
Ransomware: The Silent Thief of the Digital World


In daily life, whether walking, eating, or driving, we develop reflexes and safety rules. We
need a similar level of awareness when using technology. Unfortunately, many people never
internalize this culture of caution with their devices. Simple precautions such as not sharing
passwords, avoiding suspicious links, and applying updates on time are often neglected, and
these oversights open the door for some of the most dangerous criminals of the cyber world.
One of the threats that has most exploited these openings in recent years is ransomware.
Imagine turning on your computer one morning only to find that every file you have
accumulated over years of work is locked and that an attacker is demanding a ransom. That is
exactly the nightmare ransomware brings to reality. In this article, we examine step by step
what ransomware is, how it works, and how we can protect ourselves from this form of digital
extortion. Technology has become an indispensable part of our lives, and the risks it brings
are as real as the dangers we meet in everyday life.


What is Ransomware?
Ransomware, also called ransom software, extortion software, or (loosely) a ransom virus, is a
family of malicious software designed to deny access to data on an infected system and
demand a ransom from its owner. It installs itself covertly on the victim's device (computer,
smartphone, wearable, etc.) and holds the data hostage, using the cryptovirology technique of
cryptoviral extortion described below, or threatens to publish the data unless a ransom is
paid. The simplest form, often called locker ransomware, locks the system in a way that is
hard to reverse and displays a message demanding payment to unlock it; the files themselves
are usually untouched. The more damaging form, crypto ransomware, encrypts the victim's
files so they cannot be read and demands payment for the decryption key.


Mechanism of Operation
File-encrypting ransomware was first described and implemented by Young and Yung at
Columbia University. Presented at the 1996 IEEE Security & Privacy conference, the method,
called cryptoviral extortion, is a three-step protocol between the attacker and the victim:

1) Attacker → Victim: The attacker generates a key pair and embeds only the public key in
the malware. The malicious software is then deployed onto the victim's system.

2) Victim → Attacker: The malware generates a random symmetric key and encrypts the
victim's data with it. It then encrypts that symmetric key with the embedded public key. This
combination, known as hybrid encryption, produces a small asymmetric ciphertext (the
wrapped key) alongside the symmetric ciphertext (the files). To prevent recovery, the original
plaintext and the plaintext symmetric key are both erased, so nothing left on the machine can
decrypt the files. The user is shown a message containing the asymmetric ciphertext and
payment instructions.

3) Attacker → Victim: Once payment is received, the attacker uses the private key to decrypt
the asymmetric ciphertext and sends the symmetric key back to the victim, who can then
decrypt the data. Since the symmetric key is generated at random for each victim, it is useless
to other victims. The attacker's private key is never revealed to anyone.
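The three steps above, as an added runnable model that is not code from the original article or from Young and Yung's prototype. Two assumptions stand in for real primitives so that it runs with the standard library alone: a textbook RSA with a short 512-bit modulus and no padding (breakable, demonstration only) plays the asymmetric role, and a SHA-256 keystream in counter mode (unauthenticated) plays the symmetric role. The sample file contents are constructed.

```python
# Added example: cryptoviral extortion as a three-step protocol.
# ASSUMPTIONS: textbook RSA (512-bit, no padding) and a SHA-256 counter-mode
# keystream are toy stand-ins for RSA-OAEP and AES; neither is production crypto.
import hashlib
import math
import secrets


# --- toy asymmetric primitive: textbook RSA (demo only, insecure key size) ---
def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # full length, odd
        if _is_probable_prime(cand):
            return cand


def rsa_keygen(bits: int = 512):
    """Return ((n, e), (n, d)); 512 bits keeps the demo fast but is breakable."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))


# --- toy symmetric primitive: SHA-256 keystream in counter mode (no auth) ---
def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with SHA256(key || nonce || block counter); the same call decrypts."""
    out = bytearray()
    for block, start in enumerate(range(0, len(data), 32)):
        keystream = hashlib.sha256(key + nonce + block.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[start:start + 32], keystream))
    return bytes(out)


# --- step 1: attacker -> victim ---
def attacker_setup():
    """Attacker generates a key pair; only the public key is embedded in the malware."""
    return rsa_keygen()


# --- step 2: victim -> attacker (this part runs on the victim's machine) ---
def malware_encrypt(public_key, files: dict) -> tuple:
    """Hybrid encryption: fresh symmetric key for the files, public key for that key."""
    n, e = public_key
    sym_key = secrets.token_bytes(32)              # 256-bit random key, always < n
    encrypted = {}
    for name, plaintext in files.items():
        nonce = secrets.token_bytes(16)            # per-file nonce, stored with ciphertext
        encrypted[name] = nonce + stream_xor(sym_key, nonce, plaintext)
    # the small asymmetric ciphertext: the symmetric key wrapped under the public key
    wrapped_key = pow(int.from_bytes(sym_key, "big"), e, n)
    del sym_key                                    # malware keeps neither key nor plaintext
    ransom_note = {"wrapped_key": wrapped_key, "text": "Pay to receive your key"}
    return encrypted, ransom_note


# --- step 3: attacker -> victim (after payment) ---
def attacker_unwrap(private_key, ransom_note: dict) -> bytes:
    """Only the private key, which never leaves the attacker, recovers the symmetric key."""
    n, d = private_key
    return pow(ransom_note["wrapped_key"], d, n).to_bytes(32, "big")


def victim_decrypt(sym_key: bytes, encrypted: dict) -> dict:
    return {name: stream_xor(sym_key, blob[:16], blob[16:]) for name, blob in encrypted.items()}


def run_protocol(files: dict) -> tuple:
    """Full round trip; returns (ciphertexts, ransom note, recovered plaintexts)."""
    public_key, private_key = attacker_setup()               # 1
    encrypted, note = malware_encrypt(public_key, files)     # 2
    sym_key = attacker_unwrap(private_key, note)             # 3
    return encrypted, note, victim_decrypt(sym_key, encrypted)


if __name__ == "__main__":
    sample = {"thesis.docx": b"years of work", "photos.zip": bytes(range(100))}  # constructed
    enc, note, dec = run_protocol(sample)
    print("recovered:", dec == sample, "| wrapped key bits:", note["wrapped_key"].bit_length())
```

The property worth noticing is what an analyst who reverses the malware gets: the public key and the wrapped key, neither of which decrypts anything. That is exactly what the AIDS Trojan lacked, since its symmetric key travelled inside the program. Running `malware_encrypt` twice against the same public key also shows why one victim's purchased key is worthless to another: each run draws a fresh symmetric key.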

History of Ransomware
The first known ransomware, the AIDS Trojan, was created in 1989 by Joseph Popp. After a
number of reboots it scrambled the names of files on the hard drive, making them
inaccessible, and displayed a message stating that a software licence had expired. Victims
were instructed to send $189 to the "PC Cyborg Corporation." However, because it relied on
symmetric cryptography, the key needed to undo the damage was contained in the malware
itself and could be extracted from it.
In 1996, Adam L. Young and Moti Yung introduced the use of public-key cryptography in
ransomware, marking a turning point. They developed an experimental crypto-virus using
RSA and the Tiny Encryption Algorithm (TEA) for hybrid encryption. In this system, only the
encryption key was embedded in the malware, while the decryption key remained with the
attacker. This became known in the literature as cryptoviral extortion. From 2005 onwards,
ransomware became more sophisticated. Trojans such as Gpcode, TROJ.RANSOM.A,
Archiveus, Krotten, Cryzip, and MayArchive began using longer RSA keys. In 2008,
Gpcode.AK was discovered, employing a 1024-bit RSA key considered nearly impossible to
crack. In 2013, CryptoLocker, which collected payments via Bitcoin, turned ransomware into
a global threat once again, generating millions of dollars in revenue. It was followed by
CryptoDefense (which mistakenly stored keys on infected systems by using Windows’ API),
as well as variants targeting NAS devices. In 2015, ransomware attacks on Linux-based web
servers also became widespread. Today, some ransomware variants use Tor-based commandand-control servers to conceal attackers’ locations. This technology is also sold on the dark
web “as a service,” allowing individuals with little technical knowledge to run ransomware
campaigns. Symantec classifies ransomware as one of the most dangerous cyber threats today
because it targets not only digital data but also the operations and reputations of organizations.


Example of Ransomware Attack: Colonial Pipeline
One of the most prominent examples of a ransomware attack occurred in 2021, targeting the
energy infrastructure of the United States. This case demonstrated that ransomware can
threaten not only digital data but also national security and economic stability. On May 7,
2021, the Colonial Pipeline, an American oil pipeline system originating in Houston, Texas,
and carrying gasoline and jet fuel mainly to the Southeastern United States, suffered a
ransomware attack that disrupted computerized equipment controlling the pipeline. The
company halted all pipeline operations to contain the attack. Under FBI supervision, Colonial
Pipeline paid the ransom demanded by the hackers (75 Bitcoin or $4.4 million USD) within a
few hours. After receiving payment, the DarkSide group provided a decryption tool to restore
the systems. The tool was so slow, however, that the company also relied on its own backups
to return operations to full functionality. On May 9, the Federal Motor Carrier Safety Administration issued a regional
emergency declaration for 17 states and Washington, D.C., to maintain fuel supply lines. It
was the largest cyberattack on oil infrastructure in U.S. history. The FBI and media sources
identified the hacker group DarkSide as responsible. The group was also believed to have
stolen 100 gigabytes of data from company servers the day before the attack. On June 7, the
Department of Justice announced that it had recovered 63.7 Bitcoin (about 84% of the
ransom). However, due to a crash in Bitcoin’s value in late May, the recovered funds were
worth only about $2.3 million USD, roughly half their original value. The intrusion is also
notable for how it began: not with an exploited software vulnerability, but with a leaked
employee password, likely found on the dark web, for a VPN account that was no longer in
active use and was not protected by multi-factor authentication.


Types of Ransomware

  • Leakware (Doxware): Instead of blocking access, it threatens to publish stolen data.
  • Mobile Ransomware: Targets mainly Android devices, locking the screen rather than
    encrypting files.
  • Reveton: Known as the “Police Trojan,” it demands ransom using fake law enforcement
    warnings.
  • CryptoLocker: Uses 2048-bit RSA encryption to lock files and demands Bitcoin payment.
  • CryptoLocker.F and TorrentLocker: Spread through email; early versions contained a
    cryptographic flaw that allowed files to be recovered, which later versions fixed.
  • CryptoWall: Targets Windows systems and also encrypts filenames.
  • Fusob: A mobile variant that demands iTunes gift cards via fake authority messages.

Prevention Methods

  • Newer ransomware versions are often not detected immediately by security software, so
    protection cannot rely on antivirus alone.
  • Early detection limits the damage to the files not yet touched, but it does not recover files
    that are already encrypted.
  • Deception technology can expose ransomware early: decoy files that no legitimate user
    touches are planted, and any change to them raises an alarm.
  • Critical data should be backed up offline, stored isolated from the network so that the
    ransomware cannot reach the copies, and periodically test-restored.
  • Up-to-date antivirus and security policies reduce the risk but cannot guarantee full
    protection.
  • In some cases decryption tools (for example, released after a variant's keys are seized or
    its cryptographic flaw is found) can restore files, but success is never guaranteed.
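A minimal decoy-file ("canary") check of the kind the deception bullet above refers to, as an added example that is not code from the original article or from any product. The decoy names, their content, the temporary directory layout, the simulated attacker behaviour and the 7.0 bits/byte entropy threshold are all assumptions chosen for the demonstration.

```python
# Added example: decoy files as an early-warning tripwire for ransomware.
# ASSUMPTIONS: decoy names/content, the entropy threshold and the simulated
# attacker are constructed for the demo, not taken from any real deployment.
import hashlib
import math
import os
import tempfile
from collections import Counter

# Assumed names: chosen to sort first and last so a bulk encryptor walking
# the directory touches a decoy both early and late.
DECOY_NAMES = ["00_accounts_2019.xlsx", "zz_passwords_backup.docx"]
DECOY_CONTENT = b"Invoice 0001 due 30 days net\n" * 40   # constructed, low entropy


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: text sits around 4-5, encrypted or compressed data near 8."""
    if not data:
        return 0.0
    counts = Counter(data)
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts.values())


def plant_decoys(directory: str) -> dict:
    """Write the decoys and return a baseline {path: sha256 hex}."""
    baseline = {}
    for name in DECOY_NAMES:
        path = os.path.join(directory, name)
        with open(path, "wb") as fh:
            fh.write(DECOY_CONTENT)
        baseline[path] = hashlib.sha256(DECOY_CONTENT).hexdigest()
    return baseline


def check_decoys(baseline: dict, entropy_threshold: float = 7.0) -> list:
    """Return one alert per decoy that is missing, modified, or now looks encrypted."""
    alerts = []
    for path, digest in baseline.items():
        if not os.path.exists(path):
            alerts.append(f"MISSING {path}: decoy deleted or renamed (new extension?)")
            continue
        with open(path, "rb") as fh:
            data = fh.read()
        if hashlib.sha256(data).hexdigest() != digest:
            ent = shannon_entropy(data)
            kind = "ENCRYPTED-LIKE" if ent > entropy_threshold else "MODIFIED"
            alerts.append(f"{kind} {path}: entropy {ent:.2f} bits/byte")
    return alerts


def simulate_ransomware(directory: str, rename_extension: str = "") -> None:
    """Constructed attacker: overwrite every file with random bytes, optionally rename it."""
    for name in os.listdir(directory):
        path = os.path.join(directory, name)
        size = os.path.getsize(path)
        with open(path, "wb") as fh:
            fh.write(os.urandom(size))
        if rename_extension:
            os.replace(path, path + rename_extension)


def demo() -> dict:
    """Run the check against clean, in-place-encrypted and renamed decoys."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        baseline = plant_decoys(d)
        results["clean"] = check_decoys(baseline)
        simulate_ransomware(d)
        results["encrypted_in_place"] = check_decoys(baseline)
    with tempfile.TemporaryDirectory() as d:
        baseline = plant_decoys(d)
        simulate_ransomware(d, rename_extension=".locked")
        results["renamed"] = check_decoys(baseline)
    return results


if __name__ == "__main__":
    for scenario, alerts in demo().items():
        print(scenario, alerts or "no alerts")
```

In practice the check runs continuously (a file-system watcher rather than a polling loop) and its alert triggers containment, such as isolating the host, because by the time a decoy has changed the ransomware is already running. The entropy heuristic separates a ransomware overwrite from an accidental edit, but it is only a heuristic: compressed archives also score near 8 bits/byte, which is why the decision is made on files nobody legitimately touches.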