The criminals responsible for ransomware usually distribute it using trojans or exploit kits. When run on a computer or device, the ransomware first tries to 'lock' the device or encrypt its contents. Next, the ransom demand is displayed, usually in a text file or a webpage. Some ransomware also changes the desktop background to display the demand.
If the affected device or data is confidential, business-critical or irreplaceable, a ransomware infection can be very disruptive. Ransomware exploits the user's shock, embarrassment and fear to pressure them into paying the ransom demanded.
Though earlier ransomware samples we saw tended to be simple, blatant attempts at extortion, recent ones have been more subtle in design.
From 2012 onwards, we started seeing ransomware using the names, visual images and language of various law enforcement agencies to make their ransom demands look like official writs, usually regarding some alleged offense that the user supposedly committed.
The details of the ransom demand vary depending on the user's geographical location. The most notable examples have come from Western European countries, notably France, Germany, Finland and Italy, but other countries have also reported instances of such ransomware.
While the actual text of the demands varies, they generally follow the same pattern:
Security researchers and law enforcement authorities strongly recommend that affected users do not pay the ransom. There is no guarantee that payment will restore the affected device or data.
The recommended course of action is that the user report the incident to the proper local authorities, disinfect the affected device and restore the affected data from clean backups.
In some of the cases reported to the authorities, however, losing control of the affected device or data has been so disruptive that the users have chosen to pay the ransom. This has been especially true of businesses and individuals who have no clean backups to recover from, or who have critical business machines affected by the ransomware.
Of course, it is likely that many affected users do not report an infection or ransom payment to the authorities at all.
If the worst happens and ransomware does infect your device, there are a couple of steps you can take to contain the damage:
In most cases, F-Secure's security products will automatically detect and remove a ransomware file.
For certain ransomware families, manual removal is also possible, though it is only recommended for a technically skilled user.
Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.
For users who do not have an F-Secure security product installed, in most cases our Online Scanner removal tool is able to detect and automatically remove the ransomware.
Trojan:W32/Reveton and Trojan:W32/Urausy variants may be manually removed from the machine, using the following instructions:
You can send a sample of the ransomware file to our Labs for analysis.
To do so, please reboot your computer into Safe Mode (see instructions in the Manual Removal section above) and look for the suspect file. Most commonly, ransomware is saved to one of the following locations:
Once found, send us the suspect file via Submit A Sample (SAS).
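To make the "look for the suspect file" step concrete, the following PowerShell script is an added example and not an F-Secure tool or part of the original instructions. It assumes the standard Windows autostart points that user-mode lockers of this kind commonly abuse (the per-user and per-machine Run/RunOnce registry keys and the Startup folders; these are general assumptions, not the page's own list of locations), resolves each entry to a file path, hashes the file and flags entries that live outside the Windows and Program Files trees. It is read-only, so it can be run in Safe Mode before deciding what to submit.

```powershell
# Added example (not F-Secure's tooling): inventory Windows autostart entries,
# hash the files they point to, and flag those in user-writable locations.
# Run from an elevated PowerShell prompt, ideally in Safe Mode. Read-only.

# Assumed autostart locations: standard Windows Run/RunOnce keys and Startup folders.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)

# Extract the executable path from a command line such as
#   "C:\Users\x\AppData\Roaming\abc.exe" -flag   or   %TEMP%\abc.exe
# Bare names without a directory (e.g. rundll32.exe foo.dll,Entry) will not
# resolve to an existing file and are reported with Exists = False.
function Resolve-CommandPath([string]$cmd) {
    if ([string]::IsNullOrWhiteSpace($cmd)) { return $null }
    $m = [regex]::Match($cmd, '^\s*"([^"]+)"|^\s*(\S+)')
    if (-not $m.Success) { return $null }
    $p = if ($m.Groups[1].Success) { $m.Groups[1].Value } else { $m.Groups[2].Value }
    return [Environment]::ExpandEnvironmentVariables($p)
}

# A file under %SystemRoot% or Program Files is not proof of legitimacy, but
# droppers of this kind typically write to %AppData%, %Temp% or the user profile.
function Test-TrustedPath([string]$path) {
    $roots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    foreach ($root in $roots) {
        if ($path.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function New-Entry([string]$source, [string]$path) {
    $isFile = $path -and (Test-Path -LiteralPath $path -PathType Leaf)
    [pscustomobject]@{
        Source     = $source
        Path       = $path
        Exists     = [bool]$isFile
        SHA256     = if ($isFile) { (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash } else { $null }
        Suspicious = [bool]($isFile -and -not (Test-TrustedPath $path))
    }
}

$results = @()

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own provider metadata
        $results += New-Entry "$key\$($p.Name)" (Resolve-CommandPath ([string]$p.Value))
    }
}

foreach ($dir in $startupDirs) {
    if (-not ($dir -and (Test-Path -LiteralPath $dir))) { continue }
    Get-ChildItem -LiteralPath $dir -File | ForEach-Object {
        $results += New-Entry $dir $_.FullName
    }
}

# Suspicious entries first; the SHA256 column identifies the file you submit.
$results | Sort-Object Suspicious -Descending | Format-Table -AutoSize -Wrap
```

Entries marked Suspicious are candidates, not verdicts: check the publisher, file version and creation time before treating a file as the ransomware sample, and copy it (rather than run it) when preparing the submission.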