Ransomware

Ransomware is a type of malware that encrypts files on a victim's computer or network, making them inaccessible. Attackers demand a ransom — almost always in cryptocurrency — in exchange for the decryption key.

How ransomware works

1. Malware is delivered via phishing email, malicious link, or software vulnerability
2. It encrypts files across the local machine and connected network drives
3. A ransom note appears demanding payment to a specific cryptocurrency wallet
4. The victim sends cryptocurrency to the attacker's address
5. The attacker (ideally) provides a decryption key

Why cryptocurrency is used

• No chargebacks — crypto transactions are irreversible, unlike bank transfers
• No identity required — wallet addresses can be created anonymously
• Cross-border — payments move globally without banks or regulators blocking them
• Obfuscation — attackers use mixing services and privacy coins (Monero) to obscure the money trail

Bitcoin is the most common ransom currency, though Monero is increasingly preferred by sophisticated attackers due to its stronger privacy.

Notable attacks

• WannaCry (2017) — infected 200,000+ computers in 150 countries, demanded Bitcoin
• Colonial Pipeline (2021) — crippled US fuel infrastructure; $4.4M paid in Bitcoin, most later recovered by the FBI

Protection

• Keep regular offline backups
• Apply software updates and security patches promptly
• Use multi-factor authentication
• Train employees to recognize phishing attempts
• Segment networks to limit lateral movement

See also

• Phishing
• Private key
• Open source