What is crypto-ransomware?
Ransomware is a type of malicious program that uses deceptive and alarming
messages to extort money from a victim. The messages are usually accompanied by
harmful actions on the user's computer or mobile device - for example, by 'locking' it to
prevent normal use - so that the user feels pressured into paying the money demanded.
Crypto-ransomware is a type of ransomware that encrypts files stored on the user's
computer or mobile device. Simply put, encryption 'scrambles' the contents of a file, so
that it is unreadable by either the user or the device itself. To restore it for normal use, a
decryption key is needed to 'unscramble' the file.
When crypto-ransomware encrypts a user's files, it is essentially taking those files
hostage; a ransom demand is then displayed offering the user the decryption key
needed to restore the files, if a specified sum is paid. In some cases, the user only has
a limited time period to make the payment.
Encountering crypto-ransomware
Users may encounter crypto-ransomware in a variety of ways. The most common are:
- In maliciously crafted files that contain the crypto-ransomware itself, or download it from a remote website
- As part of the payload of other malware, such as trojan-downloaders or exploit kits
Delivery by email
Email messages are often used to deliver crypto-ransomware. The emails may
appropriate the names and/or branding of various legitimate companies to appear
above-board. The text of the email messages may be either generic spam content or
specially crafted to the recipient's interests (also known as phishing emails).
F-Secure Weblog: An example of spam used to spread the CTB-Locker crypto-ransomware.
Some email messages will include an attached file. The attached file can be in any of the following formats:
- Microsoft Word document (file name ends with .doc or .docx)
- Microsoft Excel document (.xls or .xlsx ending)
- XML document (.xml ending)
- Zipped folder containing a JavaScript file (.zip containing a file with a name ending in .js)
Some files being distributed as email attachments may also use multiple file extensions - for example, <INVOICE#132435>.PDF.js. This is a common tactic used to trick users into believing that the file will be opened by a different program than the one that actually runs it.
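The double-extension trick above, and the ".zip containing a .js" attachment listed before it, can both be caught before a user ever double-clicks. The following PowerShell script is an added example (not code from the original page or from F-Secure): it flags file names whose last extension is a script or executable while the extension in front of it looks like a document, and it lists suspicious entries inside a ZIP attachment. The extension lists, the sample names and the constructed ZIP written to the temp folder are assumptions made for this example.

```powershell
# Added example, not code from the original page: flag attachment names that
# hide a script or executable extension behind a document-looking one
# (the "<INVOICE#132435>.PDF.js" trick), and look inside a ZIP attachment for
# the same thing. The extension lists and sample names are constructed.

Add-Type -AssemblyName System.IO.Compression
Add-Type -AssemblyName System.IO.Compression.FileSystem

# Extensions Windows hands to a script host or runs as a program.
$ScriptExtensions   = @('.js', '.jse', '.vbs', '.vbe', '.wsf', '.hta', '.exe', '.scr', '.cmd', '.bat', '.ps1')
# Extensions a user expects to open in a viewer; these are the decoy inner extension.
$DocumentExtensions = @('.pdf', '.doc', '.docx', '.xls', '.xlsx', '.txt', '.rtf', '.jpg', '.png')

function Test-DeceptiveExtension {
    # $true when the LAST extension (the one Windows honours) is a script or
    # executable and the extension just before it looks like a document.
    param([string]$FileName)
    $parts = $FileName.ToLowerInvariant().Split('.')
    if ($parts.Count -lt 3) { return $false }        # need base name + two extensions
    $real  = '.' + $parts[-1]
    $decoy = '.' + $parts[-2]
    return ($ScriptExtensions -contains $real) -and ($DocumentExtensions -contains $decoy)
}

function Get-SuspiciousZipEntry {
    # Lists entries in a ZIP that are scripts/executables outright or use the
    # double-extension trick; a ".zip containing a .js" is the case the text describes.
    param([Parameter(Mandatory)][string]$ZipPath)
    $zip = [System.IO.Compression.ZipFile]::OpenRead($ZipPath)
    try {
        foreach ($entry in $zip.Entries) {
            $ext = [System.IO.Path]::GetExtension($entry.Name).ToLowerInvariant()
            if (($ScriptExtensions -contains $ext) -or (Test-DeceptiveExtension $entry.Name)) {
                $entry.FullName
            }
        }
    } finally {
        $zip.Dispose()
    }
}

# Constructed sample names: only the first and third should be flagged.
$samples = @('INVOICE#132435.PDF.js', 'resume.docx', 'photo.jpg.exe', 'archive.tar.gz', 'report.pdf')
foreach ($name in $samples) {
    $verdict = if (Test-DeceptiveExtension $name) { 'SUSPICIOUS' } else { 'ok' }
    '{0,-25} {1}' -f $name, $verdict
}

# Build a constructed ZIP in the temp folder so the archive check runs offline.
$zipPath = Join-Path $env:TEMP 'sample-attachment.zip'
if (Test-Path $zipPath) { Remove-Item $zipPath -Force }
$archive = [System.IO.Compression.ZipFile]::Open($zipPath, [System.IO.Compression.ZipArchiveMode]::Create)
$writer  = New-Object System.IO.StreamWriter($archive.CreateEntry('INVOICE#132435.PDF.js').Open())
$writer.Write('// constructed placeholder content, not a real script')
$writer.Dispose()
$archive.Dispose()
Get-SuspiciousZipEntry $zipPath
```

The check deliberately keys on the last extension only, because that is the one Windows uses to pick the program; with "Hide extension of known file types" enabled (the default), Explorer would show the sample as "INVOICE#132435.PDF", which is exactly why the Prevention section recommends turning that setting off.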
Other email messages will contain a link to a file hosted on a cloud storage service.
Though the email claims the file is a document (usually a resume), it is actually an
executable program.
Receiving the email itself does not trigger a potential infection. To do so, the user must
either open the attached file, or download the linked file and then open it.
If the user opens the attached file, the malicious code it contains will try to run. If the file is a JavaScript file, it will try to download and install the actual ransomware program from a remote website or server. If the file is a Word or Excel document, the code is embedded in the file as a macro, a series of commands that is executed in sequence when launched by the user. For the code to successfully infect the user's machine, at least one of two scenarios must occur:
- Macros are already enabled in Microsoft Word (by default, they are disabled)
- The user is tricked into enabling macros in Microsoft Word
If for any reason macros are enabled in Microsoft Word, the malicious code will run
immediately. If macros are not enabled in Microsoft Word, the file will display a
notification prompt asking the user to enable them. If the user clicks 'Enable Content' on
the prompt, macros are enabled and the malicious code will run immediately.
Screenshot of a specially-crafted Word document luring the user into enabling macros.
Delivery by exploit kit
More rarely, crypto-ransomware is delivered by exploit kits, which are toolkits that are
planted by attackers on websites. These kits then probe the devices of each website
visitor for any flaws or vulnerabilities that can be exploited. There are numerous exploit
kits currently delivering ransomware in the wild, such as Angler, Neutrino and Nuclear.
If a vulnerability is found and exploited, the exploit kit can immediately download crypto-ransomware onto the affected device. Once there, the ransomware runs immediately.
Infection
Once it is run, the ransomware will hunt for and encrypt files on the user's system.
Some crypto-ransomware, such as older variants of TeslaCrypt, will only encrypt
specific types of files. Others are less discriminating and will encrypt many types of files
(for example, Cryptolocker). There is also one known ransomware family, Petya, that
encrypts the Master Boot Record (MBR), a special section of a computer's hard drive
that runs first and starts (boots) its operating system, allowing all other programs to run.
After the encryption is done, the ransomware will display a message containing the
ransom demand. The amount will vary depending on the specific ransomware, and the
payment is often only in Bitcoins, or a similar digital cryptocurrency. Specific instructions
are also provided.
F-Secure Weblog: the ransom notice displayed by CTB-Locker crypto-ransomware.
Consequences
Ransomware works on the assumption that the user will be pressured enough at losing
access to the files to be willing to pay the sum demanded. If the files are on a computer
that belongs to an organization - such as a hospital, a finance firm or a government
department - more than one person may be impacted by the ransomware's action.
Depending on the data contained in the encrypted files, the number of machines
affected, and the ease of restoring the files from clean backups, the effect of a
ransomware infection can range from mild to severe.
Respond & recover
If the worst happens and crypto-ransomware does infect your device, there are a couple
of steps you can take to contain the damage:
- IMMEDIATELY disconnect the affected device or devices from the local network and/or the Internet. Doing so prevents the infection from spreading to other connected devices.
- Scan all connected devices and/or cloud storage for similar flaws and additional threats. Not only should other connected devices and storage media be checked for infection by the same threat, but also for any other threats that may have been installed on the side.
- If possible, identify the specific ransomware responsible. Knowing the specific family involved makes it easier to search online for information about remedial options. The ID-Ransomware project site may be able to help you identify the ransomware involved.
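The first and third containment steps above can be scripted so that a responder does not have to improvise them under pressure. The PowerShell below is an added example (not from the original page or from F-Secure) for a Windows 8 or later machine run from an elevated session: it disables every active network adapter, then summarises which file extensions dominate recent writes under the user profile and picks out likely ransom-note files, which is the kind of information the ID-Ransomware site asks for. The six-hour window, the profile folder as the root, and the note-name keywords are assumptions for this example.

```powershell
# Added example, not code from the original page: first-response helpers for
# the containment steps. Run from an elevated PowerShell on Windows 8+
# (Disable-NetAdapter is part of the NetAdapter module). The time window,
# root folder and ransom-note keywords are assumptions; adjust per incident.

function Disconnect-Endpoint {
    # Step 1: take the machine off every network but leave the adapters in
    # place for later review. Re-enable with Enable-NetAdapter once the
    # infection is contained.
    Get-NetAdapter | Where-Object Status -eq 'Up' |
        Disable-NetAdapter -Confirm:$false -PassThru
}

function Get-RecentlyChangedFiles {
    param(
        [string]$Root  = $env:USERPROFILE,
        [int]   $Hours = 6
    )
    $since = (Get-Date).AddHours(-$Hours)
    Get-ChildItem -Path $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt $since }
}

function Get-EncryptionTriage {
    # Step 3 support: an unfamiliar extension that suddenly dominates recent
    # writes, plus the note dropped beside the files, help name the family.
    param([string]$Root = $env:USERPROFILE, [int]$Hours = 6)
    $recent = Get-RecentlyChangedFiles -Root $Root -Hours $Hours
    [pscustomobject]@{
        ExtensionCounts = $recent | Group-Object Extension |
                          Sort-Object Count -Descending |
                          Select-Object -First 10 Name, Count
        PossibleNotes   = $recent |
            Where-Object { ($_.Extension -in '.txt', '.html', '.hta') -and
                           ($_.BaseName -match 'decrypt|recover|restore|readme|help') } |
            Select-Object -First 10 FullName
    }
}

Disconnect-Endpoint
$triage = Get-EncryptionTriage
$triage.ExtensionCounts | Format-Table -AutoSize
$triage.PossibleNotes
```

Keep the output (and, where possible, one encrypted file plus the note) for the identification step; the triage only reads file metadata and never opens the suspect files.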
Once you are certain the infection is contained, you can then try to remove the infection,
recover the device and the data saved on it.
Recovering files that have been encrypted by crypto-ransomware is technically
extremely difficult; in most cases, it is simpler to wipe the device clean and reinstall the
operating system, then recover the affected data from a clean backup. You can take the
following steps for recovery:
- If possible, format and reinstall the device. Usually, this is the most expedient way to remove a ransomware infection. In a small handful of cases, there are removal tools available for specific ransomware families (see Family-specific removal tools below) which you may consider as an alternative.
- Restore data from clean backups. If available and clean, the encrypted data can be recovered by restoring from backup files. In cases where no decryption is possible, this is the method recommended by law enforcement authorities and security experts to avoid paying the operators responsible for crypto-ransomware.
- Reevaluate the security of any software installed. To prevent a recurrence, ensure any software installed (including the operating system) is up-to-date with the latest security patches.
- Report the incident to the appropriate local law enforcement authority. Each country handles incidents of electronic crime differently, but in general most national law enforcement agencies urge affected individuals or companies to report incidents and avoid paying any ransom demanded.
Family-specific removal tools
For certain crypto-ransomware families, security researchers have been able to obtain
the decryption keys from the attackers' servers, and use them to create special removal
tools that can recover the contents of files that were encrypted with the keys.
Do note however that these tools generally require some level of technical knowledge to
use. They are also only effective for these specific ransomware families, or even just for
threats that were distributed in specific campaigns.
For more information about these tools, visit the No More Ransom! project site. This
initiative by the National High Tech Crime Unit of the Netherlands' police, Europol's
European Cybercrime Centre and security researchers aims to help victims of
ransomware retrieve their encrypted data without having to pay the criminals
responsible for the threat.
Prevention
As an individual computer user, you can take a number of simple precautions to avoid
becoming a victim of crypto-ransomware:
- Back up all necessary files regularly, and store them in a location not connected to the computer or network. This means that even if your computer is affected, you always have unaffected backups available.
- Apply all critical and important security patches for all installed operating systems and applications. This prevents scenarios where the attack vector is not simply email file attachments, but vulnerability exploit attacks.
- Enable all your antivirus solution's security features and keep it up-to-date with the latest signature databases.
- Avoid opening emails sent by an unknown sender, especially if they contain an attachment or a link.
- Enable "Show hidden Files, Folders and Drives" and disable "Hide extension of known file types". This helps you spot files that have multiple file extensions.
- In Microsoft Office, make sure that 'Macro Settings' is set to 'Disable macros with notification'. This will block macros from running automatically when the document file is opened.
- In Office 2016, you can modify the settings to block macros from running at all in documents that come from the Internet. This new feature was added in response to the resurgence of macro malware. More information and instructions are available at: https://blogs.technet.microsoft.com/mmpc/2016/03/22/new-feature-in-office-2016-can-block-macros-and-help-prevent-infection/
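The last three precautions are Windows and Office settings, and on more than one machine they are easier to apply and audit from PowerShell than through the dialogs. The script below is an added example (not from the original page or from F-Secure): it writes the Explorer values for showing hidden files and file extensions, sets the Office 2016 (version 16.0) policy values for "Disable all macros with notification" and for blocking macros in files from the Internet, and then reads every value back to report compliance. The list of Office applications is an assumption for this example; the registry paths are the standard Explorer and Office Group Policy locations.

```powershell
# Added example, not code from the original page: apply and verify the
# Explorer and Office macro settings recommended under "Prevention".
# Office 16.0 = Office 2016, as on the page; the app list is an assumption.

$explorerKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$officeApps  = @('Word', 'Excel', 'PowerPoint')

# Desired values.
#   Explorer: Hidden=1 shows hidden files and folders; HideFileExt=0 shows
#             every extension, so "INVOICE.PDF.js" no longer displays as "INVOICE.PDF".
#   Office:   VBAWarnings=2 is "Disable all macros with notification";
#             blockcontentexecutionfrominternet=1 blocks macros in files that
#             carry the Internet zone mark (the Office 2016 feature above).
$desired = @{
    $explorerKey = @{ Hidden = 1; HideFileExt = 0 }
}
foreach ($app in $officeApps) {
    $desired["HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"] =
        @{ VBAWarnings = 2; blockcontentexecutionfrominternet = 1 }
}

function Set-RansomwareHardening {
    foreach ($key in $desired.Keys) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        foreach ($name in $desired[$key].Keys) {
            New-ItemProperty -Path $key -Name $name -PropertyType DWord `
                -Value $desired[$key][$name] -Force | Out-Null
        }
    }
}

function Test-RansomwareHardening {
    # One row per setting; Compliant is $false when the value is missing or wrong.
    foreach ($key in $desired.Keys) {
        foreach ($name in $desired[$key].Keys) {
            $actual = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
            [pscustomobject]@{
                Key       = $key
                Setting   = $name
                Expected  = $desired[$key][$name]
                Actual    = $actual
                Compliant = ($actual -eq $desired[$key][$name])
            }
        }
    }
}

Set-RansomwareHardening
Test-RansomwareHardening | Format-Table -AutoSize
# Explorer reads its values at sign-in; restart it to see the change at once:
# Stop-Process -Name explorer -Force
```

Test-RansomwareHardening can be run on its own as a periodic check, since a user (or a piece of malware) can flip these values back; values written under the Policies hive are the ones Office treats as administrator-enforced, which is why the example uses that location rather than the per-user preference keys.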