Threat description




Ransomware is a type of malicious application that steals control of the user's machine or data, then demands a payment from the user to restore normal access to the ransomed content or system.


Automatic action

F-Secure detects ransomware using a variety of signature and generic detections. Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

Manual removal

For a few specific ransomware families, manual removal is possible.

Caution: Manual removal is a risky process; it is recommended only for advanced users. Otherwise, please seek professional technical assistance.

Further action

If the ransomware uses encryption to take files or an entire system hostage, the encryption may be sufficient to make it very difficult to decrypt the files without the necessary decryption key.

In such circumstances, the recommended course of action is to report the crime to the relevant authorities and restore the affected data from a backup.

Technical Details

Users may encounter ransomware in a number of ways. The most common method used by attackers to spread ransomware is via e-mail as an attached file (either disguised to look like a desirable application or in a ZIP or packed file with a misleading name). This method depends on tricking the user into opening the attachment and running the malicious file.

Another common way attackers distribute ransomware is to include it in the payload of an exploit kit. Users can be exposed to exploit kits when they visit a compromised website, or are redirected onto a malicious site, where the exploit kit can probe the user's computer for any exploitable flaws or vulnerabilities. If one is found, the exploit kit can download and install the ransomware on the user's machine.

Alternatively, ransomware can be spread by a botnet that silently installs and runs it on vulnerable systems. Once run, it will take control of files on the machine, or in some cases, take control of the entire system.

Holding data or computer for ransom

Some ransomware will encrypt files on a computer, essentially 'scrambling' the contents of the file so that the user can't access it normally without a decryption key that can correctly 'unscramble' it. A ransom payment is demanded in return for the decryption key. This type of ransomware is known as crypto-ransomware. Examples of these include:

Some ransomware will attempt to cloak their actions by appearing to be a warning from a local law enforcement authority, supposedly for possessing materials that are illegally downloaded, pornographic or otherwise contraband; the demand for payment is described in these cases as "payment of a fine", or similar. These are known as "police-themed" ransomware. Examples of these include:


Depending on the type of ransomware involved, the user may be able to take further actions. In most cases however, the encryption used to hold the content or computer hostage is extremely difficult to break, making recovery impossible unless a) a clean, recent backup is available, or b) the decryption key is obtained.

In such circumstances, the recommended course of action is to report the crime to the relevant authorities and restore the affected data from a backup. Precautionary measures should also be taken to protect your content and machine from being vulnerable to ransomware. For more information, see:


For more technical details of ransomware, see:

Submit a Sample

Suspect a file or URL was wrongly detected? Send it to our Labs for further analysis

Submit a Sample

Scan & Clean Your PC

F-Secure Online Scanner will scan and clean your PC in just a few minutes for free

More Info