malware
verifiedCite
While every effort has been made to follow citation style rules, there may be some discrepancies. Please refer to the appropriate style manual or other sources if you have any questions.
Select Citation Style
Feedback
Corrections? Updates? Omissions? Let us know if you have suggestions to improve this article (requires login).
Thank you for your feedback

Our editors will review what you’ve submitted and determine whether to revise the article.

print Print
Please select which sections you would like to print:
verifiedCite
While every effort has been made to follow citation style rules, there may be some discrepancies. Please refer to the appropriate style manual or other sources if you have any questions.
Select Citation Style
Feedback
Corrections? Updates? Omissions? Let us know if you have suggestions to improve this article (requires login).
Thank you for your feedback

Our editors will review what you’ve submitted and determine whether to revise the article.

Also known as: cryptoviral extortion
ransomware
ransomware
Also called:
cryptoviral extortion
Related Topics:
cybercrime
malware
trojan
extortion

ransomware, malicious software (malware) that permanently blocks access to data or devices until the owner of the data pays a ransom. Ransomware generally works by gaining access to a computer system as a Trojan horse virus and encrypting the system’s files so that they cannot be accessed without a decryption key (see also computer virus). The program then demands payment in the form of hard-to-trace cryptocurrency, such as Bitcoin. The technical term for this method of blackmail is cryptoviral extortion.

Origins and development

The first documented ransomware, known as “AIDS Trojan,” was introduced in 1989. American biologist Joseph Popp, who later claimed that he had created the virus to raise money for AIDS research, distributed 20,000 infected floppy disks to attendees of the World Health Organization (WHO) AIDS conference. Once Popp’s victims had loaded the disks’ contents onto their hard drives, the AIDS Trojan virus waited until the users had rebooted their computers 90 times—upon which the names of users’ files were encrypted. Later a fraudulent request for the users to pay up to $378 “for your software lease” appeared—the payment to be mailed to “PC Cyborg Corporation” at a post office box in Panama. The experts who analyzed the operation noted that Popp’s plan had three flaws: a slow expensive distribution method, a serious design failure (decryption was relatively easy), and physically traceable ransom payments.

For the next decade, this new form of blackmail was studied more often than it was executed. In 1992 South African software engineer Sebastiaan von Solms and Israeli cryptographer David Naccache published a paper titled “On Blind Signatures and Perfect Crimes,” wherein they suggested that blind digital signatures—such as those now used in cryptocurrency transactions—might lead to a perfect ransomware crime. About 1995 Columbia University researchers Adam L. Young and Moti Yung foresaw the business model for modern ransomware, which they presented in a 1996 article explaining not only how the AIDS Trojan virus failed but also how well it might have worked if it had extorted electronic money.

Ransomware made its return in the mid-2000s. The first notable cryptovirus was GPCode, which began spreading throughout Russia in 2004 as a malicious Word document file that victims believed to be a job application. Those who downloaded the virus, which made victims’ files unopenable, were told to send payments to one of two digital currency services in order to regain access to their files. The Archiveus Trojan virus that followed in 2006 was the first ransomware strand to use an RSA encryption algorithm, which encoded every document in the victims’ Windows “My Documents” folder and demanded that victims purchase items from an online pharmacy in exchange for the 30-digit password. The impact of the Archiveus Trojan virus was lessened when the unlocking password was discovered and published by cybersecurity researchers.

Modern developments

In the early to mid-2010s the number of ransomware viruses in circulation began to skyrocket. In the third quarter of 2011 there were approximately 60,000 viruses in circulation, and in the third quarter of 2012 there were more than 200,000. By the first quarter of 2015 there were nearly 725,000 ransomware viruses in circulation. Moreover, these newer ransomware viruses continued to improve on the old ones. The 2013 virus CryptoLocker, for example, took advantage of a botnet (a set of networked devices) to distribute its payload (see also information system: Information systems security and control). The virus also used 2048-bit RSA encryption—which, theoretically, can be broken only by a quantum computer—to lock victims’ files. CryptoLocker demanded payment in Bitcoin, which is much more difficult to track than traditional (fiat) currencies. The resulting profits were high: when the FBI took down the botnet distributing CryptoLocker in 2014, it was discovered that the criminals had made about $3 million in nine months.

One of the most significant developments in ransomware was the introduction of ransomware as a service (RaaS) in the early 2010s, wherein ransomware is sold to people who want to perpetrate an attack but lack the skills to create viruses themselves. RaaS providers can be quite sophisticated, including documentation, updates, and 24/7 technical support for the buyer, all of which may be paid for through a one-time purchase, a monthly fee, or a profit-sharing scheme. RaaS has effectively raised the ceiling on the number of ransomware attacks that can be committed, since the number of people capable of such attacks was previously quite low.

Get a Britannica Premium subscription and gain access to exclusive content. Subscribe Now

Since 2017 the scale of ransomware schemes has also increased. Large corporations are often targeted by criminal groups for ransomware attacks in hopes of extorting larger payments than most individuals could afford. For example, in June 2021 a criminal group calling itself Pinchy Spider infected the computers of the meatpacking corporation JBS and was paid $11 million in Bitcoin for its efforts. Another group, Carbon Spider, struck Colonial Pipeline in July of that same year, extorting at least $5 million. The economic impact of these plots and others has been so substantial that ransomware has become an important subject of discussion at intergovernmental summits, such as the International Counter Ransomware Initiative Summits hosted by the United States in 2021 and 2022.

Adam Volle