Ransomware

What is ransomware?

Ransomware stops you from using your PC. It holds your PC or files for ransom.

Some versions of ransomware are called "FBI Moneypak" or the "FBI virus" because they use the FBI's logos.

What does it look like and how does it work?

There are different types of ransomware. However, all of them will prevent you from using your PC normally, and they will all ask you to do something before you can use your PC.

They can:

  • Prevent you from accessing Windows.

  • Encrypt files so you can't use them.

  • Stop certain apps from running (like your web browser).

They will demand that you do something to get access to your PC or files. We have seen them:

  • Demand you pay money.

  • Make you complete surveys.

Often the ransomware will claim you have done something illegal with your PC, and that you are being fined by a police force or government agency.

These claims are false. It is a scare tactic designed to make you pay the money without telling anyone who might be able to restore your PC.

There is no guarantee that paying the fine or doing what the ransomware tells you will give access to your PC or files again.

Prevalent ransomware

Crowti (also known as Cryptowall) and Tescrypt (also known as Teslacrypt) are two ransomware families that have infected over half a million PCs running Microsoft security software in the first half of 2015. Since the start of 2015, we've observed Crowti to be the most prevalent ransomware overall, accounting for 30% of all ransomware families, as shown in Figure 1.


Notice in particular that Tescrypt sits within the six families that each had less than a 5% share of the total. This is because Tescrypt is relatively new – while we’ve seen big detection numbers between April and June, it still hasn’t been enough to wipe out Crowti and Krypterade.

Figure 1. Top 10 Ransomware (January to June 2015)


While Tescrypt has only been prevalent since April 2015, we've seen its infection rate spike dramatically during that time. Between April and May, it increased by over 600%. This increase in activity is likely due to it being distributed by a number of active exploit kits, specifically Exploit:SWF/Axpergle (Angler), Exploit:JS/Neclu (Nuclear), JS/Fiexp (Fiesta), and JS/Anogre (Sweet Orange). Figure 2 shows the share it had during May.


Figure 2. Top 10 Ransomware (May 2015)


A breakdown of the top 10 ransomware distribution for the past 30 days (May 19 to June 18, 2015) is represented in Figure 3.


Figure 3. Top 10 Ransomware (June 2015)


Both Crowti and Tescrypt target home users and enterprise industries. Their infection chains are also similar, and we’ve seen that email spam and exploit kits are the main infection vectors.

Figure 4 is a representation of the infection chain for both families.

These ransomware families encrypt files on the PC and direct the machine’s user to a webpage that typically asks for ransom payment using bitcoins.

See the following descriptions for a list of the file type extensions each family targets for encryption:

Figure 4. Tescrypt/Crowti infection chain

Crowti can be downloaded by other malware, such as:

It can also be downloaded when you click on a link in a spam email. It’s important to be aware of the dangers in opening suspicious emails to avoid falling prey to these ransomware attacks.

See the Win32/Crowti and Win32/Tescrypt descriptions for information on how these threats work.

Examples of ransomware
Ransom:Win32/Adslock.A
Ransom:Win32/Cribit.A
Ransom:Win32/Crilock.A

Frequently asked questions

  • No. These warnings are fake and have no association with legitimate authorities. The message uses images and logos of legal institutions to make it look authentic.

  • We don’t recommend you pay. There is no guarantee that handing over the ransom will give you access to your files again. Paying the ransom could also make you a target for more malware.

  • How to recover your files depends on where your files are stored and what version of Windows you are using.

    Before you try to recover files, you should use Windows Defender Offline to fully clean your PC.

    For Microsoft Office files stored, synced, or backed up to OneDrive

    For files on your PC

    • You need to have turned on File History (in Windows 10 and Windows 8.1) or System Protection for previous versions (in Windows 7 and Windows Vista) before you were infected. In some cases, these might have been turned on already by your PC manufacturer or network administrator.

    • Some ransomware will also encrypt or delete the backup versions of your files. This means that even if you have enabled File History, if you have set the backup location to be a network or local drive your backups might also be encrypted. Backups on a removable drive, or a drive that wasn't connected when you were infected with the ransomware, might still work.

    • See the Windows Repair and recovery site for help on how to enable file recovery for your version of Windows.
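An added example, not part of the original page, that checks whether the previous-version data the recovery step above relies on still exists. Ransomware commonly deletes Volume Shadow Copies, which is what both System Protection and "previous versions" use, so run this from an elevated PowerShell prompt after the PC has been cleaned; the cmdlets and WMI class used are standard Windows ones.

```powershell
# Added example: report shadow copies and System Protection restore points.
# If both lists are empty, "previous versions" recovery will not work on this PC
# and you will need a backup from a drive that was not attached during infection.
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue
if ($shadows) {
    Write-Host ("Shadow copies found: {0}" -f @($shadows).Count)
    $shadows |
        Select-Object @{n='Created'; e={ $_.InstallDate }}, VolumeName, DeviceObject |
        Sort-Object Created |
        Format-Table -AutoSize
} else {
    # Either System Protection was never enabled, or the ransomware removed the copies.
    Write-Warning 'No shadow copies present; previous versions of files are not available here.'
}

# Restore points (System Protection) are listed separately; CreationTime is a
# DMTF string and is converted to a readable date.
$points = Get-ComputerRestorePoint -ErrorAction SilentlyContinue
if ($points) {
    $points |
        Select-Object SequenceNumber,
            @{n='CreationTime'; e={ [Management.ManagementDateTimeConverter]::ToDateTime($_.CreationTime) }},
            Description |
        Format-Table -AutoSize
} else {
    Write-Warning 'No System Protection restore points found.'
}
```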

    If you've been infected by the Crilock family of ransomware (also called CryptoLocker), you might be able to use the tool mentioned in the MMPC blog:

  • You should contact your bank and your local authorities, such as the police. If you paid with a credit card, your bank may be able to block the transaction and return your money.

    The following government-initiated fraud and scam reporting websites may also help:

    If your country or region isn't listed here, we encourage you to contact your country's federal police or communications authority.

    For general information on what to do if you have paid, see:

  • Your IP address is not usually hidden, and there are lots of tools online that will get it for you. It’s likely they used such a tool.

  • In most instances ransomware is automatically downloaded when you visit a malicious website or a website that's been hacked.

    For other ways malware, including ransomware, gets on your PC, see:

  • You should:

    You can back up your files with a cloud storage service that keeps a history or archive of your files, such as OneDrive, which is now fully integrated into Windows 10, Windows 8.1, and Microsoft Office.

    After you've removed the ransomware infection from your computer, you can restore previous, unencrypted versions of your Office files using "version history".

    See the question "How do I get my files back?" above for more help on how to use this feature in OneDrive.

    For more tips on preventing malware infections, including ransomware infections, see:

  • Microsoft doesn’t recommend you pay the fine. There is no guarantee that paying the ransom will give you access to your files.

    If you've already paid, see the question "What should I do if I've paid?" above.

    How to remove the ransomware depends on what type it is.

    If your web browser is locked

    You can try to unlock your browser by using Task Manager to stop the web browser's process:

    • Open Task Manager. There are a number of ways you can do this:

      • Right-click on an empty space on the taskbar and click Task Manager or Start Task Manager.

      • Press Ctrl+Shift+Esc.

      • Press Ctrl+Alt+Delete.

    • In the list of Applications or Processes, click on the name of your web browser.

    • Click End task. If you are asked if you want to wait for the program to respond, click Close the program.

    • In some workplaces, access to Task Manager may be restricted by your network administrator. Contact your IT department for help.

    When you open your web browser again, you may be asked to restore your session. Do not restore your session or you may end up loading the ransomware again.
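The same "End task" step done from PowerShell, as an added example that is not part of the original page. The list of browser process names is an assumption; add the browser you use if it is not listed.

```powershell
# Added example: end the web browser process without restoring its session,
# the PowerShell equivalent of the Task Manager steps above.
# Assumed process names for common browsers (add yours if it is missing).
$browserNames = @('iexplore', 'chrome', 'firefox', 'opera')

$running = Get-Process -Name $browserNames -ErrorAction SilentlyContinue
if (-not $running) {
    Write-Host 'No known browser process is running.'
    return
}

foreach ($proc in $running) {
    Write-Host ("Ending {0} (PID {1})" -f $proc.ProcessName, $proc.Id)
    # -Force does not wait for the program to respond, which matches choosing
    # "Close the program" in the Task Manager dialog.
    Stop-Process -Id $proc.Id -Force -ErrorAction Stop
}

# Confirm nothing survived; a browser that comes straight back is worth
# investigating with the offline scan steps rather than ending it repeatedly.
Start-Sleep -Seconds 2
$left = Get-Process -Name $browserNames -ErrorAction SilentlyContinue
if ($left) {
    Write-Warning ('Still running: ' + (($left | ForEach-Object ProcessName) -join ', '))
} else {
    Write-Host 'Browser closed. When you reopen it, do not restore the previous session.'
}
```

If your organization restricts Task Manager by policy, PowerShell may be restricted in the same way; the page's advice to contact your IT department applies equally here.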

    See the question “How do I protect myself from ransomware?” above for tips on preventing browser-based ransomware from running on your PC.

    If your PC is locked

    • Method 2: Use Windows Defender Offline

      Because ransomware can lock you out of your PC, you might not be able to download or run the Microsoft Safety Scanner. If that happens, you will need to use the free tool Windows Defender Offline:

      See our advanced troubleshooting page for more help.

    Steps you can take after your PC has been cleaned

    Make sure your PC is protected with antimalware software.

    Microsoft has free security software that you can use:

    If you don't want to use Windows Defender or Microsoft Security Essentials, you can download other security software from another company. Just make sure it is turned on all the time, fully updated, and provides real-time protection.