Ransomware is a type of harmful program that hijack control of the user's computer, device or data, then demands payment to restore normal access to the ransomed content or system.
If the ransomware uses encryption to take files or an entire system hostage, it is very difficult to decrypt the affected files or system without the necessary decryption key. In such circumstances, the recommended course of action is to report the crime to the relevant authorities and restore the affected data from a backup.
For a few specific ransomware families, manual removal is possible.
CAUTION Manual removal is a risky process; it is recommended only for advanced users. Otherwise, please seek professional technical assistance.
A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:
Check for the latest database updates
First check if your F-Secure security program is using the latest detection database updates, then try scanning the file again.
Submit a sample
After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.
NOTE If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.
Exclude a file from further scanning
If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.
Note You need administrative rights to change the settings.
Harmful programs that hijack control of a computer or device and demand payment to return control to the rightful user are known as ransomware.
There are two main types of ransomware commonly seen today:
The most common method used by attackers to bring potential victims into contact with ransomware is to send it to them as a file attached to a legitimate-looking email. The file will usually be disguised to look like a desirable file or program. This method depends on tricking the user into opening and running the disguised attachment.
Another common method is to include the ransomware in the payload of an exploit kit. Users are exposed to exploit kits when they visit a compromised website, or are redirected onto a malicious site, where the exploit kit can probe the user's computer for any exploitable flaws or vulnerabilities. If one is found, the exploit kit can download and install the ransomware on the user's machine.
Ransomware is also spread by botnets that silently install and run it on vulnerable systems. The ransomware will then take control of files on the machine, or in some cases, take control of the entire system.
If the ransomware successfully takes the device or data hostage, users will usually have a very limited number of recovery options. Ransomware will normally use strong encryption that is extremely difficult to break, making recovery impossible unless a) a clean, recent backup is available, or b) the decryption key is obtained.
In a very few select cases where researchers were able to find a flaw in the ransomware to circumvent it, the user may be able to recover the affected device or data:
These instances are however very rare. For most other ransomware cases, the recommended course of action is to report the crime to the relevant authorities and restore the affected data from a backup.
Precautionary measures should also be taken to protect your content and device from being vulnerable to ransomware again in the future. For more information, see:
For examples of crypto-ransomware and police-themed ransomware, see:
For more technical details of ransomware, see: