Harmful programs that hijack control of a computer or device and demand payment to return control to the rightful user are known as ransomware.
There are two main types of ransomware commonly seen today:
- Crypto-ransomware will encrypt files on a computer, essentially 'scrambling' the file contents so that the user can't access it without a decryption key that can correctly 'unscramble' it. A ransom payment is demanded in return for the decryption key
- "Police-themed" ransomware will try to cloak their actions by appearing to be a warning from a local law enforcement authority, supposedly for possessing materials that are illegally downloaded, pornographic or otherwise contraband. The ransom demand is described as "payment of a fine", or similar
How users encounter ransomware
The most common method used by attackers to bring potential victims into contact with ransomware is to send it to them as a file attached to a legitimate-looking email. The file will usually be disguised to look like a desirable file or program. This method depends on tricking the user into opening and running the disguised attachment.
Another common method is to include the ransomware in the payload of an exploit kit. Users are exposed to exploit kits when they visit a compromised website, or are redirected onto a malicious site, where the exploit kit can probe the user's computer for any exploitable flaws or vulnerabilities. If one is found, the exploit kit can download and install the ransomware on the user's machine.
Ransomware is also spread by botnets that silently install and run it on vulnerable systems. The ransomware will then take control of files on the machine, or in some cases, take control of the entire system.
If the ransomware successfully takes the device or data hostage, users will usually have a very limited number of recovery options. Ransomware will normally use strong encryption that is extremely difficult to break, making recovery impossible unless a) a clean, recent backup is available, or b) the decryption key is obtained.
In a very few select cases where researchers were able to find a flaw in the ransomware to circumvent it, the user may be able to recover the affected device or data:
- Threat Description: Trojan:W32/Reveton
- No More Ransom! Project: an initiative by the National High Tech Crime Unit of the Netherlands' police, Europol's European Cybercrime Centre and security researchers aims to help victims retrieve their encrypted data without having to pay the criminals responsible for the threat.
These instances are however very rare. For most other ransomware cases, the recommended course of action is to report the crime to the relevant authorities and restore the affected data from a backup.
Precautionary measures should also be taken to protect your content and device from being vulnerable to ransomware again in the future. For more information, see:
For examples of crypto-ransomware and police-themed ransomware, see:
For more technical details of ransomware, see: