

02.08.2022 23:38

What is ransomware? How does it work and how to remove it?


Ransomware is extremely harmful software that will not be easy to remove. Viruses of this type use advanced encryption methods to take control of the device. Check how to protect yourself from ransomware.

Ransomware – what is it?

Ransomware is one type of malware, i.e. malicious software. Its name is a combination of the English words ransom and software. Its task is to block the owner from accessing the computer. In return for restoring access, hackers demand payment in traditional money or in cryptocurrency.


Your computer can become infected when you install an application pretending to be a legitimate program, when you open an email attachment, or through malvertising. The latter method spreads ransomware using advertisements on websites. The user doesn’t even have to click on anything. The mere presence of a malicious ad on a page may be enough for the ransomware to be downloaded.

Although this text uses a computer as the example of an infected device, remember that the target of an attack can be any equipment that allows access to the Internet, including smartphones and tablets.

How ransomware works

To make it harder for a victim to remove the lock on their own, ransomware uses encryption in various ways. Formerly this was symmetric encryption, which uses the same key for encryption and decryption (the key can be found in the operating system). The target of the attack can find it and remove the lock without help. Therefore, criminals no longer use this type of encryption.

Hackers use asymmetric encryption, which is divided into client-side, server-side and hybrid encryption. Client-side asymmetric encryption uses the public key to encrypt the data and the private key to decrypt it. For this purpose, the RSA method relies on the prime factors of large composite numbers. RSA is used by the HTTPS protocol for securely transmitting data over the World Wide Web.


In this method, the files of the compromised computer are first encrypted. The private key is then transferred to the criminal’s server and removed from the local memory of the victim’s device. However, if the computer is disconnected from the Internet before the encryption is completed, the private key will not reach the criminal’s server, which will prevent him from extorting a ransom.

For the criminals, this problem is solved by asymmetric encryption on the server side. This method also uses the RSA algorithm and a pair of keys, public and private. Encryption occurs every time your computer connects to the World Wide Web. In this way, hackers eliminate the risk that the private key will not reach their server. The only way to deal with this type of solution is to intercept the key while it is being sent and then make it publicly available. If this happens, the ransomware becomes useless and the criminals have to write a new program.

[Image: AIDS, an example of the first ransomware. Source: wikipedia.org]

The most difficult to crack is hybrid encryption, which uses all of the above methods. Regardless of the complexity of the encryption, the operation of ransomware comes down to encrypting access to a device or data.

Types of ransomware

Ransomware can take many forms. Some are simply burdensome for the aggrieved party, while others pose a serious threat to data security. One type of ransomware is scareware. This type of attack consists in displaying messages, e.g. in pop-up windows, claiming that the computer is infected. Scareware usually does not steal data stored on the disk. Its purpose is to intimidate the user with the possibility of losing that data and to irritate them with the messages that appear. In return for allegedly helping to remove the nonexistent virus, criminals want payment.

The screen locker works similarly. In short, getting infected with it makes it impossible to use the device. This type of ransomware encrypts the main table of files on the hard drive, preventing you from logging into your computer. After launching the computer, the owner sees a full-screen message informing them that illegal content has been detected on the disk. This could be, for example, pirated audio and video files or a pirated version of Windows. To emphasize the seriousness of the situation, the screen features the logo of one of the law enforcement agencies, e.g. the police or the prosecutor’s office. It should be remembered that no public institution ever contacts a citizen in this way. Still less does it offer to help get rid of illegal files for money.

Doxware is a type of ransomware that copies the user’s files to the hacker’s computer. In return for money, he offers to return your data. If the payment is not made, the offender threatens to make private information public.

Crypto-ransomware is software that encrypts local or cloud-based files so that they can no longer be accessed. With it, the hacker steals and encrypts data using one of the methods described above. It is a very effective way of putting pressure on the victim of an attack, because no program can break the code created by the criminal. He can make it available in exchange for a ransom. If the aggrieved user does not pay him, he will lose access to the data irretrievably.

Examples of ransomware attacks

The first ransomware in history was AIDS (also known as PC Cyborg). It was written in 1989 by Joseph L. Popp, a doctor of evolutionary biology from Harvard. The motives for his actions remain unknown to this day. It is probable that it was a form of revenge for the refusal to hire him at the WHO (World Health Organization).

Popp took advantage of the weakness of the European laws of the time. Unlike in the US, there was no cybercrime law in Europe at the time.


The victims were people and companies participating in one of the AIDS conferences, as well as the subscribers of the “PC Business World” magazine. On floppy disks sent by priority mail from London, PC Cyborg Corporation placed a questionnaire assessing the risk of HIV infection.

The PC Cyborg ransomware consisted of two files: the harmless AIDS.EXE containing the poll and INSTALL.EXE, which installed five folders with hidden functions on the disk. The malicious files encrypted the data saved on the disk and kept a count of computer restarts. Exactly after the 90th restart, the screen prompted the user to turn on the printer. When it was switched on, a payment request letter was automatically printed.

It was not an explicit blackmail demand. The owner was asked to pay a fee for an allegedly expired software license. $189 had to be sent by postal order to a mailbox in Panama.

The symmetric cipher was fairly easy to break. The programs written for this purpose, AIDSOUT for removing this ransomware and AIDSCLEAR, helped to get rid of this malicious application.

Dr. Popp’s victims numbered between 10 and 20 thousand individuals and businesses. He planned to produce another 2 million floppy disks. However, he was detained at the airport in Amsterdam, having drawn attention to himself with a suitcase marked “Doctor Popp has been poisoned”. Considered insane, he was never convicted. He then returned to research work.

Widespread access to the Internet has facilitated the distribution of ransomware. At the end of 2004, many people fell victim to the developers of GPCode. This Trojan created two registry keys: one to check that it was run at every system startup, and the other to track the progress of encrypting files with the extensions .doc, .xls, .jpg, .zip, .rar and .html. Each infected file contained an instruction requesting an e-mail address, to which a demand was then sent to pay $100 or $200 to an account at the Liberty Reserve digital currency service in Costa Rica.


In 2007 WinLock was created. This ransomware displayed pornographic content on the computer screen and made it impossible to use the device. The display was unlocked after sending a paid SMS.

One of the most dangerous ransomware programs to date has been CryptoLocker. This program, launched in 2013, used advanced military-grade encryption. The private key needed to regain access to the computer was stored on a remote server. Unfortunately, CryptoLocker has proven to be very effective. Without paying the ransom, it was virtually impossible to obtain the private key.

Petya and its later improved version, NotPetya, in addition to encrypting data, also infected the MFT (master file table), which is needed to read the directory structure and boot Windows. Among the victims of the attack was the Maersk group, responsible for about 20% of sea transport. On June 27, 2017, the company’s IT department began receiving reports from other employees about a system message informing them of the need to repair the drive or directly requesting a ransom. A global network of 4,000 servers and 45 thousand computers was paralyzed for two weeks. Losses related to restoring it to operation amounted to USD 300 million.


Maersk’s computers ran on Windows. However, this does not mean that users of competing software are safe. In 2016, KeRanger appeared on Mac OS X. It was installed with an update to Transmission, the BitTorrent client. After it was launched, malicious files were copied to the disk. This was invisible to the user for the first three days after the attack. The files were then encrypted using the 2048-bit RSA algorithm. Later, a message was displayed about the need to pay 1 bitcoin to the account number provided. The Bitcoin blackmail was quickly detected. Apple updated its native antivirus XProtect, which prevented the further spread of the ransomware on Mac computers.

Android was also affected by ransomware in 2020. AndroidOS MalLocker.B was posted on frequently crafted websites and forums. It didn’t encrypt the data – instead, it blocked access to the smartphone’s content. It displayed a payment request prompt in two ways. It appeared after clicking the Home button or pretended to be an incoming call. Due to the ease of detection, users downloading applications from Google Play were not exposed to smartphone infection.

How to remove ransomware?

The easiest way to remove ransomware is suggested by the criminals themselves. It is enough to pay, and access to the computer and the data stored on it will be restored. However, this is the worst method of dealing with this problem. The hacker’s blackmail should be ignored. Handing over the money to him will only encourage him to attack again. There is also no certainty that he will give us access to the files.

For many weaker encryption methods, a ransomware decryptor can help. However, keep in mind that there is no universal ransomware decryption tool. The program should be selected for a specific type of attack. In the case of many simpler methods, infected files can be identified, for example, by the extension that has been added to them. For example, ransomware such as Bitcryptor, CoinVault, and CryptXXX add the .crypt extension.

However, be aware of the risk of using a ransomware decryptor yourself. A badly chosen one can encrypt your files even more. To get rid of the malicious application, it is best to leave the device in the hands of a specialist.
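An added example, not part of the original article: a read-only Python triage script that walks a folder, finds files carrying a marker extension and shows the original name underneath it, which helps decide which decryptor to look for and which folders to restore. Only `.crypt` and the three family names come from the text above; the function names and the sample folder tree are constructed for illustration.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

# Marker extension -> families the article names as appending it.
# Only ".crypt" comes from the article; extend the table from a trusted source.
MARKERS = {".crypt": ("Bitcryptor", "CoinVault", "CryptXXX")}


def scan(root):
    """Walk root without modifying anything.

    Returns (hits, per_dir, total_files), where hits is a list of
    (path, original_name, candidate_families) and per_dir counts the
    marked files in each directory.
    """
    hits, per_dir, total = [], Counter(), 0
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            total += 1
            original, ext = os.path.splitext(name)  # report.doc.crypt -> report.doc
            families = MARKERS.get(ext.lower())      # case-insensitive match
            if families is None:
                continue
            hits.append((Path(dirpath) / name, original, families))
            per_dir[dirpath] += 1
    return hits, per_dir, total


def build_sample(root):
    """Constructed sample tree: two renamed files and two untouched ones."""
    for rel in ("docs/report.doc.crypt", "docs/notes.txt",
                "pics/PHOTO.JPG.CRYPT", "pics/logo.png"):
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(b"constructed sample")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        hits, per_dir, total = scan(tmp)
        print(f"{len(hits)} of {total} files carry a known marker extension")
        for directory, count in per_dir.most_common():
            print(f"  {count:3d}  {directory}")
        for path, original, families in hits:
            print(f"  {path.name} -> {original} (candidates: {', '.join(families)})")
```

Run it against a copy or a mounted image of the affected disk rather than the live system. A hit narrows the choice of decryptor but does not confirm which family is responsible.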

Another solution might be to use a program that scans your files. With its help, data cannot be recovered, but the ransomware itself is removed from the disk, preventing further files from being infected.

You can also restore your system from a backup. Regular backups allow you to always have an up-to-date system image. After restoration, all files, including ransomware, are deleted and a system with unencrypted data is installed in their place. The backup copy restores the state before the hacking attack. The last solution is to reinstall the operating system. However, this involves the loss of all data.

Unfortunately, regardless of the method chosen, we can never be sure that we will regain access to the stolen data. Many ransomware programs, such as Petya, are written in such a way that encrypted files can never be accessed again. This is another reason why you shouldn’t pay the ransom to hackers.

How to protect yourself from Ransomware?

The first line of defense is to use security software. The antivirus not only detects ransomware that has already been installed, but also monitors your hard drive. It is also constantly updated to detect newly emerged viruses. Antivirus software should be installed not only on a computer, but also on mobile devices.

It is also important to use up-to-date software. Old, unsupported software no longer gets security patches. An example of this is Windows 7, whose support ended on January 14, 2020. This system is therefore more vulnerable to attacks than Windows 10.

And while we are on the subject of Windows 10: with this and other supported systems, do not ignore the update messages. You should also not neglect updating individual applications such as web browsers and the plugins installed in them (e.g. AdBlock).

Be careful when navigating the internet. It is not recommended to open emails from unknown sources, let alone open attachments or links contained in them. On pages where we provide sensitive information, such as bank pages, you should pay attention to the green padlock icon. It is on the left side of the address bar and it means that the site is well secured. You should also check the domain name.

It is worth remembering that applications should be downloaded from reliable sources. These are the official websites of software developers and application repositories, such as Microsoft Store, App Store and Google Play.

Computer viruses are almost as old as information technology itself. For years, there has been a constant race between hackers and those who want to thwart their intentions. Although there is no tool that will effectively protect us against malware once and for all, by following certain rules, we are able to reduce the risk of falling victim to hackers.


