Ransomware FAQ

Ransomware restricts access to data by encrypting files or locking computer screens. It then attempts to extort money from victims by asking for a "ransom", usually in the form of cryptocurrencies like Bitcoin, in exchange for access to the data.

The trend towards increasingly sophisticated malware behavior, highlighted by the use of exploits and other attack vectors, makes older platforms even more susceptible to ransomware attacks. From June to November 2017, Windows 7 devices were 3.4 times more likely to encounter ransomware compared to Windows 10 devices. Read our latest comprehensive ransomware report:

A worthy upgrade: Next-gen security on Windows 10 proves resilient against ransomware outbreaks in 2017

In Windows 10 Fall Creators Update, we released Windows Defender Exploit Guard, a new set of intrusion prevention capabilities. One of its features, Controlled folder access, stops ransomware in its tracks by preventing unauthorized access to your important files. Controlled folder access locks down folders, allowing only authorized apps to access files. Unauthorized apps, including ransomware and other malicious executable files, DLLs, and scripts, are denied access to those folders.

What does ransomware do?

Most ransomware today encrypt files using known encryption algorithms like RSA or RC4, or custom encryption.

Ransomware like Cerber and Locky search for and encrypt target file types, which are usually document and media files. When the encryption is complete, the malware leaves a ransom note, which can be a text, image, or HTML file with instructions to pay a ransom in order to recover files.

More sophisticated ransomware like Spora, WannaCrypt (also known as WannaCry), and Petya (also referred to as NotPetya) include other capabilities, such as spreading to other computers via network shares or exploits.

On October 24, 2017, a new ransomware called Ransom:Win32/Tibbar.A (also known as Bad Rabbit) was discovered attempting to spread across networks using hardcoded usernames and passwords in brute force attacks.

Older ransomware like Reveton don't encrypt files but instead lock screens. They do this by displaying an image full screen and then disabling Task Manager. Files are safe, but they are effectively inaccessible. The image usually contains a supposed message from law enforcement that the computer has been used in illegal cybercriminal activities and that a fine needs to be paid. Because of this, Reveton is nicknamed "Police Trojan" or "Police ransomware".

How does a ransomware infection occur?

A typical ransomware infection can begin with any of the following vectors:

  • Email messages that carry downloader trojans, which attempt to install ransomware
  • Websites hosting exploit kits that attempt to use vulnerabilities in web browsers and other software to install ransomware

More recent ransomware have worm-like capabilities that enable them to spread to other computers in the network. For instance, Spora drops ransomware copies in network shares. WannaCrypt exploits the Server Message Block (SMB) vulnerability CVE-2017-0144 (also called EternalBlue) to infect other computers. A Petya variant exploits the same vulnerability, in addition to CVE-2017-0145 (also known as EternalRomance), and uses stolen credentials to move laterally across affected networks.

How big is the ransomware problem?

Over the last few years, ransomware has rapidly evolved into one of the most lucrative revenue channels for cybercriminals.

Cybercriminals can launch ransomware attacks using ransomware-as-a-service (RaaS). RaaS is a cybercriminal business model in which malware creators sell their ransomware and other services to cybercriminals, who then operate the ransomware attacks. The business model also defines profit sharing between the malware creators, ransomware operators, and other parties that may be involved. For cybercriminals, ransomware is a lucrative business, at the expense of individuals and businesses.

We observed a downward trend towards the end of 2016, but the number of ransomware in the wild started to pick up again in February 2017. In addition, we're still seeing significant amounts of email that carry ransomware downloaders. A total of 500 million of these emails are sent out every quarter, but many of them are blocked before they can download and execute ransomware.

Figure: Monthly ransomware and ransomware downloader encounters, July 2016 to June 2017

Ransomware is a global problem. The US, China, Russia, Republic of Korea, and Italy saw the most ransomware encounters in the first six months of 2017.

Figure: Geographic distribution of ransomware encounters, January to June 2017

LockScreen (which is a detection for ransomware that run on Android) and Cerber are two of the most widespread ransomware families in the first half of 2017. WannaCrypt, which caused an outbreak affecting out-of-date computers in May 2017, was the third most prominent overall. Spora, a family that emerged in January 2017, immediately became one of the most widespread ransomware families.

Figure: Top ransomware families and top 5 ransomware in top 5 countries, January to June 2017

Details for enterprises and IT professionals

Multiple high-profile incidents have demonstrated that ransomware can affect enterprise networks. Organizations can be targeted specifically by attackers, or they can be caught in the wide net cast by cybercriminal operations. In either case, the impact of ransomware infections in organizations is higher because the value of the files is higher. Attackers take advantage of this and demand bigger ransoms when they hit high-profile targets.

Additionally, malware authors have been extending their code with behaviors that specifically impact organizations. For instance, some ransomware can encrypt files found in enterprise environments, including those on servers and mapped drives. Newer ransomware also includes capabilities to spread using network drives or by exploiting vulnerabilities.

How do I protect my network from ransomware?

We suggest enterprises take an "assume breach" mindset. Protect, contain, and isolate your high value assets.

Back up your most important files regularly. Use the 3-2-1 rule. Use OneDrive for Business to back up files daily. You can use your backup to restore files in the event of an infection. Learn how.

Use Device Guard to lock down devices and provide kernel-level virtualization-based security, allowing only trusted applications to run. This can effectively prevent ransomware and other dangerous software from executing.

Ransomware infections can begin with email messages that carry downloader trojans. Office 365 Advanced Threat Protection has machine learning capability that blocks dangerous email, including the millions of emails carrying ransomware downloaders.

Additionally, educate your employees so they can identify social engineering and spear-phishing attacks.

Some ransomware arrive via exploit kits. Keep your operating system and software up-to-date. Use Microsoft Edge, which can protect against ransomware by preventing exploit kits from running and executing ransomware. Using Microsoft SmartScreen, Microsoft Edge blocks access to malicious websites, such as those hosting exploit kits.

Harden your endpoints with Windows Defender Antivirus, which can detect and block ransomware as well as downloader trojans and exploit kits. To understand how Windows Defender Antivirus can protect your organization, read about how our artificial intelligence infrastructure dynamically stopped the Bad Rabbit ransomware within 14 minutes of the first customer encounter. Additionally, protect internet-facing servers to prevent infection in this attack vector.

How do I detect ransomware in my network?

Enable Windows Defender Antivirus to detect ransomware as well as the exploit kits and trojan downloaders that install them. It uses cloud-based protection, helping to protect you from the latest threats.

Windows Defender Antivirus is built into Windows 10 and, when enabled, provides real-time protection against threats. Keep Windows Defender Antivirus and other software up-to-date to get the latest protection.

How do I respond to ransomware attacks?

Use Windows Defender Advanced Threat Protection (Windows Defender ATP) to rapidly respond to ransomware attacks. Windows Defender ATP alerts security operations teams about suspicious activities. These include alerts for PowerShell command execution, TOR website connection, launching of self-replicated copies, and deletion of volume shadow copies. These are behaviors exhibited by some ransomware families, such as Cerber, and will likely be exhibited by future ransomware. Evaluate Windows Defender ATP free of charge.
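The behaviors listed above can be checked for in ordinary process-creation telemetry. The following added example (not code from the page or from Windows Defender ATP) classifies constructed process events against three of them: shadow copy deletion, PowerShell execution, and a process launching a copy of itself from another directory. The event fields and the sample events are assumptions for illustration.

```python
"""Toy detector for three ransomware behaviors the FAQ names as alert
triggers. Log schema and sample events are constructed, not real telemetry."""
import ntpath
from dataclasses import dataclass


@dataclass
class ProcEvent:
    ts: str
    parent_image: str  # full path of the parent process
    image: str         # full path of the started process
    cmdline: str


# Constructed sample events: one benign launch, then a dropper that copies
# itself, wipes restore points and invokes PowerShell.
SAMPLE_EVENTS = [
    ProcEvent("2017-06-01T09:00:01", r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\notepad.exe", "notepad.exe report.txt"),
    ProcEvent("2017-06-01T09:02:10", r"C:\Users\bob\Downloads\invoice.exe",
              r"C:\Users\bob\AppData\Roaming\invoice.exe", "invoice.exe"),
    ProcEvent("2017-06-01T09:02:12", r"C:\Users\bob\AppData\Roaming\invoice.exe",
              r"C:\Windows\System32\vssadmin.exe",
              "vssadmin.exe Delete Shadows /All /Quiet"),
    ProcEvent("2017-06-01T09:02:13", r"C:\Users\bob\AppData\Roaming\invoice.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -File stage2.ps1"),
]


def classify(ev):
    """Return the behavior labels a single process-creation event matches."""
    hits = []
    name = ntpath.basename(ev.image).lower()
    parent_name = ntpath.basename(ev.parent_image).lower()
    cmd = ev.cmdline.lower()
    # Shadow copy deletion removes the local restore points a victim would use.
    if (name == "vssadmin.exe" and "delete" in cmd and "shadows" in cmd) or \
       (name == "wmic.exe" and "shadowcopy" in cmd and "delete" in cmd):
        hits.append("shadow_copy_deletion")
    if name == "powershell.exe":
        hits.append("powershell_execution")
    # Self-replication: same executable name, launched from a different folder.
    if name == parent_name and \
       ntpath.dirname(ev.image).lower() != ntpath.dirname(ev.parent_image).lower():
        hits.append("self_replicated_copy")
    return hits


def triage(events):
    """Group labels by parent process name; one parent chaining several
    behaviors is the pattern that should page the SOC, not a lone hit."""
    findings = {}
    for ev in events:
        for label in classify(ev):
            findings.setdefault(ntpath.basename(ev.parent_image).lower(), set()).add(label)
    return {k: sorted(v) for k, v in findings.items()}
```

Running `triage(SAMPLE_EVENTS)` attributes all three behaviors to `invoice.exe`, while the benign notepad launch produces no finding.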

Details for home users: Frequently asked questions

Ransomware can prevent you from accessing your documents, photos, and other important files. Ransomware can employ pesky social engineering tactics to pressure you to pay the ransom. Some ransomware, for instance, display a countdown showing the time you have left to pay the ransom. Some ransomware even play an audio file, informing you about the infection and what to do to get access to files.

How did ransomware get onto my PC?

Here are ways in which ransomware can infect your computer:

  • Via email: Ransomware may be installed by downloader trojans attached to spam emails. These email messages employ various social engineering techniques to get you to open the attachment. They can pretend to be credit card bills, job applications, or documents from someone important. If you open the attachment, it installs ransomware on your computer.
  • From the web: Ransomware may also be downloaded automatically when you visit certain sites. These sites contain malicious code known as exploit kits, which take advantage of outdated software to install ransomware on your computer.

If you suspect that you have ransomware on your PC, you can submit files for analysis.

How do I protect my computer against ransomware?

As with all threats, prevention is key. This is especially true for threats as damaging as ransomware.

You should:

  • Back up your important files regularly. Consider using the 3-2-1 rule: Make three backup copies, store in at least two locations, with at least one offline copy. Use a cloud storage service, like OneDrive, which is fully integrated into Windows 10, to store an archive of your files. You can try to restore your files from backup in the event of a ransomware infection.
  • Install and use an up-to-date antivirus solution. In Windows 10, Windows Defender Antivirus is built in and only needs to be enabled. Learn how.
  • Don’t click links or open attachments on emails from people you don’t know or companies you don’t do business with.
  • Make sure your software is up-to-date to avoid exploits.
  • When browsing the Internet, use Microsoft Edge, which stops exploit kits, blocks pop-ups, and uses Microsoft SmartScreen to block malicious URLs.

For more tips, see: Help prevent malware infection on your PC.

How do I remove ransomware from my PC?

Method 1: Use the Microsoft Safety Scanner in safe mode

Download a copy of the Microsoft Safety Scanner using a clean, non-infected PC. Copy the downloaded file to a blank USB drive or CD, and then insert it into the infected PC.

Try to restart your PC in safe mode.

When you're in safe mode, run the Microsoft Safety Scanner.

Method 2: Use Windows Defender Offline

If you are unable to download or run Microsoft Safety Scanner, use the free standalone tool Windows Defender Offline. Download a copy of Windows Defender Offline using a clean, non-infected PC. Insert a blank USB flash drive or CD into the PC. When you run Windows Defender Offline, you will be prompted to install the tool on the USB flash drive or CD.

Once Windows Defender Offline is installed on the removable media, insert it into the infected PC, then restart. You will then be prompted to run the Windows Defender Offline tool.

See the advanced troubleshooting page for more help.

Should I pay the ransom? How do I get my files back?

Paying the ransom does not guarantee that you will be able to decrypt your files. In some cases, paying the ransom can make you a target for more malware attacks.

Restore from an offline backup

Before you try to restore files, make sure you have removed all ransomware infections from your PC. Use Windows Defender Antivirus to do a full scan of your computer.

You can then try to restore your files from an offline backup.

Restore from OneDrive

If you’re using OneDrive, you can try to restore older versions of your files.

As part of its security features, OneDrive creates an online backup of Microsoft Office files when you save or change the file.

To see if there are older versions of your file, go to OneDrive on the web. Right-click on a file you want to restore and click Version history.

Restore using File History

If you have File History (or System Protection in older Windows versions) enabled, you can try to restore files.

Note, however, that some ransomware also encrypts or deletes backups of your files. This means that even with File History enabled, if it is configured to back up files to a local drive, your backups might be encrypted too. If you have backups on a removable drive or a network drive that wasn't connected when your PC was infected, try to restore from those backups instead.

What should I do if I’ve already paid?

You should contact your bank and your local authorities, such as the police. If you paid with a credit card, your bank may be able to block the transaction and return your money.

The following government-initiated fraud and scam reporting websites may also help:

If your country or region isn't listed here, we encourage you to contact your country's federal police or communications authority.

For general information on what to do if you have paid, read What to do if you are a victim of fraud.
