ransom-note

Forensic Artifacts

Definition

A ransom note is the **message an attacker leaves for a victim after deploying ransomware**. It tells the victim what happened to their files or systems, how to pay the ransom, and what will supposedly happen if they don’t comply.

The note is often placed in every affected folder (as a text file like `README.txt`) or displayed as a pop-up when the system boots. Some ransomware also changes the desktop wallpaper to the ransom note for extra visibility.

A typical ransom note includes:

* **Notification of encryption** – “Your files have been encrypted.”
* **Payment demand** – Usually in cryptocurrency (Bitcoin, Monero).
* **Instructions** – How to buy cryptocurrency, where to send it, how to contact the attacker.
* **Threats** – Loss of data, public data leaks (in **double extortion** cases), or higher ransom if the victim delays payment.
* **Proof of decryption** – Sometimes the attacker offers to decrypt one file for free to “prove” they can restore data.

Example (simplified):

```
All your files have been encrypted.
Send 2 BTC to the address below to receive your decryption tool.
If payment is not made within 5 days, your files will be permanently lost.
```

In an investigation, ransom notes are important clues:

* **Attribution** – Wording, formatting, and contact methods often match specific ransomware families or groups.
* **Indicators of compromise (IOCs)** – Email addresses, URLs, or cryptocurrency wallets in the note can be used to track other victims or campaigns.
* **Timeline evidence** – File timestamps for when notes were dropped can reveal when encryption occurred.

Real-world examples:

* **WannaCry (2017)** – Displayed a red-and-white pop-up with a countdown clock.
* **LockBit** – Uses a templated text file with contact instructions and a link to its leak site.
* **REvil (Sodinokibi)** – Provided victims with a Tor link to a chat portal for negotiation.

ransom-note

Definition

Explore More Terms