ransomware
What It Is
A malware category whose primary impact is the encryption, exfiltration, or destruction of files for the purpose of extortion. Traditional ransomware encrypts data in place, appends a unique extension, and leaves a ransom note with payment instructions. Pure encryptors and wipers without a demand mechanism (e.g., destructive ransomware, or wipers disguised as ransomware) still fall under this umbrella when the encryption logic is the dominant payload.
Key Traits
| Trait | Typical Observation |
|---|---|
| Encryption algorithm | AES-256, RSA-2048/4096, ChaCha20, Salsa20 — sometimes custom |
| Key management | Hard-coded (weak), embedded per-victim (stronger), or C2-retrieved |
| Ransom note | .txt, .html, .hta, desktop wallpaper — contains wallet, email, or TOR link |
| Extension mutation | Appends victim-specific or campaign-specific suffix |
| Lateral movement | Often leverages SMB, RDP, or PsExec to spread |
| Data exfiltration | "double-extortion" variants also steal data before encryption |
| Wipers vs. true ransomware | Some families encrypt without retaining the key — functionally a wiper |
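Three of the traits above (extension mutation, ciphertext-like file content, a ransom note in one of the listed formats) can be combined into a simple triage heuristic for a file set. The following is an added example, not code from the original page: it runs over a constructed in-memory sample "directory", and the keyword list, entropy threshold and scoring are assumptions chosen for illustration.

```python
import math
from collections import Counter

# Constructed sample "directory" (name -> content); not real malware artifacts.
SAMPLE_FILES = {
    "report.docx": b"Quarterly report. Revenue grew 4% year over year. " * 20,
    "notes.txt": b"meeting at 10am\n" * 30,
    "budget.xlsx.locked": bytes(range(256)) * 4,                    # ciphertext-like
    "photo.jpg.locked": bytes((i * 37) % 256 for i in range(1024)),  # ciphertext-like
    "README_TO_DECRYPT.txt": b"Your files are encrypted. Contact us via TOR.",
}

DOC_EXTS = {"docx", "xlsx", "pptx", "pdf", "jpg", "png", "txt", "csv"}
NOTE_EXTS = {"txt", "html", "hta"}                        # note formats from the table
NOTE_WORDS = ("decrypt", "recover", "restore", "readme")  # assumed keyword list
ENTROPY_THRESHOLD = 7.5                                   # assumed; random bytes are ~8.0

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed data sits close to 8.0."""
    if not data:
        return 0.0
    return -sum(c / len(data) * math.log2(c / len(data)) for c in Counter(data).values())

def stacked_suffix(name: str):
    """Return the appended suffix when a document extension is followed by another one."""
    parts = name.lower().split(".")
    if len(parts) >= 3 and parts[-2] in DOC_EXTS:
        return parts[-1]
    return None

def looks_like_ransom_note(name: str) -> bool:
    low = name.lower()
    return low.rsplit(".", 1)[-1] in NOTE_EXTS and any(w in low for w in NOTE_WORDS)

def assess(files: dict) -> dict:
    """Combine the three indicators into a coarse verdict for a file set."""
    suffixes, encrypted_like, notes = Counter(), [], []
    for name, data in files.items():
        if looks_like_ransom_note(name):
            notes.append(name)
        suffix = stacked_suffix(name)
        if suffix and shannon_entropy(data) > ENTROPY_THRESHOLD:
            suffixes[suffix] += 1
            encrypted_like.append(name)
    suffix, count = suffixes.most_common(1)[0] if suffixes else (None, 0)
    # Assumed scoring: a repeated suffix on ciphertext-like files plus a note => alert
    score = min(count, 3) + min(len(encrypted_like), 3) + (2 if notes else 0)
    return {"dominant_suffix": suffix, "suffix_count": count,
            "encrypted_like": encrypted_like, "ransom_notes": notes,
            "verdict": "ransomware-like" if score >= 4 else "benign"}
```

Calling `assess(SAMPLE_FILES)` flags the two `.locked` files and the note; a set containing only the two plain documents comes back benign.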
Related: chacha8, coinminer (sometimes bundled or dropped together).