Young and Yung first presented the concept of file-encrypting ransomware or cryptoviral extortion in 1996 at Columbia University at the IEEE Security and Privacy conference. Ransomware is based on the three-step protocol of cryptoviral extortion that happens between attacker and victim.
In step one, the attacker generates a key pair and stores the public key secretly in the malware. The attacker then either releases the malware generally into the world or targets the victim specifically with that ransomware. Step one is in the direction of an attacker to the victim.
In step two, the attacker needs the victim’s system to respond to carry out the cryptoviral extortion attack and waits for the response. The ransomware encrypts the victim’s data by generating a random symmetric key and encrypts that key using its public key.
This hybrid encryption process generates the symmetric ciphertext of the victim’s data and a small asymmetric ciphertext. To prevent recovery, it zeroes the original plaintext data and the symmetric key.
The victim receives the ransom demand message that includes asymmetric ciphertext and payment instructions.
Finally, in step three, the attacker either does or does not receive the demand payment. They may or may not return the symmetric key to the victim or use their key to decipher the asymmetric ciphertext. In other words, the victim may pay the ransom or not, and either way still never recover.
Unfortunately, symmetric keys cannot help other victims because they are randomly generated. The attacker’s private key is never exposed to victims.
Delivery of Ransomware Payload
Typically, attackers enter a system and deliver ransomware payloads using a trojan of some kind, such as a malicious email attachment, an embedded phishing link, or a network service vulnerability. Once the trojan pierces the system, the program runs a payload.
The ransomware payload either locks the system somehow or claims to, for example, display a fake warning about pirated media or illegal activities. Simpler payloads restrict or block the system unless or until the victim pays. They might do this by modifying the partition table and/or master boot record to stop the OS from booting until the attacker repairs it, or by setting the Windows Shell to itself. More sophisticated payloads actually encrypt files using strong encryption.
Since payment is usually an attacker’s goal, it is essential for them to find a convenient digital payment system that is difficult for law enforcement agencies to trace. Possibilities include digital currencies like Bitcoin, premium-rate text messages, pre-paid voucher services such as paysafecard, and wire transfers — although cryptocurrencies have quickly become the payment option of choice.