What is Ransomware?

Ransomware is a type of malware that encrypts the data on the compromised computer and then demands a ransom for its return. It targets both companies and individuals. In most cases the crooks warn that the ransom will increase if you do not pay within their deadline. Decrypting the files without the key is, for practical purposes, impossible.

How does ransomware work?

Once the malware is running on a computer, it encrypts files of particular formats: MS Office documents, pictures, videos, plain text files, Photoshop documents, 3DS Max projects and so on, while system files are usually skipped so that the machine still boots and can display the ransom note. The ciphers vary, typically AES-256 for the file contents and RSA-1024/2048/4096 to wrap the per-file or per-victim AES key, and in any case they are far beyond brute force with any realistic amount of computing power.

The name comes from the ransom: the money is demanded for file recovery, which can be done only with the decryption key or tool held by the ransomware operators. The business model is highly profitable, which is why new families and affiliates keep appearing.
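The hybrid scheme described above, as an added example in Go (not code from this page or from any real ransomware family): a fresh AES-256-GCM key per file, wrapped with the operator's RSA-2048 public key, and a decryptor that only works with the matching private key. Everything runs on an in-memory byte string constructed here; the key sizes, the EncryptedFile layout and the function names are assumptions for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// EncryptedFile is the assumed on-disk layout: the per-file AES key wrapped
// with the operator's RSA public key, then the GCM nonce and the ciphertext.
type EncryptedFile struct {
	WrappedKey []byte // RSA-OAEP(fileKey), 256 bytes for RSA-2048
	Nonce      []byte
	Ciphertext []byte
}

// Encrypt is the locker side: a fresh 256-bit key per file, AES-GCM for the
// content, RSA-OAEP to wrap the key. The key buffer is zeroed afterwards, so
// nothing written to the victim's disk can recover it.
func Encrypt(pub *rsa.PublicKey, plaintext []byte) (*EncryptedFile, error) {
	fileKey := make([]byte, 32)
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	for i := range fileKey {
		fileKey[i] = 0
	}
	return &EncryptedFile{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Decrypt is what the operator's decryptor does after payment: unwrap the
// file key with the private key, then open the content. Any other key fails
// at the unwrap step, before the AES layer is even reached.
func Decrypt(priv *rsa.PrivateKey, ef *EncryptedFile) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, ef.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap file key: private key does not match")
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, ef.Nonce, ef.Ciphertext, nil)
}

func main() {
	operatorKey, _ := rsa.GenerateKey(rand.Reader, 2048) // stays on the attackers' side
	victimFile := []byte("constructed sample: contents of Q3-payroll.xlsx")
	ef, _ := Encrypt(&operatorKey.PublicKey, victimFile)
	fmt.Printf("wrapped key: %d bytes, ciphertext: %d bytes\n", len(ef.WrappedKey), len(ef.Ciphertext))

	otherKey, _ := rsa.GenerateKey(rand.Reader, 2048) // e.g. a decryptor built for another campaign
	if _, err := Decrypt(otherKey, ef); err != nil {
		fmt.Println("wrong key:", err)
	}
	pt, err := Decrypt(operatorKey, ef)
	fmt.Printf("right key: %q (err=%v)\n", pt, err)
}
```

The point to take from the run: the wrapped key is RSA ciphertext that only the private key unwraps, so neither the encrypted file nor the malware sample on disk holds what you need. A free decryptor can exist only when that private key, or the per-file keys, have been obtained some other way.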

Ransomware attacks stats 2016-2021

Number of ransomware attacks per year over the last 5 years

Ransomware has become a major threat to any computer system. On an infected computer your files become completely inaccessible, including personal photos, videos and contacts, and usually also the data on attached removable drives and mapped network shares. Paying is supposed to get you a decryptor, but there are many cases where the crooks ignored their own promises and went silent after receiving the payment. Paying the ransom is therefore not a safe way out, and it does nothing to remove the malware or close the way it came in.

How is ransomware distributed?

Producing and distributing copies of the malware is straightforward, and it is organised as a business. In the "ransomware-as-a-service" model the developers rent or sell the ransomware to affiliates, who run the actual campaigns and share the profits with them. The ransomware executable may arrive as an email attachment, as a macro-enabled Office document attached to an email, or behind a link in a text message. Less often, it is delivered through exploit kits hosted on compromised or malicious web pages.

Malicious email attachment

An example of a spam message carrying ransomware in the attachment

Attacks on organisations are carried out not only through bait emails but also through security weaknesses: unpatched Microsoft Exchange servers, RDP exposed to the Internet with weak or reused passwords, vulnerable Adobe products and various other software let attackers break into the corporate network and deploy ransomware [1]. Such attacks take far longer to prepare than those on individual computers, but they bring much more profit.

Ransomware examples

How can you get your files decrypted?

There is no good one-size-fits-all answer; every case is different. The best you can do is learn from other victims and avoid the mistakes they made. The most common ones are:

  • Renaming the encrypted files (decryptors recognise them by the appended extension, and renaming does not decrypt anything);
  • Actively using the computer after the attack (new writes can overwrite deleted originals that file-recovery tools might still have salvaged);
  • Paying unauthorised third parties for file decryption;
  • Using the computer for daily purposes before the ransomware has been removed;
  • Starting file decryption before deleting the ransomware (a still-running locker simply re-encrypts what you recovered).

Legitimate decryption tools are free; security vendors and the No More Ransom project publish them at no cost. Offers like "pay us less than the fraudsters ask and get your files back" are risky, and your money still ends up with the crooks: such "file recovery teams" simply contact the operators and negotiate a lower price for the key. There is no guarantee that this haggling works, and some of these intermediaries just take your money and vanish, leaving you with encrypted files and an empty wallet.

Decrypt the files with special tools

Each ransomware family, and often each variant within it, needs its own decryption tool. STOP/Djvu ransomware, for example, can be decrypted in some cases with Emsisoft's STOPDecrypter tool, and REvil with the Bitdefender decryptor. These tools are free but come with no guarantee. Breaking the ciphers themselves is out of reach for any amount of PC power, so a decryptor only works when the keys were recovered some other way: leaked, seized by law enforcement, reconstructed from a flaw in the malware's key handling, or shared with other victims whose keys the tool already has.

The interface of Emsisoft Decrypter

When you pay, the operators send a decryption key or decryptor bound to your victim ID. That key material lives only on the attackers' side, which is why the malware sample on your disk does not contain what is needed to decrypt and why analysts cannot simply extract it. The builder code behind a family is usually not public either, so attributing a sample to the right family can take some work.

How to prevent ransomware infection?

The most important precaution is a reliable anti-malware program with real-time protection. It detects malware that tries to run on your computer, cleans up what it finds, and keeps its detection signatures up to date. No single product stops everything, so combine it with offline or immutable backups that the ransomware cannot reach: a tested backup turns an incident into an inconvenience.

Free versions of such programs are usually limited to a single computer; paid versions cover several machines and add features, which makes them more useful for households and offices. Whatever you choose, keep it updated: an outdated scanner will miss fresh variants.

Besides a security tool, follow the elementary security rules. Don't open unexpected email attachments, and never enable macros in Microsoft Office documents you did not create yourself [2]. Avoid dubious links on the Internet, especially at work: besides being told off for procrastination, you may trigger a ransomware attack on the whole network. Organisations should also patch Internet-facing services promptly and put multi-factor authentication in front of RDP.

Macro MS Office
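A gateway-side version of the "never enable macros" rule, added here as an example in Go (not the page's own code): it opens an Office Open XML attachment as the zip container it is and looks for the VBA project part, which is where macro code lives in .docm/.xlsm/.pptm files, including ones renamed to .docx to look harmless. The documents are constructed in memory with only the entries that matter; real files carry many more parts, and the helper names buildDoc and HasVBA are assumptions for this example.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"path"
	"strings"
)

// macroParts are the zip entry names that carry VBA code in OOXML documents.
// The check is on the entry name, not the extension the sender chose.
var macroParts = map[string]bool{
	"vbaproject.bin": true,
	"vbadata.xml":    true,
}

// HasVBA inspects an OOXML attachment in memory and reports whether it
// carries a VBA project and which entry triggered the hit. Input that is not
// a zip container (legacy .doc, or not Office at all) returns an error so the
// caller routes it to a different check instead of letting it through.
func HasVBA(data []byte) (bool, string, error) {
	zr, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil {
		return false, "", fmt.Errorf("not an OOXML (zip) container: %w", err)
	}
	for _, f := range zr.File {
		if macroParts[strings.ToLower(path.Base(f.Name))] {
			return true, f.Name, nil
		}
	}
	return false, "", nil
}

// buildDoc constructs a minimal OOXML-like zip for demonstration (assumed
// content; real documents have many more parts).
func buildDoc(withMacro bool) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	w, _ := zw.Create("[Content_Types].xml")
	w.Write([]byte("<Types/>"))
	w, _ = zw.Create("word/document.xml")
	w.Write([]byte("<w:document/>"))
	if withMacro {
		w, _ = zw.Create("word/vbaProject.bin")
		w.Write([]byte("\xd0\xcf\x11\xe0 constructed OLE stub, not real VBA"))
	}
	zw.Close()
	return buf.Bytes()
}

func main() {
	cases := []struct {
		name      string
		withMacro bool
	}{
		{"invoice.docx (clean)", false},
		{"invoice.docx (really a .docm)", true},
	}
	for _, c := range cases {
		hit, part, err := HasVBA(buildDoc(c.withMacro))
		fmt.Printf("%-32s macro=%v part=%q err=%v\n", c.name, hit, part, err)
	}
	_, _, err := HasVBA([]byte("not a zip at all"))
	fmt.Println("plain text attachment:", err)
}
```

On a mail gateway this check belongs next to the extension filter, not instead of it: the extension tells you what the sender claims, the vbaProject.bin entry tells you what the file actually contains.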

What should you do if you detect ransomware infection?

No matter how careful you are, you may still end up infected. First, find the ransom note (usually a readme file) with the decryption instructions. Don't rush to pay: the note is useful for a different reason. It names the family or shows the appended extension and your victim ID, which is exactly what you need to find the right removal guide and to check whether a free decryptor exists. Search our website for the guide to remove your ransomware variant; it is listed as ".[extension] ransomware".
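A first-pass triage of a hit machine, as an added Go example (not code from this page): it finds ransom note candidates, works out which extension was appended to the encrypted files, and counts files whose content looks like ciphertext by byte entropy. The file set returned by sampleSet is constructed; the note-name hints, the entropy threshold and the 4 KiB read size are assumptions a responder would tune.

```go
package main

import (
	"fmt"
	"io/fs"
	"math"
	"os"
	"path/filepath"
	"strings"
)

// Sample is one file under triage: path relative to the root, first bytes.
type Sample struct {
	Path string
	Data []byte
}

// Report is what a responder needs before hunting for a decryptor.
type Report struct {
	Notes       []string // ransom note candidates
	AppendedExt string   // most common extension appended to encrypted files
	ExtCount    int      // how many files carry it
	HighEntropy int      // files whose content looks like ciphertext
}

// Ransom notes are text/HTML files dropped into every folder; their names
// almost always contain one of these words (assumed list).
var noteHints = []string{"readme", "decrypt", "restore", "recover", "how_to", "how-to", "help"}

func looksLikeNote(name string) bool {
	n := strings.ToLower(name)
	if !strings.HasSuffix(n, ".txt") && !strings.HasSuffix(n, ".html") && !strings.HasSuffix(n, ".hta") {
		return false
	}
	for _, h := range noteHints {
		if strings.Contains(n, h) {
			return true
		}
	}
	return false
}

// Entropy returns Shannon entropy in bits per byte: ciphertext sits close to
// 8.0, office documents and source code are well below that.
func Entropy(b []byte) float64 {
	if len(b) == 0 {
		return 0
	}
	var counts [256]int
	for _, c := range b {
		counts[c]++
	}
	h := 0.0
	for _, c := range counts {
		if c > 0 {
			p := float64(c) / float64(len(b))
			h -= p * math.Log2(p)
		}
	}
	return h
}

// Triage separates notes from data, flags high-entropy content and tallies
// the final extension of double-extension files (report.docx.abcd -> ".abcd").
func Triage(samples []Sample) Report {
	var r Report
	ext := map[string]int{}
	for _, s := range samples {
		base := filepath.Base(s.Path)
		if looksLikeNote(base) {
			r.Notes = append(r.Notes, s.Path)
			continue
		}
		if len(s.Data) >= 256 && Entropy(s.Data) > 7.0 { // thresholds are assumptions
			r.HighEntropy++
		}
		if parts := strings.Split(base, "."); len(parts) >= 3 {
			ext["."+parts[len(parts)-1]]++
		}
	}
	for e, c := range ext { // most common extension, name as tie-break
		if c > r.ExtCount || (c == r.ExtCount && e < r.AppendedExt) {
			r.AppendedExt, r.ExtCount = e, c
		}
	}
	return r
}

// TriageDir walks a real directory, reading up to 4 KiB of each file.
func TriageDir(root string) (Report, error) {
	var samples []Sample
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil || d.IsDir() {
			return err
		}
		f, err := os.Open(p)
		if err != nil {
			return nil // unreadable file: skip it, keep walking
		}
		defer f.Close()
		buf := make([]byte, 4096)
		n, _ := f.Read(buf)
		rel, _ := filepath.Rel(root, p)
		samples = append(samples, Sample{Path: rel, Data: buf[:n]})
		return nil
	})
	return Triage(samples), err
}

// sampleSet is a constructed victim folder: one note, three "encrypted" files
// (a permutation of all 256 byte values, entropy exactly 8.0), one untouched text file.
func sampleSet() []Sample {
	enc := make([]byte, 256)
	for i := range enc {
		enc[i] = byte(i * 167) // 167 is odd, so this permutes 0..255
	}
	text := []byte(strings.Repeat("Quarterly figures, see the attached table. ", 8))
	return []Sample{
		{"Documents/_readme.txt", []byte("ATTENTION! All your files are encrypted. Personal ID: 0123abcd")},
		{"Documents/report.docx.abcd", enc},
		{"Documents/budget.xlsx.abcd", enc},
		{"Pictures/holiday.jpg.abcd", enc},
		{"Documents/notes.txt", text},
	}
}

func main() {
	r := Triage(sampleSet())
	if len(os.Args) > 1 {
		r, _ = TriageDir(os.Args[1])
	}
	fmt.Printf("notes: %v\nappended extension: %s (%d files)\nhigh-entropy files: %d\n",
		r.Notes, r.AppendedExt, r.ExtCount, r.HighEntropy)
}
```

Run it with a path argument to triage a real folder (from Safe Mode or from a mounted image). The appended extension plus a line from the note is what you search for in the removal guides and decryptor catalogues; the entropy count tells you roughly how far the encryption got before the machine was isolated.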

After removing the ransomware, report the case to the law enforcement body that investigates cybercrime in your country. In many jurisdictions organisations are required to notify regulators when an incident affects personal data, and reports from victims are how investigators build cases and, occasionally, obtain keys that later become free decryptors. Here is a list of cybercrime units in different countries:

Politsei – Estonia
Ministry of the Interior – Croatia
Garda Síochána – Ireland
Cyber Crime Cell – India
Cyber Police – Iran
Police – Belgium
CyberCrime – Bulgaria
Polícia Federal – Brazil
Polizei – Austria
ACSC – Australia
Police Scotland – Scotland
Singapore Police Force – Singapore
IC3 – United States
Polisen – Sweden
Policija – Slovenia
Ministerstvo Vnútra – Slovakia
National Police Agency – South Korea
Cyber Police – Ukraine
Policia Nacional – Spain
Centre for Cyber Security – Canada
Nomoreransom project – Israel
Polizia di Stato – Italy
Cybercrime Project – Japan
Policija – Latvia
ePolicija – Lithuania
Police – Luxembourg
Pulizija – Malta
Politie – Netherlands
Police – New Zealand
Rendőrség – Hungary
Hong Kong Police – Hong Kong
Hellenic Police – Greece
Polizei – Germany
Poliisi – Finland
Ministère de l’Intérieur – France
Action Fraud – Great Britain
Politi – Denmark
Policie – Czech Republic
Cyber Crime Police – Cyprus
Ministry of Internal Affairs – Russia

How to remove ransomware?

Ransomware is not easy to remove, since it has several features that make it persistent. Many variants block the installation of anti-malware software. Others, especially those aimed at individuals, carry routines that disable or uninstall the antivirus already present. This class of malware also commonly blocks access to the websites where you could find a removal guide or a decryption tool. To avoid a situation where every piece of advice is useless because the malware interferes with it, boot the PC into Safe Mode with Networking first.

Reboot your Windows in Safe Mode with Networking

Don't be put off by the name; it is just a specific Windows start-up mode [3]. In this mode the system does not launch the start-up apps and skips most services, so the ransomware should not be running to interfere with your removal attempts. Press the Start button, then Power, and choose Restart while holding the Shift key. Windows reboots into the recovery (Troubleshoot) screen. One caveat: Safe Mode is not a guarantee, since some families deliberately reboot into Safe Mode themselves to evade security tools, so if the machine still misbehaves there, scan the disk from clean boot media instead.

Reboot PC in the Safe Mode

On the recovery screen pick Troubleshoot -> Advanced options -> Startup Settings -> Restart. The next screen lists the start-up options with numbers; press the key that corresponds to Safe Mode with Networking. On Windows 10 and 11 it is 5 (or F5), but read the list on your screen rather than assuming. The same result can be set from an administrator command prompt with bcdedit /set {current} safeboot network followed by a reboot; run bcdedit /deletevalue {current} safeboot afterwards to return to normal start-up.

Reboot into Safe Mode with Networking

Now that the computer is running without the malware in the background, you can download the removal tool. My choice for ransomware removal is GridinSoft Anti-Malware. It can deal with ransomware in under 10 minutes and restore the system settings that the malware changed during its activity.

Download and install GridinSoft Anti-Malware. After installation you can activate a free 6-day trial, during which all functions of the licensed program are available. Enter your email address and check your inbox for the activation key.

Once the trial is activated, launch a Full scan. It checks every corner of the system and should detect the ransomware.

Scan GridinSoft Anti-Malware

When the scan is finished, click the Clean Up button to remove the malware from your PC. This takes less than 10 seconds.

Clean Now GridinSoft Anti-Malware

  1. Read more about the vulnerabilities.
  2. About exploits in Microsoft Office macros.
  3. Official Microsoft guide at booting into the Safe Mode