Microsoft Malware Protection Center (MMPC) is now Windows Defender Security Intelligence (WDSI). Watch for more information about threats and about protecting you and your Windows computer.
Ransomware restricts access to data by encrypting files or locking computer screens. It then attempts to extort money from victims by asking for "ransom," usually in cryptocurrencies like Bitcoin, in exchange for access to data.
What does ransomware do?
Most ransomware today encrypts files using known algorithms such as RSA or RC4, or using custom encryption. The usual construction is hybrid: each file is encrypted with a symmetric key, and that key is in turn encrypted with an RSA public key embedded in the malware, while the matching private key stays with the attacker. When the scheme is implemented correctly, this is what makes recovery impossible without the attacker's private key; only families with flawed custom encryption have been decrypted independently.
Ransomware like Cerber and Locky search for and encrypt target file types, which are usually document and media files. When the encryption is complete, the malware leaves a ransom note, which can be a text, image, or HTML file with instructions to pay a ransom in order to recover files.
More sophisticated ransomware like Spora, WannaCrypt, and Petya add malicious behaviors, such as spreading to other computers in the network via network shares or exploits.
Older ransomware like Reveton doesn't encrypt files but locks screens. It does this by displaying an image on full screen and then disabling Task Manager. Files are safe, but effectively they can't be accessed. The image usually contains a supposed message from law enforcement that the computer was used in illegal cybercriminal activities and that a fine must be paid. Because of this, Reveton is nicknamed "Police Trojan" or "Police ransomware."
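The file-level footprint described above (one process rewriting many document and media files to a new extension in a short burst, then dropping ransom notes in the same folders) is something a defender can look for in file-activity telemetry. The following Python is an added example and is not Microsoft's code or Windows Defender's detection logic; the event line format, the extension lists, the ransom-note name pattern, the 60-second window and the five-file threshold are all constructed assumptions for this illustration, as is the sample activity.

```python
"""Heuristic detector for ransomware-style mass file rewriting.

Added example; not Windows Defender's detection logic. Event line format
'<iso-time> <pid> <op> <path>[ -> <newpath>]' is constructed for this example
(paths must not contain spaces for this simple parser)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Document and media types that Cerber- and Locky-style ransomware targets.
TARGET_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".jpg", ".png", ".mp3"}
# Ransom notes are text, image or HTML files named to be read first.
# Both the name pattern and the extension list are assumptions.
NOTE_NAME_RE = re.compile(r"decrypt|recover|restore|help|readme", re.IGNORECASE)
NOTE_EXTENSIONS = {".txt", ".html", ".hta", ".png", ".bmp"}
WINDOW = timedelta(seconds=60)   # assumption: burst window
MIN_REWRITES = 5                 # assumption: rewrites within WINDOW to alert

# Constructed sample: pid 4120 behaves like ransomware, pid 8800 is a normal
# Word save, pid 2200 is an archiver renaming files slowly over hours.
SAMPLE_EVENTS = [
    r"2017-05-12T10:00:01 4120 RENAME C:\Users\a\Documents\q1.docx -> C:\Users\a\Documents\q1.docx.locked",
    r"2017-05-12T10:00:02 4120 RENAME C:\Users\a\Documents\q2.xlsx -> C:\Users\a\Documents\q2.xlsx.locked",
    r"2017-05-12T10:00:03 4120 RENAME C:\Users\a\Documents\plan.pdf -> C:\Users\a\Documents\plan.pdf.locked",
    r"2017-05-12T10:00:04 4120 RENAME C:\Users\a\Pictures\p1.jpg -> C:\Users\a\Pictures\p1.jpg.locked",
    r"2017-05-12T10:00:05 4120 RENAME C:\Users\a\Pictures\p2.png -> C:\Users\a\Pictures\p2.png.locked",
    r"2017-05-12T10:00:06 4120 RENAME C:\Users\a\Music\s1.mp3 -> C:\Users\a\Music\s1.mp3.locked",
    r"2017-05-12T10:00:07 4120 CREATE C:\Users\a\Documents\_HELP_RECOVER_FILES_.html",
    r"2017-05-12T10:00:08 4120 CREATE C:\Users\a\Pictures\_HELP_RECOVER_FILES_.html",
    r"2017-05-12T10:03:00 8800 RENAME C:\Users\a\Documents\~WRL0001.tmp -> C:\Users\a\Documents\report.docx",
    r"2017-05-12T09:00:00 2200 RENAME D:\Archive\a.doc -> D:\Archive\a.doc.bak",
    r"2017-05-12T09:30:00 2200 RENAME D:\Archive\b.doc -> D:\Archive\b.doc.bak",
    r"2017-05-12T10:00:00 2200 RENAME D:\Archive\c.doc -> D:\Archive\c.doc.bak",
    r"2017-05-12T10:30:00 2200 RENAME D:\Archive\d.doc -> D:\Archive\d.doc.bak",
    r"2017-05-12T11:00:00 2200 RENAME D:\Archive\e.doc -> D:\Archive\e.doc.bak",
]


def parse_event(line):
    """Parse one constructed event line into a dict."""
    ts, pid, op, rest = line.split(" ", 3)
    src, _, dst = rest.partition(" -> ")
    return {"ts": datetime.fromisoformat(ts), "pid": pid, "op": op,
            "src": src, "dst": dst or None}


def is_rewrite(ev):
    """A rename that turns a targeted document into a file with a foreign extension."""
    if ev["op"] != "RENAME" or not ev["dst"]:
        return False
    src, dst = PureWindowsPath(ev["src"]), PureWindowsPath(ev["dst"])
    return (src.suffix.lower() in TARGET_EXTENSIONS
            and dst.suffix.lower() not in TARGET_EXTENSIONS)


def is_ransom_note(ev):
    """A newly created text/image/HTML file whose name looks like a ransom note."""
    p = PureWindowsPath(ev["src"])
    return (ev["op"] == "CREATE" and p.suffix.lower() in NOTE_EXTENSIONS
            and NOTE_NAME_RE.search(p.stem) is not None)


def detect(events):
    """Return {pid: {"rewrites": n, "notes": [paths]}} for every process that
    rewrote at least MIN_REWRITES targeted files within WINDOW."""
    rewrites, notes = defaultdict(list), defaultdict(list)
    for ev in events:
        if is_rewrite(ev):
            rewrites[ev["pid"]].append(ev["ts"])
        elif is_ransom_note(ev):
            notes[ev["pid"]].append(ev["src"])
    findings = {}
    for pid, times in rewrites.items():
        times.sort()
        # Sliding window: alert if MIN_REWRITES rewrites fall inside WINDOW.
        for i in range(len(times) - MIN_REWRITES + 1):
            if times[i + MIN_REWRITES - 1] - times[i] <= WINDOW:
                findings[pid] = {"rewrites": len(times), "notes": notes.get(pid, [])}
                break
    return findings


def run_sample():
    """Run the detector over the constructed sample; only pid 4120 should be flagged."""
    return detect(parse_event(line) for line in SAMPLE_EVENTS)


if __name__ == "__main__":
    print(run_sample())
```

The slow archiver (pid 2200) renames the same kind of files but never five within a minute, and the Word save (pid 8800) renames a temporary file into a document rather than the other way round, so neither is reported; the ransom-note check is attached to a burst rather than used on its own because ordinary software creates files named "help" or "readme" all the time.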
How does a ransomware infection occur?
A typical ransomware infection can begin with any of the following vectors:
More recent ransomware has worm-like capabilities that enable it to spread to other computers in the network. For instance, Spora drops ransomware copies in network shares. WannaCrypt exploits the Server Message Block (SMB) vulnerability CVE-2017-0144 (also called EternalBlue) to infect other computers. A Petya variant exploits the same vulnerability, in addition to CVE-2017-0145 (also known as EternalRomance), as well as stolen credentials to move laterally across affected networks. Both SMB vulnerabilities are fixed by security update MS17-010; computers that have not installed it, or that still have SMBv1 enabled, remain exposed to this kind of spread.
How big is the ransomware problem?
Cybercriminals can launch ransomware attacks using ransomware-as-a-service (RaaS). RaaS is a business model in the cybercriminal underground in which malware creators sell their ransomware and other services to cybercriminals, who then operate the attacks.
The business model also defines profit sharing between the malware creators, ransomware operators, and other parties that may be involved. For cybercriminals, ransomware is a lucrative business, at the expense of individuals and businesses.
After exploding in the past couple of years, ransomware encounters seem to have begun to decline. However, this trend does not reflect a drop in the email and exploit kit campaigns that try to install ransomware on computers. Rather, it is a sign of better blocking of attacks by security software like Windows Defender Antivirus. All in all, millions of computers still encountered ransomware in 2016.
We're still seeing significant amounts of email that carry ransomware downloaders. A total of 500 million of these emails are sent out every quarter. The email attachments reach millions of computers, but many of them are blocked from downloading and executing ransomware.
Ransomware is a global problem. The US, Italy, Russia, Korea, and Spain saw the most ransomware encounters in 2016.
In 2016, we tracked over 200 ransomware families. Over half of these families were discovered only in 2016, which means that cybercriminals are constantly releasing new ransomware in the wild. Cerber and Locky were the most prominent ransomware families in 2016.
Top ransomware families
To know more about the latest ransomware, read the following entries on the Windows Security blog:
Details for enterprises and IT professionals
Multiple high-profile incidents have demonstrated that ransomware can affect enterprise networks. Organizations can be targeted specifically by attackers, or they can be caught in the wide net cast by cybercriminal operations. In any case, the impact of ransomware infections in organizations is higher, because the value of files is higher. Attackers can take advantage of this and demand bigger ransoms when they hit high-profile targets.
Additionally, malware authors have been adding behaviors to their code that are specifically damaging to organizations. For instance, some ransomware can encrypt files found in enterprise environments, including those on servers and mapped drives. Newer ransomware also adds capabilities to spread using network drives or by exploiting vulnerabilities.
How do I protect my network from ransomware?
We suggest that enterprises adopt the "assume breach" mindset. Protect, contain, and isolate your high-value assets.
Back up your most important files regularly. Use the 3-2-1 rule: keep three copies of your data, on two different media, with one copy off-site. Keep at least one copy offline or otherwise unreachable from the network, because ransomware also encrypts backups it can reach. Use OneDrive for Business to do a daily backup of files. You can use your backup to restore files in the event of an infection. Learn how.
Use Device Guard to lock down devices and provide kernel-level virtualization-based security, allowing only trusted applications to run. This can effectively prevent ransomware and other dangerous software from executing.
Ransomware infections can begin with email messages that carry downloader trojans. Use Office 365 Advanced Threat Protection, which has machine learning capabilities that block dangerous email threats, such as the millions of emails carrying ransomware downloaders that spam campaigns send.
Additionally, educate your employees so they can identify social engineering and spear-phishing attacks.
Some ransomware arrive via exploit kits. Keep your operating system and software up-to-date. Use Microsoft Edge, which can protect against ransomware by preventing exploit kits from running and executing ransomware. Using Microsoft SmartScreen, Microsoft Edge blocks access to malicious websites, such as those hosting exploit kits.
Harden your endpoints with Windows Defender Antivirus, which can block ransomware from running by detecting downloader trojans and exploit kits. Additionally, protect Internet-facing servers to close off this attack vector.
How do I detect ransomware in my network?
Enable Windows Defender Antivirus to detect ransomware, as well as the exploit kits and trojan downloaders that install them. It uses cloud-based protection, helping to protect you from the latest threats.
Windows Defender Antivirus is built into Windows 10 and, when enabled, provides real-time protection against threats. Keep Windows Defender Antivirus and other software up-to-date to get the latest protection.
How do I respond to ransomware attacks?
Use Windows Defender Advanced Threat Protection (Windows Defender ATP) to rapidly respond to ransomware attacks. Windows Defender ATP alerts security operations teams about suspicious activities. These include alerts for PowerShell command execution, TOR website connections, launching of self-replicated copies, and deletion of volume shadow copies. These are behaviors exhibited by some ransomware families, such as Cerber, and may be observed in future ransomware as well. Evaluate Windows Defender ATP free of charge.
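The four behaviors listed above are individually noisy (administrators run PowerShell and backup agents delete shadow copies), so a response team normally correlates them per process before alerting. The following Python is an added example and is not Microsoft's code or Windows Defender ATP's detection logic; the event line format, the regular expressions, the Tor port list, the two-indicator threshold and the sample telemetry are all constructed assumptions for this illustration.

```python
"""Per-process correlation of ransomware behaviors over constructed telemetry.

Added example; not Windows Defender ATP's rules. Event line format is
'<type>|<pid>|<ppid>|<image>|<detail>' where detail is the command line for
PROCESS, 'host:port' for NETWORK (IPv4 only) and the written path for FILE."""
import re
from collections import defaultdict

# Shadow-copy and backup-catalog deletion commands; assumption: this list.
SHADOW_DELETE_RE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows"
    r"|wmic(\.exe)?\s+shadowcopy\s+delete"
    r"|wbadmin(\.exe)?\s+delete\s+catalog",
    re.IGNORECASE,
)
# PowerShell launched with an encoded command; assumption: these switches.
ENCODED_PS_RE = re.compile(r"\s-(e|ec|enc|encodedcommand)\s", re.IGNORECASE)
# Assumption: common Tor relay and SOCKS ports.
TOR_PORTS = {9001, 9030, 9050, 9150}

# Constructed sample: pid 4120 (svc32.exe) spawns vssadmin and encoded
# PowerShell, connects to a Tor port, and copies itself to a network share.
# pid 912 and pid 7788 are benign noise. 203.0.113.0/24 is a documentation range.
SAMPLE_LINES = [
    r"PROCESS|5112|4120|C:\Windows\System32\vssadmin.exe|vssadmin.exe Delete Shadows /All /Quiet",
    r"PROCESS|5140|4120|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -nop -w hidden -enc SQBFAFgA",
    r"NETWORK|4120|3300|C:\Users\a\AppData\Local\Temp\svc32.exe|203.0.113.5:9001",
    r"FILE|4120|3300|C:\Users\a\AppData\Local\Temp\svc32.exe|\\FILESRV\Public\svc32.exe",
    r"PROCESS|6000|912|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1",
    r"NETWORK|912|4|C:\Windows\System32\svchost.exe|203.0.113.9:443",
    r"FILE|7788|912|C:\Program Files\Backup\backup.exe|D:\Backups\2017-05-12.vhdx",
]


def parse_event(line):
    etype, pid, ppid, image, detail = line.split("|", 4)
    return {"type": etype, "pid": pid, "ppid": ppid, "image": image, "detail": detail}


def indicators_for(ev):
    """Yield the names of indicators triggered by a single event."""
    img = ev["image"].lower()
    detail = ev["detail"]
    if ev["type"] == "PROCESS":
        if SHADOW_DELETE_RE.search(detail):
            yield "shadow_copy_deletion"
        if img.endswith("powershell.exe") and ENCODED_PS_RE.search(f" {detail} "):
            yield "encoded_powershell"
    elif ev["type"] == "NETWORK":
        host, _, port = detail.rpartition(":")
        if host.lower().endswith(".onion") or int(port) in TOR_PORTS:
            yield "tor_connection"
    elif ev["type"] == "FILE":
        # Self-replication: the process writes a file carrying its own
        # image name to a different location (here a network share).
        own_name = img.rsplit("\\", 1)[-1]
        written = detail.lower()
        if written.rsplit("\\", 1)[-1] == own_name and written != img:
            yield "self_replication"


def actor_of(ev):
    """Attribute a PROCESS event to the parent that launched the command,
    and NETWORK/FILE events to the acting process itself."""
    return ev["ppid"] if ev["type"] == "PROCESS" else ev["pid"]


def correlate(events, min_indicators=2):
    """Return {pid: [indicator names]} for processes showing at least
    min_indicators distinct behaviors."""
    hits = defaultdict(set)
    for ev in events:
        for name in indicators_for(ev):
            hits[actor_of(ev)].add(name)
    return {pid: sorted(names) for pid, names in hits.items()
            if len(names) >= min_indicators}


def run_sample():
    """Correlate the constructed sample; only pid 4120 should be reported."""
    return correlate(parse_event(line) for line in SAMPLE_LINES)


if __name__ == "__main__":
    print(run_sample())
```

Attributing a child command to its parent is what makes the correlation work: the shadow-copy deletion is executed by vssadmin.exe, but the process worth isolating is the one that launched it. Raising min_indicators trades missed detections for fewer false alarms from legitimate backup software, which routinely deletes shadow copies on its own.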
Details for home users: Frequently asked questions
Ransomware can prevent you from accessing your documents, photos, and other important files. Ransomware can employ pesky social engineering tactics to pressure you to pay the ransom. Some ransomware, for instance, use a timer that counts down the time you have left to pay the ransom. Some ransomware even play an audio file, informing you about the infection and what to do to get access to files.
How did ransomware get in my PC?
Here are ways in which ransomware can infect your computer:
If you suspect that you have ransomware on your PC, you can submit files for analysis.
How do I protect my computer against ransomware?
As with all threats, prevention is key. This is especially true for malware as damaging as ransomware.
For more tips, see: Help prevent malware infection on your PC.
How do I remove ransomware from my PC?
Method 1: Use the Microsoft Safety Scanner in safe mode
Download a copy of the Microsoft Safety Scanner using a clean, non-infected PC. Copy the downloaded file to a blank USB drive or CD, and then insert it into the infected PC.
Try to restart your PC in safe mode:
When you're in safe mode, run the Microsoft Safety Scanner.
Method 2: Use Windows Defender Offline
If you are unable to download or run Microsoft Safety Scanner, use the free standalone tool Windows Defender Offline. Download a copy of Windows Defender Offline using a clean, non-infected PC. Insert a blank USB flash drive or CD into the PC. When you run Windows Defender Offline, you will be prompted to install the tool on the USB flash drive or CD.
Once Windows Defender Offline is installed on the removable media, insert it into the infected PC, then restart. You will then be prompted to run the Windows Defender Offline tool.
Should I pay the ransom? How do I get my files back?
Paying the ransom does not guarantee that you will be able to decrypt your files. In some cases, paying the ransom can make you a target for more malware attacks.
Restore from an offline backup
Before you try to restore files, make sure you have removed all ransomware infections from your PC. Use Windows Defender Antivirus to do a full scan of your computer.
You can then try to restore your files from an offline backup.
Restore from OneDrive
If you’re using OneDrive, you can try to restore older versions of your files.
As part of its security features, OneDrive creates an online backup of Microsoft Office files when you save or change the file.
To see if there are older versions of your file, go to OneDrive on the web. Right-click on a file you want to restore and click Version history.
Restore using File History
If you have File History (or System Protection in older Windows versions) enabled, you can try to restore files.
Note, however, that some ransomware also encrypt or delete backups of your files. This means that even if you have File History enabled, your backups might be encrypted if the backup target is a drive that was connected to your PC at the time of infection. If you backed up to a removable drive or a network drive that wasn't connected when your PC was infected, try to restore from that backup instead.
What should I do if I’ve already paid?
You should contact your bank and your local authorities, such as the police. If you paid with a credit card, your bank may be able to block the transaction and return your money.
The following government-initiated fraud and scam reporting websites may also help:
If your country or region isn't listed here, we encourage you to contact your country's federal police or communications authority.
For general information on what to do if you have paid, see: What to do if you are a victim of fraud.