What Is Ransomware?

■ In a typical attack, hackers send their victims an email that includes a link to what appears to be an innocuous web address, or an email attachment. In this case, attackers appear to have sent their victims encrypted .zip file attachments, intended to make it more difficult to detect their nefarious purpose.

■ Victims who open that attachment soon find their computers infected. The program encrypts files, folders, and drives on the computer — and potentially entire networks to which it is connected. “Users and organizations are generally not aware they have been infected until they can no longer access their data or until they begin to see computer messages advising them of the attack and demands for a ransom payment in exchange for a decryption key,” according to the F.B.I.

■ The messages that victims receive include directions for paying the attackers a ransom. Payment is typically demanded, as it was in the most recent string of attacks, in bitcoin.

■ A hospital in Los Angeles was similarly attacked in February of last year, paying a bitcoin ransom equivalent to about $17,000 to hackers who used malware to hold its computer system hostage.

How Was the Attack Curbed?

■ The attackers, who have yet to be identified, had included a “kill switch” in their attack, a way of disabling the malware in case they wanted to shut down their activities. To do so, the assailants included code in the ransomware that would stop it from spreading if the virus sent an online request to a specific website, such as one created by the attackers.

■ When the 22-year-old British researcher whose Twitter handle is @MalwareTechBlog saw during the attack that the kill switch’s domain name had not been registered, he bought it himself. By making the site go live, the researcher inadvertently shut down the attack before it could fully spread to the United States, experts said. (He confirmed his involvement and wrote a blog post about it but insisted on anonymity because he did not want the public scrutiny.)

■ “The kill switch is why the U.S. hasn’t been touched so far,” said Matthieu Suiche, founder of Comae Technologies, a cybersecurity company in the United Arab Emirates. “But it’s only temporary. All the attackers would have to do is create a variant of the hack with a different domain name.”
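The kill switch described above has a defensive side effect: because the malware stops only after it has asked for the domain, any host that looked the domain up has almost certainly run the malware, and the answer it got back tells you whether the kill switch could actually fire. The following script is an added example, not code from the article or from any of the people quoted in it. It assumes a simple one-line-per-query DNS resolver log layout, uses a placeholder domain name (the article does not give the real one), and runs over a small constructed sample log.

```python
"""Flag hosts whose DNS lookups hit a ransomware kill-switch domain.

Added example, not code from the article. The malware described there sends a
request to a specific domain and stops spreading if that request succeeds, so a
host that looked the domain up has almost certainly run the malware, and the
response code tells you whether the kill switch could have answered it.
"""
import re
from collections import defaultdict

# Placeholder: the article does not give the real kill-switch domain.
KILL_SWITCH_DOMAINS = {"killswitch-placeholder.example"}

# Response codes meaning the lookup produced no usable answer.
FAILED_RCODES = {"NXDOMAIN", "SERVFAIL", "REFUSED"}

# Assumed log layout: "<timestamp> client <ip> query <name> <type> <rcode>".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) client (?P<client>\S+) query (?P<qname>\S+) (?P<qtype>\S+) (?P<rcode>\S+)$"
)

# Constructed sample log: one host whose lookup was answered, one whose lookups
# failed (the domain was still unregistered, then egress filtering refused it).
SAMPLE_LOG = """\
2017-05-12T10:01:02Z client 10.0.4.17 query killswitch-placeholder.example. A NOERROR
2017-05-12T10:01:05Z client 10.0.4.17 query update.example.org. A NOERROR
2017-05-12T10:02:11Z client 10.0.9.3 query killswitch-placeholder.example. A NXDOMAIN
2017-05-12T10:03:40Z client 10.0.9.3 query KILLSWITCH-PLACEHOLDER.example. A REFUSED
2017-05-12T10:04:00Z client 10.0.2.250 query mail.example.net. MX NOERROR
"""


def normalize(name):
    """Lower-case a DNS name and drop the trailing dot so comparisons are exact."""
    return name.rstrip(".").lower()


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_killswitch_lookups(log_text, domains=KILL_SWITCH_DOMAINS):
    """Map each client that queried a kill-switch domain to a small triage record.

    reachable=True  -> at least one lookup was answered; the kill switch could fire,
                       but the host still ran the malware and needs cleanup.
    reachable=False -> every lookup failed; nothing told the malware to stop.
    """
    wanted = {normalize(d) for d in domains}
    hits = defaultdict(lambda: {"first_seen": None, "lookups": 0, "reachable": False})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or normalize(rec["qname"]) not in wanted:
            continue
        entry = hits[rec["client"]]
        if entry["first_seen"] is None:
            entry["first_seen"] = rec["ts"]
        entry["lookups"] += 1
        if rec["rcode"] not in FAILED_RCODES:
            entry["reachable"] = True
    return dict(hits)


def verdict(entry):
    """Human-readable triage line for one client record."""
    if entry["reachable"]:
        return "ran the malware; kill switch answered, isolate and clean"
    return "ran the malware; kill switch NOT answered, may still be spreading"


if __name__ == "__main__":
    for client, entry in sorted(find_killswitch_lookups(SAMPLE_LOG).items()):
        print(f"{client:<12} first={entry['first_seen']} lookups={entry['lookups']} -> {verdict(entry)}")
```

Two caveats follow directly from how the switch works. First, a kill-switch domain must stay reachable: a proxy or DNS filter that refuses the lookup (the REFUSED line in the sample) leaves the malware without the signal that tells it to stop, so the domain belongs on an allow list rather than a block list. Second, a successful DNS answer only shows the switch could fire, not that the web request itself got through, so the host still needs to be isolated and cleaned either way.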