Ransomware FAQ

Ransomware restricts access to data by encrypting files or locking computer screens. It then attempts to extort money from victims by demanding a "ransom," usually in the form of a cryptocurrency such as Bitcoin, in exchange for restoring access to the data.

Read our latest comprehensive ransomware report: Ransomware 1H 2017 review: Global outbreaks reinforce the value of security hygiene.

In Windows 10 Fall Creators Update, we released Windows Defender Exploit Guard, a new set of intrusion prevention capabilities. One of its features, Controlled folder access, stops ransomware in its tracks by preventing unauthorized access to your important files. Controlled folder access locks down folders, allowing only authorized apps to access the files in them. Unauthorized apps, including ransomware and other malicious executable files, DLLs, and scripts, are denied access to those folders.
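As an added example (not code from the original FAQ), the following PowerShell turns Controlled folder access on in audit mode first, protects an extra folder, allows a trusted app, and reviews the resulting Defender events before enforcing the policy; the folder and application paths are placeholders.

```powershell
# Added example: configure Controlled folder access (Windows Defender Exploit Guard)
# with the Defender cmdlets. Run from an elevated prompt on Windows 10 Fall Creators
# Update or later. 'C:\Finance' and 'C:\Tools\backup.exe' are placeholder paths.

# Step 1: start in AuditMode. Writes to protected folders are only logged, which
# reveals legitimate apps that need an exception before you turn on blocking.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# Step 2: protect folders beyond the defaults (Documents, Pictures, and so on).
Add-MpPreference -ControlledFolderAccessProtectedFolders 'C:\Finance'

# Step 3: allow a trusted app (for example a backup agent) to write to protected folders.
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Tools\backup.exe'

# Step 4: review the audit trail. Event 1124 = audited (would have been blocked),
# event 1123 = blocked, both in the Windows Defender operational log.
function Get-ControlledFolderAccessEvents {
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1123, 1124
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ Name = 'Detail'; Expression = { $_.Message } }
}

Get-ControlledFolderAccessEvents | Format-Table -AutoSize -Wrap

# Step 5: run this only after the audit log shows no legitimate apps being flagged.
Set-MpPreference -EnableControlledFolderAccess Enabled

# Confirm the resulting state and the protected/allowed lists.
Get-MpPreference | Select-Object EnableControlledFolderAccess,
    ControlledFolderAccessProtectedFolders, ControlledFolderAccessAllowedApplications
```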

What does ransomware do?

Most ransomware today encrypts files using well-known algorithms such as RSA or RC4, or using custom encryption schemes.

Ransomware like Cerber and Locky search for and encrypt target file types, which are usually document and media files. When the encryption is complete, the malware leaves a ransom note, which can be a text, image, or HTML file with instructions to pay a ransom in order to recover files.

More sophisticated ransomware like Spora, WannaCrypt (also known as WannaCry), and Petya (also referred to as NotPetya) add malicious behaviors, such as spreading to other computers in the network via network shares or exploits.

On October 24, 2017, a new ransomware called Ransom:Win32/Tibbar.A (also known as Bad Rabbit) was discovered attempting to spread across networks using hardcoded usernames and passwords in brute force attacks.

Older ransomware like Reveton doesn't encrypt files; instead it locks the screen. It does this by displaying a full-screen image and then disabling Task Manager. The files are safe, but effectively they can't be accessed. The image usually contains a supposed message from law enforcement claiming that the computer was used in illegal cybercriminal activities and that a fine must be paid. Because of this, Reveton is nicknamed "Police Trojan" or "Police ransomware."

How does a ransomware infection occur?

A typical ransomware infection can begin with any of the following vectors:

  • Email messages that carry downloader trojans, which attempt to install ransomware
  • Websites hosting exploit kits, which attempt to exploit vulnerabilities in the browser and other software to install ransomware

More recent ransomware has worm-like capabilities that enable it to spread to other computers in the network. For instance, Spora drops ransomware copies in network shares. WannaCrypt exploits the Server Message Block (SMB) vulnerability CVE-2017-0144 (also called EternalBlue) to infect other computers. A Petya variant exploits the same vulnerability, in addition to CVE-2017-0145 (also known as EternalRomance), as well as stolen credentials to move laterally across affected networks.

How big is the ransomware problem?

Over the last few years, ransomware has rapidly evolved into one of the most lucrative revenue channels for cybercriminals.

Cybercriminals can launch ransomware attacks using ransomware-as-a-service (RaaS). RaaS is a cybercriminal business model in which malware creators sell their ransomware and other services to cybercriminals, who then operate the ransomware attacks. The business model also defines profit sharing between the malware creators, ransomware operators, and other parties that may be involved. For cybercriminals, ransomware is a lucrative business, at the expense of individuals and businesses.

We observed a downward trend towards the end of 2016, but the volume of ransomware in the wild started to pick up again in February 2017. In addition, we're still seeing significant amounts of email that carry ransomware downloaders. A total of 500M of these emails are sent out every quarter, but many of them are blocked before they can download and execute ransomware.

Figure: Monthly ransomware and ransomware downloader encounters, July 2016 - June 2017

Ransomware is a global problem. The US, China, Russia, Republic of Korea, and Italy saw the most ransomware encounters in the first six months of 2017.

Figure: Geographic distribution of ransomware encounters, January-June 2017

LockScreen (a detection name for ransomware on the Android platform) and Cerber were two of the most widespread ransomware families in the first half of 2017. WannaCrypt, which caused an outbreak affecting out-of-date computers in May 2017, was the third most prominent overall. Spora, a family that emerged in January 2017, immediately became one of the most widespread ransomware families.

Figure: Top ransomware families and top 5 ransomware in top 5 countries, January-June 2017

Details for enterprises and IT professionals

Multiple high-profile incidents have demonstrated that ransomware can affect enterprise networks. Organizations can be targeted specifically by attackers, or they can be caught in the wide net cast by cybercriminal operations. In either case, the impact of ransomware infections in organizations is higher, because the value of the files is higher. Attackers take advantage of this and demand bigger ransoms when they hit high-profile targets.

Additionally, malware authors have been adding behaviors to their code that specifically affect organizations. For instance, some ransomware can encrypt files found in enterprise environments, including those on servers and mapped drives. Newer ransomware also adds capabilities to spread using network drives or by exploiting vulnerabilities.

How do I protect my network from ransomware?

We suggest that enterprises adopt the "assume breach" mindset: protect, contain, and isolate your high-value assets.

Back up your most important files regularly. Use the 3-2-1 rule. Use OneDrive for Business to do a daily backup of files. You can use your backup to restore files in the event of an infection. Learn how.

Use Device Guard to lock down devices and provide kernel-level virtualization-based security, allowing only trusted applications to run. This can effectively prevent ransomware and other dangerous software from executing.

Ransomware infections can begin with email messages that carry downloader trojans. Office 365 Advanced Threat Protection has machine learning capabilities that block dangerous email threats, such as the millions of emails carrying ransomware downloaders that spam campaigns send.

Additionally, educate your employees so they can identify social engineering and spear-phishing attacks.

Some ransomware arrive via exploit kits. Keep your operating system and software up-to-date. Use Microsoft Edge, which can protect against ransomware by preventing exploit kits from running and executing ransomware. Using Microsoft SmartScreen, Microsoft Edge blocks access to malicious websites, such as those hosting exploit kits.

Harden your endpoints with Windows Defender Antivirus, which can block ransomware from running by detecting downloader trojans and exploit kits. Additionally, protect Internet-facing servers to prevent infection in this attack vector.

How do I detect ransomware in my network?

Enable Windows Defender Antivirus to detect ransomware, as well as the exploit kits and trojan downloaders that install them. It uses cloud-based protection, helping to protect you from the latest threats.

Windows Defender Antivirus is built into Windows 10 and, when enabled, provides real-time protection against threats. Keep Windows Defender Antivirus and other software up-to-date to get the latest protection.

How do I respond to ransomware attacks?

Use Windows Defender Advanced Threat Protection (Windows Defender ATP) to rapidly respond to ransomware attacks. Windows Defender ATP alerts security operations teams about suspicious activities. These include alerts for PowerShell command execution, connections to TOR websites, the launch of self-replicating copies, and deletion of volume shadow copies. These are behaviors exhibited by some ransomware families, such as Cerber, and could be observed in ransomware in the future. Evaluate Windows Defender ATP free of charge.
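The volume shadow copy deletion behavior mentioned above is one a security operations team can also flag on its own telemetry. As an added example (not from the original FAQ or from Windows Defender ATP), the PowerShell below matches process command lines against the two built-in Windows tools used to delete shadow copies, run over constructed sample events; the live-data snippet at the end assumes process creation auditing with command lines enabled.

```powershell
# Added example: detect shadow copy deletion in process-creation telemetry.
# The sample events below are constructed for this example.

function Test-ShadowCopyDeletion {
    param([Parameter(Mandatory)][string]$CommandLine)
    # Deleting shadow copies through vssadmin or wmic destroys the restore
    # points a victim would otherwise use to recover files without paying.
    $patterns = @(
        'vssadmin(\.exe)?\s+delete\s+shadows',
        'wmic(\.exe)?\s+shadowcopy\s+delete'
    )
    foreach ($p in $patterns) {
        if ($CommandLine -imatch $p) { return $true }
    }
    return $false
}

# Constructed sample telemetry with the fields a process-creation event carries.
# Listing shadows and running a backup are benign admin activity and must not alert.
$sampleEvents = @(
    [pscustomobject]@{ Host = 'WS01'; Parent = 'explorer.exe';    CommandLine = '"C:\Windows\System32\vssadmin.exe" list shadows' },
    [pscustomobject]@{ Host = 'WS01'; Parent = 'unknown.exe';     CommandLine = 'vssadmin.exe Delete Shadows /All /Quiet' },
    [pscustomobject]@{ Host = 'WS02'; Parent = 'cmd.exe';         CommandLine = 'wmic shadowcopy delete' },
    [pscustomobject]@{ Host = 'WS02'; Parent = 'backupagent.exe'; CommandLine = 'wbadmin start backup -backupTarget:E:' }
)

$hits = $sampleEvents | Where-Object { Test-ShadowCopyDeletion $_.CommandLine }
$hits | Format-Table Host, Parent, CommandLine -AutoSize

# Against live data (assumption: "Audit Process Creation" and "Include command line
# in process creation events" are enabled so Security event 4688 carries the command line):
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } |
#     Where-Object { Test-ShadowCopyDeletion $_.Message }
```

The parent process of a hit is what separates an administrator's scripted cleanup from ransomware: the same command launched by an unknown or freshly dropped binary deserves an immediate response.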

Details for home users: Frequently asked questions

Ransomware can prevent you from accessing your documents, photos, and other important files. Ransomware can employ pesky social engineering tactics to pressure you to pay the ransom. Some ransomware, for instance, use a timer that counts down the time you have left to pay the ransom. Some ransomware even play an audio file, informing you about the infection and what to do to get access to files.

How did ransomware get in my PC?

Here are ways in which ransomware can infect your computer:

  • Via email: Ransomware may be installed by downloader trojans attached to spam emails. These email messages employ various social engineering techniques to get you to open the attachment. They can pretend to be credit card bills, job applications, or documents from someone important. If you open the attachment, it installs ransomware on your computer.
  • From the web: Ransomware may also be downloaded automatically when you visit certain sites. These sites contain malicious code known as exploit kits, which take advantage of outdated software to install ransomware on your computer.

If you suspect that you have ransomware on your PC, you can submit files for analysis.

How do I protect my computer against ransomware?

As with all threats, prevention is key. This is especially true for malware as damaging as ransomware.

You should:

  • Back up your important files regularly. Consider using the 3-2-1 rule: Make three backup copies, store in at least two locations, with at least one offline copy. Use a cloud storage service, like OneDrive, which is fully integrated into Windows 10, to store an archive of your files. You can try to restore your files from backup in the event of a ransomware infection.
  • Install and use an up-to-date antivirus solution. In Windows 10, Windows Defender Antivirus is built in and needs only to be enabled. Learn how.
  • Don’t click links or open attachments or emails from people you don’t know or companies you don’t do business with.
  • Make sure your software is up-to-date to avoid exploits.
  • When browsing the Internet, use Microsoft Edge, which stops exploit kits, blocks pop-ups, and uses Microsoft SmartScreen to block malicious URLs.

For more tips, see: Help prevent malware infection on your PC.

How do I remove ransomware from my PC?

Method 1: Use the Microsoft Safety Scanner in safe mode

Download a copy of the Microsoft Safety Scanner using a clean, non-infected PC. Copy the downloaded file to a blank USB drive or CD, and then insert it into the infected PC.

Try to restart your PC in safe mode.

When you're in safe mode, run the Microsoft Safety Scanner.

Method 2: Use Windows Defender Offline

If you are unable to download or run Microsoft Safety Scanner, use the free standalone tool Windows Defender Offline. Download a copy of Windows Defender Offline using a clean, non-infected PC. Insert a blank USB flash drive or CD into the PC. When you run Windows Defender Offline, you will be prompted to install the tool on the USB flash drive or CD.

Once Windows Defender Offline is installed on the removable media, insert it into the infected PC, then restart. You will then be prompted to run the Windows Defender Offline tool.

See advanced troubleshooting page for more help.

Should I pay the ransom? How do I get my files back?

Paying the ransom does not guarantee that you will be able to decrypt your files. In some cases, paying the ransom can make you a target for more malware attacks.

Restore from an offline backup

Before you try to restore files, make sure you have removed all ransomware infections from your PC. Use Windows Defender Antivirus to do a full scan of your computer.

You can then try to restore your files from an offline backup.

Restore from OneDrive

If you’re using OneDrive, you can try to restore older versions of your files.

As part of its security features, OneDrive creates an online backup of Microsoft Office files when you save or change the file.

To see if there are older versions of your file, go to OneDrive on the web. Right-click on a file you want to restore and click Version history.

Restore using File History

If you have File History (or System Protection in older Windows versions) enabled, you can try to restore files.

Note, however, that some ransomware also encrypts or deletes backups of your files. This means that if File History is enabled but the backup destination is on the infected PC itself, your backups might be encrypted too. If you backed up to a removable drive or a network drive that wasn't connected when your PC was infected, try to restore from that backup instead.

What should I do if I’ve already paid?

You should contact your bank and your local authorities, such as the police. If you paid with a credit card, your bank may be able to block the transaction and return your money.

The following government-initiated fraud and scam reporting websites may also help:

If your country or region isn't listed here, we encourage you to contact your country's federal police or communications authority.

For general information on what to do if you have paid, see: What to do if you are a victim of fraud.
