Cyber Security Center

About ransomware

Ransomware

Ransomware belongs to a family of malware that takes files for hostage. Unlike other malware, ransomware is very aggressive and does not try to mask its presence. It aims to lock important files so that the victim would be inclined to pay the ransom to get the files back. This malware usually spreads via spam emails (when users open infected files in spam emails) and exploit kits (when malware enters via vulnerabilities in the system).

Screenshot (24)

Ransomware is generally categorized as:

  • Lock Screen ransomware/Scareware. This type of ransomware does not encrypt files but instead locks the screen. Generally, the screen is locked, and a message claiming users have committed some kind of crime (usually related to child pornography or illegally obtained copyrighted content) is displayed. With lock screen ransomware, files are not actually encrypted. This type of malware is also easily removed with anti-malware software.
  • File-encrypting ransomware. This type of ransomware does encrypt files with strong encryption algorithms. Victims are instructed to pay a certain amount of money (usually in cryptocurrency) to receive a decryptor.
  • Mobile ransomware. This type of malware affects mobile devices, primarily those running Android. In many cases, mobile ransomware does not encrypt files but instead locks the screen.

Preventing ransomware

  • Backup. Backup is one of the most effective means of fighting ransomware. Not only should files be backed up, but important ones should be backed up in two different places.
  • Anti-virus software. Having security software installed is essential in preventing ransomware, as it would detect malicious files and stop an attack.
  • Software updates. In order to prevent ransomware from taking advantage of vulnerabilities in the system, updates should be installed regularly. That means that when an update becomes available, it should be installed.
  • Good browsing habits. Having good browsing habits can go a long way towards preventing ransomware infections. That includes not opening email attachments/links in unfamiliar emails, not browsing highly questionable websites, and not clicking on weird ads.

What to do in case of infection?

  • Remove the ransomware. When ransomware infects a computer, the first course of action should be to remove the ransomware. If it is not deleted, it will encrypt any new files. Anti-malware software is necessary to remove ransomware.
  • Identify the ransomware. In some cases, it is not immediately clear which ransomware has entered the system. If it encrypts files, look at the file extension added to the affected files. Use a search engine to look into the extension and find out the name of the ransomware.
  • Find more information on the ransomware. Once the ransomware has been identified, it will be easier to find more information on the threat, including whether it is decryptable. If the ransomware is decryptable, a tool should not be difficult to find. No More Ransom is a good source for decryption tools. If a decryption tool for a specific ransomware is not currently available, it may be released in the future.
  • Do not pay the ransom. While paying the ransom seems like the obvious solution to encrypted files, it is not. First of all, paying the ransom does not guarantee file decryption as there is nothing preventing cybercrooks from not sending a decryption tool after they get the money. Furthermore, paying the ransom encourages criminals to continue their illegal activity.