Threat Descriptions

Ransomware

Classification

Category :

Malware

Type :

Trojan

Platform :

W32

Aliases :

Ransom, Ransomware, Heur.Ransom.[variant], Trojan.RansomKD.[variant], Trojan.Ransom.[family].Gen, Trojan.Ransom.[family].[variant], Gen:Heur.Ransom.[family], Gen:Variant.Ransom.[variant], DeepScan:Generic.Ransom.[family].[variant]

Summary

Ransomware is a type of harmful program that hijack control of the user's computer, device or data, then demands payment to restore normal access to the ransomed content or system.

Removal

F-Secure detects ransomware using a variety of signature and generic detections. Once detected, the F-Secure security product will automatically remove the file.

Further action

If the ransomware uses encryption to take files or an entire system hostage, it is very difficult to decrypt the affected files or system without the necessary decryption key. In such circumstances, the recommended course of action is to report the crime to the relevant authorities and restore the affected data from a backup.

Manual removal

For a few specific ransomware families, manual removal is possible.

CAUTION Manual removal is a risky process; it is recommended only for advanced users. Otherwise, please seek professional technical assistance.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Harmful programs that hijack control of a computer or device and demand payment to return control to the rightful user are known as ransomware.

There are two main types of ransomware commonly seen today:

  • Crypto-ransomware will encrypt files on a computer, essentially 'scrambling' the file contents so that the user can't access it without a decryption key that can correctly 'unscramble' it. A ransom payment is demanded in return for the decryption key
  • "Police-themed" ransomware will try to cloak their actions by appearing to be a warning from a local law enforcement authority, supposedly for possessing materials that are illegally downloaded, pornographic or otherwise contraband. The ransom demand is described as "payment of a fine", or similar

How users encounter ransomware

The most common method used by attackers to bring potential victims into contact with ransomware is to send it to them as a file attached to a legitimate-looking email. The file will usually be disguised to look like a desirable file or program. This method depends on tricking the user into opening and running the disguised attachment.

Another common method is to include the ransomware in the payload of an exploit kit. Users are exposed to exploit kits when they visit a compromised website, or are redirected onto a malicious site, where the exploit kit can probe the user's computer for any exploitable flaws or vulnerabilities. If one is found, the exploit kit can download and install the ransomware on the user's machine.

Ransomware is also spread by botnets that silently install and run it on vulnerable systems. The ransomware will then take control of files on the machine, or in some cases, take control of the entire system.

Consequences

If the ransomware successfully takes the device or data hostage, users will usually have a very limited number of recovery options. Ransomware will normally use strong encryption that is extremely difficult to break, making recovery impossible unless a) a clean, recent backup is available, or b) the decryption key is obtained.

In a very few select cases where researchers were able to find a flaw in the ransomware to circumvent it, the user may be able to recover the affected device or data:

  • Threat Description: Trojan:W32/Reveton
  • No More Ransom! Project: an initiative by the National High Tech Crime Unit of the Netherlands' police, Europol's European Cybercrime Centre and security researchers aims to help victims retrieve their encrypted data without having to pay the criminals responsible for the threat.

These instances are however very rare. For most other ransomware cases, the recommended course of action is to report the crime to the relevant authorities and restore the affected data from a backup.

Precautionary measures should also be taken to protect your content and device from being vulnerable to ransomware again in the future. For more information, see:

More Information

For examples of crypto-ransomware and police-themed ransomware, see:

Crypto-ransomware

Police-themed ransomware

For more technical details of ransomware, see: