Ransomware

Contents

  1. Introduction
  2. Types
    1. Encryption
    2. Non-Encryption
    3. Frustration Tactics
  3. Examples
    1. CryptoLocker
    2. Reveton
  4. Economic Impacts
  5. Organized Crime and Botnets
  6. Sources

Introduction

Ransomware is a type of malware that restricts access to some part of a system and then demands a ransom to have that access restored. Ransomware families are becoming increasingly common as more and more of them successfully rake in large sums of extorted money. To attackers they are an ideal tool for stealing money, because the payment methods they demand, such as Bitcoin and prepaid Ukash vouchers, are hard to trace back to a person.

Types

    Encryption

    Many ransomware families fall under the category of "cryptoviral" attacks. A cryptoviral attack encrypts the victim's data under a key that only the attacker can reverse: in practice each file is encrypted with a fresh symmetric key, and that key is in turn encrypted with the attacker's public key, so the matching private key (which never leaves the attacker) is needed to recover anything. Since encrypting a large hard drive can be extremely slow, encryption ransomware puts a lot of emphasis on avoiding detection until the process is complete. Once all the data is encrypted, the malware (or the attackers themselves) demands a ransom to have the data decrypted.

    The concept was first tried out in 1989 by Dr. Joseph Popp, who wrote the PC CYBORG (AIDS) trojan horse. In 1996 the term cryptovirology was coined in Young and Yung's paper on the subject. As time went on, ransomware started using stronger encryption and more sophisticated propagation methods. Of late, encryption ransomware has become more and more prominent, helped by the creation of Bitcoin as a hard-to-trace way of collecting payment and by the correct use of standard, strong algorithms, which leaves victims no way to recover their files without the attacker's key.

    Non-Encryption

    The idea behind ransomware was originally based on extortion through encryption, but eventually attackers realised that encryption is only really necessary against computer-competent defenders. Much of the ransomware of the past 5 years has been geared towards tricking users into paying rather than truly forcing them to. Most of the time these "lockers" block the computer trivially with a full-screen window and disable the usual escape routes, such as Task Manager. Some are just web pages that use browser tricks (script loops that keep reopening dialogs, forced full-screen, clickjacking-style overlays) to make the browser hard to close, and others simply cover the screen in pornographic images. A large number are also known for changing registry values, such as the Winlogon shell or the Run keys, so that the computer boots straight into a screen demanding payment to have it unlocked.

    Frustration Tactics

    Sticking to the concept of targeting less capable computer users, ransomware became simpler than ever.

Examples

    CryptoLocker

    CryptoLocker is a widespread cryptoviral trojan that encrypts most types of files on local and mapped network drives. It operates quietly at first, making small registry changes so that it runs at start-up and contacting its command server to receive a public key. It also tries to delete backups and shadow copies so that the victim cannot recover the encrypted data from them. Once ready, it encrypts every file whose extension matches a long built-in list, encrypting each file with a fresh symmetric key and wrapping that key with the 2048-bit RSA public key it was issued. When all the files have been encrypted, a screen pops up demanding a payment of $300 USD worth of Bitcoin to have the files decrypted.

    CryptoLocker was distributed through the Gameover ZeuS botnet, a massive international botnet that facilitated huge amounts of extortion and theft. Gameover ZeuS was crucial to CryptoLocker's operation because the malware used the botnet's infrastructure to reach a command server that generated a fresh RSA key pair for each victim and handed back only the public key; the private key stayed on the server, which is what made the ransom demand credible. The malware carries no usable key of its own, so without that public key it cannot begin encrypting (it could only encrypt under a key nobody holds, which would destroy the data permanently rather than hold it for ransom), and blocking the command channel before the key arrived stopped an infection from doing damage.
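    The key-handling model described in the Encryption section and again here for CryptoLocker (a per-victim public key issued by the server, a private key that never leaves it, and files encrypted under per-file symmetric keys) is shown below as an added example. It is not code from the original page or from any real malware; it uses the Python `cryptography` package, and the blob layout, function names and the sample file contents are assumptions made for the example. It works on byte strings only and deliberately never touches the filesystem.

```python
"""Hybrid "cryptoviral" key handling: RSA public key from the server, AES per file.

Added example, not code from the original page or from any real malware. Assumes
the `cryptography` package is installed. Blob layout and names are made up here.
"""
import os
import struct

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# RSA-OAEP parameters used to wrap the per-file key (assumed; the page only says "2048-bit RSA").
OAEP = padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)


def server_issue_keypair():
    """Command-server side: generate a fresh key pair for one victim.

    Only the PEM public key is ever sent to the victim; the private key stays here.
    """
    private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    public_pem = private_key.public_key().public_bytes(
        encoding=serialization.Encoding.PEM,
        format=serialization.PublicFormat.SubjectPublicKeyInfo)
    return private_key, public_pem


def client_encrypt_file(public_pem, plaintext):
    """Victim side: encrypt one file with a random AES-256-GCM key, then wrap that key with RSA.

    Returns one blob: 2-byte length | RSA-wrapped file key | 12-byte nonce | ciphertext+tag.
    Nothing in the blob lets the holder of the public key alone recover the plaintext.
    """
    public_key = serialization.load_pem_public_key(public_pem)
    file_key = AESGCM.generate_key(bit_length=256)
    nonce = os.urandom(12)
    ciphertext = AESGCM(file_key).encrypt(nonce, plaintext, None)
    wrapped_key = public_key.encrypt(file_key, OAEP)
    return struct.pack(">H", len(wrapped_key)) + wrapped_key + nonce + ciphertext


def server_decrypt_file(private_key, blob):
    """Server side (what the victim pays for): unwrap the file key, then decrypt the file.

    Raises ValueError (RSA unwrap failure) or InvalidTag (AES-GCM) if the key does not match.
    """
    (key_len,) = struct.unpack(">H", blob[:2])
    wrapped_key = blob[2:2 + key_len]
    nonce = blob[2 + key_len:2 + key_len + 12]
    ciphertext = blob[2 + key_len + 12:]
    file_key = private_key.decrypt(wrapped_key, OAEP)
    return AESGCM(file_key).decrypt(nonce, ciphertext, None)


def can_recover(private_key, blob):
    """True only if this private key matches the public key the blob was produced with."""
    try:
        server_decrypt_file(private_key, blob)
        return True
    except (ValueError, InvalidTag):
        return False


if __name__ == "__main__":
    priv, pub_pem = server_issue_keypair()        # issued for victim A
    other_priv, _ = server_issue_keypair()        # issued for some other victim
    document = b"Q3 budget spreadsheet (constructed sample content)"
    blob = client_encrypt_file(pub_pem, document)
    print("encrypted blob bytes:", len(blob))
    print("victim A's private key recovers the file:", can_recover(priv, blob))
    print("another victim's private key recovers it:", can_recover(other_priv, blob))
```

    The design point is that the only secret the victim's machine ever holds is the per-file AES key, and that key is in the blob only in RSA-wrapped form, so neither the victim nor anyone who later captures the malware sample can undo the encryption; the server's key database is the single route to recovery without paying, which is also why seizing that database is the one thing that lets defenders decrypt files afterwards.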

    Reveton

    Reveton appeared in 2012 as a simple but effective non-encrypting ransomware that restricts access by launching a full-screen window with no conventional way to close it. The lock screen is always a more or less convincing spoof of a government agency, usually a national police force, demanding a fine for illegal downloading or child pornography. The screen tries to intimidate by making it look like the victim is being tracked: it may display the victim's IP address, a guess at the victim's name, and even a live feed from the computer's webcam. Like many pieces of malware it quickly evolved into many variants, each with its own spin on the usual scare scam, and Reveton is known to leave behind key-logging components, additional trojans and system tweaks that make updating security software more difficult.

    While it is not very difficult to deal with malware that operates like Reveton, many people end up paying because they don't know any better. On top of that, there are kits such as the Blackhole exploit kit that can be rented to spread this malware through compromised web pages (drive-by downloads) and spoofed emails. The combination of being easy to spread and relatively lucrative makes these lockers extremely common.
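    Two of the behaviours described on this page leave obvious host telemetry: the backup and shadow-copy deletion that precedes encryption in CryptoLocker-style trojans, and the Winlogon or Run-key registry changes that Reveton-style lockers use to front the desktop with their payment screen. The detector below is an added example that is not code from the original page or from any vendor product. The command-line patterns and registry paths it matches are the usual forms an analyst would write, not a claim about the exact commands any one family ran, and the Sysmon-style events it runs over are constructed for the example.

```python
"""Host-telemetry detection for two ransomware behaviours described on this page:
recovery-point destruction before encryption, and lock screens installed via
Winlogon or Run registry values.

Added example, not code from the original page or from any vendor product. The
command-line patterns, registry paths and SAMPLE_EVENTS are assumptions written
for the example; the events are constructed, Sysmon-style records.
"""
import re

# Event ID 1 (process creation): commands that destroy local recovery points.
SHADOW_TAMPER_PATTERNS = [
    re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I),
    re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I),
    re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
    re.compile(r"\bwbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)\b", re.I),
]

# Event ID 13 (registry value set): values a locker can hijack to front or replace the desktop.
WINLOGON_VALUE = re.compile(r"\\Winlogon\\(Shell|Userinit)$", re.I)
RUN_KEY_VALUE = re.compile(r"\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.I)
USER_WRITABLE_PATH = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.I)
EXPECTED_USERINIT = re.compile(r"^c:\\windows\\system32\\userinit\.exe,?$", re.I)


def winlogon_value_is_expected(target, details):
    """Default Shell is 'explorer.exe'; default Userinit is userinit.exe with an optional comma."""
    if target.lower().endswith("\\shell"):
        return details.strip().lower() == "explorer.exe"
    return bool(EXPECTED_USERINIT.match(details.strip()))


def detect(events):
    """Return one (rule, subject, evidence) tuple per event that matches a rule."""
    alerts = []
    for ev in events:
        if ev["EventID"] == 1:
            cmd = ev.get("CommandLine", "")
            if any(p.search(cmd) for p in SHADOW_TAMPER_PATTERNS):
                alerts.append(("shadow_copy_tamper", ev.get("Image", ""), cmd))
        elif ev["EventID"] == 13:
            target, details = ev["TargetObject"], ev.get("Details", "")
            if WINLOGON_VALUE.search(target):
                if not winlogon_value_is_expected(target, details):
                    alerts.append(("winlogon_hijack", target, details))
            elif RUN_KEY_VALUE.search(target) and USER_WRITABLE_PATH.search(details):
                alerts.append(("run_key_user_writable_path", target, details))
    return alerts


# Constructed sample telemetry (not real logs): three tampering commands, one benign
# process, one hijacked Shell value, one default Userinit value, one autorun from a
# temp directory, and one ordinary autorun from Program Files.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": r"vssadmin.exe Delete Shadows /All /Quiet"},
    {"EventID": 1, "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": r"wmic shadowcopy delete"},
    {"EventID": 1, "Image": r"C:\Windows\System32\bcdedit.exe",
     "CommandLine": r"bcdedit.exe /set {default} recoveryenabled No"},
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"svchost.exe -k netsvcs"},
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "Details": r"C:\Users\bob\AppData\Roaming\winlock.exe"},
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",
     "Details": r"C:\Windows\system32\userinit.exe,"},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run\svchost",
     "Details": r"C:\Users\bob\AppData\Local\Temp\svchost.exe"},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"},
]

if __name__ == "__main__":
    for rule, subject, evidence in detect(SAMPLE_EVENTS):
        print(f"{rule:28} {subject}\n{'':28} {evidence}")
```

    Run against the constructed events it raises five alerts and stays quiet on the three benign records. Shadow-copy deletion is rare enough on workstations that the first rule can be alerted on directly; the Run-key rule is noisier and is scoped here to binaries in user-writable directories for that reason.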

Economic Impacts

While the money paid isn't easy to track, some victims' payments have been traced to Bitcoin addresses through which millions of dollars were moving. The original CryptoLocker is estimated to have taken in around $27 million USD, and a single day of Reveton-style malware running on a large botnet gathers around $50,000 USD. Symantec's studies put ransomware extortion at a conservative $5 million USD per year. The fact that ransomware is so lucrative encourages even more attacks and clones, which is why large coordinated efforts are made to take down the botnets behind it.

Organized Crime and Botnets

Ransomware attackers have been very hard to track down, and only a few have ever actually been caught. Usually the botnet gets taken down but the operators remain anonymous. Because of this, many criminal organisations maintain and fortify large botnets that let them deploy ransomware freely, without much danger of being caught.

Sources