Skip to main content

What Is Ransomware?

Ransomware anatomy of an attack

Ransomware is a cyberattack (a virus) that is used to extort money.  Originally, criminals used ransomware to extract payments from individuals for the recovery of personal information. Today, cyberattackers extort payments from businesses for the recovery of sensitive information. No one is immune to ransomware. Criminals have extorted payments for the recovery of medical or personal data from healthcare providers and have locked guests out of their hotel rooms. Even industrial systems may prove to be vulnerable to ransomware.

Early ransomware, called locker ransomware, prevented a victim from accessing a desktop or browser. Cyberattackers quickly evolved to a more sophisticated crypto-ransomware, which encrypts information on computers or mobile devices. Both forms post an extortion notification to the user: purchase decryption software or a decryption key or your data will be lost forever.

Anatomy of a Ransomware Attack

A common form of delivering ransomware is through malicious attachments to email messages. Users are convinced against their better judgment – through social engineering – to open the attachment. The attachment is typically a form of self-installing malware, often called a Trojan or virus dropper file.  Once installed, the dropper enrolls in a cyberattacker’s botnet by contacting the botnet command and control (C2).  When contacted, the C2 will generate and return encryption-keying material for the ransomware dropper (and possibly additional malicious code). The ransomware dropper will use the keying material to encrypt personal files on the infected device. It then posts an extortion notification, demanding that the victim pay a ransom payment for a key that will decrypt the now inaccessible data.

Many ransomware attackers threaten victims with permanent loss of their personal files if the ransom is not paid within a 24-hour timeframe. To enhance deception, some ransomware notifications impersonate law enforcement or government agencies and represent the extortion as a fine.

Ransomware Exploits the Public Domain Name System

Ransomware droppers sometimes use hard-coded Internet Protocol (IP) addresses to connect to the C2. When droppers use statically configured IP addresses, investigators can use them to quickly identify and disconnect the ransomware botnet C2s. For evasion purposes, more advanced ransomware identifies a C2 by algorithmically generating domain names. Modern ransomware droppers use the domain name system (DNS) to resolve domain names that the cyberattacker changes frequently, thus hiding effectively from investigators.

Don't Pay the Ransom!

Law enforcement and security experts agree: don’t pay the ransom! There is no reason to trust that the cyberattacker will provide you with the means to decrypt your personal files should you pay. The cyberattacker could disappear, continue to extort you or send you decryption keys that do not work.  

Proactively Defend Against Ransomware

“Back up” to defend against ransomware. By regularly archiving personal or sensitive data to an external device or cloud, you render a cyberattacker’s threats meaningless. Be particularly careful to back up files when you travel.

Next, use the Internet safely. Consider taking these measures to minimize the likelihood of ransomware infection:

  • Keep your laptop “patch current.”
  • Do not share folders.
  • Keep your antivirus up to date.
  • Use a trusted DNS resolver.
  • Disable macro execution. 
  • Try anti-ransom protection.

After that, make sure that you have the means to quickly restore the operating system, applications and archived data to your device in case your device is infected with ransomware. Businesses and individuals alike should investigate what are called image recovery services.

You can protect yourself in other ways; see 22 Ransomware Prevention Tips.

If You Are Held for Ransom…

Remember: don’t pay! Contact a techie friend, a reputable computer repair service or your organization’s IT department to help you identify the ransomware. They can also help you locate trusted repositories for deleted file recovery or rescue disk software, ransomware removal kits or decryptors and online repositories of recovery keys. One such resource is, which despite  its unusual appearance, is reliable.

Don’t Be a Victim 

With cyberattackers using more sophisticated means to launch ransomware attacks, users need to be proactive and do everything they can to prevent these attacks from occurring. Be informed. Stay vigilant.


    Domain Name System
    Internationalized Domain Name ,IDN,"IDNs are domain names that include characters used in the local representation of languages that are not written with the twenty-six letters of the basic Latin alphabet ""a-z"". An IDN can contain Latin letters with diacritical marks, as required by many European languages, or may consist of characters from non-Latin scripts such as Arabic or Chinese. Many languages also use other types of digits than the European ""0-9"". The basic Latin alphabet together with the European-Arabic digits are, for the purpose of domain names, termed ""ASCII characters"" (ASCII = American Standard Code for Information Interchange). These are also included in the broader range of ""Unicode characters"" that provides the basis for IDNs. The ""hostname rule"" requires that all domain names of the type under consideration here are stored in the DNS using only the ASCII characters listed above, with the one further addition of the hyphen ""-"". The Unicode form of an IDN therefore requires special encoding before it is entered into the DNS. The following terminology is used when distinguishing between these forms: A domain name consists of a series of ""labels"" (separated by ""dots""). The ASCII form of an IDN label is termed an ""A-label"". All operations defined in the DNS protocol use A-labels exclusively. The Unicode form, which a user expects to be displayed, is termed a ""U-label"". The difference may be illustrated with the Hindi word for ""test"" — परीका — appearing here as a U-label would (in the Devanagari script). A special form of ""ASCII compatible encoding"" (abbreviated ACE) is applied to this to produce the corresponding A-label: xn--11b5bs1di. A domain name that only includes ASCII letters, digits, and hyphens is termed an ""LDH label"". Although the definitions of A-labels and LDH-labels overlap, a name consisting exclusively of LDH labels, such as"""" is not an IDN."