A quick guide to crypto-ransomware - what it is, how it works, what happens when your computer is infected and what you can do to protect your computer.

What is crypto-ransomware?

Ransomware is a type of malicious program that uses deceptive and alarming messages to extort money from a victim. The messages are usually accompanied by harmful actions on the user's computer or mobile device - for example, by 'locking' it to prevent normal use - so that the user feels pressured into paying the money demanded.

Crypto-ransomware is a type of ransomware that encrypts files stored on the user's computer or mobile device. Simply put, encryption 'scrambles' the contents of a file, so that it is unreadable by either the user or the device itself. To restore it for normal use, a decryption key is needed to 'unscramble' the file.

When crypto-ransomware encrypts a user's files, it is essentially taking those files hostage; a ransom demand is then displayed offering the user the decryption key needed to restore the files, if a specified sum is paid. In some cases, the user only has a limited time period to make the payment.

Encountering crypto-ransomware

Users may encounter crypto-ransomware in a variety of ways. The most common are:

  • In maliciously crafted files that contain the crypto-ransomware itself, or download it from a remote website
  • As part of the payload of other malware, such as trojan-downloaders or exploit kits

Delivery by email

Email messages are often used to deliver crypto-ransomware. The emails may appropriate the names and/or branding of various legitimate companies to appear above-board. The text of the email messages may be either generic spam content or specially crafted to the recipient's interests (also known as phishing emails).

F-Secure Weblog: An example of spam used to spread the CTB-Locker crypto-ransomware.

Some email messages will include a file attached to it. The files attached to the emails can be any of the following formats:

  • Microsoft Word document (file name ends with .doc or .docx)
  • Microsoft XSL document  (.xsl or .xslx ending)
  • XML document (.xml or .xslx ending)
  • Zipped folder containing a JavaScript file (.zip containing a file with a name ending in .js)

Some files being distributed as email attachments may also use multiple file extensions - for example, <INVOICE#132435>.PDF.js. This is a common tactic used to trick users into believing that the file is meant to run on a different program.

Other email messages will contain a link to a file hosted on a cloud storage service. Though the email claims the file is a document (usually a resume), it is actually an executable program.

Receiving the email itself does not trigger a potential infection. To do so, the user must either open the attached file, or download the linked file and then open it.

If the user opens the attached file, malicious code contained in it will try to run. If the file is in JavaScript, it will try to download and install the actual ransomware program from a remote website or server. If the file is a Word or XSL document, the code is embedded in the file as a macro, or a series of commands that will be executed in sequence if launched by the user. For the code to successfully infect the user's machine, at least one of two scenarios must occur:

  • In Microsoft Word, macros are enabled (by default, this is disabled)
  • The user is tricked into enabling macros in Microsoft Word

If for any reason macros are enabled in Microsoft Word, the malicious code will run immediately. If macros are not enabled in Microsoft Word, the file will display a notification prompt asking the user to enable them. If the user clicks 'Enable Content' on the prompt, macros are enabled and the malicious code will run immediately.

Screenshot of a specially-crafted Word document luring the user into enabling macros>

Delivery by exploit kit

More rarely, crypto-ransomware is delivered by exploit kits, which are toolkits that are planted by attackers on websites. These kits then probe the devices of each website visitor for any flaws or vulnerabilities that can be exploited. There are numerous exploit kits currently delivering ransomware in the wild, such as Angler, Neutrino and Nuclear.

If a vulnerability is found and exploited, the exploit kit can immediately download crypto-ransomware onto the affected device. Once there, the ransomware runs immediately.


Once it is run, the ransomware will hunt for and encrypt files on the user's system.

Some crypto-ransomware, such as older variants of TeslaCrypt, will only encrypt specific types of files. Others are less discriminating and will encrypt many types of files (for example, Cryptolocker). There is also one known ransomware family, Petya, that encrypts the Master Boot Record (MBR), a special section of a computer's hard drive that runs first and starts (boots) its operating system, allowing all other programs to run.

After the encryption is done, the ransomware will display a message containing the ransom demand. The amount will vary depending on the specific ransomware, and the payment is often only in Bitcoins, or a similar digital cryptocurrency. Specific instructions are also provided.

F-Secure Weblog: the ransom notice displayed by CTB-Locker crypto-ransomware.


Ransomware works on the assumption that the user will be pressured enough at losing access to the files to be willing to pay the sum demanded. If the files are on a computer that belongs to an organization - such as a hospital, a finance firm or a government department - more than one person may be impacted by the ransomware's action.

Depending on the data contained in the encrypted files, the number of machines affected, and the ease of restoring the files from clean backups, the effect of a ransomware infection can range from mild to severe.

Respond & recover

If the worst happens and crypto-ransomware does infect your device, there are a couple of steps you can take to contain the damage:

  • IMMEDIATELY disconnect the affected device or devices from the local network and/or the Internet. Doing so prevents the infection from spreading to other connected devices.
  • Scan all connected devices and /or cloud storage for similar flaws and additional threats. Not only should other connected devices and storage media be checked for infection by the same threat, but also for any other threats that may have been installed on the side.
  • If possible, identify the specific ransomware responsible. Knowing the specific family involved makes it easier to search online for information about remedial options. The ID-Ransomware project site may be able to help you identify the ransomware involved.

Once you are certain the infection is contained, you can then try to remove the infection, recover the device and the data saved on it.

Recovering files that have been encrypted by crypto-ransomware is technically extremely difficult; in most cases, it is simpler to wipe the device clean and reinstall the operating system, then recover the affected data from a clean backup. You can take the following steps for recovery:

  • If possible, format and reinstall the device. Usually, this is the most expedient way to remove a ransomware infection. In a small handful of cases, there are removal tools available for specific ransomware families (see Family-specific removal tools below) which you may consider as an alternative.
  • Restore data from clean backups. If available and clean, the encrypted data can be recovered by restoring from backup files. In cases where no decryption is possible, this is the method recommended by law enforcement authorities and security experts to avoid paying the operators responsible for crypto-ransomware.  
  • Reevaluate the security of any software installed. To prevent a recurrence, ensure any software installed (including the operating system) is up-to-date with the latest security patches.
  • Report the incident to the appropriate local law enforcement authority. Each country handles incidents of electronic crime differently, but in general most national law enforcement agencies urge affected individuals or companies to report incidents and avoid paying any ransom demanded.

Family-specific removal tools

For certain crypto-ransomware families, security researchers have been able to obtain the decryption keys from the attackers' servers, and use them to create special removal tools that can recover the contents of files that were encrypted with the keys.

Do note however that these tools generally require some level of technical knowledge to use. They are also only effective for these specific ransomware families, or even just for threats that were distributed in specific campaigns.

For more information about these tools, visit the No More Ransom! project site. This initiative by the National High Tech Crime Unit of the Netherlands' police, Europol's European Cybercrime Centre and security researchers aims to help victims of ransomware retrieve their encrypted data without having to pay the criminals responsible for the threat.



As an individual computer user, you can take a number of simple precautions to avoid becoming a victim of crypto-ransomware:

  • Backup all necessary files regularly, and store them in a location not connected to the computer or network. This means that even if your computer is affected, you always have unaffected backups available.
  • Apply all critical and important security patches for all installed operating systems and applications. This prevents scenarios where the attack vector is not simply email file attachments, but vulnerability exploit attacks.
  • Enable all your antivirus solution's security features and keep it up-to-date with the latest signature databases.
  • Avoid opening emails sent by an unknown sender, especially if it contains an attachment or a link.
  • Enable "Show hidden Files, Folders and Drives" and disable "Hide extension of known file types". This helps you spot files that have multiple file extensions.
  • In Microsoft Office, make sure that the settings for 'Macro Settings' are set to 'Disable macros with notification'. This will block macros from running automatically when the document file is opened.
  • In Office 2016, you can modify the settings to block macros from running at all in documents that come from the Internet. This new feature was added in response to the resurgence of macro malware. More information and instructions are available at: