From Wikipedia, the free encyclopedia
Jump to navigation Jump to search
Good articleRansomware has been listed as one of the Engineering and technology good articles under the good article criteria. If you can improve it further, please do so. If it no longer meets these criteria, you can reassess it.
March 13, 2012Good article nomineeListed


Those ransomware criminals must be EXECUTED to DEATHS… — Preceding unsigned comment added by (talk) 15:34, 6 June 2019 (UTC)

Public key cryptography =[edit]

This article seems to place an undue emphasis on public key cryptography: there is no particular need for anything so advanced to be used to create ransomware that will be effective in current real-world environments: or indeed for ransomware to work as advertised at all, if the goal is only short-term extortion.

Having said which, since prepackaged asymmetric crypto is so easily available in current environments, it's an obvious way to do it. The main technical challenges for the ransomware criminal are not performing the technical task of encryption and decryption, but maintaining the credibility of their threat of permanent data loss and promise of timely and reliable data recovery, and getting away with the payment without being caught, both of which require communication. -- Karada 12:02, 23 July 2007 (UTC)

Actually, the public key is used to encrypt the data being held for ransom, not the communcations, or at least not only for the communications, and the purpose seems more to avoid sending decryption keys in the program since one could then disassemble the program and obtain the keys. (talk) 04:40, 28 May 2008 (UTC)

Rogue software[edit]

Now I suppose I was being a bit foolish by editing the page without looking at the history... But I do feel that rogue software is very relevant.

Ransomware is computer malware which holds a computer system, or the data it contains, hostage against its user by demanding a ransom for its restoration.

Rogue software is malware... It pretty much holds a computer hostage (and the intention is to do so). And in demanding the purchase of an "antivirus", it is essentially demanding a ransom. So I put a section in about rogue software and it was reverted. I won't start an edit war, but I would like to discuss it... I believe that it is very relevant. Oh by the way, my edit was the one on the left of this one. I was not using this name as I recently updated Firefox and lost all my cookies. Elecbullet (talk) 00:45, 3 May 2009 (UTC)

I don't think it's a good idea to conflate the two.
Ransom is a strong word. To hold something to ransom is to capture it and demand, unequivocally, a fee for its return. Most rogue software, on the other hand, simply nags the user repeatedly to buy something but leaves the computer mostly useable, even if they disable parts of the system in order to foil uninstallation. Personally believing that one is a form of the other is also not enough: some reasonable references need to be provided to show wide use of the meaning as well.
Nailbiter (talk) 06:44, 2 May 2009 (UTC)
"nags the user repeatedly" is quite an understatement... I've had rogue security software, it made my Internet unusable. And there are some varieties of rogue software that do leave the computer essentially useless, for example by flooding you with popups... Here is a Fox report which has an example but I doubt you can cite it (sort of new here). Elecbullet (talk) 00:45, 3 May 2009 (UTC)
Please sign with your username, not "hello, hello". It makes it easier to see who wrote what.
The FOX News clip you cited isn't helpful: I understand what you mean and know what rogue security software is, but you need to specifically show that it is widely referred to as ransomware. Likewise, any key definitions you put into articles should be have reasonable citations to back them up.
You might also want to give textual citations instead.
Nailbiter (talk) 09:40, 2 May 2009 (UTC
Argh, I'm beginning to see your point... I can't find anything referring to rogue software as ransomware. Never mind then. Elecbullet (talk) 00:45, 3 May 2009 (UTC)
Ransomware like Virus Protector certainly does make the computer unusable until you pay them. It replaces the Windows Shell with it's own module which comnpletely disabls the desktop and start menu, and will only run itself. Even rebooting into safe mode will not help as it replaces explorer.exe with its own module. Programs like these are widely referred to as ransomware. Little Professor (talk) 21:29, 30 March 2010 (UTC)u

I understand the term "rogue software" as software which does not do the purpose it looks to be doing. Examples are e.g. Windows tools called something like "DiskSuperDefragmenter", which then do pseudo- work on the system (mainly displaying nice graphics for obsolete tasks) and running keyboard logger at the same time. I do not think this term can apply to ransomware like Petya that works completely different. More info: Buddhaball 13:08, 22 July 2017 (UTC)

Fake ransom[edit]

Should programs requesting a fake ransom go here? For example, Rogue:W32/DotTorrent.A scans the system for torrents and tries to trick the user to pay "licence fees" for illegally downloaded files. Kenzero works in a similar way, but it even lists porn movies downloaded by the user on a web page. --Tgr (talk) 07:33, 18 April 2010 (UTC)

Ransom as infection method[edit]

I remember hearing about an old DOS virus where the requested ransom was help in spreading the infection: the virus locked the computer (threatening that it will erase everything if the machine is restarted), and the user had to insert a floppy disk which the visrus infected, use it to infect another computer (which was registered on the floppy disk by the virus) and reinsert the disk, all within some time limit. Does anyone know about such a virus? (It might just be an urban legend, of course.) --Tgr (talk) 07:41, 18 April 2010 (UTC)

Earlier use[edit]

The earliest use mentioned is a virus from 1989. In 1987, I wrote a simple program that does the same thing as the strings Unix utility and ran it on random programs. One of them included a long message stating that it detected it's a pirated copy and it's encrypting your entire disk, turning off the computer with the process will make it unrecoverable, and that to recover the data you have to pay $999 to its authors. Sadly, I don't remember the name of the program in question. KiloByte (talk) 22:05, 29 September 2010 (UTC)

Short Paragraph on Fixing a Ransomware situation[edit]

Somebody might want to include a paragraph in this article on basic defenses against Ransomware. Its so crippling, that it freezes the entire operating system. Theres no way to go into control panels to delete Ransomware files, although malware of a less-crippling nature can be deleted by going into system control panels to manually delete malware files. But Ransomware will likely require the user to re-boot, and then to restore the system to factory settings, which is what I had to do. Ransomware is the perfect incentive to back-up files to an external storage device. Of course, people need to act with some common sense with regard to the Ransomware that uses the FBI logo, or the logo of some other law enforcement agency. If FBI is aware of a child porn user, they will physically go to the person's home, confiscate the computer, and make an arrest. The FBI doesn't remotely go into the person's computer, and then request money. Marc S. Dania fl (talk) 12:59, 6 August 2013 (UTC)

We cannot do that, how-to content is not allowed on Wikipedia. ViperSnake151  Talk  18:27, 23 October 2013 (UTC)

CryptoDefense and CryptoWall[edit]

In the "Copycats" section, there's a clear mistake and several omissions regarding CryptoWall, as it is simply CryptoDefense's update under a different name. As far as I know, CryptoDefense spread first in the early days of March 2014, weeks afterwards one argentine hacker (namely Jose Vildoza) found a loophole whereby the malware left a copy of its keys pair in Windows Key Vault, where RSA Key Containers are stored by Window's Data Protetion API (CryptoAPI) by default. Although such key containers have both public and private key, the latter is securely encrypted by DPAPI. Jose Vildoza from Argentina and Fabian Wosar from Germany developed a tool that extracts the private key from the protected key container and proceeds to decrypt the victim's files without payment. These guys were quietly helping victims recover their files by Email but unfortunately, on March 31, Symantec published an article on its blog describing the loophole, which didn't take long to prompt the malware's authors to patch it. A few weeks later, "CryptoWall" emerged, which is just like CryptoDefense, though it has a better looking GUI on its "Decryption Service" webpage and the loophole IS patched. There are many sources for muy statement, like THIS one from PCWorld. ( — Preceding unsigned comment added by (talk) 08:28, 16 October 2014 (UTC)

Warning, new (?) ransomware late December 2015[edit]

This comment violates guidelines for Talk pages, I would maintain that WP:IAR holds here, advice that might save some people's data. If it's thought that this section really shouldn't be on this page, just delete it. I've just seen (hence WP:Original research, not suitable for article) an encryption attack via a ZIP email attachment with a Javascript .js payload; I personally haven't come across a .js payload before. I let it infect a virtual machine, which it did very rapidly. Possibly it ran without needing to download malware over an Internet connection. I don't know if it genuinely encrypted and sent the key to a control center; it did replace many files with gibberish, appending ".vvv" to the filename. Plus lots of messages about my needing to connect to my personal (malware) page, presumably to be told how to pay, and to reassure me (truthfully or not) that they had the unique key for my files. Later: after doing an online virus check, I think the file is probably a downloader, not a direct-encrypting .js script as suggested above. HTH, Pol098 (talk) 16:08, 23 December 2015 (UTC)

Erroneous Ransomware history image[edit]

File:Ransomeware history.png
A history of ransomware from Symantec[1] (talk · contribs) keeps removing this saying "The timeline is incorrect. It starts with the flawed AIDS Trojan attack in 1989 followed by the secure ransomware attack introduced by Young-Yung in IEEE S&P 1996)"

It should be updated with the latest info if it's available, not removed as it's pretty good otherwise. Deku-shrub (talk) 23:22, 20 April 2016 (UTC)

The latest info is available. It has been in this wikipedia article for years. Symantec for whatever reason completely left out the first two pivotal events in the history of ransomware. Feel free to fix the broken timeline and repost. — Preceding unsigned comment added by (talk) 23:45, 20 April 2016 (UTC)
Come on, an incomplete time line is better than no time line Deku-shrub (talk) 12:16, 21 April 2016 (UTC)

Wrong. There is a time-line. It was already in the text of the article. Adding to the article an incorrect time-line, that even worse, claims to be a "Complete history" makes no sense and misleads the general public. I am 110% in support of freedom of speech. But what you have been doing is re-uploading an incorrect time-line to this article. A graphic is a really nice idea so why don't you fix it?


  1. ^ "Internet Security Threat Report" (PDF). Retrieved 16 April 2016.

Links to source codes?[edit]

It would be helpful to have a couple links to some example ransomeware code for documentation and research purposes.

FockeWulf FW 190 (talk) 21:50, 31 October 2016 (UTC)

Yes, wouldn't it? — Preceding unsigned comment added by (talk) 09:15, 22 November 2016 (UTC)

Assuming good faith, it is probably best to leave that type of research to engineers in closed environments. For curious minds, here's analysis from developer perspective on one example of how ransomaware works: Buddhaball 13:42, 22 July 2017 (UTC) — Preceding unsigned comment added by Partaj1 (talkcontribs)

Protected edit request on 15 May 2017[edit]

Wanna Cry needs update.More than 200,000 users affected in 104 countries. RathanKalluri 04:12, 15 May 2017 (UTC)

Not done: The page's protection level has changed since this request was placed. You should now be able to edit the page yourself. If you still seem to be unable to, please reopen the request with further details. (non-admin closure)MRD2014 📞 contribs 01:24, 18 May 2017 (UTC)

Discussion of protection level[edit]

What level of protection do people think this page should have? It's currently fully protected which I think is too high, I think it should be lowered e.g. to semi-protected or pending changes. What do other people think please? Tom B (talk) 10:14, 15 May 2017 (UTC)

@Lectonar: I don't see any evidence of edit warring in this article's revision history. Did you change its protection level for some other reason? Jarble (talk) 00:24, 16 May 2017 (UTC)
See my talkpage and 2 topics down....Lectonar (talk) 08:00, 16 May 2017 (U

Nowadays, such concept as "too much security" in my opinion doesn't exist. Buddhaball 13:47, 22 July 2017 (UTC)


Should the page image at WannaCry ransomware attack be used as the image? NightlyG (talk) 11:32, 15 May 2017 (UTC)

In my opinion no, because some people confused Wannacry- attack with Cryptolocker that is isolated trojan from year 2014. It appeared as first hit on popular search machine when looking up ransomware. (This is not the case anymore). Therefore creating association of ransomware being specific type of malicious program can lead to generalization and misunderstandings. Buddhaball 13:53, 22 July 2017 (UTC) — Preceding unsigned comment added by Partaj1 (talkcontribs)

First Line of the Article[edit]

Someone editing from an IP address seems to be very keen to push references to cryptovirology into this article, particularly into the lead section, and restores them whenever someone else takes them out. While cryptovirology is important and relevant to this article, and needs to be mentioned in the section related to technical details, it is not central to the concept of ransomware. This is why we have a separate cryptovirology article. -- The Anome (talk) 16:13, 15 May 2017 (UTC)

The scientific community has called cryptoviral extortion by the title "cryptoviral extortion" since the year 1996. Colleges and universities the world over have been teaching the cryptoviral extortion attack from cryptovirology for years. Cryptovirology is taught at MIT, The Technion, UCLA, Rutgers, UCONN, NYU, Dartmouth, Ruhr University, University of Missouri, Rolla, University of Waterloo, University of Calgary, etc. The term "Ransomware" was introduced around 2005 by the media as a relabeling of cryptoviral extortion. So, The Anome is 100% wrong in saying "it is not central to the concept of ransomware". The Anome has removed the correct description of cryptoviral extortion and replaced it with an incorrect description that omits crucial details of the attack and, even worse, introduces errors in the description of the operation. For example, The Anome inserted this erroneous description: "decrypt the symmetric key". The symmetric key is not decrypted. The asymmetric encryption of the symmetric key is decrypted. This therefore conveys to the public an incorrect description of the attack. It also falsely attributes a broken description to the 1996 IEEE S&P paper that presents the correct (secure) attack, since the citation remains. The public needs and deserves an accurate description of this attack. The Anome: if you think you can describe cryptoviral extortion in a more concise fashion, by all means, give it a shot. But don't omit crucial details and say wrong things. — Preceding unsigned comment added by (talk) 23:23, 15 May 2017 (UTC)
Hi (it would be nice to address you by a name). I think these articles are best split so that Ransomware contains a broad overview of how the malware works before covering notable real world malware and the impact it has caused, while Cryptovirology covers the underlying cryptographic concepts in more detail. For one reason or another 'ransomware' is the term that has entered general usage as opposed to 'cryptoviral extortion attack' and while this may be a matter of regret for the individuals who coined cryptoviral extortion in the 90s, Wikipedia must follow general usage. What this means in practice is that Ransomware will make references to Cryptovirology where appropriate but not at the expense of clear, concise explanations or good writing, e.g. "Ransomware is a type of malicious software that carries out the cryptoviral extortion attack from cryptovirology that blocks access to data until a ransom is paid and displays a message requesting payment to unlock it" versus "Ransomware is a type of malicious software designed to block access to a computer system or data until a ransom is paid". I note that the article has a subsection on non-encrypting ransomware. – Steel 14:36, 16 May 2017 (UTC)
Steel, while your input might seem logical, it is not accurate. Cryptoviral extortion/cryptoviruses are terms used in colleges and universities all over the world to teach the secure data kidnapping attack. They also appear in numerous peer-reviewed academic publications and books that teach the original attack and also build upon it (e.g., the Harvard University paper by Stuart E. Schechter and Michael D. Smith titled "How Much Security Is Enough to Stop a Thief?: The Economics of Outsider Theft via Computer Systems and Networks," Financial Cryptography 2003). That is general usage. It seems that your definition of 'general usage' is that which appears in tabloids. I for one, think that the public deserves accurate information that leads to authoritative and informative sources. Why do you feel that the terms used by educational institutions and the scientific community do not constitute general usage? — Preceding unsigned comment added by (talk) 22:32, 16 May 2017 (UTC)
Loaded question. 'Ransomware' is used literally everywhere, including reputable publications, tech vendors themselves, governments and academia. The fact that an older term also exists in academia doesn't detract from ransomware being used overwhelmingly more widely. – Steel 19:18, 17 May 2017 (UTC)

Having more Google hits on the word 'ransomware' as opposed to cryptoviral extortion/cryptoviruses does not change the fact that all the malware discussed on this page falls within the field of cryptovirology. To expand on this: In regards to your statement: "I note that the article has a subsection on non-encrypting ransomware." It is not clear how that fits into the discussion. Cryptovirology introduced the concept of an adversarial protocol in which the attacker deploys malware and uses it to extort payment from the victim over-the-wire in the form of crypto-currency. The leakware cryptovirology attack is about transporting the victim's data outside the victim's machine/organization and threatening to publish it, not encrypting it in place as a form of kidnapping. This was presented at West Point in IEEE IAW 2003. As it stands this article mimics very much the skin-deep content of tabloid articles on ransomware and significantly ignores the informative scientific literature on the subject. But it has been improving over time. Why don't we turn this discussion around and try to reach consensus on some text. Based on your rational arguments, I now agree with you that "cryptoviral extortion" may be too narrow for the first sentence. So, I believe the following is perhaps closer to what we are after: "Ransomware is a type of malicious software from cryptovirology that blocks access to data or threatens to publish it until a ransom is paid." — Preceding unsigned comment added by (talk) 23:31, 17 May 2017 (UTC)

The whole lead needs work, but this is probably the best opening sentence so far out of all the recent candidates. – Steel 10:26, 20 May 2017 (UTC)
Hi, I'm in agreement with Steel and The Anome - there's no call for adding 'cryptovirology' into this first sentence. Not only is it logically wrong, (not all ransomware is crypto-based), but the sentence you just created, "Ransomware is a type of malicious software from cryptovirology that blocks access to the victim's data or threatens to publish or delete it until a ransom is paid." is also poor English. There's been no move to remove cryptovirology references from later in the article - so please stop this campaign. Snori (talk) 04:00, 7 June 2017 (UTC)

Steel, The Anome, and Snori, the first line that you three are insisting on is wrong. This is it: "Ransomware is a type of malicious software that blocks access to the victim's data and threatens to publish or delete it until a ransom is paid". In the case of the attack that threatens to publish the victim's data, the victim is not denied access to his/her own data. Have you read the cryptovirology paper that was presented at West Point in IAW 2003 and the related text in Malicious Cryptography? Snori, you stated: "Not only is it logically wrong, (not all ransomware is crypto-based)". You are the one who has it backwards. You are making the assumption that all cryptovirology attacks use crypto offensively. This is not the case. The non-zero sum games attack (that the populace has relabeled as Doxware over a decade later) does not use crypto offensively (in the sense of cryptoviral extortion); the threat is publication of the victim's data. The malware exfils the victim's data and threatens to publish it from afar. The core aspect of the cryptovirology attack has no crypto at all. Ransomware attacks overwhelmingly more widely are cryptovirology attacks and therefore cryptovirology, the field that the attacks are in, belongs in the first line of this page. — Preceding unsigned comment added by (talk) 16:05, 9 July 2017 (UTC)

On phone so short comment only. I am not massively interested in the exact phrasing block or publish part of the sentence but I have again removed 'from crypotovirology' for all of the same reasons, amongst others: there are lots of opportunities to mention cryptovirology in the article but it does not need to be in the first 8-9 words where it affects the accessibility of the article. – Steel 10:57, 10 July 2017 (UTC)

Steel, this is not about what you are interested in. This is about giving society accurate information on ransomware. I asked you if you read the IAW 2003 cryptovirology paper and the related text in Malicious Cryptography. You decided not to answer. This suggests that you have not read scientific literature that is critical to understanding the depth and breadth of ransomware. This is further supported by your erroneous belief that ransomware that threatens to publish the victim's data blocks access to the victim's data (this was in your incorrect version of the line we are talking about). Had you read the original cryptovirology works you would have understood this and not conveyed this false information to society in the article. Having "from cryptovirology" does not detract from the accessibility of the article. In fact, I have shown that it will help people from making the same mistake as you. So, in summary, we have established that: (1) you feel the article should reflect your interests rather than what is helpful to society, and (2) you are not a subject matter expert in ransomware and are not qualified to address cryptovirology because you have not studied it sufficiently. — Preceding unsigned comment added by (talk) 02:05, 12 July 2017 (UTC)

WannaCry: Erroneous attribution[edit]

The WannaCry section erroneously suggests that The Shadow Brokers are responsible for the attack. They were not, and nowhere in the cited article is it mentioned either. They were merely the publishers of the ETERNALBLUE attack that WannaCry used. -- (talk) 07:43, 26 May 2017 (UTC)

I've fixed this. It's not explained very well in the source so not surprising that someone read it incorrectly. – Steel 17:05, 26 May 2017 (UTC)

Kompromat ransomare[edit]

I am missing a section on ransomware that plants false incriminating evidence on computers. See e.g. this or

Or is there a separate article about this? Zezen (talk) 09:42, 22 December 2018 (UTC)

"Ransomware" of course - cannot fix it on mobile UI. Zezen (talk) 09:44, 22 December 2018 (UTC)

Why popular?[edit]

Reading in Simple English, why ransomware became popular in Russia?
-- (talk) 17:36, 19 May 2020 (UTC)

Some proposed updates[edit]

Possible to add the following research data to the "Operation" section of the page?

Under the penultimate paragraph (about the different types of payloads and the various ways ransomware restricts systems):

"In May 2020, vendor Sophos released data showing that in almost three quarters of ransomware attacks (73 percent), cyber criminals succeeded in encrypting data[1]."

Following the final paragraph in that section (about ransomware payments), we could also include these:

"In May 2020, vendor Sophos reported that the global average cost to remediate a ransomware attack (considering downtime, people time, device cost, network cost, lost opportunity and ransom paid) is $761,106. Ninety-five percent of organizations that paid the ransom had their data restored[2].Hanahdj (talk) 20:53, 14 September 2020 (UTC)

Ransomware cyberterrorists committed murder[edit]

--2001:569:7D81:3000:B0E4:B656:EA4:A655 (talk) 12:20, 16 November 2020 (UTC)