What is crypto ransomware? How cryptocurrency aids attackers

How crypto ransomware attacks work

Crypto ransomware attacks typically occur in these steps:

• Step 1: The attacker deploys malware where the intended victims can access it. Sometimes attackers send the malware to their targets. An example of this might be phishing emails with malware in file attachments. It can also be done via infected flash drives left in public places. In other cases, attackers host the malware on a website and direct victims to that website through phishing, malicious advertisements or other schemes.
• Step 2: The malware infects victims' computers. Victims often must do something specific to trigger the infection, such as double-clicking on a malware file to cause it to execute. Other times, no action is required; for example, when an attacker sends malware to a vulnerable computer over a network and remotely activates it.
• Step 3: The malware uses cryptography to encrypt documents and other files on the infected computers. Malware can quickly spread itself to other computers on a network. As files are encrypted, users lose access to their contents.
• Step 4: The infected computers display a message from the attacker. The message commonly announces the attack and demands cryptocurrency payment in exchange for restoring access to the stolen files.

There are several other forms of ransomware attacks, all of which follow similar steps. The notable variations in ransomware types happen in Step 3. While crypto ransomware uses cryptography to encrypt files, other forms of ransomware use different methods or combinations of methods.

Examples of other tactics include the following:

• Locker ransomware. This locks the computer, preventing anyone from using it. Criminals demand a ransom in exchange for unlocking the computer.
• Doxware or extortionware. With doxware and extortionware, malicious actors steal data from a computer and transfer copies of sensitive files to an external location. The victims can still use the infected computer and access their files, but the attacker threatens to leak or sell the stolen data if a ransom is not paid.
• Double extortion ransomware. When cybercriminals deploy a double extortion ransomware attack, they combine crypto ransomware and extortionware. They steal data from a computer and encrypt that data on the computer. An attacker might do this to demand a higher ransom and to increase the likelihood that the victim will pay.

Nearly all ransomware, regardless of type, demands payment in the form of cryptocurrency. Cryptocurrency provides immediate transfers of large sums of money from victims to attackers. And, compared to other payment methods, cryptocurrency is less regulated or unregulated, depending on location. It also helps to conceal the identity of the attackers. Government agencies will sometimes try to recoup ransom payments, and they sometimes succeed. Many victims paying ransoms don't notify authorities -- or they do so after it's too late to reclaim the funds.

Best practices to prevent crypto ransomware attacks

Many of the best practices recommended for general cybersecurity efforts are also effective at preventing crypto ransomware attacks -- or reducing the effect of those attacks that do succeed. Security fundamentals for countering crypto ransomware include the following:

• Cybersecurity training. Conduct frequent ransomware awareness training for all users on how to avoid infection. Train users to recognize phishing attempts. Urge them not to install or execute unapproved software. Periodically train -- and frequently remind -- users about what they should do if a crypto ransomware infection occurs.
• Vulnerability management. Keep computer operating systems and applications properly patched and upgraded, and configure systems with security in mind. Effective vulnerability management makes it harder for crypto ransomware to infect computers.
• Malware detection. Use a combination of cybersecurity services and software capable of detecting and blocking crypto ransomware and other malware. Examples include anti-phishing technology on email servers and antivirus software on computers.
• Cybersecurity monitoring. Monitor networks and computers to identify abnormal activity patterns. The encryption of a large number of files, for example, could indicate a crypto ransomware infection.
• Backups. Plan and implement mechanisms for backing up files, protecting those backups and restoring them as needed. Having backups of your files -- and storing them offline where crypto ransomware can't reach and infect them, too -- is incredibly important for rapid recovery after a crypto ransomware infection. Backups should be tested regularly to ensure that they capture needed files and that restoration processes work correctly.

Finally, before you make a ransom payment, carefully consider whether that is the right decision. Remember that the attackers demanding ransoms are criminals. They might follow through on their promises to decrypt files and restore access, but they might not. Payment is what makes ransomware profitable for attackers. When denied payment, they lose motivation to continue their crimes.

Crypto ransomware examples

When successful, crypto ransomware attacks can cause major damage.

The 2023 ESXiArgs ransomware campaign, for example, encrypted configuration files on thousands of VMware ESXi servers, making them and all of the virtual machines they supported unusable until the configuration files were restored.

The Maui ransomware campaign used phishing emails to target healthcare organizations and other entities. In 2024, the U.S. Department of Justice announced an indictment against the leader of the ransomware gang thought to be behind the Maui campaign, which the government alleged annually cost hospitals billions of dollars.