Ransomware is a type of harmful program that hijack control of the user's computer, device or data, then demands payment to restore normal access to the ransomed content or system.
F-Secure detects ransomware using a variety of signature and generic detections.
Based on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the file or application, or ask you for a desired action.
If the ransomware uses encryption to take files or an entire system hostage, it is very difficult to decrypt the affected files or system without the necessary decryption key. In such circumstances, the recommended course of action is to report the crime to the relevant authorities and restore the affected data from a backup.
For a few specific ransomware families, manual removal is possible.
CAUTION Manual removal is a risky process; it is recommended only for advanced users. Otherwise, please seek professional technical assistance.
Find the latest advice in our Community Knowledge Base.
See the manual for your F-Secure product on the Help Center.
Submit a file or URL for further analysis.
Harmful programs that hijack control of a computer or device and demand payment to return control to the rightful user are known as ransomware.
There are two main types of ransomware commonly seen today:
The most common method used by attackers to bring potential victims into contact with ransomware is to send it to them as a file attached to a legitimate-looking email. The file will usually be disguised to look like a desirable file or program. This method depends on tricking the user into opening and running the disguised attachment.
Another common method is to include the ransomware in the payload of an exploit kit. Users are exposed to exploit kits when they visit a compromised website, or are redirected onto a malicious site, where the exploit kit can probe the user's computer for any exploitable flaws or vulnerabilities. If one is found, the exploit kit can download and install the ransomware on the user's machine.
Ransomware is also spread by botnets that silently install and run it on vulnerable systems. The ransomware will then take control of files on the machine, or in some cases, take control of the entire system.
If the ransomware successfully takes the device or data hostage, users will usually have a very limited number of recovery options. Ransomware will normally use strong encryption that is extremely difficult to break, making recovery impossible unless a) a clean, recent backup is available, or b) the decryption key is obtained.
In a very few select cases where researchers were able to find a flaw in the ransomware to circumvent it, the user may be able to recover the affected device or data:
These instances are however very rare. For most other ransomware cases, the recommended course of action is to report the crime to the relevant authorities and restore the affected data from a backup.
Precautionary measures should also be taken to protect your content and device from being vulnerable to ransomware again in the future. For more information, see:
For examples of crypto-ransomware and police-themed ransomware, see:
For more technical details of ransomware, see: