Ransomware Cleanup

How do I get ransomware?

Malvertising uses infected iframes, or invisible web elements, to do its work. The iframe links to an exploit landing page, where malicious code attacks the system through an exploit kit. This happens without the user being aware of it and is often called a drive-by download.
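As an added illustration that is not part of the original article, here is a defender-side Python check for the kind of iframe described above: one a visitor would never see because it is sized to a pixel, hidden by CSS, or pointing at a third-party host. The sample page, the host names and the heuristics are constructed for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Inline CSS patterns that make an element invisible or push it off-screen.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d")


class HiddenIframeFinder(HTMLParser):
    """Collect iframes that are sized to nothing, styled invisible, or off-site."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host   # host the page itself was served from
        self.findings = []           # list of (src, [reasons])

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)
        reasons = []
        # 0x0 or 1x1 frames render nothing visible to the user.
        for dim in ("width", "height"):
            v = (a.get(dim) or "").strip().rstrip("px")
            if v.isdigit() and int(v) <= 1:
                reasons.append(f"{dim}={v}")
        style = (a.get("style") or "").lower()
        if HIDDEN_STYLE.search(style):
            reasons.append("hidden by style")
        # Frames that load a different host are where malvertising lands.
        src = a.get("src") or ""
        host = urlparse(src).hostname
        if host and host != self.page_host:
            reasons.append(f"third-party host {host}")
        if reasons:
            self.findings.append((src, reasons))


def find_hidden_iframes(html, page_host):
    parser = HiddenIframeFinder(page_host)
    parser.feed(html)
    return parser.findings


# Constructed sample page: one legitimate embed, two suspicious frames.
SAMPLE_PAGE = """
<html><body>
<iframe src="https://example.com/video" width="640" height="360"></iframe>
<iframe src="http://ads.example.net/lp.php" width="1" height="1" style="position:absolute;left:-9999px"></iframe>
<iframe src="https://example.com/sidebar" style="display:none"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for src, why in find_hidden_iframes(SAMPLE_PAGE, "example.com"):
        print(src, "->", ", ".join(why))
```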

Different types of ransomware

Ransomware comes in three types. They range in severity from mildly annoying to dangerously serious. These are the main types:

Scareware

As it turns out, scareware isn’t that scary. It includes scams and rogue security software. A pop-up message might appear claiming that malware has been discovered and that you must pay to remove it. You will likely be bombarded with pop-ups, but your files remain safe if you don’t do anything.

This is not how legitimate cybersecurity software solicits customers. A legitimate company would not be monitoring your computer for ransomware infections unless you had installed its software. And if you already have security software, you don’t need to pay anyone for ransomware removal.

Screen lockers

These call for a higher alert level. Lock-screen ransomware locks you out of your computer entirely. When you start the machine, a full-size window appears, often bearing an official-looking FBI or US Department of Justice seal, stating that illegal activity was detected on your computer and that you must pay a fine. The FBI will not block access to your computer or demand payment. If it suspected you of child pornography, piracy, or any other cybercrime, it would pursue the proper legal channels.

Encrypting ransomware

This is the really nasty stuff. These guys encrypt your files, then demand payment to decrypt and return them. This type of ransomware is so dangerous because once cybercriminals get hold of your files, no security software or system restore can bring them back. Unless you pay the ransom, they are gone. And even if you pay, there is no guarantee that the cybercriminals will give your files back.

Podcasts about Ransomware

Check out the most recent episodes about ransomware on Lock and Code, Malwarebytes’ cybersecurity podcast.

Ransomware attacks in the past

The first ransomware, known as AIDS or PC Cyborg, was created in the late 1980s. After 90 reboots, PC Cyborg would encrypt the files in the C directory and demand that the user renew their license by mailing $189 to PC Cyborg Corp. The encryption was easy enough to reverse, so it posed little threat to computer-savvy users.

Very few ransomware variants appeared over the next decade. A true ransomware threat wouldn’t appear until 2004, when GpCode used weak RSA encryption to hold personal files hostage.

WinLock was the first ransomware to encrypt files and lock people out of their computers. WinLock took over the victim’s screen and displayed pornographic images, then demanded payment by SMS to remove them.

A new type of ransomware arrived in 2012 with the Reveton ransomware family: law enforcement ransomware. Victims were locked out of their computers and shown an official-looking page bearing the credentials of law enforcement agencies such as the FBI or Interpol. The ransomware claimed the victim had committed a crime such as hacking computers, downloading illegal files, or being involved in child pornography, and demanded that a “fine” of $100 to $3,000 be paid.

The average user didn’t know what to think and believed they really were under investigation by law enforcement. Implied guilt is a social engineering tactic that makes users question their own innocence. Rather than be called out for an activity they would rather not admit to, they pay the ransom to make it all go away.

In 2013, CryptoLocker reintroduced the world to encrypting ransomware, and this time it was much more dangerous. CryptoLocker used military-grade encryption and kept the key needed to unlock files on remote servers, so users could not retrieve their data without paying the ransom. This type of ransomware is still used to encrypt data today, and it has proven a very effective way for cybercriminals to make money. Large-scale outbreaks such as WannaCry in May 2017 and Petya in June 2017 used this kind of ransomware to ensnare users and businesses around the world.

Ryuk emerged on the ransomware stage in late 2018 with a series of attacks against American news publications, North Carolina’s Onslow Water and Sewer Authority, and a host of other targets. An interesting twist: the targeted systems were first infected with TrickBot and Emotet, information-stealing Trojans that are now being used to distribute other types of malware such as Ryuk. Adam Kujawa, Director of Malwarebytes Labs, speculates that TrickBot and Emotet are being used to identify high-value targets. Once an infected system is flagged as a worthwhile ransomware target, Emotet or TrickBot re-infects it with Ryuk.

Recent news has revealed that the Sodinokibi ransomware, an alleged offshoot of GandCrab, was being spread through managed service providers (MSPs). In August 2019, many dental offices across the country were unable to access patient records. In this instance, attackers used a compromised MSP to infect up to 400 dental offices that were using its record-keeping software.

Ransomware for Mac

The first ransomware to attack Mac OSes was released by Mac malware authors in 2016. The ransomware, KeRanger, infected an app called Transmission; when launched, it copied malicious files that waited three days before detonating and encrypting files. Apple’s anti-malware program XProtect was able to block the ransomware from infecting users’ systems, but it proved that Mac ransomware is real.

Mobile ransomware

Ransomware first became common on mobile devices after the 2014 emergence of CryptoLocker and similar families. Mobile ransomware usually displays a message saying the device has been locked because of some illegal activity, and that the phone will be unlocked after a fee is paid. Mobile ransomware is commonly delivered by malicious apps. To regain access to your phone, restart it in safe mode and remove the malicious app.

Who do ransomware authors target?

When ransomware was first introduced, and then reintroduced, its initial victims were individuals (aka regular people). Cybercriminals realized its true potential when they began distributing ransomware to businesses. Ransomware proved so effective against businesses, halting productivity and causing lost data and revenue, that most of its authors turned their attention to them. By the end of 2016, 12.3% of global enterprise detections were ransomware, compared with only 1.8% of consumer detections worldwide. By 2017, 35% of small and medium-sized businesses had been affected by ransomware.

Geographically, ransomware attacks remain focused on western markets. The top three targeted countries are the United States, Canada, and the UK. Ransomware authors, like other threat actors, look for areas with high PC adoption and relative wealth. Expect ransomware and other malware to increase as emerging markets in Asia, South America, and the Middle East ramp up their economic growth.

What should I do if I get infected?

If you are infected by ransomware, the number one rule is: do not pay the ransom. This is the advice endorsed by the FBI. Paying only encourages cybercriminals to launch more attacks against you or someone else. You may be able to recover encrypted files using free decryptors.

Let’s be clear: not every ransomware family has had a decryptor created for it, since in many cases the ransomware uses advanced encryption algorithms. And even if a decryptor exists, it is not always obvious whether it matches the exact version of the malware that hit you. Running the wrong decryption program could encrypt your files even further, so pay close attention to the ransom message before you try anything.

You can also download a security program capable of removing ransomware and run a scan to identify the threat. Although you may not be able to recover your files, the infection itself will be removed. For screen-locking ransomware, a complete system restore may be necessary. If that fails, try running a scan from a bootable USB drive or CD.

If you want to stop an encrypting ransomware attack in its tracks, you must be vigilant. If your system slows down for no apparent reason, shut it down and disconnect it from the Internet. If the malware is still active after you restart, it will be unable to send or receive instructions from its command-and-control server, so it cannot obtain a key or figure out how to demand payment, and may remain inactive. You can then download and install security software and run a complete scan.

How can I avoid ransomware?

Security experts agree that the best protection against ransomware is to prevent infection in the first place.

There are many ways to deal with a ransomware infection, but none of them is a perfect solution and most require more technical skill than the average user has. Here’s what we suggest people do to avoid the fallout of ransomware attacks.

First, invest in good cybersecurity software: a program that provides real-time protection and is designed to stop advanced malware attacks like ransomware. Also look for features that shield vulnerable programs from threats (an anti-exploit technology) and that stop ransomware from holding files hostage (an anti-ransomware component). Customers who used the premium edition of Malwarebytes for Windows were protected against all of the major ransomware attacks in 2017.

Next, as painful as it may be, make regular backups of all your data. We recommend cloud storage with multi-factor authentication and high-level encryption. You can also buy USB drives or an external hard drive to save files to, but make sure you physically disconnect the devices after backing up; otherwise, ransomware can infect them too.

Make sure your software and systems are up to date. The WannaCry ransomware exploited a vulnerability in Microsoft software, and although the company released a patch to close the loophole in March 2017, many people never installed the update, leaving them open to attack. Keeping up with the ever-growing list of updates for the software and apps you use every day can be hard, which is why we recommend changing your settings to enable automatic updates.

Stay informed. Social engineering is one of the most common ways computers become infected with ransomware. If you are a business owner, educate yourself and your employees on how to spot malspam, suspicious websites, and other scams. Above all, use common sense: if something seems suspect, it probably is.

What does ransomware do to my business?

GandCrab and SamSam are both ransomware families that have hit businesses hard. As cybercriminals shifted away from consumer-focused attacks, ransomware attacks against businesses increased 88% in the second half of 2018. Cybercriminals know that big business means big payouts, and they target hospitals, government agencies, and commercial institutions. The average cost of a data breach, including penalties and remediation, is $3.86 million.

GandCrab has been the most commonly identified ransomware. First detected in January 2018, it has gone through multiple versions since then as its authors make it harder to detect and strengthen its encryption. GandCrab is estimated to have raked in $300,000,000 in ransom, with individual ransoms ranging from $600 to $700,000.

Another notable attack occurred in March 2018, when the SamSam ransomware hit the City of Atlanta, knocking out essential services such as revenue collection and police record-keeping. The SamSam attack cost Atlanta $2.6 million to fix.

Given the recent spate of ransomware attacks and the high cost involved, now is a good time to think about how you can protect your business. We’ve already covered the topic extensively, but here’s a brief overview of how to protect your company from ransomware.

  • Back up your data. If you have backups, recovering from a ransomware attack is easy. Ransomware can infect network shares, so scan your backups as well. You would be wise to keep data backups on a secure cloud storage service with multi-factor authentication and high-level encryption.
  • Update and patch your software. Ransomware often relies on exploit kits to gain unauthorized access to a system or network (e.g. GandCrab). Exploit-based ransomware attacks are not possible as long as the software across your network is up to date. On that note, outdated or obsolete software puts you at risk of ransomware because the manufacturer no longer releases security updates for it. Get rid of abandonware and replace it with software that is still supported by its manufacturer.
  • Educate your end-users about malspam and strong passwords. Cybercriminals are using Emotet, a former banking Trojan, to deliver ransomware. Emotet relies on malspam to infect an end-user and gain a foothold on your network; once inside, it spreads from one system to another using a list of common passwords. Teaching end-users how to spot malspam and requiring multi-factor authentication will help keep them safe.
  • Invest in cybersecurity technology. Malwarebytes Endpoint Response, for example, lets you detect, respond, and remediate across your entire network using a single agent. To learn more about ransomware protection technology, you can request a trial of Malwarebytes Anti-ransomware Technology.

No one wants to deal with ransomware after the fact, but what should you do if it has already infected your computer?

  • Check whether a decryptor exists. In some cases you may be able to decrypt your data without paying, but ransomware threats are constantly evolving to make your files harder to decrypt.
  • Don’t pay the ransom. We have long advised against paying, and after some back-and-forth the FBI has come around to the same position. Cybercriminals have no scruples, and there is no guarantee you will get your files back. Paying the ransom also shows cybercriminals that ransomware attacks work.