Warning message... Link to action
Read our in-depth analysis of a new high-volume campaign that marked the resurgence of notorious malware-as-a-service Hawkeye Keylogger. Read the blog post
Ransomware restricts access to data by encrypting files or locking computer screens. It then attempts to extort money from victims by asking for "ransom", usually in form of cryptocurrencies like Bitcoin, in exchange for access to data.
The trend towards increasingly sophisticated malware behavior, highlighted by the use of exploits and other attack vectors, makes older platforms so much more susceptible to ransomware attacks. From June to November 2017, Windows 7 devices were 3.4 times more likely to encounter ransomware compared to Windows 10 devices. Read our latest comprehensive ransomware report:
In Windows 10 Fall Creators Update, we released Windows Defender Exploit Guard, new set of intrusion prevention capabilities. One of its features, Controlled folder access, stops ransomware in its tracks by preventing unauthorized access to your important files. Controlled folder access locks down folders, allowing only authorized apps to access files. Unauthorized apps, including ransomware and other malicious executable files, DLLs, and scripts are denied access to folders.
What does ransomware do?
Most ransomware today encrypt files using known encryption algorithms like RSA or RC4, or custom encryption.
Ransomware like Cerber and Locky search for and encrypt target file types, which are usually document and media files. When the encryption is complete, the malware leaves a ransom note, which can be a text, image, or HTML file with instructions to pay a ransom in order to recover files.
More sophisticated ransomware like Spora, WannaCrypt (also known as WannaCry), and Petya (also referred to as NotPetya) include other capabilities, such as spreading to other computers via network shares or exploits.
On October 24, 2017 a new ransomware called Ransom:Win32/Tibbar.A (also known as Bad Rabbit) was discovered attempting to spread across networks using hardcoded usernames and passwords in brute force attacks.
Older ransomware like Reveton don't encrypt files but instead lock screens. They do this by displaying an image full screen and then disabling Task Manager. Files are safe, but they are effectively inaccessible. The image usually contains a supposed message from law enforcement that the computer has been used in illegal cybercriminal activities and that a fine needs to be paid. Because of this, Reveton is nicknamed "Police Trojan" or "Police ransomware".
How does a ransomware infection occur?
A typical ransomware infection can begin with any of the following vectors:
More recent ransomware have worm-like capabilities that enable them to spread to other computers in the network. For instance, Spora drops ransomware copies in network shares. WannaCrypt exploits the Server Message Block (SMB) vulnerability CVE-2017-0144 (also called EternalBlue) to infect other computers. A Petya variant exploits the same vulnerability, in addition to CVE-2017-0145 (also known as EternalRomance), and uses stolen credentials to move laterally across affected networks.
How big is the ransomware problem?
Over the last few years, ransomware has rapidly evolved into one of the most lucrative revenue channels for cybercriminals.
Cybercriminals can launch ransomware attacks using ransomware-as-a-service (RaaS). RaaS is a cybercriminal business model in which malware creators sell their ransomware and other services to cybercriminals, who then operate the ransomware attacks. The business model also defines profit sharing between the malware creators, ransomware operators, and other parties that may be involved. For cybercriminals, ransomware is a lucrative business, at the expense of individuals and businesses.
We observed a downward trend towards the end of 2016, but the number of ransomware in the wild started to pick up again in February 2017. In addition, we’re still seeing significant amounts of email that carry ransomware downloaders. A total of 500M of these emails are being sent out every quarter, but a lot of them are blocked from downloading and executing ransomware.
Ransomware is a global problem. The US, China, Russia, Republic of Korea, and Italy saw the most ransomware encounters in the first six months of 2017.
LockScreen (which is a detection for ransomware that run on Android) and Cerber are two of the most widespread ransomware families in the first half of 2017. WannaCrypt, which caused an outbreak affecting out-of-date computers in May 2017, was the third most prominent overall. Spora, a family that emerged in January 2017, immediately became one of the most widespread ransomware families.
Top ransomware families
To know more about the latest ransomware, read the following posts on the Windows Security blog:
Details for enterprises and IT professionals
Multiple high-profile incidents have demonstrated that ransomware can affect enterprise networks. Organizations can be targeted specifically by attackers, or they can be caught in the wide net cast by cybercriminal operations. In any case, the impact of ransomware infections in organizations is higher because the value of files is higher. Attackers can take advantage of this and can demand for bigger ransom when they hit high profile targets.
Additionally, malware authors have been innovating their malware code to include behavior that are impacting organizations. For instance, some ransomware can encrypt files found in enterprise environments, including those found in servers and mapped drives. Newer ransomware also include capabilities to spread using network drives or by exploiting vulnerabilities.
How do I protect my network from ransomware?
We suggest enterprises take an "assume breach" mindset. Protect, contain, and isolate your high value assets.
Back up your most important files regularly. Use the 3-2-1 rule. Use OneDrive for Business to back up files daily. You can use your backup to restore files in the event of an infection. Learn how.
Use Device Guard to lock down devices and provide kernel-level virtualization-based security, allowing only trusted applications to run. This can effectively prevent ransomware and other dangerous software from executing.
Ransomware infections can begin with email messages that carry downloader trojans. Office 365 Advanced Threat Protection has machine learning capability that blocks dangerous email, including the millions of emails carrying ransomware downloaders.
Additionally, educate your employees so they can identify social engineering and spear-phishing attacks.
Some ransomware arrive via exploit kits. Keep your operating system and software up-to-date. Use Microsoft Edge, which can protect against ransomware by preventing exploit kits from running and executing ransomware. Using Microsoft SmartScreen, Microsoft Edge blocks access to malicious websites, such as those hosting exploit kits.
Harden your endpoints with Windows Defender Antivirus, which can detect and block ransomware as well as downloader trojans and exploit kits. To understand how Windows Defender Antivirus can protect your organization, read about how our artificial intelligence infrastructure dynamically stopped the Bad Rabbit ransomware within 14 minutes of the first customer encounter. Additionally, protect internet-facing servers to prevent infection in this attack vector.
How do I detect ransomware in my network?
Enable Windows Defender Antivirus to detect ransomware as well as the exploit kits and trojan downloaders that install them. It uses cloud-based protection, helping to protect you from the latest threats.
Windows Defender Antivirus is built into Windows 10 and, when enabled, provides real-time protection against threats. Keep Windows Defender Antivirus and other software up-to-date to get the latest protection.
How do I respond to ransomware attacks?
Use Windows Defender Advanced Threat Protection (Windows Defender ATP) to rapidly respond to ransomware attacks. Windows Defender ATP alerts security operations teams about suspicious activities. These include alerts for PowerShell command execution, TOR website connection, launching of self-replicated copies, and deletion of volume shadow copies. These are behaviors exhibited by some ransomware families, such as Cerber, and will likely be exhibited by future ransomware. Evaluate Windows Defender ATP free of charge.
Details for home users: Frequently asked questionsRansomware can prevent you from accessing your documents, photos, and other important files. Ransomware can employ pesky social engineering tactics to pressure you to pay the ransom. Some ransomware, for instance, display a countdown showing the time you have left to pay the ransom. Some ransomware even play an audio file, informing you about the infection and what to do to get access to files.
How did ransomware get in my PC?
Here are ways in which ransomware can infect your computer:
If you suspect that you have ransomware on your PC, you can submit files for analysis.
How do I protect my computer against ransomware?
As with all threats, prevention is key. This is especially true for threats as damaging as ransomware.
For more tips, see: Help prevent malware infection on your PC.
How do I remove ransomware from my PC?
Method 1: Use the Microsoft Safety Scanner in safe mode
Download a copy of the Microsoft Safety Scanner using a clean, non-infected PC. Copy the downloaded file to a blank USB drive or CD, and then insert it into the infected PC.
Try to restart your PC in safe mode:
When you're in safe mode, run the Microsoft Safety Scanner.
Method 2: Use Windows Defender Offline
If you are unable to download or run Microsoft Safety Scanner, use the free standalone tool Windows Defender Offline. Download a copy of Windows Defender Offline using a clean, non-infected PC. Insert a blank USB flash drive or CD into the PC. When you run Windows Defender Offline, you will be prompted to install the tool on the USB flash drive or CD.
Once Windows Defender Online is installed on the removable media, insert it into the infected PC, then restart. You will then be prompted to run the Windows Defender Online tool.
Should I pay the ransom? How do I get my files back?
Paying the ransom does not guarantee that you will be able to decrypt your files. In some cases, paying the ransom can make you a target for more malware attacks.
Restore from an offline backup
Before you try to restore files, make sure you have removed all ransomware infections from your PC. Use Windows Defender Antivirus to do a full scan of your computer.
You can then try to restore your files from an offline backup.
Restore from OneDrive
If you’re using OneDrive, you can try to restore older versions of your files.
As part of its security features, OneDrive creates an online backup of Microsoft Office files when you save or change the file.
To see if there are older versions of your file, go to OneDrive on the web. Right-click on a file you want to restore and click Version history.
Restore using File History
If you have File History (or System Protection in older Windows versions) enabled, you can try to restore files.
Note, however, that some ransomware also encrypt or delete backups of your files. This means that even if you have File History enabled, but you have configured it to back up files on a local drive, your backups might be encrypted. If you have backups on a removable drive or a network drive that wasn’t connected when your PC was infected, try to restore from those backups instead.
What should I do if I’ve already paid?
You should contact your bank and your local authorities, such as the police. If you paid with a credit card, your bank may be able to block the transaction and return your money.
The following government-initiated fraud and scam reporting websites may also help:
If your country or region isn't listed here, we encourage you to contact your country's federal police or communications authority.
For general information on what to do if you have paid, read What to do if you are a victim of fraud.