Ransomware (malware) - Operation

Operation

Ransomware typically propagates like a conventional computer worm, entering a system through, for example, a downloaded file or a vulnerability in a network service. The program will then run a payload: such as one that will begin to encrypt personal files on the hard drive. More sophisticated ransomware may hybrid-encrypt the victim's plaintext with a random symmetric key and a fixed public key. The malware author is the only party that knows the needed private decryption key. Some ransomware payloads do not use encryption. In these cases, the payload is simply an application designed to effectively restrict interaction with the system, typically by overriding explorer.exe in the Windows registry as the default shell, or even modify the master boot record, not allowing the operating system to start at all until it is repaired.

Ransomware payloads, especially ones which do not encrypt files, utilize elements of scareware to coax the user into paying for its removal. The payload may, for example, display notices purportedly issued by companies or law enforcement agencies which falsely claim that the user's system had been used for illegal activities, or contains illegal content such as pornography and unlawfully obtained software. Some ransomware payloads imitate Windows XP's product activation notices, falsely claiming that their computer's Windows installation is counterfeit or requires re-activation.

In any case, the ransomware will attempt to extort money from the system's user by forcing them to purchase either a program to decrypt the files it had encrypted, or an unlock code which will remove the locks it had applied. These payments are often delivered using either a wire transfer, premium-rate text messages, or through an online payment voucher service such as Ukash or Paysafecard.