What to look for

  • Installation

After a victim’s computer is infected, the crypto-ransomware installs itself, and sets keys in the Windows Registry to start automatically every time your computer boots up.

  • Contacting Headquarters

Before crypto-ransomware can attack you, it contacts a server operated by the criminal gang that owns it.

  • Handshake and Keys

The ransomware client and server identify each other through a carefully arranged “handshake,” and the server generates two cryptographic keys. One key is kept on your computer, the second key is stored securely on the criminals’ server.

  • Encryption

With the cryptographic keys established, the ransomware on your computer starts encrypting every file it finds with any of dozens of common file extensions, from Microsoft Office documents to .JPG images and more.

  • Extortion

The ransomware displays a screen giving you a time limit to pay up before the criminals destroy the key to decrypt your files. The typical price, $300 to $500, must be paid in untraceable bitcoins or other electronic payments.