Among the oldest, and traditionally the most common form of ransomware, crypto ransomware works by finding valuable files on a system and applying encryption to them so they become unusable. Hackers then demand a ransomware payment, after which they will (in theory) provide businesses with the decryption key needed to unlock them.

Such ransomware may infect all files on a device or seek out certain file types. Some variants can even look beyond the devices themselves to infect shared or networked drives or even cloud storage, potentially spreading the issues to all parts of a business. They do, however, typically leave the device usable.

This type of attack is becoming less common as businesses become more aware of the threat of ransomware and take more preventative measures. Having comprehensive, off-site backups, for instance, can be an effective way of mitigating the damage caused by this type of ransomware. However, hackers who do continue to use these tools have started countering these efforts by adding timed delays to their malware in order to infect backups as well.