A user, Ann, is reporting to the company IT support group that her workstation screen is blank other than a
window with a message requesting payment or else her hard drive will be formatted. Which of the following
types of malware is on Ann’s workstation?
Ransomware is a type of malware which restricts access to the computer system that it infects, and demands a
ransom paid to the creator(s) of the malware in order for the restriction to be removed. Some forms of
ransomware encrypt files on the system’s hard drive), while some may simply lock the system and display
messages intended to coax the user into paying.
Ransomware typically propagates as a trojan like a conventional computer worm, entering a system through,
for example, a downloaded file or a vulnerability in a network service. The program will then run a payload: such
as one that will begin to encrypt personal files on the hard drive. More sophisticated ransomware may hybridencrypt the victim’s plaintext with a random symmetric key and a fixed public key. The malware author is the
only party that knows the needed private decryption key. Some ransomware payloads do not use encryption. In
these cases, the payload is simply an application designed to restrict interaction with the system, typically bysetting the Windows Shell to itself, or even modifying the master boot record and/or partition table (which
prevents the operating system from booting at all until it is repaired)
Ransomware payloads utilize elements of scareware to extort money from the system’s user. The payload may,
for example, display notices purportedly issued by companies or law enforcement agencies which falsely claim
that the system had been used for illegal activities, or contains illegal content such as pornography and pirated
software or media. Some ransomware payloads imitate Windows’ product activation notices, falsely claiming
that their computer’s Windows installation is counterfeit or requires re-activation. These tactics coax the user
into paying the malware’s author to remove the ransomware, either by supplying a program which can decrypt
the files, or by sending an unlock code that undoes the changes the payload has made.