1. What is mobile ransomware?
A) A type of malware that locks a phone’s screen or encrypts data and demands payment
B) A virus that slows down mobile performance
C) A phishing scam targeting mobile users
D) A software update that corrupts phone data
Answer: A type of malware that locks a phone’s screen or encrypts data and demands payment
Explanation: Mobile ransomware is a type of malware that locks the device or encrypts files and demands ransom to restore access. It usually spreads through malicious apps, phishing links, or exploit kits.
2. Which encryption technique is commonly used by mobile ransomware?
A) AES (Advanced Encryption Standard)
B) SHA-256
C) MD5
D) Base64
Answer: AES (Advanced Encryption Standard)
Explanation: Most ransomware uses AES (Advanced Encryption Standard) to encrypt files on mobile devices, making it difficult for victims to recover data without the decryption key.
3. How does mobile ransomware commonly spread?
A) Through official app stores
B) Via malicious apps, phishing links, and SMS messages
C) By downloading from trusted cybersecurity websites
D) Through antivirus software updates
Answer: Via malicious apps, phishing links, and SMS messages
Explanation: Mobile ransomware often spreads through malicious apps from third-party stores, phishing links, fake updates, and SMS-based scams (SMiShing).
4. What is the primary goal of mobile ransomware?
A) To gain persistent access to the device for spying
B) To lock the device or encrypt files and demand ransom
C) To steal login credentials
D) To crash the mobile operating system
Answer: To lock the device or encrypt files and demand ransom
Explanation: The primary goal of mobile ransomware is to lock the device or encrypt files and demand a ransom payment in exchange for restoring access.
5. Which mobile operating system is most commonly targeted by ransomware?
A) iOS
B) Android
C) Windows Mobile
D) Symbian
Answer: Android
Explanation: Android is the primary target for ransomware due to its open-source nature, third-party app support, and weaker security restrictions compared to iOS.
6. What is the name of the ransomware that locks the screen and displays a fake law enforcement warning?
A) CryptoLocker
B) Police Ransomware
C) WannaCry
D) Pegasus
Answer: Police Ransomware
Explanation: Police Ransomware (or FBI Ransomware) falsely claims to be from law enforcement agencies and demands a fine for alleged illegal activities.
7. How can users prevent mobile ransomware attacks?
A) Only install apps from official stores like Google Play and Apple App Store
B) Click on links from unknown SMS messages
C) Enable app installation from “Unknown Sources”
D) Disable automatic security updates
Answer: Only install apps from official stores like Google Play and Apple App Store
Explanation: Installing apps only from official stores significantly reduces the risk of ransomware, since Google Play Protect and the Apple App Store screen apps for malware.
8. What is a common technique used by mobile ransomware to extort money?
A) Sending phishing emails
B) Threatening to leak personal data
C) Displaying fake tech support warnings
D) Locking the SIM card
Answer: Threatening to leak personal data
Explanation: Many ransomware variants threaten to leak sensitive data or claim to have illegal content on the device to pressure victims into paying.
9. What is “Double Extortion” in ransomware attacks?
A) Encrypting files and threatening to publish stolen data
B) Asking for ransom twice before decrypting files
C) Infecting both mobile and desktop devices simultaneously
D) Spreading ransomware via Bluetooth
Answer: Encrypting files and threatening to publish stolen data
Explanation: In a double extortion attack, ransomware encrypts files AND exfiltrates sensitive data, threatening to release the data publicly if the ransom isn’t paid.
10. What role does social engineering play in mobile ransomware attacks?
A) Attackers trick users into downloading ransomware via fake links or apps
B) Attackers use AI to decrypt ransomware
C) Attackers physically hack into mobile devices
D) Attackers exploit CPU vulnerabilities
Answer: Attackers trick users into downloading ransomware via fake links or apps
Explanation: Social engineering is a key tactic used to trick users into downloading malicious apps or clicking on links that install ransomware.
11. What is a typical ransom demand in mobile ransomware attacks?
A) Free removal in exchange for completing a survey
B) Payment in cryptocurrency like Bitcoin
C) Direct bank transfers
D) Gift cards from app stores
Answer: Payment in cryptocurrency like Bitcoin
Explanation: Most ransomware demands cryptocurrency payments (Bitcoin, Monero, etc.) to avoid detection and ensure anonymity.
12. What should a user NOT do if infected by mobile ransomware?
A) Try to remove the ransomware manually
B) Pay the ransom immediately
C) Restore from a backup
D) Use an antivirus tool
Answer: Pay the ransom immediately
Explanation: Paying the ransom is not recommended because it encourages attackers and does not guarantee file recovery.
13. Which of the following is NOT a sign of mobile ransomware infection?
A) Unresponsive or locked screen
B) Increased battery usage
C) A pop-up demanding ransom
D) Inability to access files
Answer: Increased battery usage
Explanation: While high battery usage can be a sign of malware, it is not a direct symptom of ransomware, unlike screen locks, ransom messages, and file encryption.
14. Which security feature can help protect against ransomware on Android?
A) Factory Reset Protection (FRP)
B) Google Play Protect
C) Screen timeout settings
D) Bluetooth encryption
Answer: Google Play Protect
Explanation: Google Play Protect scans apps for malware and prevents malicious installations, reducing ransomware risks.
15. What is the first step to take when a mobile device is infected with ransomware?
A) Immediately pay the ransom
B) Disable network connections and boot into Safe Mode
C) Delete all apps from the device
D) Restart the phone multiple times
Answer: Disable network connections and boot into Safe Mode
Explanation: Booting into Safe Mode prevents ransomware from running at startup, allowing users to remove the malicious app manually.
16. What is a common method used by mobile ransomware to prevent removal?
A) Encrypting all installed apps
B) Gaining device administrator privileges
C) Blocking factory reset options
D) Turning off the screen
Answer: Gaining device administrator privileges
Explanation: Many mobile ransomware variants request administrator rights to prevent users from uninstalling them.
17. What is Locker Ransomware?
A) Ransomware that encrypts device files
B) Ransomware that locks the screen but does not encrypt files
C) Ransomware that steals bank credentials
D) Ransomware that deletes system files
Answer: Ransomware that locks the screen but does not encrypt files
Explanation: Locker ransomware prevents users from accessing their device by locking the screen but does not encrypt files.
18. Which of the following is an example of a famous mobile ransomware variant?
A) SLocker
B) Petya
C) Ryuk
D) TrickBot
Answer: SLocker
Explanation: SLocker was one of the first Android ransomware families that locked screens and demanded ransom.
19. What is the purpose of a decryptor in ransomware attacks?
A) To encrypt data for ransom
B) To remove the ransomware
C) To decrypt files after ransom payment
D) To stop ransomware from spreading
Answer: To decrypt files after ransom payment
Explanation: Attackers provide a decryptor tool only after ransom payment, allowing victims to unlock their encrypted files.
20. Which file types are typically targeted by mobile ransomware?
A) Only system files
B) Personal files such as photos, documents, and videos
C) Only temporary files
D) App configuration files
Answer: Personal files such as photos, documents, and videos
Explanation: Mobile ransomware often encrypts personal files to pressure victims into paying the ransom.
21. How does mobile ransomware usually demand ransom payments?
A) Bank transfers
B) Cryptocurrencies such as Bitcoin
C) Online shopping vouchers
D) Direct calls from attackers
Answer: Cryptocurrencies such as Bitcoin
Explanation: Most ransomware demands cryptocurrency payments for anonymity and to avoid tracking.
22. What does ransomware do after encryption is complete?
A) Deletes all encrypted files
B) Displays a ransom note demanding payment
C) Hides all installed apps
D) Wipes the device storage
Answer: Displays a ransom note demanding payment
Explanation: Once files are encrypted, ransomware displays a ransom note with payment instructions.
23. What is a common distribution method for mobile ransomware?
A) Malicious APK downloads
B) Sending files over Bluetooth
C) Encrypted Wi-Fi traffic
D) Remote access through SSH
Answer: Malicious APK downloads
Explanation: Attackers trick users into downloading malicious APK files that install ransomware on their devices.
24. What should users do to protect backups from ransomware attacks?
A) Store backups only on the same device
B) Use both cloud and offline backups
C) Keep only a single backup copy
D) Encrypt the backup with ransomware
Answer: Use both cloud and offline backups
Explanation: Having multiple backups in cloud and offline storage ensures data can be recovered without paying ransom.
25. What happens if a user factory resets their phone after a ransomware attack?
A) The ransomware is permanently removed
B) The ransomware encrypts the phone again
C) The device remains locked
D) The attacker refunds the ransom
Answer: The ransomware is permanently removed
Explanation: A factory reset erases all files, including ransomware, but data loss occurs unless backups exist.
26. What is a preventive measure against mobile ransomware?
A) Regularly installing security updates
B) Downloading apps from unverified sources
C) Avoiding antivirus software
D) Sharing ransom notes on social media
Answer: Regularly installing security updates
Explanation: Security updates patch vulnerabilities that ransomware exploits, reducing attack risks.
27. What does SMS-based ransomware commonly use to spread?
A) Fake text messages with malicious links
B) Mobile tower signal interference
C) Encrypted phone calls
D) VPN connections
Answer: Fake text messages with malicious links
Explanation: SMS-based ransomware (SMiShing) tricks users into clicking malicious links in fake messages.
28. How can users identify a fake ransomware pop-up?
A) By checking spelling errors and generic messages
B) By paying the ransom immediately
C) By scanning the QR code in the ransom note
D) By calling the phone support number
Answer: By checking spelling errors and generic messages
Explanation: Many fake ransomware pop-ups have poor grammar, generic threats, and fake law enforcement warnings.
29. Why is Android more vulnerable to ransomware than iOS?
A) Android allows installation from third-party sources
B) Android has no security features
C) iOS devices are too old for ransomware
D) Ransomware only affects Android processors
Answer: Android allows installation from third-party sources
Explanation: Android allows third-party app installations, making it easier for malicious apps to bypass security.
30. How do cybercriminals ensure victims cannot recover encrypted files?
A) By permanently deleting backups
B) By using strong encryption without decryption keys
C) By infecting all system files
D) By making files invisible
Answer: By using strong encryption without decryption keys
Explanation: Advanced encryption algorithms make it impossible to decrypt files without the attackers’ decryption key.
31. Which setting can prevent ransomware installation?
A) Disabling “Unknown Sources” in settings
B) Turning off location services
C) Using dark mode
D) Reducing screen brightness
Answer: Disabling “Unknown Sources” in settings
Explanation: Disabling “Unknown Sources” prevents users from installing unverified apps that could contain ransomware.
32. Why do cybercriminals use ransomware-as-a-service (RaaS)?
A) To rent out ransomware tools to other criminals
B) To provide free cybersecurity training
C) To help victims recover data
D) To stop ransomware attacks
Answer: To rent out ransomware tools to other criminals
Explanation: Ransomware-as-a-Service (RaaS) allows attackers to sell or rent ransomware to others for a share of profits.
33. What type of security software can detect and block ransomware?
A) Antivirus software with real-time protection
B) Video editing software
C) Gaming software
D) Screen recording tools
Answer: Antivirus software with real-time protection
Explanation: Real-time antivirus protection can detect and block ransomware before it infects a device.
34. What is the best way to respond to a ransomware attack?
A) Report the attack and restore from a backup
B) Pay the ransom immediately
C) Negotiate with the hacker
D) Try guessing the decryption key
Answer: Report the attack and restore from a backup
Explanation: Reporting the attack and restoring from a backup is the best approach instead of paying the ransom.
35. What is the role of a Command and Control (C2) server in mobile ransomware?
A) It helps security researchers analyze ransomware
B) It delivers encryption keys and controls infected devices
C) It automatically removes ransomware infections
D) It encrypts data stored in the cloud
Answer: It delivers encryption keys and controls infected devices
Explanation: A Command and Control (C2) server is used by attackers to send commands, distribute encryption keys, and control ransomware-infected devices remotely.
36. How does mobile ransomware typically evade detection by security software?
A) It runs in a hidden process and mimics system files
B) It automatically disables Wi-Fi
C) It creates duplicate icons for apps
D) It slows down the processor
Answer: It runs in a hidden process and mimics system files
Explanation: Some ransomware hides as a system file or runs in the background to avoid detection by security software.
37. What is the most effective way to recover files after a mobile ransomware attack?
A) Pay the ransom as soon as possible
B) Use data recovery tools after removing the malware
C) Restore from a secure backup
D) Reinstall apps from an unverified source
Answer: Restore from a secure backup
Explanation: The best way to recover files is by restoring from an offline or cloud backup rather than paying the ransom.
38. What type of ransomware prevents users from accessing specific applications on mobile devices?
A) Screen-locking ransomware
B) Crypto ransomware
C) Application-blocking ransomware
D) Trojan ransomware
Answer: Application-blocking ransomware
Explanation: Application-blocking ransomware specifically targets and prevents access to certain apps instead of encrypting files.
39. What is the main difference between crypto ransomware and locker ransomware?
A) Crypto ransomware encrypts files, while locker ransomware locks the device screen
B) Locker ransomware is easier to remove than crypto ransomware
C) Crypto ransomware can be removed by restarting the device
D) Locker ransomware does not demand payment
Answer: Crypto ransomware encrypts files, while locker ransomware locks the device screen
Explanation: Crypto ransomware encrypts personal files, whereas locker ransomware locks the screen and prevents device access.
40. How does mobile ransomware sometimes bypass Google Play Store security checks?
A) By disguising itself as a game or utility app
B) By disabling the Play Store app
C) By using advanced AI to change code
D) By modifying Google Play’s permissions
Answer: By disguising itself as a game or utility app
Explanation: Some ransomware apps bypass Google Play’s security by disguising themselves as legitimate apps (e.g., games, utilities, or security tools).
41. What is the primary way ransomware attackers communicate with victims?
A) Through social media
B) Through pop-up ransom notes or lock screens
C) Through voice calls
D) By sending a CAPTCHA verification
Answer: Through pop-up ransom notes or lock screens
Explanation: Ransomware displays a ransom note on the screen with payment instructions to communicate with the victim.
42. Why is jailbreaking or rooting a mobile device risky in terms of ransomware?
A) It prevents software updates
B) It allows ransomware to gain deeper access to system files
C) It slows down the phone’s performance
D) It increases the phone’s battery life
Answer: It allows ransomware to gain deeper access to system files
Explanation: Rooting or jailbreaking a device removes security protections, allowing ransomware to gain full control over system files.
43. What is the “No More Ransom” project?
A) A security project that provides free ransomware decryption tools
B) A ransomware variant targeting mobile banking apps
C) A payment platform for ransomware victims
D) A secret method for paying ransom anonymously
Answer: A security project that provides free ransomware decryption tools
Explanation: No More Ransom is an initiative by Europol and cybersecurity companies to help victims decrypt files without paying ransom.
44. What is a “kill switch” in mobile ransomware?
A) A feature that forces the victim to pay within 24 hours
B) A hidden function that allows the attacker to disable the ransomware
C) A built-in mechanism that permanently deletes files if ransom isn’t paid
D) A feature that increases ransom demand over time
Answer: A built-in mechanism that permanently deletes files if ransom isn’t paid
Explanation: Some ransomware has a kill switch that deletes encrypted files if the victim does not pay within a certain timeframe.
45. How do cybercriminals disguise ransomware links in phishing attacks?
A) By shortening URLs and making them look like legitimate links
B) By sending direct payment requests
C) By encrypting links using SSL
D) By only targeting government employees
Answer: By shortening URLs and making them look like legitimate links
Explanation: Attackers often use URL shorteners or spoofed domains to make malicious links appear legitimate.
46. What is a common characteristic of fake ransomware threats?
A) They claim the victim has committed a crime and demand a fine
B) They encrypt files using a government-issued encryption key
C) They are only found in corporate networks
D) They allow victims to test decrypting one file for free
Answer: They claim the victim has committed a crime and demand a fine
Explanation: Fake ransomware often pretends to be law enforcement and demands a “fine” for illegal activities.
47. Why do attackers use multiple cryptocurrency wallets in ransomware operations?
A) To increase transaction fees
B) To make tracking payments harder for law enforcement
C) To convert Bitcoin into real money faster
D) To allow victims to pay using different currencies
Answer: To make tracking payments harder for law enforcement
Explanation: Attackers use multiple cryptocurrency wallets to hide transactions and make it difficult for law enforcement to trace payments.
48. What is the main weakness of ransomware attacks that security researchers exploit?
A) Poor implementation of encryption algorithms
B) Attackers always leave a backdoor in the ransomware
C) Victims can guess the encryption key easily
D) Ransomware only works on certain types of devices
Answer: Poor implementation of encryption algorithms
Explanation: Some ransomware has flaws in its encryption, allowing security researchers to develop decryption tools.
49. What should users do if they receive a ransomware payment demand but their files are not encrypted?
A) Immediately pay the ransom
B) Ignore the message and scan for malware
C) Reinstall the operating system
D) Send a counter-offer to the attacker
Answer: Ignore the message and scan for malware
Explanation: Some ransomware campaigns scam users without actually encrypting files. Scanning for malware can confirm whether an infection is real.
50. Why do some ransomware variants increase the ransom amount over time?
A) To pressure victims into paying quickly
B) To allow victims more time to think about their options
C) To give victims a discount for early payment
D) To make ransomware more affordable for businesses
Answer: To pressure victims into paying quickly
Explanation: Some ransomware gradually increases the ransom amount to create urgency and pressure victims into paying before the deadline.
51. How do some mobile ransomware variants prevent victims from restarting their devices?
A) By disabling the power button functionality
B) By modifying the device’s wallpaper
C) By replacing the device’s boot animation
D) By reducing screen brightness
Answer: By disabling the power button functionality
Explanation: Some ransomware modifies system permissions to disable the power button, making it difficult for victims to restart or boot into safe mode.
52. What is a typical ransom amount demanded by mobile ransomware?
A) $1-$10
B) $50-$500
C) $10,000-$50,000
D) Free, as attackers decrypt files as a warning
Answer: $50-$500
Explanation: Mobile ransomware typically demands $50-$500 in cryptocurrency, though the amount can vary depending on the attack.
53. Which cybersecurity framework provides guidelines to protect against ransomware?
A) MITRE ATT&CK
B) Agile Development Framework
C) Waterfall Model
D) Blockchain Security Model
Answer: MITRE ATT&CK
Explanation: MITRE ATT&CK provides a comprehensive framework detailing ransomware tactics, techniques, and mitigations.
54. What is the main purpose of using a VPN against ransomware threats?
A) To encrypt internet traffic and prevent data interception
B) To completely block all ransomware attacks
C) To increase the phone’s speed
D) To automatically remove all ransomware infections
Answer: To encrypt internet traffic and prevent data interception
Explanation: A VPN (Virtual Private Network) encrypts network traffic, reducing the risk of man-in-the-middle attacks and malware distribution through compromised networks.
55. What does “Ransomware as a Service” (RaaS) enable for cybercriminals?
A) It allows them to rent ransomware tools without technical skills
B) It provides victims with free decryption tools
C) It helps cybersecurity researchers track ransomware
D) It is a government program for recovering lost data
Answer: It allows them to rent ransomware tools without technical skills
Explanation: Ransomware as a Service (RaaS) enables criminals with little technical knowledge to rent ransomware kits from developers in exchange for a share of the ransom profits.
56. What is one indicator that a mobile device might be infected with ransomware?
A) Increased battery life
B) Frequent pop-ups demanding payment
C) A sudden improvement in device speed
D) Reduced file size of images and videos
Answer: Frequent pop-ups demanding payment
Explanation: A major sign of ransomware is pop-ups demanding ransom payments, often preventing access to the device or files.
57. What happens if a user does not pay the ransom within the time limit set by mobile ransomware?
A) The ransom amount may increase
B) The attacker provides a free decryption key
C) The ransomware automatically removes itself
D) The phone self-destructs
Answer: The ransom amount may increase
Explanation: Some ransomware increases the ransom amount over time to pressure victims into paying before a deadline.
58. What is an effective strategy for securing a mobile device against ransomware?
A) Keeping software and apps updated regularly
B) Never updating the operating system
C) Installing multiple unverified security apps
D) Avoiding all Wi-Fi connections
Answer: Keeping software and apps updated regularly
Explanation: Regular updates patch vulnerabilities that ransomware exploits to gain access to devices.
59. What is the difference between scareware and ransomware?
A) Scareware tricks users with fake threats, while ransomware locks or encrypts files
B) Scareware is used by law enforcement, while ransomware is illegal
C) Scareware is more dangerous than ransomware
D) Scareware and ransomware are the same
Answer: Scareware tricks users with fake threats, while ransomware locks or encrypts files
Explanation: Scareware tricks users into believing their device is infected and demands money, while ransomware actually encrypts or locks the device.
60. Which security feature in Android helps detect and prevent malware, including ransomware?
A) Google Play Protect
B) Screen Timeout
C) Bluetooth Encryption
D) Fingerprint Scanner
Answer: Google Play Protect
Explanation: Google Play Protect scans apps and prevents malware, including ransomware, from being installed.
61. What role does artificial intelligence (AI) play in modern ransomware attacks?
A) AI helps ransomware adapt and evade security defenses
B) AI automatically decrypts files for free
C) AI replaces attackers in negotiating ransom payments
D) AI prevents all ransomware attacks
Answer: AI helps ransomware adapt and evade security defenses
Explanation: AI-powered ransomware can modify its behavior to evade detection by security software.
62. How do attackers ensure ransomware continues to function even after a reboot?
A) By modifying system boot files
B) By changing the device wallpaper
C) By sending a ransom note via email
D) By adjusting screen brightness settings
Answer: By modifying system boot files
Explanation: Some ransomware modifies system boot files to ensure it launches even after a device restart.
63. Why do some ransomware attackers offer “discounts” for quick payments?
A) To encourage fast ransom payments before the victim finds an alternative solution
B) To help victims recover files for free
C) To build trust with victims
D) To avoid law enforcement investigations
Answer: To encourage fast ransom payments before the victim finds an alternative solution
Explanation: Attackers offer limited-time discounts to pressure victims into paying quickly before they seek alternative recovery options.
64. What is the main disadvantage of paying the ransom?
A) It may not guarantee data recovery, and it funds further cybercrime
B) It automatically restores all lost files
C) It prevents future ransomware attacks
D) It reduces ransomware threats for other users
Answer: It may not guarantee data recovery, and it funds further cybercrime
Explanation: Paying the ransom does not guarantee file recovery and encourages attackers to continue ransomware campaigns.
65. What is “fileless ransomware”?
A) A type of ransomware that operates without writing files to the disk
B) Ransomware that only targets cloud storage
C) Ransomware that automatically decrypts itself
D) A non-malicious form of ransomware
Answer: A type of ransomware that operates without writing files to the disk
Explanation: Fileless ransomware runs in memory (RAM) instead of writing files, making it harder to detect and remove.
66. Why do attackers sometimes offer “customer support” in ransomware campaigns?
A) To assist victims in paying the ransom
B) To help victims remove the ransomware for free
C) To negotiate lower ransom amounts
D) To prevent security researchers from tracking them
Answer: To assist victims in paying the ransom
Explanation: Some ransomware groups provide customer support chat systems to help victims pay the ransom and decrypt their files.
67. What is the best way to avoid mobile ransomware infections?
A) Avoid downloading apps from untrusted sources
B) Disable two-factor authentication
C) Use public Wi-Fi for all transactions
D) Avoid using antivirus software
Answer: Avoid downloading apps from untrusted sources
Explanation: The best way to prevent ransomware is to download apps only from trusted sources like the Google Play Store.
68. How does “geo-targeting” work in mobile ransomware attacks?
A) Attackers design ransomware to target specific countries or regions
B) Attackers disable security software based on location
C) Attackers send ransom notes in different languages
D) Attackers prevent infections in their own country
Answer: Attackers design ransomware to target specific countries or regions
Explanation: Some ransomware is configured to target users in specific countries based on location data.
69. What type of scam involves fake ransomware without actual encryption?
A) Ransomware bluffing
B) Scareware
C) Trojan malware
D) Adware
Answer: Scareware
Explanation: Scareware tricks users into believing they are infected, demanding a fake ransom without encrypting any files.
70. What should users do immediately after a ransomware infection?
A) Disconnect from the internet and scan for malware
B) Pay the ransom quickly
C) Restart the phone and hope the ransomware disappears
D) Disable all security software
Answer: Disconnect from the internet and scan for malware
Explanation: Disconnecting from the internet prevents ransomware from communicating with attacker-controlled servers.
71. What is one major reason why mobile ransomware attackers prefer cryptocurrency payments?
A) Cryptocurrencies provide anonymity and are harder to trace
B) Cryptocurrency transactions are faster than credit card payments
C) Cryptocurrencies automatically decrypt files after payment
D) Law enforcement agencies accept cryptocurrency payments for ransom
Answer: Cryptocurrencies provide anonymity and are harder to trace
Explanation: Cybercriminals prefer cryptocurrency payments because they offer anonymity and make it difficult for law enforcement to trace transactions.
72. Which component of mobile ransomware is responsible for displaying the ransom note?
A) The encryption module
B) The payload
C) The antivirus scanner
D) The rootkit
Answer: The payload
Explanation: The payload is responsible for displaying ransom messages, locking the screen, and encrypting files.
73. What is the primary function of the “dropper” in mobile ransomware?
A) To execute the ransomware payload
B) To provide free decryption tools
C) To prevent malware removal
D) To increase device performance
Answer: To execute the ransomware payload
Explanation: A dropper is a small malicious program that downloads and executes the ransomware payload on the infected device.
74. What tactic do some ransomware groups use to pressure victims into paying the ransom?
A) Publicly leaking stolen sensitive data
B) Providing free customer service
C) Offering a free trial decryption
D) Sending legal documents via email
Answer: Publicly leaking stolen sensitive data
Explanation: Some ransomware gangs use “double extortion”, where they threaten to leak stolen sensitive data if the ransom isn’t paid.
75. How does a ransomware infection typically begin on a mobile device?
A) The user clicks on a malicious link or installs an infected app
B) The user manually enables encryption
C) The device overheats due to excessive app usage
D) The device is locked due to an expired software license
Answer: The user clicks on a malicious link or installs an infected app
Explanation: Mobile ransomware typically infects a device when a user clicks on a malicious link, downloads an infected app, or opens a phishing attachment.
76. What is a sandbox environment used for in cybersecurity?
A) To safely analyze ransomware behavior without infecting the actual device
B) To store ransomware payments securely
C) To automatically remove ransomware from a device
D) To enable fast decryption of encrypted files
Answer: To safely analyze ransomware behavior without infecting the actual device
Explanation: A sandbox is an isolated virtual environment used by security researchers to analyze malware without risking real-world infections.
77. Why do some ransomware variants disable the Android recovery mode?
A) To prevent victims from factory resetting their devices
B) To improve phone battery life
C) To ensure that antivirus apps remain active
D) To install security patches
Answer: To prevent victims from factory resetting their devices
Explanation: Some ransomware variants disable recovery mode to prevent users from performing a factory reset, making removal more difficult.
78. What is the role of a “command-and-control” (C2) server in a ransomware attack?
A) To send encryption keys and receive victim payments
B) To provide decryption tools to victims
C) To update Android security patches
D) To repair infected devices remotely
Answer: To send encryption keys and receive victim payments
Explanation: A C2 server is used by attackers to remotely control ransomware, send encryption keys, and receive ransom payments.
79. Why do some ransomware variants remain dormant before activating?
A) To avoid early detection by security software
B) To give users time to back up their data
C) To improve device speed before encrypting files
D) To ensure files are stored in the cloud
Answer: To avoid early detection by security software
Explanation: Some ransomware delays activation to bypass security scans and ensure deep system infection before launching encryption.
80. What should users do if they receive an email threatening ransomware infection?
A) Avoid clicking on links and report the email as phishing
B) Download the attachment to check for threats
C) Reply to the sender and negotiate a ransom amount
D) Disable Wi-Fi and mobile data immediately
Answer: Avoid clicking on links and report the email as phishing
Explanation: Phishing emails often contain malicious links or attachments that install ransomware. The best action is to delete the email and report it.
81. What is the “kill chain” in ransomware attacks?
A) The sequence of steps attackers use to execute a ransomware attack
B) The process of decrypting files after ransom payment
C) The law enforcement response to ransomware
D) A method used to prevent ransomware infections
Answer: The sequence of steps attackers use to execute a ransomware attack
Explanation: The kill chain is the step-by-step process attackers follow, including infection, execution, encryption, and ransom demand.
82. What is one way security researchers develop ransomware decryption tools?
A) By finding flaws in the ransomware’s encryption algorithm
B) By paying the ransom and analyzing the decryption key
C) By contacting ransomware developers directly
D) By using generic antivirus software
Answer: By finding flaws in the ransomware’s encryption algorithm
Explanation: Some ransomware has weak encryption or implementation errors, allowing researchers to develop decryption tools.
83. Why do attackers sometimes use social media to spread ransomware?
A) To trick users into clicking malicious links in posts or messages
B) To directly demand ransom payments
C) To sell ransomware protection services
D) To warn users about new ransomware attacks
Answer: To trick users into clicking malicious links in posts or messages
Explanation: Attackers use social media phishing to distribute malicious links disguised as legitimate content.
84. What is one reason why enterprises are targeted more often than individual users by ransomware?
A) Businesses are more likely to pay a higher ransom
B) Personal devices are harder to infect
C) Individuals have stronger security than companies
D) Businesses have no security policies
Answer: Businesses are more likely to pay a higher ransom
Explanation: Enterprises often have valuable data and are more likely to pay large ransoms to avoid business disruption.
85. What is the function of a “ransomware vaccine”?
A) It prevents ransomware from executing on a device
B) It automatically decrypts encrypted files
C) It provides financial compensation to victims
D) It disables the internet connection when ransomware is detected
Answer: It prevents ransomware from executing on a device
Explanation: A ransomware vaccine is a security tool that tricks ransomware into thinking the device is already infected, preventing execution.
86. Why do ransomware attacks often target healthcare and financial institutions?
A) These sectors store sensitive data and cannot afford downtime
B) Hospitals and banks have weak encryption
C) Patients and customers often pay the ransom
D) These institutions have built-in ransomware software
Answer: These sectors store sensitive data and cannot afford downtime
Explanation: Healthcare and financial institutions store critical data, making them prime targets for ransomware attacks.
87. What happens if a victim refuses to pay the ransom?
A) Attackers may delete or leak the encrypted data
B) The ransomware automatically removes itself
C) The ransom price gets reduced
D) The attacker offers an alternative payment method
Answer: Attackers may delete or leak the encrypted data
Explanation: Some ransomware deletes files or leaks sensitive data if the victim refuses to pay.
88. How do ransomware gangs recruit affiliates for Ransomware-as-a-Service (RaaS)?
A) Through dark web forums and encrypted messaging services
B) By posting job advertisements on LinkedIn
C) By offering free trials in security conferences
D) By contacting law enforcement agencies
Answer: Through dark web forums and encrypted messaging services
Explanation: RaaS operators recruit affiliates via dark web marketplaces and encrypted chat services.
89. Why do attackers often use multiple ransom payment addresses?
A) To make tracking transactions more difficult for authorities
B) To allow multiple victims to pay simultaneously
C) To speed up transaction confirmations
D) To prevent victims from sending payments
Answer: To make tracking transactions more difficult for authorities
Explanation: Attackers use multiple cryptocurrency wallets to avoid tracking and confiscation by law enforcement.
90. What is the best long-term defense against mobile ransomware?
A) Regular backups, software updates, and security awareness
B) Paying the ransom quickly
C) Ignoring all security warnings
D) Installing random free security apps
Answer: Regular backups, software updates, and security awareness
Explanation: The best defense is a combination of backups, updates, and awareness training to prevent infections.
91. What type of phishing attack is commonly used to spread mobile ransomware via SMS messages?
A) Spear phishing
B) Smishing
C) Whaling
D) Vishing
Answer: Smishing
Explanation: Smishing (SMS phishing) is a social engineering attack where attackers send fraudulent text messages containing malicious links to distribute ransomware.
92. What is one way ransomware attackers avoid being tracked?
A) Using The Onion Router (Tor) for communication
B) Sending ransom notes via postal mail
C) Releasing decryption keys in public forums
D) Using government email servers
Answer: Using The Onion Router (Tor) for communication
Explanation: Many ransomware groups use Tor (The Onion Router) to communicate anonymously, making it harder for law enforcement to trace their activities.
93. What is the purpose of “self-deleting” ransomware?
A) To remove itself after encryption to avoid detection
B) To automatically decrypt files after a set time
C) To disable other malware on the system
D) To provide a free security patch to users
Answer: To remove itself after encryption to avoid detection
Explanation: Some ransomware self-deletes after encrypting files to avoid being analyzed by security experts.
94. Why do ransomware gangs sometimes provide decryption keys for free?
A) To rebuild their reputation for future attacks
B) To help law enforcement agencies
C) To allow victims to test the decryption process before paying
D) To protect their own devices from infection
Answer: To allow victims to test the decryption process before paying
Explanation: Some ransomware variants offer to decrypt one file for free to prove that paying the ransom will work.
95. How can enabling two-factor authentication (2FA) help prevent mobile ransomware attacks?
A) It adds an extra layer of security for logging into critical accounts
B) It automatically detects and removes ransomware
C) It disables all third-party app installations
D) It encrypts all data stored on the phone
Answer: It adds an extra layer of security for logging into critical accounts
Explanation: 2FA makes it harder for attackers to gain access to sensitive accounts that could be used to spread ransomware.
96. Which type of ransomware attack is most dangerous for mobile banking users?
A) Locker ransomware
B) Banking trojan ransomware
C) Adware ransomware
D) Rootkit-based ransomware
Answer: Banking trojan ransomware
Explanation: Banking trojan ransomware steals financial information while locking access to banking apps to demand a ransom.
97. How do cybercriminals use “malvertising” to spread ransomware?
A) By embedding malicious code in online ads that trigger ransomware downloads
B) By forcing users to pay ransom before clicking an ad
C) By infecting antivirus programs with ransomware
D) By creating fake job listings for IT professionals
Answer: By embedding malicious code in online ads that trigger ransomware downloads
Explanation: Malvertising (malicious advertising) uses infected online ads to deliver ransomware through drive-by downloads.
98. What is the safest way to store backups to prevent ransomware from encrypting them?
A) Keep backups on an external drive that is disconnected when not in use
B) Store backups on the same device as the original files
C) Keep only one backup version
D) Store backups on an unsecured public server
Answer: Keep backups on an external drive that is disconnected when not in use
Explanation: Air-gapped backups (stored offline) prevent ransomware from encrypting them, ensuring safe recovery.
99. Why do some ransomware variants disable device alarms and notifications?
A) To prevent users from receiving security warnings
B) To conserve battery life
C) To make the device run faster
D) To ensure security software updates work properly
Answer: To prevent users from receiving security warnings
Explanation: Some ransomware disables alarms and security notifications to prevent users from reacting quickly to an infection.
100. What happens when ransomware attackers sell “leaked” victim data on the dark web?
A) Other cybercriminals can purchase and misuse the stolen information
B) The victim gets automatic compensation
C) The victim receives a free decryption key
D) The attacker permanently deletes the data after selling it
Answer: Other cybercriminals can purchase and misuse the stolen information
Explanation: In double extortion attacks, cybercriminals sell stolen data on the dark web, leading to identity theft and fraud.
101. What is “triple extortion” in ransomware attacks?
A) Encrypting data, leaking stolen data, and launching DDoS attacks
B) Increasing the ransom amount three times
C) Infecting three devices at once
D) Demanding ransom payments from three different victims
Answer: Encrypting data, leaking stolen data, and launching DDoS attacks
Explanation: Triple extortion involves encrypting data, threatening to leak stolen data, and launching Distributed Denial-of-Service (DDoS) attacks to pressure victims.
102. What is a major disadvantage of using outdated mobile operating systems?
A) They are more vulnerable to ransomware attacks
B) They improve battery life
C) They increase the speed of the device
D) They prevent malicious app installations
Answer: They are more vulnerable to ransomware attacks
Explanation: Outdated OS versions lack security patches, making them vulnerable to ransomware exploits.
103. What is a honeypot in cybersecurity?
A) A decoy system used to attract and analyze ransomware attacks
B) A secure database for storing encrypted files
C) A mobile app that removes ransomware
D) A payment system used for paying ransoms anonymously
Answer: A decoy system used to attract and analyze ransomware attacks
Explanation: Honeypots are decoy systems designed to attract, detect, and analyze cyber threats, including ransomware.
104. Why do some ransomware gangs operate from specific countries?
A) To avoid local law enforcement crackdowns
B) To provide cybersecurity services
C) To protect victims from attacks
D) To ensure international legal protection
Answer: To avoid local law enforcement crackdowns
Explanation: Some ransomware groups operate in countries with weak cybersecurity laws or where law enforcement does not prosecute cybercrime.
105. Why is ransomware increasingly targeting cloud storage?
A) Because more businesses store critical data in the cloud
B) Because cloud providers offer free decryption tools
C) Because cloud storage speeds up encryption
D) Because cloud services automatically delete infected files
Answer: Because more businesses store critical data in the cloud
Explanation: Attackers target cloud storage because businesses rely on it for critical data, which makes those businesses more likely to pay the ransom.
106. What does “live attack ransomware” refer to?
A) Ransomware deployed manually by attackers in real-time
B) Ransomware that only encrypts live streaming content
C) A security tool that removes ransomware instantly
D) Ransomware that self-destructs after encryption
Answer: Ransomware deployed manually by attackers in real-time
Explanation: Live attack ransomware is manually installed and controlled by cybercriminals in real time, often via remote access tools.
107. What is “time-based ransomware”?
A) Ransomware that deletes files if payment isn’t made within a deadline
B) Ransomware that only works at night
C) Ransomware that delays encryption for weeks
D) Ransomware that automatically deactivates itself
Answer: Ransomware that deletes files if payment isn’t made within a deadline
Explanation: Some ransomware variants include timers that delete files if the ransom is not paid within a set period.
108. Why is education an important defense against ransomware?
A) Users can recognize and avoid phishing attacks
B) It makes ransomware infections impossible
C) It helps identify encrypted files
D) It increases the performance of mobile devices
Answer: Users can recognize and avoid phishing attacks
Explanation: User education helps people identify phishing, malicious links, and fake apps, reducing ransomware risks.
109. Why do ransomware developers sometimes release decryption keys for free?
A) They are shutting down operations or under legal pressure
B) They want positive reviews
C) They feel guilty for their actions
D) They want to encourage future payments
Answer: They are shutting down operations or under legal pressure
Explanation: Some ransomware groups release decryption keys when they shut down or face law enforcement action.
110. What should an organization’s cybersecurity plan include to defend against ransomware?
A) Regular backups, employee training, and endpoint protection
B) Paying ransom quickly to avoid damage
C) Avoiding security software updates
D) Sharing passwords among employees
Answer: Regular backups, employee training, and endpoint protection
Explanation: A strong cybersecurity plan includes regular backups, security training, and endpoint protection tools.
111. What does “ransomware immunity” refer to?
A) A system configuration that prevents ransomware execution
B) A vaccine that physically protects devices from malware
C) A government-provided insurance against ransomware
D) A setting that increases the encryption strength of ransomware
Answer: A system configuration that prevents ransomware execution
Explanation: Ransomware immunity refers to system hardening techniques, security settings, or software configurations that prevent ransomware from executing on a device.
112. What is an effective way to block ransomware from reaching a mobile device?
A) Enabling automatic updates and using security software
B) Turning off the device when not in use
C) Downloading random security patches from the internet
D) Using only outdated mobile apps
Answer: Enabling automatic updates and using security software
Explanation: Regular updates and security software help block exploits and malware, reducing the chances of ransomware infections.
113. What is a “decoy ransomware attack”?
A) A fake attack designed to distract while real malware installs
B) A security test to check for vulnerabilities
C) A ransomware variant that disappears after showing a warning
D) A government-initiated cybersecurity drill
Answer: A fake attack designed to distract while real malware installs
Explanation: Decoy ransomware is used to divert attention, allowing more dangerous malware to install in the background.
114. What happens if a mobile ransomware attack is part of a “blended attack”?
A) It is combined with other malware like spyware or keyloggers
B) The ransom demand is automatically reduced
C) The ransomware removes itself before encrypting files
D) The device becomes immune to future attacks
Answer: It is combined with other malware like spyware or keyloggers
Explanation: Blended attacks combine ransomware with other malware, such as spyware, rootkits, or banking trojans, for greater impact.
115. Why do some ransomware attackers demand gift cards instead of cryptocurrency?
A) Gift cards are harder to trace and easier to launder
B) Cryptocurrency is banned in most countries
C) Gift cards provide stronger encryption
D) Gift cards automatically decrypt infected files
Answer: Gift cards are harder to trace and easier to launder
Explanation: Some attackers demand gift cards because they are difficult to trace and can be easily converted to cash.
116. What is the best way to test if a ransomware decryption tool is legitimate?
A) Check its source and verify reviews from security experts
B) Run it on an infected system without verification
C) Pay for a premium version without testing
D) Use it on multiple devices at once
Answer: Check its source and verify reviews from security experts
Explanation: Some fake decryption tools are actually malware. It’s important to verify them from security websites and trusted sources.
117. What is “shadow copy deletion” in ransomware attacks?
A) The process of deleting backup copies of files before encryption
B) A feature that hides encrypted files from the user
C) A security feature that prevents ransomware from spreading
D) A forensic method to recover deleted files
Answer: The process of deleting backup copies of files before encryption
Explanation: Some ransomware deletes system backups (shadow copies) to prevent victims from recovering encrypted files.
118. How does “fileless ransomware” differ from traditional ransomware?
A) It operates without leaving traces on disk
B) It uses fake ransom demands
C) It only targets cloud-based systems
D) It allows victims to recover files for free
Answer: It operates without leaving traces on disk
Explanation: Fileless ransomware executes directly in memory (RAM) instead of writing files to disk, making it harder to detect.
119. What is one reason why mobile ransomware attacks often target older Android devices?
A) They lack security updates and patches
B) They are more expensive to repair
C) They have built-in ransomware software
D) They automatically download ransomware updates
Answer: They lack security updates and patches
Explanation: Older Android devices may not receive security updates, making them more vulnerable to ransomware attacks.
120. What does “geofencing” mean in a mobile ransomware attack?
A) Ransomware only activates in specific geographic regions
B) The victim is required to pay ransom using GPS-tracked currency
C) The ransomware spreads via physical contact
D) The attack is limited to government agencies
Answer: Ransomware only activates in specific geographic regions
Explanation: Geofencing means that ransomware only executes in certain locations, often based on IP addresses or device settings.
121. What is the purpose of the “kill switch” in some ransomware strains?
A) To deactivate the ransomware if specific conditions are met
B) To delete all encrypted files permanently
C) To increase the ransom amount over time
D) To send ransom reminders to the victim
Answer: To deactivate the ransomware if specific conditions are met
Explanation: Some ransomware has a “kill switch” that deactivates the attack under certain legal, geographical, or operational conditions.
122. What is “fast encryption” in ransomware?
A) A technique that allows ransomware to encrypt files quickly before detection
B) A security patch that prevents encryption
C) A method that makes decryption easier
D) A mobile feature that speeds up file recovery
Answer: A technique that allows ransomware to encrypt files quickly before detection
Explanation: Some ransomware variants use “fast encryption” to encrypt files within seconds before security software can intervene.
123. How does ransomware evade detection by mobile security apps?
A) By disguising itself as a legitimate application
B) By encrypting its own code
C) By blocking security updates
D) All of the above
Answer: All of the above
Explanation: Ransomware evades detection using multiple tactics, including disguising itself as a legitimate app, encrypting its own code, and blocking security updates.
124. Why do attackers sometimes use “trial ransomware”?
A) To test their malware in real-world environments
B) To offer victims a free security checkup
C) To allow users to download ransomware on demand
D) To provide free data backups
Answer: To test their malware in real-world environments
Explanation: Trial ransomware helps attackers test their malware before launching large-scale attacks.
125. What does “ransomware propagation” refer to?
A) The way ransomware spreads across devices and networks
B) The process of paying ransom in installments
C) The timeline for file recovery
D) A legal method for stopping ransomware
Answer: The way ransomware spreads across devices and networks
Explanation: Propagation refers to how ransomware spreads, often through malicious links, infected apps, or network vulnerabilities.
126. Why do some ransomware variants fake law enforcement messages?
A) To scare victims into paying the ransom
B) To make attacks easier to detect
C) To prevent other hackers from using the same ransomware
D) To offer victims cybersecurity training
Answer: To scare victims into paying the ransom
Explanation: Fake law enforcement messages make victims believe they have committed a crime, increasing the chance of quick ransom payment.
127. What is an “onion site” in the context of ransomware?
A) A website hosted on the Tor network for anonymous communication
B) A website used for storing stolen data
C) A site that automatically removes ransomware
D) A ransomware payment gateway
Answer: A website hosted on the Tor network for anonymous communication
Explanation: Onion sites are hosted on the Tor network, allowing ransomware attackers to communicate anonymously.
128. How do mobile ransomware attackers use social engineering?
A) By tricking users into installing malicious apps or clicking fake links
B) By disabling security settings remotely
C) By automatically transferring cryptocurrency from victim accounts
D) By using artificial intelligence to detect ransomware
Answer: By tricking users into installing malicious apps or clicking fake links
Explanation: Attackers use social engineering tactics to manipulate users into installing malware or opening malicious links.
129. What is a “whitelist approach” in ransomware defense?
A) Allowing only approved applications to run on the device
B) Blocking all internet traffic
C) Paying the ransom only in cryptocurrency
D) Using outdated software to confuse attackers
Answer: Allowing only approved applications to run on the device
Explanation: Whitelisting restricts devices to run only trusted applications, reducing the risk of ransomware infections.
130. What is the most common ransom payment deadline given by attackers?
A) 24 to 72 hours
B) 1 to 2 weeks
C) 30 days
D) 3 months
Answer: 24 to 72 hours
Explanation: Most ransomware demands payment within 24-72 hours to pressure victims into paying quickly.
131. What is “sleeper ransomware”?
A) Ransomware that remains inactive for a period before executing
B) A security patch that removes ransomware automatically
C) Ransomware that only affects sleeping devices
D) A type of ransomware that targets battery performance
Answer: Ransomware that remains inactive for a period before executing
Explanation: Sleeper ransomware remains dormant for days or weeks before activating, making it harder to detect.
132. What is a “ransomware note”?
A) A message displayed by ransomware demanding payment
B) A government alert about ransomware threats
C) A notification from security software about an attack
D) A public service announcement on mobile security
Answer: A message displayed by ransomware demanding payment
Explanation: A ransomware note is a message displayed on the infected device with ransom payment instructions.
133. How do ransomware gangs use “bulletproof hosting”?
A) To host malware and ransom payment sites anonymously
B) To protect victims from ransomware infections
C) To encrypt data before launching an attack
D) To store secure backups of victim data
Answer: To host malware and ransom payment sites anonymously
Explanation: Bulletproof hosting services allow attackers to host ransomware and payment portals without being easily tracked.
134. Why do some mobile ransomware variants disable task manager features?
A) To prevent victims from stopping the ransomware process
B) To improve system performance
C) To reduce battery consumption
D) To display advertisements
Answer: To prevent victims from stopping the ransomware process
Explanation: Some ransomware disables task manager access, preventing victims from closing malicious processes.
135. What is the primary goal of “ransomware negotiation services”?
A) To help victims negotiate lower ransom payments
B) To decrypt files without paying ransom
C) To analyze ransomware behavior
D) To alert law enforcement agencies
Answer: To help victims negotiate lower ransom payments
Explanation: Ransomware negotiation services assist victims in reducing ransom demands and communicating with attackers.
136. How does “network-aware” ransomware work?
A) It detects and spreads across connected devices in a network
B) It only encrypts cloud-based data
C) It prevents internet access on infected devices
D) It automatically updates antivirus software
Answer: It detects and spreads across connected devices in a network
Explanation: Network-aware ransomware spreads to other connected devices, increasing damage.
137. What is the purpose of “command obfuscation” in ransomware?
A) To hide malicious activities from security software
B) To automatically execute system updates
C) To alert users about an infection
D) To request law enforcement approval before executing
Answer: To hide malicious activities from security software
Explanation: Command obfuscation makes malicious commands difficult to detect by security tools.
138. Why do ransomware gangs offer “loyalty discounts” to repeat victims?
A) To encourage faster payments
B) To avoid legal consequences
C) To prevent victims from switching security providers
D) To improve public perception
Answer: To encourage faster payments
Explanation: Some ransomware groups offer discounts to repeat victims, making them more likely to pay.
139. What is a “ransomware affiliate”?
A) A cybercriminal who distributes ransomware for a share of the profits
B) A company that sells ransomware protection services
C) A legal consultant for ransomware victims
D) A government entity tracking ransomware attacks
Answer: A cybercriminal who distributes ransomware for a share of the profits
Explanation: Ransomware affiliates distribute ransomware in Ransomware-as-a-Service (RaaS) models, receiving a percentage of ransom payments.
140. What is the best method to prevent “zero-day” ransomware attacks?
A) Applying security patches and updates regularly
B) Paying ransom as soon as possible
C) Disconnecting from the internet permanently
D) Using older operating systems
Answer: Applying security patches and updates regularly
Explanation: Zero-day attacks exploit unknown vulnerabilities, so frequent updates reduce risks.
141. Why do some ransomware attacks target mobile payment apps?
A) To steal financial data and demand additional ransom
B) To test encryption algorithms
C) To improve user security awareness
D) To increase phone performance
Answer: To steal financial data and demand additional ransom
Explanation: Some ransomware targets mobile payment apps to steal financial data or demand additional ransom.
142. What is “scorched-earth” ransomware?
A) Ransomware that deletes files even if the ransom is paid
B) Ransomware that spreads through Wi-Fi networks
C) Ransomware that encrypts phone call logs
D) Ransomware that only affects government agencies
Answer: Ransomware that deletes files even if the ransom is paid
Explanation: Scorched-earth ransomware destroys files regardless of ransom payment.
143. Why do some ransomware operators disable mobile security apps?
A) To prevent detection and removal of ransomware
B) To improve device functionality
C) To make ransom demands more visible
D) To protect victims from other cyber threats
Answer: To prevent detection and removal of ransomware
Explanation: Some ransomware disables security apps to avoid detection and removal.
144. What is an “initial access broker” in ransomware campaigns?
A) A hacker who sells access to compromised devices
B) A security researcher tracking ransomware threats
C) A financial consultant helping victims recover funds
D) A tool used to automatically decrypt files
Answer: A hacker who sells access to compromised devices
Explanation: Initial access brokers gain access to systems and sell it to ransomware operators.
145. How do attackers use “AI-enhanced ransomware”?
A) To automatically adjust attack strategies and evade detection
B) To protect users from ransomware infections
C) To create backup copies of encrypted files
D) To provide instant decryption for paid victims
Answer: To automatically adjust attack strategies and evade detection
Explanation: AI-enhanced ransomware uses machine learning to evade security defenses.
146. What is the primary risk of using pirated software in relation to ransomware?
A) Pirated software may contain hidden ransomware infections
B) It automatically deletes encrypted files
C) It improves ransomware detection rates
D) It provides free security updates
Answer: Pirated software may contain hidden ransomware infections
Explanation: Attackers often embed ransomware in pirated software to infect users.
147. Why do some ransomware attacks occur during major holidays?
A) Security teams are less active, making it easier to exploit vulnerabilities
B) More people are available to respond to attacks
C) Companies update security policies during holidays
D) Victims are less likely to pay ransom on holidays
Answer: Security teams are less active, making it easier to exploit vulnerabilities
Explanation: Attackers strike during holidays when IT teams are less active, delaying response times.
148. What is a “sleeper cell ransomware attack”?
A) An attack that remains hidden for months before execution
B) A ransomware attack that only targets sleeping devices
C) A ransomware variant that targets messaging apps
D) A government-funded cybersecurity operation
Answer: An attack that remains hidden for months before execution
Explanation: Sleeper cell ransomware stays dormant for months, making detection difficult.
149. What is the best way to handle a ransomware infection on a mobile device?
A) Restore from an offline backup and remove the malware
B) Immediately pay the ransom
C) Continue using the device as usual
D) Disable all security features
Answer: Restore from an offline backup and remove the malware
Explanation: The safest method is to restore from a backup and remove the ransomware.
150. What is one common tactic used in “socially-engineered ransomware”?
A) Trick users into downloading ransomware through fake warnings
B) Encrypt files without showing a ransom note
C) Offer free cybersecurity training
D) Provide technical support to remove malware
Answer: Trick users into downloading ransomware through fake warnings
Explanation: Socially-engineered ransomware convinces victims to install malware through fake security alerts or warnings.
151. What is “polymorphic ransomware”?
A) Ransomware that continuously changes its code to evade detection
B) Ransomware that self-destructs after encryption
C) Ransomware that only infects specific mobile brands
D) Ransomware that can be removed by restarting the phone
Answer: Ransomware that continuously changes its code to evade detection
Explanation: Polymorphic ransomware alters its code with each infection, making it harder for antivirus software to detect.
152. Why do some ransomware attackers create fake security updates?
A) To trick users into downloading ransomware disguised as a system update
B) To patch security vulnerabilities in mobile devices
C) To offer an alternative to paying the ransom
D) To allow users to remove ransomware for free
Answer: To trick users into downloading ransomware disguised as a system update
Explanation: Some ransomware mimics security updates to trick users into installing malicious software.
153. What is a “time-bomb ransomware attack”?
A) Ransomware that activates on a pre-determined date
B) Ransomware that disables the device’s clock
C) Ransomware that only affects time-sensitive applications
D) Ransomware that slows down phone performance over time
Answer: Ransomware that activates on a pre-determined date
Explanation: Time-bomb ransomware is pre-programmed to activate after a specific date or event, avoiding early detection.
154. What is the role of a “dropper” in mobile ransomware attacks?
A) To secretly install ransomware onto a device
B) To decrypt ransomware-infected files
C) To send ransom messages to multiple victims
D) To increase device security
Answer: To secretly install ransomware onto a device
Explanation: A dropper is a small malicious program used to download and install ransomware without detection.
155. Why do attackers use “fake customer support” tactics in ransomware operations?
A) To pressure victims into paying the ransom by pretending to assist them
B) To provide genuine technical help
C) To spread ransomware among more users
D) To offer discounts on ransom payments
Answer: To pressure victims into paying the ransom by pretending to assist them
Explanation: Some ransomware groups offer fake customer support to manipulate victims into paying the ransom.
156. What happens if ransomware uses a “self-propagating” mechanism?
A) It spreads to other devices without user interaction
B) It automatically decrypts files after a set time
C) It reduces ransom demands over time
D) It prevents the user from turning off the phone
Answer: It spreads to other devices without user interaction
Explanation: Self-propagating ransomware spreads without requiring user action, often through network connections or messaging apps.
157. How can cybercriminals use QR codes in mobile ransomware attacks?
A) By embedding malicious links in QR codes that lead to ransomware downloads
B) By using QR codes to unlock encrypted devices
C) By encrypting QR codes instead of files
D) By replacing the default camera app with a fake ransomware scanner
Answer: By embedding malicious links in QR codes that lead to ransomware downloads
Explanation: Attackers embed ransomware URLs in QR codes, tricking users into scanning them to install malware.
158. Why do some ransomware attackers prefer Monero (XMR) over Bitcoin for ransom payments?
A) Monero transactions are more private and harder to trace
B) Monero transactions are faster than Bitcoin
C) Monero payments can be reversed
D) Monero is the official currency for ransomware payments
Answer: Monero transactions are more private and harder to trace
Explanation: Monero (XMR) is a privacy-focused cryptocurrency, so its transactions are harder to trace than Bitcoin transactions.
159. What is “targeted ransomware”?
A) Ransomware designed for specific victims, such as businesses or high-profile individuals
B) Ransomware that only affects gaming apps
C) Ransomware that disappears after 24 hours
D) Ransomware that targets only iOS devices
Answer: Ransomware designed for specific victims, such as businesses or high-profile individuals
Explanation: Targeted ransomware is manually deployed against specific organizations or individuals for higher ransom demands.
160. How do attackers use “geo-blocking” in ransomware campaigns?
A) To prevent infections in certain countries
B) To block victims from accessing ransom payment sites
C) To only infect devices that use VPNs
D) To restrict ransomware execution to offline devices
Answer: To prevent infections in certain countries
Explanation: Some ransomware variants avoid targeting certain regions where attackers might face legal action.
161. What is “RansomCloud” in cybersecurity?
A) A ransomware attack that targets cloud storage services
B) A security tool that prevents ransomware
C) A cloud-based ransom payment system
D) A secure cloud storage alternative
Answer: A ransomware attack that targets cloud storage services
Explanation: RansomCloud refers to ransomware that encrypts cloud storage, affecting files stored in services like Google Drive and Dropbox.
162. What is the primary purpose of using “multi-stage ransomware”?
A) To execute the attack in different phases and evade detection
B) To encrypt files twice for added security
C) To protect victims from data loss
D) To test security software
Answer: To execute the attack in different phases and evade detection
Explanation: Multi-stage ransomware executes in multiple steps, allowing it to evade security software before launching full encryption.
163. Why do some ransomware attacks avoid targeting mobile devices in certain regions?
A) The attackers are based in those regions and fear local prosecution
B) Ransomware is ineffective on certain operating systems
C) Mobile security is stronger in those regions
D) Attackers only target high-income countries
Answer: The attackers are based in those regions and fear local prosecution
Explanation: Many ransomware groups do not target their own countries, so that they cannot be prosecuted under local laws.
164. What is the main function of a “ransomware keylogger”?
A) To steal user credentials while encrypting files
B) To slow down the encryption process
C) To unlock encrypted files without payment
D) To provide an alternative method for ransom payment
Answer: To steal user credentials while encrypting files
Explanation: Some ransomware includes a keylogger to steal passwords and sensitive data in addition to encrypting files.
165. How does “social media ransomware” spread?
A) Through malicious links shared on social media platforms
B) By encrypting user posts
C) By requiring a social media login to decrypt files
D) By blocking access to messaging apps
Answer: Through malicious links shared on social media platforms
Explanation: Attackers use social media phishing links to trick users into downloading ransomware.
166. What is a “ransomware wiper”?
A) Ransomware that deletes files instead of encrypting them
B) Ransomware that only affects mobile apps
C) A security tool for wiping ransomware-infected files
D) A method of negotiating ransom payments
Answer: Ransomware that deletes files instead of encrypting them
Explanation: Ransomware wipers delete files permanently, often disguising themselves as ransomware to mislead victims.
167. Why do attackers sometimes demand ransom in smaller payments over time?
A) To avoid triggering fraud detection systems
B) To increase the total ransom amount
C) To allow victims to pay more easily
D) To ensure law enforcement is not involved
Answer: To avoid triggering fraud detection systems
Explanation: Smaller ransom payments are less likely to trigger bank fraud detection systems, making it easier for attackers to collect money.
168. What is “silent ransomware”?
A) Ransomware that encrypts files without displaying a ransom note immediately
B) Ransomware that does not require an internet connection
C) Ransomware that spreads through silent phone calls
D) Ransomware that only affects government agencies
Answer: Ransomware that encrypts files without displaying a ransom note immediately
Explanation: Silent ransomware encrypts files without alerting the victim immediately, making it harder to detect.
169. What security feature helps prevent ransomware from encrypting sensitive files?
A) Application whitelisting
B) Disabling Bluetooth
C) Increasing screen brightness
D) Using only one password for all accounts
Answer: Application whitelisting
Explanation: Application whitelisting allows only trusted programs to run, preventing ransomware from executing.
170. What is the biggest risk of paying a ransom to attackers?
A) There is no guarantee the files will be decrypted
B) The ransom payment increases device speed
C) The attackers delete their own malware
D) The ransomware automatically removes itself
Answer: There is no guarantee the files will be decrypted
Explanation: Paying the ransom does not guarantee file recovery, and it encourages further attacks.
171. What is the main objective of a “double extortion” ransomware attack?
A) Encrypt files and threaten to leak stolen data if ransom is not paid
B) Encrypt the same data twice for extra security
C) Offer victims a discount if they pay quickly
D) Prevent devices from connecting to the internet
Answer: Encrypt files and threaten to leak stolen data if ransom is not paid
Explanation: Double extortion ransomware not only encrypts data but also steals it and threatens to leak it if the ransom is not paid.
172. How do attackers use “drive-by downloads” in ransomware infections?
A) By automatically installing ransomware when a user visits a compromised website
B) By spreading ransomware through Bluetooth connections
C) By forcing victims to enter a CAPTCHA before encryption
D) By only infecting devices that use VPNs
Answer: By automatically installing ransomware when a user visits a compromised website
Explanation: Drive-by downloads occur when a user visits an infected website, and ransomware downloads automatically without user interaction.
173. What is a “hybrid ransomware attack”?
A) An attack that combines ransomware with other types of malware
B) Ransomware that affects both mobile and desktop devices
C) A ransomware variant that only targets hybrid cloud environments
D) A ransomware attack that does not demand a ransom
Answer: An attack that combines ransomware with other types of malware
Explanation: Hybrid ransomware is an attack that combines ransomware with trojans, spyware, or worms for greater impact.
174. Why do some ransomware attacks target cryptocurrency wallets on mobile devices?
A) To steal stored cryptocurrency and demand additional ransom
B) To help victims pay the ransom easily
C) To protect victims from financial losses
D) To prevent law enforcement from tracking payments
Answer: To steal stored cryptocurrency and demand additional ransom
Explanation: Some ransomware attacks specifically target cryptocurrency wallets to steal funds and demand additional ransom.
175. What is a “low-interaction ransomware honeypot”?
A) A decoy system that mimics a real device to detect ransomware activity
B) A ransomware strain that interacts with users before encryption
C) A security tool that encrypts files as a precaution
D) A mobile app that removes ransomware automatically
Answer: A decoy system that mimics a real device to detect ransomware activity
Explanation: Honeypots are decoy environments used to detect and study ransomware behavior without risking real data.
176. How do attackers use “malicious browser extensions” in ransomware attacks?
A) By tricking users into installing ransomware through fake extensions
B) By automatically disabling the device’s browser
C) By offering free antivirus software in exchange for data
D) By slowing down device performance before encryption
Answer: By tricking users into installing ransomware through fake extensions
Explanation: Some ransomware disguises itself as a browser extension, tricking users into installing malware unknowingly.
177. What is “mobile ransomware evasion”?
A) Techniques used by ransomware to bypass security measures
B) A method to remove ransomware without paying
C) A security tool that blocks ransomware before execution
D) A way to recover files without decrypting them
Answer: Techniques used by ransomware to bypass security measures
Explanation: Mobile ransomware evasion refers to stealth techniques used to avoid detection by security tools.
178. Why do some ransomware gangs provide “evidence of file deletion”?
A) To pressure victims into paying by proving they deleted some files
B) To assure victims they will decrypt the files after payment
C) To negotiate a lower ransom
D) To show law enforcement they are ethical hackers
Answer: To pressure victims into paying by proving they deleted some files
Explanation: Some ransomware groups delete a small portion of files as proof that they can permanently erase everything if ransom is not paid.
179. What is “customized ransomware”?
A) Ransomware that is modified to target specific organizations or individuals
B) A ransomware variant that allows victims to choose the encryption method
C) Ransomware that automatically decrypts files over time
D) A form of ransomware that only affects gaming applications
Answer: Ransomware that is modified to target specific organizations or individuals
Explanation: Customized ransomware is tailored to attack specific victims, often used in targeted attacks against high-value targets.
180. What is the primary reason ransomware attackers disable mobile device security settings?
A) To prevent the victim from easily removing the malware
B) To improve device performance
C) To allow law enforcement to investigate the attack
D) To provide better encryption for victim files
Answer: To prevent the victim from easily removing the malware
Explanation: Attackers disable security settings to prevent users from stopping the ransomware or removing it.
181. How do “ransomware fake warnings” trick users into installing malware?
A) By displaying fake alerts that claim the device is infected and offering a malicious “fix”
B) By promising rewards for scanning the device
C) By showing ads that encourage users to pay a security fee
D) By encrypting files before displaying a ransom note
Answer: By displaying fake alerts that claim the device is infected and offering a malicious “fix”
Explanation: Some ransomware displays fake security alerts, tricking users into downloading malicious software.
182. What does “ransomware-as-a-service (RaaS)” allow cybercriminals to do?
A) Purchase or rent ransomware tools from developers
B) Automatically decrypt ransomware-infected devices
C) Legally remove ransomware infections
D) Offer cybersecurity services to victims
Answer: Purchase or rent ransomware tools from developers
Explanation: RaaS (Ransomware-as-a-Service) allows cybercriminals with little technical skill to use pre-made ransomware kits.
183. Why do some ransomware attacks occur in multiple stages?
A) To evade security defenses and maximize impact
B) To make the attack more predictable
C) To prevent the victim from paying the ransom
D) To ensure the files are backed up before encryption
Answer: To evade security defenses and maximize impact
Explanation: Multi-stage attacks allow ransomware to bypass security defenses before executing full encryption.
184. What is a “ransomware bounty program”?
A) A program where cybersecurity researchers find and report ransomware vulnerabilities
B) A payment system for ransomware victims
C) A ransomware attack that rewards victims for fast payment
D) A method of automatically decrypting files
Answer: A program where cybersecurity researchers find and report ransomware vulnerabilities
Explanation: Bounty programs reward researchers who find vulnerabilities in ransomware or its distribution methods.
185. Why do some ransomware groups offer discounts for early payments?
A) To pressure victims into paying quickly before seeking alternatives
B) To help victims recover files affordably
C) To test if the encryption works correctly
D) To show goodwill toward victims
Answer: To pressure victims into paying quickly before seeking alternatives
Explanation: Attackers offer discounts for quick payments to pressure victims into paying before exploring recovery options.
186. What does “ransomware lateral movement” refer to?
A) The spread of ransomware across multiple devices in a network
B) The process of encrypting files in multiple stages
C) The ability to reverse the encryption process
D) A government strategy to prevent ransomware attacks
Answer: The spread of ransomware across multiple devices in a network
Explanation: Lateral movement allows ransomware to spread within a network, encrypting multiple devices.
187. Why do ransomware operators sometimes release stolen data for free?
A) To punish victims who refuse to pay
B) To assist cybersecurity researchers
C) To encourage victims to negotiate
D) To comply with law enforcement requests
Answer: To punish victims who refuse to pay
Explanation: Some ransomware groups release stolen data publicly if victims refuse to pay the ransom.
188. What is “fileless ransomware propagation”?
A) The spread of ransomware without writing files to disk
B) A method of removing ransomware without paying
C) A technique where ransomware only encrypts backup files
D) A security feature that blocks ransomware infections
Answer: The spread of ransomware without writing files to disk
Explanation: Fileless ransomware propagation allows ransomware to spread through system memory (RAM), making it harder to detect.
189. How do cybercriminals use “exploit kits” in ransomware attacks?
A) To scan for vulnerabilities and automatically install ransomware
B) To help victims decrypt their files
C) To protect attackers from being traced
D) To offer an alternative to paying ransom
Answer: To scan for vulnerabilities and automatically install ransomware
Explanation: Exploit kits are malicious software packages that detect vulnerabilities in devices and install ransomware automatically.
190. What is a “ransomware payload”?
A) The part of ransomware that encrypts files and locks the system
B) A payment confirmation receipt from attackers
C) A backup copy of the victim’s files stored in the cloud
D) A ransom amount determined by the victim
Answer: The part of ransomware that encrypts files and locks the system
Explanation: The payload is the core component of ransomware responsible for executing the attack, encrypting files, and displaying ransom notes.
191. Why do some ransomware attacks target IoT (Internet of Things) devices?
A) IoT devices often lack strong security protections
B) IoT devices store valuable financial information
C) IoT devices automatically back up data
D) IoT devices are immune to ransomware
Answer: IoT devices often lack strong security protections
Explanation: Many IoT devices lack strong security controls, making them easier targets for ransomware attacks.
192. What is the main risk of using “free” ransomware decryption tools found on unknown websites?
A) They may be malware disguised as decryption tools
B) They decrypt files immediately without a key
C) They increase the speed of the infected device
D) They offer permanent protection against ransomware
Answer: They may be malware disguised as decryption tools
Explanation: Some fake decryption tools are actually malware, designed to further infect victims’ devices.
193. Why do attackers use “social engineering” in ransomware distribution?
A) To manipulate users into downloading ransomware through deceptive tactics
B) To ensure victims can recover files easily
C) To help users understand cybersecurity risks
D) To allow companies to improve security policies
Answer: To manipulate users into downloading ransomware through deceptive tactics
Explanation: Social engineering tactics trick victims into downloading malware by impersonating trusted entities.
194. How do ransomware attackers use “fear tactics” to increase payment rates?
A) By threatening to leak sensitive data or permanently delete files
B) By offering victims a free trial decryption
C) By providing educational resources on cybersecurity
D) By asking for voluntary donations instead of ransom payments
Answer: By threatening to leak sensitive data or permanently delete files
Explanation: Attackers use fear tactics such as threatening to publish stolen data or permanently delete files to pressure victims into paying.
195. What is “ransomware worm capability”?
A) The ability of ransomware to spread automatically across devices
B) A tool that removes ransomware infections
C) A security patch that prevents ransomware attacks
D) A method for negotiating ransom payments
Answer: The ability of ransomware to spread automatically across devices
Explanation: Ransomware worms spread without user interaction, often moving between connected devices and networks.
196. What is a “lock-screen ransomware attack”?
A) An attack that prevents users from accessing their device by locking the screen
B) A ransomware variant that only encrypts images
C) A type of ransomware that requires biometric authentication
D) A ransomware attack that disables all system files
Answer: An attack that prevents users from accessing their device by locking the screen
Explanation: Lock-screen ransomware blocks access to a device’s screen, often displaying a fake warning message or ransom note.
197. Why do attackers sometimes create ransomware “copycat versions”?
A) To mimic successful ransomware campaigns and deceive victims
B) To provide alternative solutions for cybersecurity researchers
C) To allow victims to decrypt files for free
D) To offer discounts to returning victims
Answer: To mimic successful ransomware campaigns and deceive victims
Explanation: Some cybercriminals create fake versions of famous ransomware, tricking victims into paying fake ransom demands.
198. How does “homograph phishing” contribute to mobile ransomware infections?
A) By using domain names that look similar to legitimate websites to trick users into downloading ransomware
B) By encrypting only file names without locking actual content
C) By sending ransom demands in different languages
D) By requiring victims to enter passwords before encryption
Answer: By using domain names that look similar to legitimate websites to trick users into downloading ransomware
Explanation: Homograph phishing uses similar-looking domain names (e.g., g00gle.com instead of google.com) to trick users into downloading ransomware.
199. What is “deepfake ransomware”?
A) Ransomware that uses AI-generated fake videos or audio to deceive victims
B) A variant that encrypts video files first
C) Ransomware that is automatically removed after payment
D) A method to recover encrypted files
Answer: Ransomware that uses AI-generated fake videos or audio to deceive victims
Explanation: Deepfake ransomware uses AI-generated voices or videos to impersonate executives, law enforcement, or financial institutions to trick victims.
200. Why do ransomware gangs sometimes provide “proof of decryption”?
A) To convince victims that paying the ransom will actually restore their files
B) To help victims understand how encryption works
C) To avoid detection by security agencies
D) To offer a legal agreement between the attacker and victim
Answer: To convince victims that paying the ransom will actually restore their files
Explanation: Some ransomware groups decrypt a small number of files for free to prove that they have a working decryption key and encourage victims to pay.