible for encrypting the victim's files.
  • Uses cryptographic algorithms (usually AES for symmetric encryption and RSA for asymmetric).
  • Generates a unique encryption key for each infected device.

1.3. Communication Module

  • Communicates with the command and control (C2) server to transmit data (such as encryption keys) or receive instructions.
  • Uses HTTP/HTTPS, Tor or DNS protocols for anonymity.

1.4. Distribution Module

  • Some ransomware (such as WannaCry) includes modules for self-propagation through network vulnerabilities (exploits such as EternalBlue).

1.5. Extortion Interface

  • After encryption, it displays a ransom demand message (usually in a cryptocurrency such as Bitcoin or Monero).
  • May include a timer, payment instructions, and links to Tor sites for contacting the extortionists.

2. How ransomware works

Ransomware follows a sequence of steps to achieve its goal. Here's a typical process:
  1. Penetration:
    • Infection through phishing, malicious attachments, compromised websites, vulnerability exploits, or remote access (RDP).
    • Example: Ryuk is often distributed through phishing emails with macros in Word documents.
  2. Installation:
    • The malware copies itself to system folders (e.g. %AppData%, %Temp%) and creates entries in the Windows registry for autorun.
    • May disable antivirus software, backup services, or Windows Defender.
  3. Information collection:
    • Collects data about the system (OS, architecture, network connections).
    • Some ransomware (such as REvil) scans the network to find other devices.
  4. Data encryption:
    • Scans disks for files with certain extensions (.docx, .pdf, .jpg, databases, etc.).
    • Encrypts files using a combination of symmetric (AES-256) and asymmetric (RSA-2048) encryption.
    • Deletes original files and replaces them with encrypted ones (with new extensions, such as .locked, .crypt, .ryuk).
  5. Ransom demand:
    • Creates a text file (such as README.txt) or a graphical interface with instructions.
    • Specifies the ransom amount (usually 0.1–10 BTC) and the wallet address.
  6. Self-removal (optional):
    • Some ransomware deletes itself after encryption to make analysis more difficult.

3. Technical aspects of encryption

Encryption is a key part of ransomware, making data recovery virtually impossible without the key.

3.1. Algorithms

  • Symmetric encryption (AES-256):
    • Used for fast file encryption.
    • A unique key is generated for each file or device.
  • Asymmetric encryption (RSA-2048 or higher):
    • The public key encrypts the AES symmetric key.
    • The private key is stored by the attackers, making it necessary for decryption.
  • Example: WannaCry used AES-128 for files and RSA-2048 for key protection.

3.2. Key generation

  • Keys are generated locally or on a C2 server.
  • In some cases (for example, Petya), ransomware uses pseudo-random keys, which sometimes allows data recovery with a weak implementation.

3.3. Target files

  • Ransomware targets files that are critical to the user: documents, images, databases, archives.
  • Ignores system files (.exe, .dll) to avoid disrupting the OS.

3.4. Destroying backup copies

  • Modern ransomware (such as Maze) searches for and deletes Windows Volume Shadow Copies using the command vssadmin delete shadows /all /quiet.

4. Methods of distribution

Ransomware uses a variety of attack vectors, many of which overlap with carding methods:

4.1. Phishing

  • Emails with malicious attachments (Word/Excel macros, .zip archives) or links to infected websites.
  • Example: Emotet delivered ransomware through phishing campaigns.

4.2. Vulnerability Exploits

  • Vulnerabilities in software or network protocols are exploited (for example, EternalBlue for SMB in WannaCry).
  • The goal is to gain access to the system without user interaction.

4.3. Remote Access

  • Attacks through weakly protected RDP (Remote Desktop Protocol) ports using stolen credentials.
  • Example: Ryuk is often spread via compromised RDPs.

4.4. Compromised Websites

  • Drive-by download: The victim visits an infected website and the malware is downloaded automatically via exploit kits (e.g. Angler, RIG).

4.5. Self-propagation

  • Some ransomware (WannaCry, NotPetya) uses worm-like mechanisms to spread across the network by exploiting vulnerabilities.

5. Communication with C2 servers

Ransomware often communicates with command and control servers to:
  • Transfer encryption keys.
  • Receive instructions (e.g. ransom amount).
  • Send stolen data (in the case of double extortion).

Technical details:

  • Protocols: HTTP/HTTPS, DNS, Tor, I2P.
  • Traffic obfuscation: Domains generated by algorithms (DGA, Domain Generation Algorithms) are used to make blocking more difficult.
  • Example: REvil used Tor to communicate with victims, providing access to a payment portal via .onion addresses.

6. Types of ransomware

Ransomware is divided into several categories based on its mechanism of action:
  1. Crypto-ransomware:
    • They encrypt files and demand a ransom for the key (WannaCry, Ryuk, REvil).
  2. Lockers (Locker ransomware):
    • Block access to the device without affecting files (for example, a screen lock with a ransom demand).
  3. Double extortion:
    • They combine encryption and data theft, threatening to publish it (Maze, Conti).
  4. RaaS (Ransomware-as-a-Service):
    • Platforms where ransomware developers rent out their tools (REvil, DarkSide).

7. Case Studies

  1. WannaCry (2017):
    • Used the EternalBlue exploit to spread across networks.
    • Encrypted files using AES-128 and RSA-2048.
    • Demanded a ransom in Bitcoin (around $300–600).
    • Infected outdated Windows systems without patches.
  2. NotPetya (2017):
    • Initially disguised as ransomware, it was actually a tool of destruction.
    • Used a modified EternalBlue and encrypted the MBR (Master Boot Record).
    • It spread through corporate networks, causing billions of dollars in damage.
  3. REvil/Sodinokibi (2019–2022):
    • Used the RaaS model.
    • Combined encryption and data theft.
    • Attacked large companies, demanding ransoms of up to $70 million.
  4. Ryuk (2018–present):
    • Spread via phishing and RDP.
    • Targets large organizations by encrypting critical data.
    • Often associated with the Emotet and TrickBot Trojans.

8. Analysis and protection

8.1. Ransomware Analysis

  • Static analysis: Examining code without running it (using disassemblers such as IDA Pro).
  • Dynamic Analysis: Run in a sandbox (Cuckoo Sandbox) to observe behavior.
  • Network Analysis: Monitoring traffic with Wireshark to identify C2 servers.
  • Cryptanalysis: Finding weaknesses in encryption implementations (e.g. weak key generators).

8.2. Protection

  • Software Update: Fixing vulnerabilities (e.g. SMB patches in the case of WannaCry).
  • Backup: Regularly create offline copies of your data.
  • Antivirus and EDR: Use of behavioral analysis solutions (CrowdStrike, SentinelOne).
  • Restrict access: Minimize privileges and disable RDP if it is not needed.
  • User training: recognizing phishing and suspicious attachments.
  • Network segmentation: Limit the spread of ransomware across the network.

8.3. Recovery

  • Decryptors: Some ransomware has weak cryptography, and there are free decryptors for them (for example, from No More Ransom).
  • Paying the ransom: Not recommended as there is no guarantee of decryption and it funds cybercrime.

9. Connection with carding (technical aspect)

Ransomware and carding overlap in the following technical aspects:
  • Trojans: Banking Trojans (Emotet, TrickBot) can deliver ransomware or steal card data.
  • Phishing: The same phishing platforms are used to deliver malware.
  • Darknet: Carding tools (skimmers, databases) and ransomware (RaaS) are sold on the same platforms.
  • Cryptocurrency: Both types of attacks use cryptocurrencies for anonymous transactions and laundering.

Conclusion

Ransomware is complex malware that uses cryptography, network attacks, and social engineering to extort money. Its technical implementation includes obfuscated code, strong encryption (AES/RSA), communication with C2 servers, and various distribution vectors (phishing, exploits, RDP). The connection to carding is evident in the shared tools (Trojans, phishing) and infrastructure (darknet, cryptocurrency). Protection requires software updates, backups, and user education. If you would like to delve deeper into a specific aspect (for example, analysis of specific ransomware or cryptography), let me know!
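As an added example (not code from the original post), the burst-rename detector below takes sections 3.3 and 3.4 from the defender's side: it watches constructed file-rename events for the extensions the post lists (.locked, .crypt, .ryuk), or for high-entropy content appearing where a document used to be, and flags any process that does this several times within a short window. The event format, the window and thresholds, and the sample data are all assumptions made for this example.

```python
import math
from collections import Counter, defaultdict, deque

# Extensions the post lists as appended to encrypted files; the window and thresholds
# below are assumptions for this example, not values taken from the post.
RANSOM_EXTENSIONS = {".locked", ".crypt", ".ryuk"}
WINDOW_SECONDS = 10.0
RENAME_THRESHOLD = 3
ENTROPY_THRESHOLD = 7.0  # bits per byte; ciphertext sits near 8.0, documents well below

# Constructed sample content: a stand-in for ciphertext (every byte value once) and plaintext.
ENCRYPTED_HEAD = bytes(range(256))
PLAIN_HEAD = b"Quarterly report, FY2025 - draft v3\n" * 4

# Constructed rename events: (timestamp_s, process, old_name, new_name, first bytes of new file).
SAMPLE_EVENTS = [
    (100.0, "svc_update.exe", "budget.xlsx", "budget.xlsx.locked", ENCRYPTED_HEAD),
    (100.4, "svc_update.exe", "photo1.jpg", "photo1.jpg.locked", ENCRYPTED_HEAD),
    (101.1, "svc_update.exe", "notes.docx", "notes.docx.k9f2", ENCRYPTED_HEAD),  # random extension
    (150.0, "explorer.exe", "draft.docx", "final.docx", PLAIN_HEAD),              # ordinary user rename
    (300.0, "backup_agent.exe", "db.bak", "db.bak.old", PLAIN_HEAD),              # appended ext, plaintext
]


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte of a buffer; 8.0 means every byte value is equally likely."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(old_name: str, new_name: str, head: bytes) -> bool:
    """A rename counts as an encryption event if it appends a known ransomware extension,
    or appends any extension while the file content has become high-entropy."""
    new_ext = ("." + new_name.rsplit(".", 1)[-1].lower()) if "." in new_name else ""
    appended = new_name.lower().startswith(old_name.lower() + ".")
    return new_ext in RANSOM_EXTENSIONS or (appended and shannon_entropy(head) >= ENTROPY_THRESHOLD)


def detect_encryption_bursts(events) -> dict:
    """Map each process that performed RENAME_THRESHOLD suspicious renames inside
    WINDOW_SECONDS to the timestamp at which it crossed the threshold."""
    recent = defaultdict(deque)
    flagged = {}
    for ts, proc, old, new, head in sorted(events, key=lambda e: e[0]):
        if not looks_encrypted(old, new, head):
            continue
        window = recent[proc]
        window.append(ts)
        while ts - window[0] > WINDOW_SECONDS:  # drop renames older than the window
            window.popleft()
        if len(window) >= RENAME_THRESHOLD and proc not in flagged:
            flagged[proc] = ts
    return flagged
```

A real deployment would feed this from a file-system audit source and add per-user or per-share baselines, since a legitimate archiver or backup job can also rename many files quickly.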
 