Crypto ransomware (or cryptomalware) is malware that encrypts data on the victim’s device and demands a ransom to restore it. Crypto ransomware can attack both individuals and businesses. It’s often distributed under the ransomware-as-a-service model.
Crypto-ransomware attacks tend to play out as follows:
- The cybercriminals deliver the malware to the user’s device – for example, through a malicious link in an e-mail, a hacked account or a software vulnerability.
- The malware encrypts all or part of the data on the device. Most types of crypto-ransomware leave untouched the programs and system files that the device needs to remain functional.
- The malware leaves a ransom note on the device with the attackers’ contact details and instructions for the victim. The note can be placed in a folder with the encrypted files, set as desktop wallpaper, displayed in the browser, or delivered in some other way. The ransom is usually demanded in cryptocurrency. Often, the cybercriminals offer to restore a small file for free to prove they have the decryption key.
Since late 2019, attackers have been stealing victims’ files before encrypting them so as to use the threat of publication as leverage. Ransomware that employs this tactic is also known as leakware or doxware.
Most crypto-ransomware uses a hybrid encryption scheme that employs both symmetric algorithms (data is encrypted and decrypted with the same key) and asymmetric ones (data is encrypted and decrypted with different keys). Under this two-pronged approach, the files are encrypted with the symmetric method (which is usually much faster), while the asymmetric method is used to encrypt that symmetric key. This way, the attackers don’t have to transfer the decryption key or store it on the victim’s device in unencrypted form.
Common encryption algorithms include:
- Symmetric: Advanced Encryption Standard (AES), ChaCha20, Salsa20, RC4
- Asymmetric: RSA and Elliptic-curve Diffie-Hellman (ECDH)
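As an added illustration (not part of the original entry, and not any particular strain's code), the following Go program, using only the standard library, walks through the hybrid scheme described above on a constructed in-memory document: a fresh AES-256-GCM key encrypts the data, RSA-OAEP wraps that key with a public key, and the wrapped key is stored beside the ciphertext. The type and function names (`EncryptedFile`, `SealFile`, `UnsealFile`, `RunDemo`), the sample document and both key pairs are my own assumptions. It shows what an incident responder actually finds on the device, why those artifacts alone do not yield the plaintext without the private key, and why the attackers can decrypt one file as proof without ever releasing that key.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// EncryptedFile models what remains on the device after the attack: the
// ciphertext, the GCM nonce, and the per-file symmetric key wrapped with the
// attackers' RSA public key. The plaintext symmetric key is never stored.
type EncryptedFile struct {
	Nonce      []byte
	Ciphertext []byte
	WrappedKey []byte
}

// SealFile applies the hybrid scheme to one in-memory blob: a fresh 256-bit
// AES-GCM key encrypts the data (fast, symmetric), then RSA-OAEP wraps that
// key (asymmetric). Only the public half of the RSA key is needed here.
func SealFile(pub *rsa.PublicKey, plaintext []byte) (*EncryptedFile, error) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(dataKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dataKey, nil)
	if err != nil {
		return nil, err
	}
	return &EncryptedFile{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil), WrappedKey: wrapped}, nil
}

// UnsealFile is the step the victim cannot perform: unwrapping the data key
// needs the RSA private key, which exists only on the attackers' side. Unwrapping
// a single file's key is also how the "one free file" proof works.
func UnsealFile(priv *rsa.PrivateKey, ef *EncryptedFile) ([]byte, error) {
	dataKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ef.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(dataKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, ef.Nonce, ef.Ciphertext, nil)
}

// RunDemo seals a constructed document and reports whether (a) the holder of
// the matching private key recovers it and (b) someone holding only the device
// artifacts plus an unrelated key pair gets anything back. No files are touched.
func RunDemo() (recovered bool, recoveredWithoutPrivateKey bool, err error) {
	attackerKey, err := rsa.GenerateKey(rand.Reader, 2048) // held off-device by the attackers
	if err != nil {
		return false, false, err
	}
	responderKey, err := rsa.GenerateKey(rand.Reader, 2048) // any other key pair
	if err != nil {
		return false, false, err
	}
	document := []byte("constructed sample document: Q3 invoices") // constructed input
	ef, err := SealFile(&attackerKey.PublicKey, document)
	if err != nil {
		return false, false, err
	}
	got, err := UnsealFile(attackerKey, ef)
	if err != nil {
		return false, false, err
	}
	recovered = bytes.Equal(got, document)
	// With the wrong private key, RSA-OAEP decryption fails: no data key, no plaintext.
	_, err = UnsealFile(responderKey, ef)
	recoveredWithoutPrivateKey = err == nil
	return recovered, recoveredWithoutPrivateKey, nil
}

func main() {
	ok, leak, err := RunDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered with attackers' private key: %v\n", ok)   // true
	fmt.Printf("recovered from device artifacts alone:  %v\n", leak) // false
}
```

Because each file gets its own data key and GCM authenticates the ciphertext, a responder can confirm that the artifacts are intact but cannot derive the key from them; this is why recovery planning rests on offline backups and early detection rather than on attacking the encryption.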
Among the best-known strains of crypto-ransomware are CryptoLocker, Bad Rabbit, Petya, WannaCry, Conti/Ryuk, Hive, LockBit, Maze, REvil, and BlackCat.