E-Threats Tips and Tricks

Money or Data? The Ultimate Guide to Understanding Ransomware – Part I

Not long ago, a man committed suicide after an automatically generated notice from a computer virus threatened him with jail unless he paid a ransom thousands of dollars. The year was 2014. As incredible as the story seems, it marked the first known time a computer virus actually killed somebody. The next generations stole cash from users around the globe, and Cryptolocker raised the stakes – holding data of hundreds of thousands of users hostage. Despite successive short-lived take downs, the malware has made a comeback as CTB (Curve-Tor-Bitcoin) Locker.

This challenging breed of malware is continuously improving, reaching new levels of complexity as smartphones and tablets are increasingly used to store crucial personal and enterprise-level documents.

Bitdefender, the anti-malware solutions provider, zooms in on the subject to show how this type of virus works and to tell users how to prevent being locked out and extorted.

What is ransomware?

Ransomware is a type of malware that infects and locks a system until the user pays a fee to regain access to the data. Paired with server-side polymorphism and industry-grade delivery infrastructures, the malware can enter a system through a malicious downloaded file, a vulnerability in a network service or even a text message. Stay tuned to read an extensive article on how ransomware infects users’ machines.


Why is it different from traditional malware?

  • It doesn’t steal victim’s information, it encrypts it
  • It demands a ransom, usually in Bitcoins.
  • It’s relatively easy to produce—there are a number of well-documented crypto-libraries

Types of ransomware

Device lockers

This type of ransomware locks the device screen and displays a full screen image that blocks access to the device. The message demands payment, yet personal files are not encrypted.


File-encrypting ransomware

Some of the most notorious families of file-encryption ransomware include Cryptowall, Critroni and TorLocker.

File-encryptors like Cryptolocker encrypt personal files and folders such as documents, spreadsheets, pictures and videos. After infiltrating the machine, the malware contacts the command-and-control center to generate an encryption key to cypher each of the computer files using complex encryption algorithms. This will make the computer’s data unusable.

The malware then displays a message, often claiming to be from law enforcement agencies, to scare victims with threats of punishment and imprisonment unless they decrypt the data by paying (either through Bitcoin or a pre-paid cash voucher) before the stated deadline. Cyber criminals employ users’ computer IP information to show victims a localized version of the screen-blocking message. The same message sometimes threatens to delete the private key if the deadline is not met.


Some cyber-criminal groups are taking the business to a whole new level by anonymizing communication via TOR. TorLocker is a commercial ransomware toolkit sold on underground forums as an affiliate program. Renewable built-in keys allow TorLocker to encrypt files even if the victim’s PC is not online, while Tor-based communication makes it nearly impossible to shut down the operation.


“Things are getting worse, and we’re seeing more of these infections,” says Bogdan Botezatu, Senior E-threat Analyst at Bitdefender. “Once you fall victim to ransomware, there is absolutely no way to get your data back without paying. But, if you pay, you are only encouraging this business and funding their research and development. Sometimes, the criminals will take the payment and not release your data, leaving you without your money or your information.”

About the author

Alexandra GHEORGHE

Alexandra started writing about IT at the dawn of the decade - when an iPad was an eye-injury patch, we were minus Google+ and we all had Jobs. She has since wielded her background in PR and marketing communications to translate binary code to colorful stories that have been known to wear out readers' mouse scrolls. Alexandra is also a social media enthusiast who 'likes' only what she likes and LOLs only when she laughs out loud.


Click here to post a comment
  • On July 13,2013 my brother’s computer got hit by some of this ransom ware. It made his computer go to some illegal kid porn sites then said that he had been caught and that if he did not pay in 3 days that he would go to jail. My brother got so scared that he had a massive heart attack for a heart defect that we did not know he had. He was 36 years old.

    My sweet little brother was the kindest person in the world. He would never hurt a sole and would give the shirt off his back to help someone in need, even when he was in need. He was to start work at a new job just in just a few days and was so excited.

    When he died we did not know what happened at first. My husband went to get on my brothers computer to see about getting some of his photos to be used at the funeral and discovered that every wire to the computer was disconnected. We thought this was strange because he is always on. Then my husband found the count down on it. There was no way past this for a person with little computer software nohow.

    Thankfully my husband works for a computer company and figured how to bypass the opening ransom page. We were able to save my brother’s pictures and several home videos.

    Every time I see articles of ransom ware I think about ho my brother lost his life due to this. These people do not care of the lives they destroy. They do not care about how it is against the law. They are thieves and only care about how much money they can scam out of unsuspecting people. I wish that the all the governments would band together and work on putting these scamers in jail.

  • Nice article!

    I understand what the phenomena is now but there’s very little on the “how to stay safe” side – besides the obvious do not succumb to the warning. Have you looked at what channels the software uses to infiltrate the handsets? If so that would be a starting point in reducing risk through change of habit. What is the major target group of handsets for this sort of activity.

    Don’t get me wrong. The article is informative and interesting but it only leaves me well informed and poorly armed against this sort of activity.

    • Hi Serban,

      This is only the first article in a series of three articles meant to shed some light on the topic. Please stay tunned to get all the prevention tips you’re interested in. Follow us on Facebook for more info. Thanks!

      Later edit: We’ll also share all our materials on our social media channels – Facebook, LinkedIn, Twitter and Google. :)

    • Hello,

      Thank you for your feedback! Please stay tunned for the following two articles which will also discuss safety measures against ransomware. If you want to know exactly when these will be online, you can follow Bitdefender on Facebook, LinkedIn, Twitter and Google Plus. :)

  • Sure, but where is the “How to protect from…” part? It is ‘great’ news that downloads disguised by phishing, perhaps even by mistake, could lead you to a “there is absolutely no way to get your data back” situation. I have just reviewed for one of my managers, a few hours ago, a phishing email requiring payment for some reason, and the poor man did not know what to make of it. And yes, it had the obvious attachment. It could easily have been downloaded for better understanding. If it was ransomware, it would be disastrous – not that other malware is good news. What if it was downloaded, after all? When you publish an article on such subject, perhaps it is a good idea to include the ways to stay safe, if any.

  • The best defense and protection against Ransomware is to keep important data and such backed up on an external hard drive, online storage site and flash drives/discs. Also, don’t keep your financial info/data on your internet connected device. Use a stand alone device not connected to the internet. Download your info and then transfer it to the standalone computer/device. Although an additional expense, if you are hit with malware/ransomware attack; pull the plug on your computer, wipe the hard drive, reload your OS. Then change all of your pass codes/words. The advice from a hacker is not to use wireless devices for your personal financial transactions. Use a hard wired system and when finished, disconnect it from the internet.

  • Too bad this article is not true. There are often many ways to recover the data without paying any money. Most recently, there’s this – http://blogs.cisco.com/security/talos/teslacrypt and there are many others depending on the encryption technique used. I’d really like to see more IT people become journalists (such as myself) vs journalists trying to interpret IT articles to prevent this kind of mis-information from being propagated. The answer to this is very simple – make BACK UPs of your data. As a technician for more than 2 and half decades, I’ve grown hoarse repeating myself. But, no, lets just scare people – that sells better.

    • Hi Robert,

      Indeed, there are situations where less complex cryptographic implementations allow third parties to create tools that decrypt certain strains of ransomware. But those are exceptions, rather than the norm. Bitdefender tries to inform users on prevention since this is the first and easiest line of defense against threats.

      Thanks for your input!

  • If i get infected with this virus/malware, how can i clean my pc? Can you break the encription? Is any solution from Bitdefender to solve the problem? thanks.

    • Hi Robi,

      The best way to protect against the effects of ransomware is to not get infected in the first place. :) Unfortunately, because of the technology limitations imposed by asymmetric cryptography, users can’t retrieve the decryption key without paying the ransom. So, prevention is key. To do so, it is highly advisable to use an anti-malware solution with anti-exploit, anti-malware and anti-spam modules like Bitdefender Internet Security. Keep it constantly updated and able to perform active scanning.

  • I am a technician for a leading vendor in the prevention space, without the purchase of an external solution the absolute best prevention technique is to have your user account as a Standard User and turn on User Account Control. By logging in with a Standard User you will be prevent any malware/virus from deeply embedding itself in the OS which makes clearing it out permanently nearly impossible. This is recommended by virtually every independent IT Security Researcher along with patching your computer and it’s applications – even Microsoft recommends it. Granted this won’t stop things running in your user account, but combined with AV, good malware protection and AppLocker it can go a very long way to preventing infections.