This article provides information on malware threats known as 'ransomware' and answers some of the common questions.
Applies to the following Sophos product(s) and version(s): Not product specific
Operating System(s): Windows only
Ransomware is malicious software that denies you access to your computer or files until you pay a ransom. There are two types of ransomware that SophosLabs is commonly seeing: WinLockers, which lock you out of the computer with a warning screen, and file encryptors, which encrypt your personal files.
There is also 'MBR ransomware'. The Master Boot Record (MBR) is a section of the computer's hard drive that allows the operating system to boot up. MBR ransomware changes the computer's MBR so the normal boot process is interrupted and a ransom demand is displayed on screen instead.
As with a lot of malware, the majority of ransomware is targeted at the Microsoft Windows operating system.
Yes, it includes many defenses against ransomware, including "CXmail" detections for malicious email attachments used to distribute malware. But the malware writers are constantly updating and releasing new variants and families. You must stay fully up to date with the latest Sophos releases and ensure all your computers adhere to our best practice advice on Sophos Anti-Virus settings.
Useful articles are:
Delivery mechanisms are further explained in our SophosLabs technical paper, Ransomware: Next-Generation Fake Antivirus.
WinLockers, file encryptors and malware that affects the computer's MBR with monetary demands (all described at the beginning of this article) are ransomware. Fake-antivirus pretends to find malicious files on your computer and for a fee says it will remove them.
Both try to extort money, but in different ways.
Ensure that your computer(s) are running the latest version of our software and up to date with identity files. Also make sure our software is configured for best protection.
If you are a network administrator you should educate your users on staying safe while online and consider a multi-tiered security solution such as our Unified Threat Management (UTM).
There are also more generic detections such as Mal/Encpk-*, which include both ransomware and other malware that shares common properties.
If a malicious file is not being detected, or cleanup of the infection is incomplete, you need to identify the malicious files and submit samples to SophosLabs for further analysis.
If you cannot identify anything malicious and you have access to the computer (local or remote), download the ZIP version of the Sophos Diagnostic Utility and run the command line version with the '-malware' switch (see article 116537 for details on the malware switch). Submit the output log file set with a support query to Technical Support, fully explaining the situation and what you have observed so far.
Once the files have been analyzed by SophosLabs, an update has released and your computer has received that update you can run a full scan of the computer (either locally or from the console) to fully remove the infection.
If you are certain that there are malicious files on your computer that are not being detected see the section Identifying malicious files and submitting samples above before running a full scan. If you are not certain or you have submitted samples and an update has been released, run a full system scan:
Your data cannot be recovered and unfortunately we cannot recover it for you in-house as it is not technically possible.
Once any malicious files have been removed the encrypted files should be replaced from a recent backup.
Note: It was possible to decrypt files encrypted with early versions of ransomware. However the latest versions use a public and private key system where the public key is used to encrypt and the private key is used to decrypt. The private key remains on a central server maintained by the crooks and hence is not available.
Note: If you have been locked out of your computer by a warning screen (see screenshots above) and you know all your personal files have not been encrypted (e.g., by checking in Safe Mode or remotely from another network computer) you have a WinLocker type of ransomware.
If you have access to only one computer (the infected computer) then you should try:
If you cannot access the computer locally then you will need to have access to the infected computer from another computer on the same network - see below.
If the infected computer is connected to the same network as a clean computer you should try:
Once you have gained access to the computer the next step is to identify the files causing the lock screen to appear. See the section Identifying malicious files and submitting samples above.
To find more information and see examples of recent ransomware in the news read and subscribe to our nakedsecurity blog.
If you have not already done so, read our PDF on ransomware: Ransomware: Next-Generation Fake Antivirus.
CryptoLocker is a newer type of ransomware that encrypts personal files and then demands a payment of 300 USD to release them. Watch the video below to see it in action.