Cryptovirology: What it is, why it powers ransomware, and how to defend against it

Cryptovirology

What it is

Cryptovirology is the study of how cryptography can be turned against the people it normally protects. Instead of securing data, an attacker uses strong encryption and public-key techniques to power malware, most famously ransomware that locks files with keys the victim cannot guess, recover from the machine, or brute-force.

Why it matters

Modern ransomware isn’t “just a virus.” It is math-backed extortion: files are encrypted with sound, well-studied algorithms, the key needed to undo the encryption is kept off the victim’s device, and the victim faces a pay-or-lose decision. The same ideas also enable stealthy data theft and command channels that are hard to inspect or trace.

How it works

  • Public-key traps: the malware carries only the attacker’s public key. Anything encrypted to it can be opened only with the matching private key, which never leaves the attacker.

  • Key hygiene: the private key is never on the victim’s machine, and the symmetric keys used on the files exist only briefly in memory before they are wrapped and wiped, so forensic recovery of a usable key is rarely possible.

  • Hybrid crypto: a fast symmetric cipher (typically AES) encrypts the data with a fresh session key, often one per file; the public key protects those session keys, so the ransom is really for the private key that unwraps them.

  • Double extortion: the crypto locks the files while data stolen before encryption is used as leverage, so even a clean restore from backup does not end the incident.
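The hybrid scheme the list describes, written out as an added example (this is not code from the original page; it models the mechanics with Go’s standard library so the key-handling point is concrete, and the sample file contents, type and function names are this example’s own assumptions):

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Constructed sample file contents for the demo (not data from the page).
var sampleFile = []byte("Q3 payroll ledger - constructed sample data")

// Locked is all that remains on disk after hybrid encryption. No plaintext
// key is stored anywhere on the victim side, only the wrapped copy.
type Locked struct {
	Ciphertext []byte // AES-256-GCM output with the authentication tag appended
	Nonce      []byte // 12-byte GCM nonce, fresh for each session key
	WrappedKey []byte // session key under RSA-OAEP(SHA-256) to the attacker's public key
}

// newGCM builds the AES-GCM AEAD for a 32-byte session key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptHybrid encrypts plaintext with a fresh AES-256 session key and wraps
// that key with pub. Only the public key is needed on the victim machine.
func encryptHybrid(pub *rsa.PublicKey, plaintext []byte) (*Locked, error) {
	sessionKey := make([]byte, 32)
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	for i := range sessionKey { // the wrapped copy is the only one kept
		sessionKey[i] = 0
	}
	return &Locked{Ciphertext: ct, Nonce: nonce, WrappedKey: wrapped}, nil
}

// decryptHybrid unwraps the session key with priv and opens the ciphertext. With
// the wrong private key the OAEP check fails and the symmetric layer is never reached.
func decryptHybrid(priv *rsa.PrivateKey, l *Locked) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, l.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap session key: %w", err)
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, l.Nonce, l.Ciphertext, nil)
}

// roundTrip plays both sides: the attacker ships only the public key; a second,
// unrelated key pair stands in for anyone trying to recover the file without it.
func roundTrip() (ownerRecovers, strangerFails bool, err error) {
	attacker, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	stranger, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	locked, err := encryptHybrid(&attacker.PublicKey, sampleFile)
	if err != nil {
		return false, false, err
	}
	got, err := decryptHybrid(attacker, locked)
	if err != nil {
		return false, false, err
	}
	_, strangerErr := decryptHybrid(stranger, locked)
	return bytes.Equal(got, sampleFile), strangerErr != nil, nil
}

func main() {
	ok, fails, err := roundTrip()
	fmt.Println("private key holder recovers:", ok, "| other key fails:", fails, "| err:", err)
}
```

The point for defenders is in what `Locked` contains: carving memory or disk for `sessionKey` after the fact yields nothing useful, and the GCM tag means partially corrupting the ciphertext in hope of a “close enough” recovery only makes decryption fail outright.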

Real-world impact

  • Strong crypto makes decryption impractical without the attacker’s key; public decryptors appear only when operators leak or lose their keys or implement the cryptography badly.

  • Cleanups focus on containment, restore, and hardening, not on cracking the cipher.

  • Even backups are at risk: attackers look for backup servers, shares and snapshots reachable from the compromised network and encrypt or delete them before triggering the ransom, so only offline or immutable copies can be counted on.

Defend smart

  • Backups that can’t be altered (offline or immutable), plus practiced restore drills so you know how long recovery actually takes.

  • MFA everywhere, least privilege, and segmented networks to limit the blast radius of one compromised account or host.

  • Patch internet-facing apps fast; tighten email and web filtering.

  • EDR with behavior rules: bursts of file writes or renames by a single process, shadow copy and backup catalog deletion, disabling of recovery options, and unexpected use of crypto APIs.

  • Train teams to spot phishing and fake updates; rehearse incident response.
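Two of the behavior rules above (mass file writes by one process, and shadow copy deletion) written out as detection logic over endpoint events, as an added example that is not code from the page or from any EDR product. The event schema, the window and threshold values, and the sample events are assumptions constructed for illustration:

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Event is a simplified endpoint telemetry record (a constructed schema, not a
// vendor format). Kind is "proc" (Detail holds the command line) or "file"
// (Detail holds the written or renamed path).
type Event struct {
	Time                  time.Time
	Kind, Process, Detail string
	PID                   int
}

// Alert is one rule match.
type Alert struct {
	Rule, Process, Detail string
	PID                   int
}

// Command-line fragments that remove or disable recovery points. Matched
// against a whitespace-normalized, lower-cased command line.
var recoveryTamperSigs = []string{
	"vssadmin delete shadows",
	"wmic shadowcopy delete",
	"wbadmin delete catalog",
	"bcdedit /set {default} recoveryenabled no",
}

func detectRecoveryTampering(events []Event) []Alert {
	var out []Alert
	for _, e := range events {
		if e.Kind != "proc" {
			continue
		}
		cmd := strings.ToLower(strings.Join(strings.Fields(e.Detail), " "))
		for _, sig := range recoveryTamperSigs {
			if strings.Contains(cmd, sig) {
				out = append(out, Alert{"recovery-tampering", e.Process, e.Detail, e.PID})
				break
			}
		}
	}
	return out
}

// detectMassFileWrites fires once per PID when that process touches at least
// threshold files inside any window-sized span. Events are assumed to arrive
// in time order per PID, as an EDR stream would deliver them.
func detectMassFileWrites(events []Event, window time.Duration, threshold int) []Alert {
	var out []Alert
	recent := map[int][]time.Time{} // per PID, timestamps still inside the window
	fired := map[int]bool{}
	for _, e := range events {
		if e.Kind != "file" || fired[e.PID] {
			continue
		}
		q := recent[e.PID]
		for len(q) > 0 && e.Time.Sub(q[0]) > window {
			q = q[1:] // expire timestamps that fell out of the window
		}
		q = append(q, e.Time)
		recent[e.PID] = q
		if len(q) >= threshold {
			fired[e.PID] = true
			out = append(out, Alert{"mass-file-writes", e.Process,
				fmt.Sprintf("%d files in %s, latest %s", len(q), window, e.Detail), e.PID})
		}
	}
	return out
}

func analyze(events []Event) []Alert {
	return append(detectRecoveryTampering(events), detectMassFileWrites(events, 10*time.Second, 30)...)
}

// sampleEvents is constructed telemetry: a word processor saving three files over
// five minutes (benign), then one process renaming 40 files to a new extension in
// two seconds and deleting shadow copies (the pattern the rules should catch).
func sampleEvents() []Event {
	t0 := time.Date(2024, 1, 1, 9, 0, 0, 0, time.UTC)
	var ev []Event
	for i := 0; i < 3; i++ {
		ev = append(ev, Event{t0.Add(time.Duration(i) * 100 * time.Second), "file", "winword.exe",
			fmt.Sprintf(`C:\Users\a\Documents\report%d.docx`, i), 4120})
	}
	for i := 0; i < 40; i++ {
		ev = append(ev, Event{t0.Add(time.Duration(i) * 50 * time.Millisecond), "file", "update.exe",
			fmt.Sprintf(`\\fileserver\finance\invoice%02d.xlsx.locked`, i), 7788})
	}
	ev = append(ev, Event{t0.Add(3 * time.Second), "proc", "cmd.exe",
		`cmd.exe /c vssadmin  delete shadows /all /quiet`, 7790})
	return ev
}

func main() {
	for _, a := range analyze(sampleEvents()) {
		fmt.Printf("[%s] %s (pid %d): %s\n", a.Rule, a.Process, a.PID, a.Detail)
	}
}
```

The sliding window is what keeps the write-rate rule from firing on ordinary users saving documents; tune the window and threshold against your own baseline, and treat the recovery-tampering rule as high-confidence, since there is almost no legitimate reason for an interactive process to delete all shadow copies quietly.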

      • Related Articles

      • Medusa Ransomware (MedusaLocker)

        What it is MedusaLocker is ransomware that encrypts your files and demands a cryptocurrency payment to unlock them. It often arrives through email lures or exposed services, then spreads across the network. Technical details and IOCs are in our ...
      • Cerber Ransomware

        What it is Cerber is ransomware run like a business (“RaaS”). The operators rent the malware to affiliates, who break in, encrypt files, and demand payment—then share the profits with Cerber’s creators. How it spreads Phishing emails with ...
      • BabLock Ransomware

        What it is (in plain words): BabLock is ransomware that breaks into Windows and Linux systems, scrambles (encrypts) your files, and demands payment to unlock them. It typically goes after small and mid-size businesses where one infected PC can ...
      • Clop Ransomware

        What it is Clop is big-game ransomware: attackers break into a network, encrypt files, and demand payment to unlock them—often with data theft first to pressure victims (double extortion). It mostly targets Windows environments and larger ...
      • CryptoLocker Ransomware

        What it is CryptoLocker is ransomware that breaks into a Windows PC, hunts for documents (on the computer and connected drives), encrypts them with strong keys, and then demands a payment to unlock your files. You’ll see a ransom note saying your ...