Ransomware is a type of malicious software that blocks access to a victim’s files or systems, commonly by encrypting data, and then demands a ransom for a decryption key or restoration. In many cases, attackers request payment in cryptocurrency because it can move quickly across borders and is harder to reverse than card or bank payments.
How ransomware works
Most ransomware infections start with a delivery method such as a phishing email attachment, a fake software update, stolen credentials, or exploitation of an unpatched server. Once executed, the malware searches for valuable data, encrypts files, and replaces filenames or adds extensions to indicate they are locked. The attacker then displays instructions for paying the ransom, usually with a deadline and a cryptocurrency address.
Some groups also use “double extortion,” where they steal data before encrypting it and threaten to publish sensitive information if the victim refuses to pay. Even when victims pay, there is no guarantee the attacker will provide a working decryption tool, and decryption may be slow or incomplete.
Why cryptocurrency is used and what it means on-chain
Ransomware operators often request Bitcoin or other digital assets because payments can be sent without a traditional intermediary approving the transaction. Attackers may attempt to obfuscate fund flows using multiple wallets, mixers, or chain hopping between assets and networks. This creates a cat-and-mouse dynamic where blockchain analytics firms and law enforcement trace transactions, flag addresses, and sometimes recover funds, while criminals look for new ways to reduce traceability.
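The tracing described above, as an added example that is not part of the original article: a simplified "haircut" taint model run over a constructed ledger, where value leaving an address carries that address's current tainted fraction, so funds split across wallets, blended in a mixer, or moved through a bridge can still be attributed back to a known ransom address. All addresses, amounts and transaction ids are made up, and the bridge hop is assumed to preserve value one-to-one.

```python
from collections import defaultdict

# Constructed ledger for this example: (tx_id, from, to, amount, asset), in time order.
# Every address and value is made up; the bridge hop is modelled as a 1:1 value transfer.
LEDGER = [
    ("tx1", "victim", "ransom_addr", 10.0, "BTC"),
    ("tx2", "ransom_addr", "hop1", 6.0, "BTC"),
    ("tx3", "ransom_addr", "hop2", 4.0, "BTC"),
    ("tx4", "hop1", "mixer", 6.0, "BTC"),
    ("tx5", "clean_user", "mixer", 9.0, "BTC"),   # unrelated funds enter the mixer
    ("tx6", "mixer", "hop3", 3.0, "BTC"),
    ("tx7", "hop2", "bridge", 4.0, "BTC"),
    ("tx8", "bridge", "hop4", 4.0, "ETH"),        # chain hop into another asset
    ("tx9", "hop3", "exchange_deposit", 3.0, "BTC"),
]

def trace_taint(ledger, seed_addrs):
    """Haircut taint: funds leaving an address carry its current tainted fraction.
    Returns {address: fraction of all value it received that traces to a seed}."""
    balance, tainted = defaultdict(float), defaultdict(float)          # current holdings
    recv_total, recv_tainted = defaultdict(float), defaultdict(float)  # cumulative inflows
    for _tx, src, dst, amount, _asset in ledger:
        moved = 0.0
        if balance[src] > 0:
            # Spend from the sender's tracked holdings; value beyond them is
            # unseen external money and is treated as clean.
            covered = min(amount, balance[src])
            moved = covered * tainted[src] / balance[src]
            tainted[src] -= moved
            balance[src] -= covered
        if dst in seed_addrs:
            moved = amount  # every payment to a known ransom address is fully tainted
        balance[dst] += amount
        tainted[dst] += moved
        recv_total[dst] += amount
        recv_tainted[dst] += moved
    return {a: recv_tainted[a] / recv_total[a] for a in recv_total}

def flagged_addresses(exposure, threshold=0.1):
    """Addresses whose tainted share of received value is at or above the threshold."""
    return sorted(a for a, f in exposure.items() if f >= threshold)

if __name__ == "__main__":
    exposure = trace_taint(LEDGER, {"ransom_addr"})
    for addr in flagged_addresses(exposure):
        print(f"{addr:18s} tainted share {exposure[addr]:.0%}")
```

Note how the mixer dilutes the taint to 40% once clean funds are pooled, which is exactly why analytics firms apply thresholds rather than treating any downstream address as fully tainted.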
Ransomware matters in the crypto ecosystem because it is a major driver of illicit transaction activity, shapes regulation and compliance expectations for exchanges, and highlights why cybersecurity, key management, and operational resilience are critical for anyone interacting with digital assets.