Home > Threat descriptions >



Category: Malware

Type: Trojan

Aliases: ransomware, ransom


Ransomware is a type of harmful program that steals control of the user's machine or data, then demands a payment from the user to restore normal access to the ransomed content or system.

F-Secure detects ransomware using a variety of signature and generic detections.


Automatic action

Based on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the file or application, or ask you for a desired action.

Further action

If the ransomware uses encryption to take files or an entire system hostage, the encryption may be sufficient to make it very difficult to decrypt the files without the necessary decryption key. In such circumstances, the recommended course of action is to report the crime to the relevant authorities and restore the affected data from a backup.

Manual removal

For a few specific ransomware families, manual removal is possible.

CAUTION Manual removal is a risky process; it is recommended only for advanced users. Otherwise, please seek professional technical assistance.

Knowledge Base

Find the latest advice in our Community Knowledge Base.

About the product

See the manual for your F-Secure product on the Help Center.

Contact Support

Chat with or call an expert for help.

Submit a sample

Submit a file or URL for further analysis.

Technical Details

Users may encounter ransomware in a number of ways. The most common method used by attackers to spread ransomware is via email as an attached file (either disguised to look like a desirable application or in a ZIP or packed file with a misleading name). This method depends on tricking the user into opening the attachment and running the malicious file.

Another common way attackers distribute ransomware is to include it in the payload of an exploit kit. Users can be exposed to exploit kits when they visit a compromised website, or are redirected onto a malicious site, where the exploit kit can probe the user's computer for any exploitable flaws or vulnerabilities. If one is found, the exploit kit can download and install the ransomware on the user's machine.

Alternatively, ransomware can be spread by a botnet that silently installs and runs it on vulnerable systems. Once run, it will take control of files on the machine, or in some cases, take control of the entire system.

Holding data or computer for ransom

Some ransomware will encrypt files on a computer, essentially 'scrambling' the contents of the file so that the user can't access it normally without a decryption key that can correctly 'unscramble' it. A ransom payment is demanded in return for the decryption key. This type of ransomware is known as crypto-ransomware. Examples of these include:

Some ransomware will attempt to cloak their actions by appearing to be a warning from a local law enforcement authority, supposedly for possessing materials that are illegally downloaded, pornographic or otherwise contraband; the demand for payment is described in these cases as "payment of a fine", or similar. These are known as "police-themed" ransomware. Examples of these include:


Based on the type of ransomware involved, the user may be able to take further actions. In most cases however, the encryption used to hold the content or computer hostage is extremely difficult to break, making recovery impossible unless a) a clean, recent backup is available, or b) the decryption key is obtained.

In such circumstances, the recommended course of action is to report the crime to the relevant authorities and restore the affected data from a backup. Precautionary measures should also be taken to protect your content and machine from being vulnerable to ransomware. For more information, see:


For more technical details of ransomware, see: