Journal in Computer Virology, Volume 6, Issue 1, pp 77–90

Comparative analysis of various ransomware virii

  • Alexandre Gazet
Eicar 2008 extended version


The word ransomware and the associated phenomenon appeared something like 3 years ago, around the year 2005. It shed light on a specific class of malware which demands a payment in exchange for a stolen functionality. The most widespread ransomware makes intensive use of file encryption as a means of extortion. Basically, it encrypts various files on the victim’s hard drives before asking for a ransom to get the files decrypted. Security-related media and some antivirus vendors quickly brandished this “new” type of virii as a major threat to the computer world. This article tries to investigate the foundation of these threats beyond the phenomenon. In order to get a better understanding of ransomware, the study relies on a comparative analysis of various ransomware virii. Based on reverse engineering, while not focused on analysis methodology, a technical review is done at different levels: quality of code, the malware’s functionalities, and analysis of cryptographic primitives, if any. Our analysis leads us to many interesting approaches and conclusions concerning this phenomenon, and in particular the strengths and weaknesses of the extortion means used. We also take advantage of our technical review to stand back and analyse both the business model associated with this ransomware and the communication that has been made around it.


Elliptic Curve, Pseudorandom Generator, Symmetric Encryption, Cryptographic Primitive, Infection Vector
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.





Copyright information

© Springer-Verlag France 2008

Authors and Affiliations

  1. Sogeti, ESEC, Paris, France
