May 12th 2017 saw the biggest ever cyber attack in Internet history (yes, bigger than the Dyn DDoS).  A ransomware named WannaCry stormed through the web, with the damage epicenter being in Europe.

WannaCry leveraged a vulnerability in Windows OS, first discovered by the NSA, and then publicly revealed to the world by the Shadow Brokers. In the first few hours, 200,000 machines were infected. Big organizations such as Renault or the NHS were struck and crippled by the attack. But this massive wave wasn’t the only one. A few weeks later, a ransomware strain resembling Petya started spreading around Europe, affecting companies, Ukrainian institutions and banks, and even the even the radiation monitoring system at Chernobyl. Ransomware has been a grosowing trend for the past two years, and this is just a culmination, a grand reveal to the wider world of just how big of a threat it is. But we’ve been writing about this for a while now. Some time ago, a delivery guy walked into our office. While we signed for the package, he realized that we work in cyber security and asked: My entire music collection from the past 11 years got encrypted by ransomware.

Is there anything I can do about it? They’re asking for $500 for the decryption key.

My first thought was: I hope he has a data backup. So I had to ask: Do you have a backup?

He looked down and said a bitter „no”.

This scenario is unfolding right now somewhere in the world. Maybe even in your city or neighborhood. In this very moment, someone is clicking a link in a spam email or activating macros in a malicious document without having proper security software in place. In a few seconds, all their data will be encrypted and they’ll have just a few days to pay hundreds of dollars to get it back. Unless they have a backup, which most people don’t. Ransomware creators and other cyber criminals involved in the malware economy are remorseless. They’ve automated their attacks to the point of targeting anyone and everyone. Take this story from the New York Times:

MY mother received the ransom note on the Tuesday before Thanksgiving. It popped up on her computer screen soon after she’d discovered that all of her files had been locked. “Your files are encrypted,” it announced. “To get the key to decrypt files you have to pay 500 USD.” If my mother failed to pay within a week, the price would go up to $1,000. After that, her decryption key would be destroyed and any chance of accessing the 5,726 files on her PC — all of her data — would be lost forever. Sincerely, CryptoWall.

I hope you’re reading this post to be prepared for a malware attack. Prevention is absolutely the best security strategy in this case. This guide is packed with concrete information on:

  1. What ransomware is
  2. How it evolved
  3. Who ransomware creators target most frequently
  4. How ransomware spreads via the web
  5. How ransomware infections happen
  6. Why ransomware often goes undetected by antivirus
  7. The most notorious ransomware families
  8. How to set up the best protection against ransomware
  9. How to decrypt your data without paying the ransom

But there is no reason for you to feel helpless. There are a lot of practical provisions you can take to block or limit the impact of cyber attacks on your data. And I’m about to show you just what to do.

What is ransomware?

Ransomware is a sophisticated piece of malware that blocks the victim’s access to his/her files, and the only way to regain access to the files is to pay a ransom.

There are two types of ransomware in circulation:

  1. Encrypting ransomware, which incorporates advanced encryption algorithms. It’s designed to block system files and demand payment to provide the victim with the key that can decrypt the  blocked content. Examples include CryptoLockerLockyCrytpoWall and more.
  2. Locker ransomware, which locks the victim out of the operating system, making it impossible to access the desktop and any apps or files. The files are not encrypted in this case, but the attackers still ask for a ransom to unlock the infected computer. Examples include the police-themed ransomware or Winlocker.

Some locker versions can even infect the Master Boot Record (MBR). The MBR is the section of a PC’s hard drive which enables the operating system to boot up. When MBR ransomware strikes, the boot process can’t complete as usual and prompts a ransom note to be displayed on the screen. Examples include Satana and Petya families. Crypto-ransomware, as encryptors are usually known, is the most widespread ones, and also the subject of this article. The cyber security community agrees that this is the most prominent and worrisome cyber threat of the moment (and it’s been so for the past few years).

Ransomware has some key characteristics that set it apart from other malware:

  • It features unbreakable encryption, which means that you can’t decrypt the files on your own (there are various decryption tools released by cyber security researchers – more on that later);
  • It has the ability to encrypt all kinds of files, from documents to pictures, videos, audio files and other things you may have on your PC;
  • It can scramble your file names, so you can’t know which data was affected. This is one of the social engineering tricks used to confuse and coerce victims into paying the ransom;
  • It will add a different extension to your files, to sometimes signal a specific type of ransomware strain;
  • It will display an image or a message that lets you know your data has been encrypted and that you have to pay a specific sum of money to get it back;
  • It requests payment in Bitcoins because this crypto-currency cannot be tracked by cyber security researchers or law enforcements agencies;
  • Usually, the ransom payments have a time-limit, to add another level of psychological constraint to this extortion scheme. Going over the deadline typically means that the ransom will increase, but it can also mean that the data will be destroyed and lost forever.
  • It uses a complex set of evasion techniques to go undetected by traditional antivirus (more on this in the “Why ransomware often goes undetected by antivirus” section);
  • It often recruits the infected PCs into botnets, so cyber criminals can expand their infrastructure and fuel future attacks;
  • It can spread to other PCs connected to a local network, creating further damage;
  • It frequently features data exfiltration capabilities, which means that it can also extract data from the affected computer (usernames, passwords, email addresses, etc.) and send it to a server controlled by cyber criminals; encrypting files isn’t always the endgame.
  • It sometimes includes geographical targeting, meaning the ransom note is translated into the victim’s language, to increase the chances for the ransom to be paid.

Their feature list keeps growing every day, with each new security alert broadcasted by our team or other malware researchers.

As families and variants multiply, you need to understand that you need at least baseline protection to avoid data loss and other troubles. Encrypting ransomware is a complex and advanced cyber threat which uses all the tricks available because it makes cyber criminals a huge amount of money. We’re talking millions! If you’re curious how it all started, it’s time to go over:

A quick history of ransomware

It may be difficult to imagine, but the first ransomware in history emerged in 1989 (that’s 28 years ago). It was called the AIDS Trojan, whose modus operandi seems crude nowadays. It spread via floppy disks and involved sending $189 to a post office box in Panama to pay the ransom. How times have changed! The appearance of Bitcoin, and evolution of encryption algorithms helped turn ransomware from a minor threat used in cyber vandalism, to a full-fledged money-making machine. As a result, every cyber criminal wants to be a part of this. This graph shows just how many types of encrypting malware researchers have discovered in the past 10 years. Image source: F-secure And keep in mind 3 things, so you can get a sense of how big the issue really is:

  • There are numerous variants of each type (for example, CrytpoWall is on its 4th version);
  • No one can map all the existing families out there since most attacks go unreported.
  • New ransomware is coming out in volumes at an ever-increasing pace.

ransomware spread Source Here’s a great source if you’re curious to learn more about the history of this malware threat. As you can see for yourself, things escalated quickly and the trend continues to grow. Cyber criminals are not just malicious hackers who want public recognition and are driven by their quest for cyber mischief. They’re business-oriented and seek to cash out on their efforts. Ransomware is here to stay. The current conditions are a perfect storm which makes it the easiest and viable source of money for any malicious hacker out there:

  • Ransomware-as-a-service, where malware creators sell its services in exchange for a cut in the profits.
  • Anonymous payment methods, such as Bitcoin, that allow cybercriminals to obtain ransom money knowing their identity can’t be easily revealed.
  • It’s impossible to make a completely secure software program. Each and every program has its weaknesses, and these can be exploited to deliver ransomware, as was the case with WannaCry.
  • The number of infections would drastically shrink if all users were vigilant. But most people aren’t, and they end up clicking infected links and other malicious sources.

Top targets for ransomware creators and distributors

Cybercriminals soon realized that companies and organizations were far more profitable than users, so they went after the bigger targets: police departmentscity councils and even schools and, worse, hospitals! To give you some perspective, nearly 70% of infected businesses opted to pay the ransom and recover their files. More than half of these businesses had to pay a ransom worth $10,000 to $40,000 dollars in order to recover their data. But for now, let’s find out how online criminals target various types of Internet users. This may help you better understand why things happen as they do right now.

Why ransomware creators and distributors target home users:

  • Because they don’t have data backups;
  • Because they have little or no cyber security education, which means they’ll click on almost anything;
  • Because the same lack of online safety awareness makes them prone to manipulation by cyber attackers;
  • Because they lack even baseline cyber protection;
  • Because they don’t keep their software up to date (even if specialists always nag them to);
  • Because they fail to invest in need-to-have cyber security solutions;
  • Because they often rely on luck to keep them safe online (I can’t tell you how many times I’ve heard “it can’t happen to me”);
  • Because most home users still rely exclusively on antivirus to protect them from all threats, which is frequently ineffective in spotting and stopping ransomware;
  • Because of the sheer volume of Internet users that can become potential victims (more infected PCs = more money).

Why ransomware creators and distributors target businesses:

  • Because that’s where the money is;
  • Because attackers know that a successful infection can cause major business disruptions, which will increase their chances of getting paid;
  • Because computer systems in companies are often complex and prone to vulnerabilities that can be exploited through technical means;
  • Because the human factor is still a huge liability which can also be exploited, but through social engineering tactics;
  • Because ransomware can affect not only computers but also servers and cloud-based file-sharing systems, going deep into a business’s core;
  • Because cyber criminals know that businesses would rather not report an infection for fear or legal consequences and brand damage.
  • Because small businesses are often unprepared to deal with advanced cyber attacks and have a relaxed BYOD (bring your own device) policy.

ransomware damage statistics Read the rest of the infographic.

Why ransomware creators and distributors target public institutions:

  • Because public institutions, such as government agencies, manage huge databases of personal and confidential information that cyber criminals can sell;
  • Because budget cuts and mismanagement frequently impact the cybersecurity departments.
  • Because the staff is not trained to spot and avoid cyber attacks (malware frequently uses social engineering tactics to exploit human naivety and psychological weaknesses);
  • Because public institutions often use outdated software and equipment, which means that their computer systems are packed with security holes just begging to be exploited;
  • Because a successful infection has a big impact on conducting usual activities, causing huge disruptions;
  • Because successfully attacking public institutions feeds the cyber criminals’ egos (they may want money above all else, but they won’t hesitate to reinforce their position in the community about attacking a high-profile target).

In terms of platforms and devices, ransomware doesn’t discriminate either. We have versions tailor-made for personal computers (too many types to count, but more on that in “Notorious families” section), mobile devices (with Android as the main victim and a staggering growth) and servers. mobile ransom evolution report Fig. 12: The number of users encountering mobile ransomware at least once in the period April 2014 to March 2016. Source. When it comes to servers, the attack is downright vicious:

Some groups do this by infiltrating the target server and patching the software so that the stored data is in an encrypted format where only the cybercriminals have the key to decrypt the data. The premise of this attack is to silently encrypt all data held on a critical server, along with all of the backups of the data. This process may take some time, depending on the organization, so it requires patience for the cybercriminals to carry it out successfully. Once a suitable number of backups are encrypted, the cybercriminals remove the decryption key and then make their ransom demands known, which could be in the order of tens of thousands of dollars.

Source. This prompted the FBI and many other institutions and security vendors in the industry to urge users, companies and other decision-makers to prepare against this threat and set up strong cyber protection layers. Attacks on critical infrastructure (electricity, water, etc.) could be next, and even the thought of that can make anyone shudder.

How do ransomware threats spread?

Cyber criminals simply look for the easiest way to infect a system or network and use that backdoor to spread the malicious content.

Nevertheless, these are the most common infection methods used by cybercriminals

  • Spam email campaigns that contain malicious links or attachments (there are plenty of forms that malware can use for disguise on the web);
  • Security exploits in vulnerable software;
  • Internet traffic redirects to malicious websites;
  • Legitimate websites that have malicious code injected into their web pages;
  • Drive-by downloads;
  • Malvertising campaigns;
  • SMS messages (when targeting mobile devices);
  • Botnets;
  • Self-propagation (spreading from one infected computer to another); WannaCry, for instance, used an exploit kit that scanned a user’s PC, looking for a certain vulnerability, and then launched a ransomware attack that targeted it.
  • Affiliate schemes in ransomware-as-a-service. Basically, the developer behind the ransomware earns a cut of the profits each time a user pays the ransom.

Crypto-ransomware attacks employ a subtle mix of technology and psychological manipulation (also known as social engineering).

These attacks get more refined by the day, as cyber criminals learn from their mistakes and tweak their malicious code to be stronger, more intrusive and better suited to avoid cyber security solutions. The WannaCry attack is a perfect example of this since it used a wide-spread Windows vulnerability to infect a computer with basically no user interaction. That’s why each new variant is a bit different from its forerunner. Malware creators incorporate new evasion tactics and pack their “product” with piercing exploit kits, pre-coded software vulnerabilities to target and more. For example, here’s how online criminals find vulnerable websites, inject malicious JavaScript code into them and use this trigger to redirect potential victims to infected websites. small websites spreading angler exploit kit and ransomware Which gets us to the next important answer in our common quest to understand how your files end up encrypted.

How do ransomware infections happen?

Though the infection phase is slightly different for each ransomware version, the key stages are the following: simple ransomware infection chain

  1. Initially, the victim receives an email which includes a malicious link or a malware-laden attachment. Alternatively, the infection can originate from a malicious website that delivers a security exploit to create a backdoor on the victim’s PC by using a vulnerable software from the system.
  2. If the victim clicks on the link or downloads and opens the attachment, a downloader (payload) will be placed on the affected PC.
  3. The downloader uses a list of domains or C&C servers controlled by cyber criminals to download the ransomware program on the system.
  4. The contacted C&C server responds by sending back the requested data.
  5. The malware then encrypts the entire hard disk content, personal files, and sensitive information. Everything, including data stored in cloud accounts (Google Drive, Dropbox) synced on the PC. It can also encrypt data on other computers connected to the local network.
  6. A warning pops up on the screen with instructions on how to pay for the decryption key.

Everything happens in just a few seconds, so victims are completely dumbstruck as they stare at the ransom note in disbelief. Most of them feel betrayed because they can’t seem to understand one thing:

But I have antivirus! Why didn’t it protect me from this?

Why ransomware often goes undetected by antivirus

Ransomware uses several evasion tactics that keep it hidden and allow it to:

  • Not get picked up by antivirus products
  • Not get discovered by cyber security researchers
  • Not get observed by law enforcement agencies and their own malware researchers.

The rationale is simple: the longer a malware infection can persist on a compromised PC, the more data it can extract and the more damage it can do.

So here are just a few of the tactics that encryption malware employs to remain covert and maintain the anonymity of its makers and distributors:

  1. Communication with Command & Control servers is encrypted and difficult to detect in network traffic;
  2. It features built-in traffic anonymizers, like TOR and Bitcoin, to avoid tracking by law enforcement agencies and to receive ransom payments;
  3. It uses anti-sandboxing mechanisms so that antivirus won’t pick it up;
  4. It employs domain shadowing to conceal exploits and hide the communication between the downloader (payload) and the servers controlled by cyber criminals.
  5. It features Fast Flux, another technique used to keep the source of the infection anonymous;
  6. It deploys encrypted payloads which can make it more difficult for antivirus to see that they include malware, so the infection has more time to unfold;
  7. It has polymorphic behavior which gives it the ability to mutate enough to create a new variant, but not so much as to alter the malware’s function;
  8. It has the ability to remain dormant – the ransomware can remain inactive on the system until the computer is at its most vulnerable moment and take advantage of that to strike fast and effectively.

If you’re keen on reading more about why your antivirus has trouble detecting advanced malware, we actually created a guide on that exact topic.

The most notorious ransomware families

By now you know that there’s plenty of versions out there. With names such as CryptXXX, Troldesh or Chimera, these strains sound like the stuff hacker movies are made of. So while newcomers may want to get a share of the cash, a handful of families have established their domination. If you find any similarities between this context and how the mafia conducts its business, well, it’s because they resemble in some aspects.


On Friday, May 12, 2017, around 11 AM ET/3PM GMT, a ransomware attack of “unprecedented level” (Europol) started spreading WannaCry around the world. It used a vulnerability in Windows that allowed it to infect victims PC’s without them taking any action. Until May 24, 2017, the infection has affected over 200,000 victims in 150 countries and it keeps spreading. wanna cry infection map Source Read more in the dedicated security alert about the Wanna ransomware campaign.

Petya ransomware

The Petya ransomware family was first discovered in 2016, and its trademark includes infecting the Master Boot Record in order to execute the payload and encrypt the data available locally. A strain similar to Petya started creating havoc in late June 2017, when it emerged, enhanced with self-replicating abilities. We covered this outbreak in a dedicated security alert.

Uiwix ransomware

As a recent development, another type of encrypting malware that tries to replicate the impact that WannaCry had. However, it improves by not including a killswitch domain, while keeping its self-replicating abilities. Up to date details in this security alert which also anticipates addition waves of malicious encryption.

Cerber ransomware

Cerber is a relatively old version encryption malware, and its usage has frequently gone up and down. However, recent updates and added features have brought it back firmly into center stage. In the first quarter of 2017, Cerber had a huge, 90% market share among all the ransomware families. For the time being, it is likely to stay on top of the food chain.


Image source. One of the newest and most daring ransomware families to date is definitely Locky. First spotted in February 2016, this strain made its entrance with a bang by extorting a hospital in Hollywood for about $17,000. But they weren’t the only victims. In fact, two days after we published the Locky alert, we received the following comment from one of our readers:

We were attacked tuesday by this ransomware. 150 Emails spoofed to our mailserver. 149 Mails were blocked by the Barracuda spamfilter. One slipped through and was initialised by a coworker from the saledepartment. In half an hour our fileserver, applicationserver and shared maps on local PC’s was encrypted. After locating the PC where it all started, we took that one from the network and started to restore everything from the backup. In one hour the file server and application server was back working. Except for one local folder with lots of data in that wasn’t on the fileserver was completely destroyed. We succeeded in fixing this as follows. First we installed RECUVA, on this PC and tried to recover the lost map.The fact that the user kept working on it, had as result that most files were’nt recoverable because they were overwritten by cookies and temporary internetfiles. (So when noticing the LOCKY files … stop working). Windows 7 has shadow files. Too bad those files are corrupt because of the LOCKY virus … but … we were able to recover those files with RECUVA, restore them and start SHADOWEXPLORER and go back 6 days to recover a shadowcopy from the lost data folder. In the end we recovered about 99% of lost files ! But as someone said before …. nothing helps to prevent it so backup, backup and backup…

Since then, Locky has had a rampant distribution across the world. Here’s its geographical distribution by April 2016. locky ransomware infection Source: Securelist analysis As you’ve seen, things never stop changing in cyber crime, so Locky’s descendant, Zepto, made its debut in early July 2016.


This file-encrypting malware emerged in early 2014 and its makers often tried to refer to it as CryptoLocker, in order to piggyback on its awareness. Since then, TorrentLocker relied almost entirely on spam emails for distribution. In order to increase effectiveness, both the emails and the ransom note were targeted geographically. Attackers noticed that attention to detail meant that they could trick more users into opening emails and clicking on malicious links, to they took it a step further. They used good grammar in their texts, which made their traps seem authentic to the unsuspecting victims. Source: Sophos analysis TorrentLocker creators proved that they were attentively looking at what’s going on with their targeted “audience” when they corrected a flaw in their encryption mechanism. Until that point, a decryption tool created by a malware researcher had worked. But soon they released a new variant which featured stronger encryption and narrowed the chances for breaking it to zero. Its abilities to harvest email addresses from the infected PC are also noteworthy. Naturally, these emails were used in subsequent spam campaigns to further distribute the TorrentLocker.


Image source In June 2014, Deputy Attorney General James Cole, from the US Department of Justice, declared that a large joint operation between law agencies and security companies employed:

traditional law enforcement techniques and cutting edge technical measures necessary to combat highly sophisticated cyber schemes targeting our citizens and businesses.

He was talking about Operation Tovar, one of the biggest take-downs in the history of cyber security, which Heimdal Security also participated in. Operation Tovar aimed to take down the Gameover ZeuS botnet, which authorities also suspected of spreading financial malware and CryptoLocker. As Brian Krebs mentioned in his take on CryptoLocker:

The trouble with CryptoLocker is not so much in removing the malware — that process appears to be surprisingly trivial in most cases. The real bummer is that all of your important files — pictures, documents, movies, MP3s — will remain scrambled with virtually unbreakable encryption…

CryptoLocker infections peaked in October 2013, when it was infecting around 150,000 computers a month! ransomware infections with locky Image source Since then, we’ve reported sightings of CryptoLocker in numerous campaigns spoofing postal or delivery services in Northern Europe.


cryptowall ransomware source Though the CryptoLocker infrastructure may have been temporarily down, it doesn’t mean that cybercriminals didn’t find other methods and tools to spread similar variants. CryptoWall is such a variant and it has already reached its third version, CryptoWall 4.0. This number alone shows how fast this malware is being improved and used in online attacks! In 2015, even the FBI agreed ransomware is here to stay. This time, it wouldn’t stop to home computers, but it will spread to infect:

Businesses, financial institutions, government agencies, academic institutions, and other organizations… resulting in the loss of sensitive or proprietary information.

Until then, this prediction became reality and now we understand the severity and impact of the crypto-ransomware phenomenon. In a similar manner to CryptoLocker, CryptoWall spreads through various infection vectors since, including browser exploit kits, drive-by downloads and malicious email attachments.

CTB Locker

Image source CTB Locker is one of the latest variants of CryptoLocker, but at a totally different level of sophistication. Let’s take a quick look at its name: what do you think CTB stands for?

  • C comes from Curve, which refers to its persistent Elliptic Curve Cryptography that encodes the affected files with a unique RSA key;
  • T comes from TOR, because it uses the famous P2P network to hide the cybercriminals’ activity from law enforcement agencies;
  • B comes from Bitcoin, the payment method used by victims to pay the ransom, also designed to hide the attackers’ location.

What’s also specific to CTB-locker is that includes multi-lingual capabilities, so attackers can use it to adapt their messaging to specific geographical areas. If more people can understand what happened to their data, the bigger the payday. CTB-Locker was one of the first ransomware strain to be sold as a service in the underground forums. Since then, this has become the norm, but two years ago it was an emerging trend. Now, potential cyber criminals don’t really need strong technical skills, as they can purchase ready-made malware which include even dashboard where they can track their successful infections and return on investment. In 2014, malware analyst Kafeine managed to access one of these black markets and posted all the information advertised by online criminals. By taking a quick look at the malware creators’ ad, we can see that the following support services are included in the package:

  • instructions on how to install the Bitcoin payment on the server;
  • how to adjust the encryption settings in order to target the selected victims;
  • details such as the requested price and the localized language that should be used;
  • recommendations on the price that you can set for the decryption key.

Heimdal Security specialists noticed that CTB Locker spreads through spam campaigns, where the e-mail message appears as an urgent FAX message. This is a sample of the e-mail content: From: Spoofed / falsified content Subject: Fax from RAMP Industries Ltd Incoming fax, NB-112420319-8448 New incoming fax message from +07829 062999 [Fax server]= +07955-168045 [Fax server]: [Random ID] Content: No.: +07434 20 65 74 Date: 2015/01/18 14:56:54 CST For those who want to explore this strain further, I can recommend this extensive presentation.


reveton ransomware Image source. In 2012, the major ransomware strand known as Reveton started to spread. It was based on the Citadel trojan, which was, in turn, part of the Zeus family. Its signature feature was to display a warning from law enforcement agencies, which made people name it “police trojan” or “police virus“. Unlike the other kinds families mentioned here, Reveton was a locker, meaning that it restricted access to the computer itself, not just the files. Once the warning appears, the victim is informed that the computer has been used for illegal activities, such as torrent downloads or for watching porn. The graphic display enforced the idea that everything is real. Elements like the computer IP addresslogo from the law enforcement organization in that specific country or the localized content, all of these created the general illusion that everything is actually happening. Brian Krebs published larger analysis on Reveton, indicating that security exploits have been used by cybercriminals and that: insecure and outdated installations of Java remain by far the most popular vehicle for exploiting PCs. Four years later, Java is the same pain in the proverbial backend.


Image source. When it first emerged, TeslaCrypt focused on a specific audience: gamers. Not all of them, but actually a segment that player a series of specific games, including Call of Duty, World of Warcraft, Minecraft and World of Tanks. By exploiting vulnerabilities mainly in Adobe Flash (a serial culprit for ransomware infections), TeslaCrypt moves on to bigger targets, such as European companies. Cyber security experts managed to find flaws in TeslaCrypt’s encryption algorithm twice. They created decryption tools and did their best so that the malware creators wouldn’t find out. But, as you can guess, TeslaCrypt makers corrected the flaws and released new versions that featured stronger encryption and enhanced data leakage capabilities. We announced TeslaCrypt 4.0 in March 2016, but only two months later, it was shut down! To everyone’s surprise, the cyber criminals even apologized. ESET researchers managed to get the universal master decryption key from them and built a decryptor that you can use if you happen to be a victim of TeslaCrypt. No one knows why the guys behind TeslaCrypt quit, but we can only hope to see more of that in the cyber crime scene. What will come next? Although we can’t guess future encryption attacks, there is one trend that cyber criminals seem to be pursuing: attacks that are more targeted, more carefully prepared and which require a smaller infrastructure to be deployed. We finally got to the best part, where you can learn what to do to stay protected against ransomware attacks.


RobbinHood along with Emotet, Ryuk, Maze, and Trickbot are ‘big-game hunters’, meaning that they focus on large businesses, institutions or strategic objectives (i.e. powerplants, oil rigs, hydroelectric dams etc.).  First detected in the wild in or around 2019, RobbinHood has gained high notoriety after crippling several computer networks from three major North American cities. In a matter of days, RobbinHood has garnered close to $2 million. This ransomware is distributed through infected emails (i.e. weaponized macros). Cybersecurity researchers have hypothesized that the reason behind RobbinHood increased efficacy is its ability to exploit a vulnerability residing mostly in machines using legacy software (i.e. outdated motherboard drivers, especially those developed and distributed by Gigabyte). Subsequent RobbinHood variants have been retrofitted to install the vulnerable motherboard driver kernel on target systems.


Debuting in winter 2018, GRIM SPIDER’s Ryuk showed great cunning in taking down entire networks. After the Tribune Publishing attack, this ransomware strain took on bigger prey – healthcare providers, gas and oil facilities, police precincts, and online security companies. Despite its rather short time span, Ryuk managed to fetch on behalf of its creators close to $10 million. As some cybersecurity researchers (e.g., Cohen and Herzog from Checkpoint) Ryuk shares any number of similarities with Hermes, the ransomware behind the 2017 attack on the Taiwanese Far Eastern International Bank. Despite the dauting similarity between Ryuk and Hermes, the former is difficult to reverse-engineer and, in some cases, next to impossible.


Emotet is widely regarded as the uncrowned king of banking trojans, not because of its efficiency, rather its criminal career spanning half of decade. The most notable attacks attributed to Emotet are Allentown raids, Kammergericht, and the 2020 attempt at locking down the Lithuanian government’s computer networks. Emotet has coined the term MaaS (Malware-as-a-Service), an on-demand and commercial-facing service which makes malware readily available to everyone, regardless of intent. Like many malware, Emotet spreads through malicious scrips, phishing links, and macro-enabled files. In 2018, US’s Department of Homeland Security put out an APB on Emotet and urged companies to upgrade their cyberdefenses.

15 Items to take your ransomware protection to the next level

This is a promise that I want you to make to yourself: that you will take the threat of ransomware seriously and do something about it before it hits your data. I’ve seen too many cries for help and too many people confused and panicking when their files get encrypted. How I wish I could say that ransomware protection is not a life and death kind of situation! But if you work in a hospital and you trigger a crypto-ransomware infection, it could actually endanger lives. Learning how to prevent ransomware attacks is a need-to-have set of knowledge and you can do it both at home and at work. So here’s what I want you to promise me: 

Locally, on the PC

  1. I don’t store important data only on my PC.
  2. I have 2 backups of my data: on an external hard drive and in the cloud – Dropbox/Google Drive/etc.
  3. The Dropbox/Google Drive/OneDrive/etc. application on my computer is not turned on by default. I only open them once a day, to sync my data, and close them once this is done.
  4. My operating system and the software I use is up to date, including the latest security updates.
  5. For daily use, I don’t use an administrator account on my computer. I use a guest account with limited privileges.
  6. I have turned off macros in the Microsoft Office suite – Word, Excel, PowerPoint, etc. In the browser
  7. I have removed the following plugins from my browsers: Adobe Flash, Adobe Reader, Java and Silverlight. If I absolutely have to use them, I set the browser to ask me if I want to activate these plugins when needed.
  8. I have adjusted my browser’s security and privacy settingsfor increased protection.
  9. I have removed outdated plugins and add-ons from my browsers. I only kept the ones I use on a daily basis and I keep them updated to the latest version.
  10. I use an ad-blocker to avoid the threat of potentially malicious ads.

Online behavior

  1. I never open spam emails or emails from unknown senders.
  2. I never download attachments from spam emails or suspicious emails.
  3. I never click links in spam emails or suspicious emails.

Anti-ransomware security tools

  1. I use a reliable, paid antivirus product that includes an automatic update module and a real-time scanner.
  2. I understand the importance of having a traffic-filtering solution that can provide proactive anti-ransomware protection.
Heimdal Official Logo
Neutralize ransomware before it can hit.

Heimdal™ Ransomware Encryption Protection

Specifically engineered to counter the number one security risk to any business – ransomware.
  • Blocks any unauthorized encryption attempts;
  • Detects ransomware regardless of signature;
  • Universal compatibility with any cybersecurity solution;
  • Full audit trail with stunning graphics;
Try it for FREE today Offer valid only for companies.

You can read an extended version of this plan in our dedicated article.

I’m really going to apply the 15 things on this list to be safe against #ransomware:

I want you to be prepared, so you’ll never have to deal with the dreaded question of: “should I pay the ransom or not?” My answer will always be a big, fat NO. Paying the ransom gives you no guarantee that the online criminals at the other end of the Bitcoin transfer will give you the decryption key. And even if they do, you’d be further funding their greedy attacks and fueling the never-ending malicious cycle of cyber crime. To put things into perspective, 1 out of every 4 users who paid the ransom didn’t get their data back. They lost both the information and their money.

How to get your data back without paying the ransom

There hundreds of types of ransomware out there, but cyber security researchers are working around the clock to break the encryption that at least some of them use. Unfortunately, the most notorious families have proven to be unbreakable so far. In spite of this, there are many other cryptoware strains that are not that well coded and which specialists were able to crack. To help you find a solution to recover your data without further funding ransomware creators, we put together a sizeable list of ransomware decryption tools which you can use. We recommend you read about how these tools work beforehand so that you’re sure that this is the best solution for your case. Do keep in mind that decryptors could become obsolete because of constant updates and new, enhanced versions released by cyber criminals. It’s a never-ending battle, which is why we urge you to focus on prevention and having multiple backups for your data.


Ransomware brought extortion to a global scale, and it’s up to all of us, users, business-owners and decision-makers, to disrupt it.

We now know that:

  • creating malware or ransomware threats is now a business and it should be treated as such;
  • the“lonely hacker in the basement” stereotype died a long time ago;
  • the present threat landscape is dominated by well defined and well-funded groups that employ advanced technical tools and social engineering skills to access computer systems and networks;
  • even more,cyber criminal groups are hired by large states to target not only financial objectives, but political and strategic interests.

We also know that we’re not powerless and there’s a handful of simple things we can do to avoid ransomware. Cyber criminals have as much impact over your data and your security as you give them. Stay safe and don’t forget the best protection is always a backup!

Spend time with your family, not updating their apps!
Heimdal™ Free anti malware and ransomware protection
Let Heimdal™ FREE Silently and automatically update software Close security gaps Works great with your favorite antivirus


Download Heimdal™ FREE

Here Are the Free Ransomware Decryption Tools You Need to Use [2021 Updated]

The Anti-Ransomware Protection Plan You Need to Follow Today

Ransomware Distribution: How One Infection Can Go Network-Wide


Hi, i am using malwarebytes to protect my pc from ransomware, but is malwarebytes safe?

Thanks for sharing this information

Thanks for the genuine article good work keep it up. I would like to offer you guys tons of thanks for the detailed information and most importantly the information about the marketing strategies is top notch.

Elena Georgescu on June 10, 2021 at 5:06 pm

Thank you very much for your beautiful words!

WE STAY AHEAD OF THE TREND AT MAS8SG - mas8sg on December 9, 2020 at 10:40 am

Thank you for a lovely article. I subscribed to your blog and shared this on my Twitter. Thanks again for a great post!

This is a very interesting subject. And people wonder why I don’t click on their emails

Good post thanks!

Please help me my hdd is infect for ransome extention .TODAR and .ADAME
how to decrypt my files

I have never come across such will studied , will written article on ransomware ,its has given me deep knowledge , Thank U Andra keep the good going keep writing and keep helping us.

Nice And Very useful info, This article important and really good the for me is. Keep it up and thanks to the writer. awesome writing, Great article. Thanks!

Ꮋi, Stevе at Bridges.
Wow “Whatt is Ransomware – 15 Easy Stepѕ To Protect Your Ꮪystem
[Updated]” is indeed an original subject
Merely wanted to say that I lіke your blog post.

Thanks for sharing the tips on how to protect your system from ransomware.

This appears very Nice. Thank you to your sharing.

Wow! Great article! Well just making sure that my business is protected, I use boomerang data recovery as well. Other than protecting than ransomware. Just in case if my files are gone.

Thanks for helping us by providing unique things

Great tips! Thanks for this informative post.

Nothing beats a good backup. Always test backups on a monthly or even weekly basis. Also you must make sure your backup has versioning.

Must educate your employees! They’re the target entryway into your network.

Here you are providing such a great news !! Best thing is that always take backup your data after work because when ever any ransomware or virus attack your data is in safe hand and you can work properly. Always enjoying while reading your blog.

very helpful article…thanks for sharing valuable information….you can also find more information at for linksys login router and linksys login with advance settings.

Highly descriptive article, I enjoyed that a
lot. Will there be a part 2?

Howdy! Do you use Twitter? I’d like to follow you if that
would be ok. I’m absolutely enjoying your blog and look forward to new posts.

Hello and thanks for the message!Yes, we do have a Twitter account. You can follow us here: Thanks for reading our blog!

Thanks for any other informative site. The place else could
I get that type of information written in such an ideal approach?

I have a undertaking that I’m just now running on, and
I’ve been on the look out for such information.

This is very interesting, You are an excessively professional blogger.
I have joined your rss feed and sit uup for looking for extra of
your fantastic post. Additionally, I’ve shared your website in my
social networks

Thank you so much for your feedback! We appreciate it!

Many of these shows are based in bigger cities like New York or Los Angeles, which means you get to travel free of charge when you
get in to the finals. ” It was President Theodore Roosevelt who had given it the White House in 1901. This can be very advantageous for you just like you’re fast learner, with just an endeavor, you might learn all you could wanted to simply and free.

Well impressive work Andra. keep on .

Indeed ransomware is a nightmare. Victims of this virus are increasing day by day. Also the amount asked to decrypt the encrypted file is huge. Hope no one become a victim of cryptolocker ransomware snapchat emoji meanings

Do Heimdal do IT Security Management for small businesses? My business doesn’t think it would be targeted as we are so small, but we would rather be safe than sorry! I’ve been looking at a company called Ivanti, but I am unsure of what is the best way to avoid being held at ransom!

Hello Niall! Thank you for your comment. Regarding your question, it depends on what market you are interested in. My colleague, Alex from the Sales team can help you with that. Please contact him at Thank you!

Thanks for this deep insight on cyber security, i thinks that we would get more information on cyber security, Thanks for this pro tips 🙂

Ransomware could cost you an immense data loss and to unlock this data most of the people eventually end up with paying ransom amount. Fortunately, there are free tools to decrypt ransomware files through which you can recover valuable data without paying for it.

Thank you Andra for well presented and detailed information, it was simple to follow and understand, something important to me.
My husband got caught with I think, scareware, on Sunday and we follishly allowed them access to his computer, but managed to back out when payments were requested, we turned off our modem and we’ve since scanned all computers. My question is did we compromise my Sierra o/s Imac?

In theory, if you scanned your systems with a reliable anti-malware solution, you should be fine, but you should use more than one product to ensure that your system hasn’t been compromised. What’s more, I’d recommend doing a system restore from an older backup, if you have one, because there’s no telling what they might have planted on your system.

Great post.luckily i always back up my data in external hard disk. God save computer cannot effect me. One more thank for awareness article about ramdam ware.

I spent my whole time in traffic this morning reading this good stuff. Thank you for this article

Thank you for the kind feedback, Emmanuel! Drive safe!

Great post! Now I know what ransomware all about!.. Thanks Andra,…

Good article here. thank you for that. guys here also a great video to understand wannacry ransomware.
Ramsomware WannaCry Attack you didn’t know before 2017
thank you..!

If the computer has partitioned drives, then ransomware will encrypt only the drive having the windows operating drive.
Then while booting the PC change the boot sequence to UB.
then save and exit.
after that use a USB with linux operating system to boot (Hirens CD) and format the drive with windows operating system. Then reload the windows system.
I feel we can recover the files.
Please advise whether this can help

Thank you.. this article is great.. All the detailed information about ransomware, its types, its life cycle.. The best article i have read so far

This is one of the best and detailed blogs I have seen recently.

Hi, Zaheera,
very nice and informative article, this article help me to improve my knowledge thank-you very much keep updating us.
I have a query, Is it possible to protect my PC by disabling SBMv1 in windows, if yes then how?
waiting for your valuable feedback thanks once again.

Hi nice article about ransomware now I got full detail about ransomware and how to be secure from ransomware thanks for sharing this article and keep updating us

It was a very nice article, I would have thanked you Ms. Andra Zaharia, for creating awareness on ransomware.

mphoentle rangaka on May 17, 2017 at 10:26 am

Thank you for shedding some light, this was extremely helpful.

interesting article thank u very much

Are these ransomware attacks only happening on Windows users?

First of all, lovely article. Love how it’s well explained and very very detailed. I did not flinch for a second while reading it. I was subjected to ransomware, although I had a mac. In short, in order to stay safe from ransomware is people should not be stupid. gonna share few tips I got from reading another short article recently( which is to stop downloading from suspicious links. trust your guts and always backup frequently, no matter how much annoying it is – however worth it in the long run, update your windows and also enable windows defenders. you don’t know how much difference these tips can make. and have been virus free ever since after reading that article.

This is very informative but can anyone tell me what to do to get my COMPWUNLOCKED W/OF PAYING???!!!

ThereseMarie Sollberger on May 16, 2017 at 6:26 pm

I agree, great aeticle, but can anyone tell me how to get around it W/OF PAYING SO I CAN GET MY COMPUTER BACK???!!!!!

If you got time and competency, 0) keep the original hard drive untouched 1) brute force attack the encryption with another computer on a full dump (sector by sector) 2) to a deep recovery file with recuva or R-studio on encrypted drives.

Great post, Got Some new knowledge. It is true that we need more knowledge about cyber security.

What to do when back up server is attacked by some ransomware? Please help.

1. Do not reset your server
2. Try a backup with the extension to non-“bak”
3. The quick freeze your clients (for example,deep freeze)

Got Some new knowledge about cyber security …

so currently im running insider (preview/ beta) version of windows 10 and instead of using mbr partition i used gpt (because it sounds cooler to me). by running preview version of windows some software does not work for me (such as avg), can you tell me:
– can the attackers attack my computer easily? due to new and instable code implementation to the system or will it be the same as normal windows pc?
-about partition kind of ransomware, is gpt actually better or just as mbr?
-im currently running windows defender with your heimdal free (because it sounds cool and the ui is very attractive to me)

thank you for your contributions to cyber security, hope you can answer my questions

For small or non-business, I think an easy block to extortion is never having anything on my computer hard drive, other than the operating programs and emails. USBs are so cheap, all my files are stored on one I keep in my laptop bag. (A red one so it goes faster. The USB not the bag.) I just copy the whole USB to a plug-in hard drive every day or so as a back up. I also copy it to another USB when I remember. This way, there’s really nothing to encrypt; well nothing I care about and I can use any computer at hand. I hope I haven’t overlooked an obvious flaw in this plan.

I’m concerned that since ransomware can be dormant for a significant period, it could exist in all my backups and be restored, then causing the whole thing over again.

Do a full system reinstallation regularly, and have an heterogeneous OS ecosystem (with Windows, Linux, FreeBSD, etc)

Sandeep Ghadge on May 3, 2017 at 8:31 am

Very informative article. Taking regular backups is key to protect the data and in case of attack one can revive from it by recovering the data from backup.

So glad you found it helpful, Sandeep!

Thank you for a lovely article. Also to all who have contributed in the comments box.
How lovely to see a community coming together for greater good.

Thanks for this article, Andra! It was very thorough. I work for Cybereason and we recently released a ransomware protection tool. It’s free and we don’t require registration or personal information in order to download the product. Thought I’d share it as an additional resource –

Hi all

Found this interesting blog recent post on the general guidelines by Microsoft

Nice read.


Andra, this is one of the most detailed articles about ransomware I’ve ever seen!
There is a full list of free ransomware decryption tools developed by different security companies – . I hope it can help someone here

Thank you for the lovely feedback, Magnus! I’m really glad you enjoyed reading it.

Your link is most welcome. We’ve also put together a similar list. You can find it here:

I was about to fell victim to a Ransomware at once, but luckily I had an Anti-Malware called MalwareFox which blocked the installation and notified me. Speaking of which, this is the first time that I see this blog and I noticed that you have a security application, is that an Antivirus? An Anti-Malware? A little bit of both?

Q – Are private data in public (free) cloudsystems (f.e. HVO hubiC, Googledrive etc) save for ransomware?

Q – Do you have to backup data in such cloudsystems to be save for ransomware?

Hi there!
They are safe if you don’t keep them synced locally all the time. If you do get infected with ransomware and your Google Drive is synced locally, it will infect the data in it as well.
In terms of backup, experts recommend that you have at least 2 data back-ups, in 2 different locations: one on an external drive and one in the cloud (that’s not synced locally, for certainty). But 3 backups is ideal to have. More info here:

Tejender Thapliyal on January 17, 2017 at 1:12 pm

Hi, this is very interesting and a good material. Is there any website or tool to track bitcoin account/bitcoin ID? please also suggest how to track the culprits.

Ransomware attacks are increasing year on year… businesses and their employees should have the knowledge on how to make back-ups for critical data, how to update software on the devices that are used for work and how to implement high-end information security solutions. Businesses that are not prepared for ransomware attacks will have a pretty rough time, it claims that around 55% of businesses surveyed said it had taken them several days to restore access to encrypted data after being attacked.

Great job, Andra! (and the Whole Heimdal team) Having good anti-malware/virus software is very important in defending against digital malfeasance, so check out the reviews, do the research, and get the one you think is best for you installed and running ASAP. There are some excellent choices available and they don’t all work the same way.

Thank you very much, Keith! I really appreciate the feedback and thanks for joining our effort to help everyone become more aware of the importance of basic cyber security.

Are you a soft target for ransomeware. Take the risk analysis quiz.

Surendra Singh Pal on November 11, 2016 at 8:57 am

very well written and helpful for Non IT users and IT Pro as well

a Malware/Adware that can convert all JPEG File to .9213 Extension.
Anybody have solution for that……

In-fact what I wanted to know about Ransom-ware is lucidly written and full kudos to her to make me knowledgeable. It is a complete insight blog and a never miss.

found a quick solution for ransomware. from f8 access command prompt and use diskpart to format C drive. restart computer and from f8 you can now use the reset my computer option.

maybe i could have used sytem restore first as the the lock had been removed from c drive with the format.

hope that helps

Indeed ransomware is a nightmare. Victims of this virus are increasing day by day. Also the amount asked to decrypt the encrypted file is huge. Hope no one become a victim of cryptolocker ransomware.

Philip Fullerton on July 25, 2015 at 12:27 pm

Make sure to protect your password frequently at least once a month. Very useful tips. Thank you for sharing it Aurelian. The 9 easy steps to keep your system safe from ransonware article is very helpful. Technology can helps us to protect our home but we should always be careful. The treats are everywhere.

Leave a Reply

Your email address will not be published. Required fields are marked *