
Definitions of Jargon: Ransomware

Definitions of Jargon (DOJ): Ransomware

While jargon is sometimes created by only a few thought leaders, it soon becomes an element of everyday life. In cybersecurity, concise jargon makes it easier for those “in the know” to talk about threats and the technology used to fight them. This is especially true when it comes to ransomware, where knowing the jargon not only provides insight into the world of ransomware criminals but also makes it easier to evade their attacks. Here are some of the terms you should be familiar with while on the ransomware battlefield.

The Fortinet Directory of Jargon (DOJ): for Ransomware



Archiveus Trojan

The Archiveus Trojan was released back in 2006, and it focused on Windows users. It was also the first ransomware to use RSA encryption, a specific way to codify data, to join separate files into one encrypted file.



B0r0nt0k

This ransomware earned its fame by encrypting websites and then asking for 20 bitcoin in exchange. When it was launched in 2019, this was the equivalent of $75,000. B0r0nt0k focused on infecting Linux servers.

Bad Rabbit

Bad Rabbit came on the scene in October 2017, demanding users pay up with bitcoin before releasing their files. It was known for using corporate networks to penetrate target systems.

Big-game hunting (BGH)

BGH refers to the process of going after high-value assets or data using a ransomware attack. A key element of the strategy involves victimizing companies that cannot sustain extended downtime.


Cobalt Strike

Cobalt Strike began as a penetration testing tool, then ransomware hackers started using it to launch attacks. It works by deploying an agent that the attacker then uses to gain access to the victim’s system.


Conti

Conti is one of the most well-known ransomware groups in the world. It originated in Russia and came to light for the first time in 2020. According to the Cybersecurity and Infrastructure Security Agency (CISA), Conti has been used in more than 400 attacks, both domestically and abroad.

Crypto ransomware

Crypto ransomware encrypts files on a hard disk. Although not every ransomware does this, most do. The attacker claims that if the ransom is paid, they will provide a decryption key.


CryptoLocker

CryptoLocker works by using a Trojan to target machines running Microsoft Windows. It has been credited with sparking the current ransomware boom. The criminal behind CryptoLocker made $27 million from an estimated 234,000 victims worldwide between late 2013 and mid-2014.

Cyber insurance

Many companies use cyber insurance to help pay for the expenses associated with a ransomware attack, including the ransom itself and the costs of getting their data back.




DeadBolt

In January 2022, a new variety of ransomware called DeadBolt appeared and started attacking network-attached storage (NAS) devices on the internet. It sends a ransom message requesting payment of 0.03 bitcoin in exchange for the decryption key.

Dharma Brrr ransomware

The Dharma ransomware family of attacks targets Remote Desktop Services (RDS) through direct internet connections. Attackers will look for Remote Desktop Protocol (RDP)-enabled computers on the internet, typically on TCP port 3389, and then attempt to guess the computer's password using a brute-force attack.

Double extortion

This involves an attacker demanding additional payment or threatening to reveal information—often personally identifiable information (PII) like social security numbers or credit card numbers—in addition to a fee for decrypting encrypted data.



GandCrab

GandCrab is the first ransomware to use the .bit top-level domain and demand payment in the cryptocurrency DASH. This provides attackers with an additional layer of security because DASH conceals user identities.


GoldenEye

The GoldenEye ransomware combines two different attack methods. First, two types of viruses are downloaded: Petya and Mischa. Next, these programs encrypt data and demand payment for the decryption key.


Jigsaw or BitcoinBlackmailer

Jigsaw only targets Windows-based computers. Its name is derived from an image attackers used from the Jigsaw movie series.



Lapsus$

The ransomware gang known as Lapsus$ gained prominence after attacking Brazil's Ministry of Health at the end of 2021. Then it assaulted the largest media conglomerate in Portugal on January 1, 2022 and targeted Samsung in March 2022.

Living Off the Land

The phrase "Living Off the Land" or LotL refers to the use of a victim's existing software as a base for other attacks, such as ransomware. Since the attacker uses what appears to be well-known, dependable software rather than unfamiliar applications, the attack is less likely to be discovered by antivirus programs.

Locker ransomware

Locker ransomware attacks computers and encrypts both the data on them and the user's files. In the beginning, Locker frequently asked for gift cards for payment. It now focuses on attacking mobile devices.


Locky

Locky uses social engineering to access victims' computers. After it first appeared in 2016, it quickly expanded to North America, Europe, and Asia. A hospital in Los Angeles was an early victim, with the attackers asking for a $17,000 ransom.


Mado ransomware

Mado ransomware is an encryption-based threat that modifies your registry to disable key functions. Mado then adds entries to Windows to block websites. To fix the damaged or corrupted data, you need a specialized PC repair tool.


Malware

Malware, or malicious software, is any software that infects computers and damages them in some way—or makes them vulnerable to attack.



NotPetya

In 2016 and 2017, the world met two variants of the same ransomware, Petya and NotPetya, both suspected to be from Russia. They both encrypt files, and during the time of their release, they made encryption-based attacks more popular.



Petya

Petya, like NotPetya, is believed to have hailed from Russia. It was used in several high-profile attacks in 2017, such as those targeting Ukraine, Germany, and other countries.



REvil

REvil is a ransomware-as-a-service (RaaS) business model, in which some attacks are carried out by REvil hackers while others are levied by affiliates who share in the profits.


RaaS

RaaS is a ransomware version of the Software-as-a-Service (SaaS) model. Similar to SaaS, RaaS is a subscription-based system that offers ransomware tools in return for a percentage of the profits.

Ransomware payments

Ransomware payments refer to the money victims are asked to give to attackers in exchange for regaining control of their systems or data.

Ransomware settlements

Ransomware settlements is another term for "ransomware payments." They involve the target paying money to an attacker so they can get their systems or data back.


Ryuk

The ransomware Ryuk is used for targeted attacks, in which threat actors make sure crucial files are encrypted before requesting a high ransom. Ryuk attackers usually request a few hundred thousand dollars from their victims.



Scareware

Scareware is a cyberattack method that involves using scare tactics to trick users into installing or buying malicious software. For example, a hacker may convince a user that they have sensitive or embarrassing information and use that to extort money from them.


Shade/Troldesh

Shade/Troldesh is usually spread through attached .zip files. It occasionally hosts downloads on a content management system (CMS) of a hacked website.


Tabletop exercise

A tabletop exercise replicates a full ransomware attack to test an organization's response to it. Its main objective is to identify flaws that can be fixed or removed.

Time-to-ransom (TTR)

TTR refers to the interval between the first compromise and the ransomware's execution. Depending on the attackers' objectives, this can happen right away or take quite a while—even months.

Triple extortion

Triple extortion is a tactic used by ransomware criminals to coerce not just initially affected organizations to pay up, but also customers and clients who may end up being affected by the data compromise. Hackers use triple extortion to rake in additional funds.



WannaCry

WannaCry ransomware was released in May 2017 and it spread swiftly, infecting as many as 230,000 machines in 150 different countries. The ransomware is thought to have been developed by North Korea. It asked for $300 in bitcoin, but there was no encryption key provided, so the approximately 1,000 victims who paid could not restore their files.

