Home > Threat descriptions >

Ransomware

Classification

Category: Malware

Type: Trojan

Aliases: Ransom, Ransomware, Heur.Ransom.[variant], Trojan.RansomKD.[variant], Trojan.Ransom.[family].Gen, Trojan.Ransom.[family].[variant], Gen:Heur.Ransom.[family], Gen:Variant.Ransom.[variant], DeepScan:Generic.Ransom.[family].[variant]

Summary


Ransomware is a type of harmful program that hijack control of the user's computer, device or data, then demands payment to restore normal access to the ransomed content or system.

F-Secure detects ransomware using a variety of signature and generic detections.

Removal


Automatic action

Based on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the file or application, or ask you for a desired action.

Further action

If the ransomware uses encryption to take files or an entire system hostage, it is very difficult to decrypt the affected files or system without the necessary decryption key. In such circumstances, the recommended course of action is to report the crime to the relevant authorities and restore the affected data from a backup.

Manual removal

For a few specific ransomware families, manual removal is possible.

CAUTION Manual removal is a risky process; it is recommended only for advanced users. Otherwise, please seek professional technical assistance.

Knowledge Base

Find the latest advice in our Community Knowledge Base.

About the product

See the manual for your F-Secure product on the Help Center.

Contact Support

Chat with or call an expert for help.

Submit a sample

Submit a file or URL for further analysis.

Technical Details


Harmful programs that hijack control of a computer or device and demand payment to return control to the rightful user are known as ransomware.

There are two main types of ransomware commonly seen today:

  • Crypto-ransomware will encrypt files on a computer, essentially 'scrambling' the file contents so that the user can't access it without a decryption key that can correctly 'unscramble' it. A ransom payment is demanded in return for the decryption key
  • "Police-themed" ransomware will try to cloak their actions by appearing to be a warning from a local law enforcement authority, supposedly for possessing materials that are illegally downloaded, pornographic or otherwise contraband. The ransom demand is described as "payment of a fine", or similar
How users encounter ransomware

The most common method used by attackers to bring potential victims into contact with ransomware is to send it to them as a file attached to a legitimate-looking email. The file will usually be disguised to look like a desirable file or program. This method depends on tricking the user into opening and running the disguised attachment.

Another common method is to include the ransomware in the payload of an exploit kit. Users are exposed to exploit kits when they visit a compromised website, or are redirected onto a malicious site, where the exploit kit can probe the user's computer for any exploitable flaws or vulnerabilities. If one is found, the exploit kit can download and install the ransomware on the user's machine.

Ransomware is also spread by botnets that silently install and run it on vulnerable systems. The ransomware will then take control of files on the machine, or in some cases, take control of the entire system.

Consequences

If the ransomware successfully takes the device or data hostage, users will usually have a very limited number of recovery options. Ransomware will normally use strong encryption that is extremely difficult to break, making recovery impossible unless a) a clean, recent backup is available, or b) the decryption key is obtained.

In a very few select cases where researchers were able to find a flaw in the ransomware to circumvent it, the user may be able to recover the affected device or data:

  • Threat Description: Trojan:W32/Reveton
  • No More Ransom! Project: an initiative by the National High Tech Crime Unit of the Netherlands' police, Europol's European Cybercrime Centre and security researchers aims to help victims retrieve their encrypted data without having to pay the criminals responsible for the threat.

These instances are however very rare. For most other ransomware cases, the recommended course of action is to report the crime to the relevant authorities and restore the affected data from a backup.

Precautionary measures should also be taken to protect your content and device from being vulnerable to ransomware again in the future. For more information, see:

More Information

For examples of crypto-ransomware and police-themed ransomware, see:

Crypto-ransomware

Police-themed ransomware

For more technical details of ransomware, see: