What is Ransomware?

Ransomware is the name given to families of malware that encrypt your personal files and then demand a ransom payment in exchange for the decryption key. The files ransomware targets range from plain text files and documents to pictures, saved games, music and more. Unfortunately, when the encryption is implemented correctly there is no practical way to recover the files without the attacker's key, and newer versions of some ransomware families have no known weakness to exploit.


Most ransomware families are spread by a special type of Trojan called a "downloader." Its purpose is to run quietly in the background of your machine, fetch the ransomware code from a remote server and execute it. That code searches your computer for files of specific types and scrambles them with two-part (hybrid) encryption: each file is encrypted with a randomly generated symmetric key, and that key is in turn encrypted with a public key whose matching private key only the attacker holds. After a critical mass of files has been encrypted, the ransomware typically drops a few unencrypted ransom notes and/or displays a dialog telling you that you have been locked out of your files unless you pay the price.

To add fuel to the fire, many variants impose a deadline by which payment is "due." If you do not pay in time, they either raise the ransom or delete the private key from their server, thereby making it impossible to retrieve your files.
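The two-part encryption described above, and the reason deleting the key on the attacker's server is final, can be seen in a few lines of code. The following Go program is an added illustration, not code from this page or from any real ransomware family: it encrypts a couple of constructed in-memory "files" with a fresh AES-256 key each, wraps each file key with an RSA public key (RSA-OAEP), and then shows that only the matching private key unwraps them. Everything runs in memory; it touches no disk.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// EncryptedFile is what the hybrid scheme leaves behind for each victim file:
// the per-file AES key wrapped with the attacker's RSA public key, plus the
// AES-GCM nonce and the ciphertext of the original contents.
type EncryptedFile struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptFile scrambles one file with a fresh random AES-256 key and wraps that
// key with the attacker's public key (RSA-OAEP). Only the public key is needed,
// so the malware never carries the secret that would undo its work.
func EncryptFile(pub *rsa.PublicKey, plaintext []byte) (*EncryptedFile, error) {
	fileKey := make([]byte, 32) // unique AES-256 key for this file
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	return &EncryptedFile{wrapped, nonce, gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// DecryptFile reverses EncryptFile. Unwrapping the per-file key needs the RSA
// private key; with any other key OAEP unwrapping fails and nothing comes back.
func DecryptFile(priv *rsa.PrivateKey, ef *EncryptedFile) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ef.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap file key (wrong private key): %w", err)
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, ef.Nonce, ef.Ciphertext, nil)
}

// Demo plays the scenario out on an in-memory "disk" of constructed sample
// files: the attacker keeps the private key, each file is locked using only
// the public key, and recovery is attempted with the right key and a wrong one.
func Demo() (recoveredAll bool, wrongKeyFails bool, err error) {
	attackerKey, err := rsa.GenerateKey(rand.Reader, 2048) // private half never leaves the attacker
	if err != nil {
		return false, false, err
	}
	victimFiles := map[string][]byte{
		"taxes-2023.docx": []byte("constructed sample: tax return, irreplaceable"),
		"vacation.jpg":    []byte("\xff\xd8\xff\xe0 constructed sample jpeg bytes"),
	}
	locked := map[string]*EncryptedFile{}
	for name, data := range victimFiles {
		if locked[name], err = EncryptFile(&attackerKey.PublicKey, data); err != nil {
			return false, false, err
		}
	}
	recoveredAll = true
	for name, ef := range locked {
		pt, err := DecryptFile(attackerKey, ef)
		recoveredAll = recoveredAll && err == nil && string(pt) == string(victimFiles[name])
	}
	// A key generated by the victim or an AV vendor is useless: each wrapped
	// file key is bound to the attacker's private key alone.
	strangerKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	_, err = DecryptFile(strangerKey, locked["taxes-2023.docx"])
	return recoveredAll, err != nil, nil
}

func main() {
	ok, fails, err := Demo()
	fmt.Println("recovered with attacker key:", ok, "| wrong key fails:", fails, "| error:", err)
}
```

The design choice worth noticing is that the symmetric key for each file is never stored in the clear: the only copy on the victim's machine is the RSA-wrapped one, so scanning memory or disk after the fact yields nothing usable, and if the attacker discards the private key the wrapped keys are just random bytes. Real families differ in ciphers and layout, but this is the shape that makes "no key, no files" true.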

To make matters worse, many ransomware variants delete your Volume Shadow Copies (typically by running vssadmin with the "delete shadows" option) or disable the Volume Shadow Copy Service outright. Windows uses this service to take point-in-time snapshots of your drives, which underpin System Restore points and the "Previous Versions" feature. These snapshots are what you would normally use to "roll back" your computer to before a major change happened, so removing them takes away the easiest local recovery option.
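Because shadow-copy deletion usually happens seconds before encryption starts, it is one of the most useful things to alert on. The following Go program is an added example, not part of the original page: it runs a small set of rules for the command lines ransomware commonly uses to remove restore points over constructed process-creation records (the sort of data you would export from Sysmon Event ID 1 or Windows Security Event 4688). The log lines, hostnames and user names are made up for the example; the command-line patterns themselves are the well-known ones.

```go
package main

import (
	"fmt"
	"regexp"
)

// Detection is one flagged process-creation record.
type Detection struct {
	Rule string
	Line string
}

// shadowCopyTampering lists command lines that ransomware families commonly run
// before encrypting, to remove the restore points the text describes. Matching
// is case-insensitive and tolerant of extra whitespace and ".exe" suffixes.
var shadowCopyTampering = []struct {
	name string
	re   *regexp.Regexp
}{
	{"vssadmin delete shadows", regexp.MustCompile(`(?i)vssadmin(\.exe)?\s+delete\s+shadows`)},
	{"vssadmin resize shadowstorage", regexp.MustCompile(`(?i)vssadmin(\.exe)?\s+resize\s+shadowstorage`)},
	{"wmic shadowcopy delete", regexp.MustCompile(`(?i)wmic(\.exe)?\s+shadowcopy\s+delete`)},
	{"wbadmin delete catalog", regexp.MustCompile(`(?i)wbadmin(\.exe)?\s+delete\s+catalog`)},
	{"bcdedit disable recovery", regexp.MustCompile(`(?i)bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no`)},
	{"powershell Win32_ShadowCopy delete", regexp.MustCompile(`(?i)win32_shadowcopy.*\.delete\(\)`)},
}

// ScanCommandLines runs every record (one process command line per entry, as
// exported from Sysmon Event ID 1 or Security Event 4688) against the rules and
// returns the matches in input order. A record matches at most one rule.
func ScanCommandLines(records []string) []Detection {
	var hits []Detection
	for _, rec := range records {
		for _, rule := range shadowCopyTampering {
			if rule.re.MatchString(rec) {
				hits = append(hits, Detection{Rule: rule.name, Line: rec})
				break
			}
		}
	}
	return hits
}

// SampleLog is constructed test data, not real telemetry. Each entry is
// "timestamp | host | user | command line". The Word launch and the
// "vssadmin list shadows" call are benign and must not be flagged.
var SampleLog = []string{
	`2024-03-01T09:12:03Z | WS-17 | alice | "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n "C:\Users\alice\Documents\Q1.docx"`,
	`2024-03-01T09:12:41Z | WS-17 | alice | cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet`,
	`2024-03-01T09:12:42Z | WS-17 | alice | wmic shadowcopy delete`,
	`2024-03-01T09:12:43Z | WS-17 | alice | bcdedit /set {default} recoveryenabled No`,
	`2024-03-01T09:12:44Z | WS-17 | alice | wbadmin delete catalog -quiet`,
	`2024-03-01T09:15:00Z | WS-17 | SYSTEM | vssadmin.exe list shadows`,
	`2024-03-01T09:20:00Z | WS-17 | alice | powershell.exe -c "Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"`,
}

func main() {
	for _, h := range ScanCommandLines(SampleLog) {
		fmt.Printf("[%s] %s\n", h.Rule, h.Line)
	}
}
```

Run against the sample, five of the seven records are flagged and the two benign ones are not. In practice you would feed this from your SIEM rather than a static list, and treat any of these commands launched from a user's session, rather than by a backup agent, as a high-priority alert, because by the time the files start changing it is already too late to save the snapshots.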

How did I get infected?

Ransomware downloaders come in all shapes and sizes, but one thing is true of all of them: once they have started, it is almost always already too late. These downloaders (sometimes called droppers) typically arrive as email attachments, as downloads from websites, or as files from P2P networks such as torrent sites. Another common attack vector is the "drive-by download," where a compromised or malicious website exploits a vulnerability in your browser or one of its plugins to download and run the malware without you ever getting a chance to stop it.

One of the most frustrating parts of a ransomware infection is that it is extremely difficult to clean up. Even if you run antivirus and antimalware scanners, once the damage has been done there is nothing these tools can do to reverse it. They, SUPERAntiSpyware included, can remove the underlying cause of the infection (the downloader and the ransomware itself), but the encryption cannot be reversed in most cases. For some families, free decryptors have been produced, usually because the authors made an implementation mistake or their keys were recovered, and these are available from the No More Ransom Project.

Some versions of ransomware will display messages saying that they are from the FBI, NSA, INTERPOL, or other law enforcement agencies. They'll accuse you of possessing illegal content and/or visiting illegal websites. This type of scare tactic has fallen out of favor, as people have gotten wise to it. Most modern ransomware simply displays a page admitting freely that you've been infected and displays instructions on how to pay the ransom.

If you are on a home or office network, it is also possible that your machine was hit because it shares a network with an infected machine. These infections encrypt whatever they can reach, including mapped drives and network shares, regardless of whether the data lives on the machine that was originally infected, so a single infected laptop can encrypt a file server or NAS that everyone uses.

What about my data?

If your machine has fallen prey to a ransomware attack, there is not a whole lot that can be done with the files that were already encrypted. Creating new files without first removing the underlying infection is a fool's errand, as they will quickly be encrypted as well.

After coming to terms with the fact that your data has been encrypted, you will find yourself in an ethical quagmire. If you pay the ransom, you have less than a 50% chance of actually decrypting your files, and you are giving the attackers exactly what they want: your money. If you do not pay and no decryptor is available, you lose access to all your encrypted files, some of which may be irreplaceable. This is probably one of the most difficult decisions you will make after an infection.

While we can't tell you whether to pay the ransom, one thing that makes it far easier to rebound is having recent backups. If your backups are good, formatting the machine and reinstalling the operating system is far more palatable than paying. Because ransomware encrypts any drive or share it can reach, keep at least one copy of those backups offline or otherwise disconnected from the network, so the backup does not get encrypted alongside the originals.
