What is ransomware?
Ransomware is malicious software that secretly encrypts the files on your PC to try to force you to pay the ransomer in order to obtain the decryption key needed to regain access to your digital life.
While large corporate and government organisations have been the most famous targets of ransomware attacks, they also affect private individuals. An estimate published in 2021 put the cost of ransomware to businesses at $20 billion in 2020.

Ransomware is frequently spread through malicious and sometimes highly targeted email attachments and links, as well as malicious ads that download malware when you interact with them, drive-by downloads that automatically download the payload, and across local networks where an infection has taken hold. Malicious ads and drive-by downloads can appear on otherwise legitimate sites.
Many notorious attacks, such as those by the Conti group, have stolen data before encrypting it, leading to private data being released online. Other ransomware attacks lie about the decryption aspect, leaving those who pay the ransom with inoperable computers.
While Windows remains the most popular target, attacks have also affected macOS and Linux systems. Ransomware even exists for mobile devices and embedded systems.
A brief history of encrypting ransomware
Ransomware hasn’t always used the challenging asymmetric full-file encryption we see today. The first recorded ransomware attack, created in 1989 and intended to disrupt the work of AIDS researchers, encrypted file names to prevent them from being accessed, making the system unusable unless a $189 decryption key was purchased from the malware’s creator.
In 2005, a family of viruses known as PGPCoder or GPCode emerged: trojan horses that encrypted all the document and archive files they could find, leaving a text file containing instructions for paying a ransom via online gold trading sites to get the decryption key.
Researchers at Kaspersky were able to identify GPCode’s creator based on their IP address. The malware creator actually contacted the antivirus firm and tried to sell them a tool to decrypt the PGPCoder malware. Kaspersky obviously refused and, after investigating the systems of multiple victims to resolve proxied IP addresses the malware used to phone home, pinpointed the perpetrator’s location. To this day it’s not clear whether police ever acted on the information Kaspersky provided. The last known version of GPCode was released in 2010.
As new payment methods became popular, ransomware developers embraced them. In the 2010s, the WinLock malware family used premium-rate SMS messages to extract cheap-by-modern-standards ransoms of around £10.
The popularisation of cryptocurrencies, particularly Bitcoin, created in 2008, gave criminals a relatively hard-to-trace method of receiving ransomware payments, and now the majority of attacks demand payment via cryptocurrency.
Perhaps the most famous ransomware was 2017’s WannaCry, used in a vast attack that affected some 200,000 computers worldwide, according to Europol, until a kill switch was discovered by British security researcher Marcus “MalwareTech” Hutchins.
We currently see hundreds of ransomware attacks every year, and there’s little sign of the trend abating.
Non-encrypting ransomware
Ransomware is scary stuff, and some criminals try to use the threat of locking your PC, reporting you to the authorities, or destroying your most precious files to extract a ransom without actually doing anything.
Reveton, the “police virus” that claimed your system had been locked by local authorities until a “fine” was paid, actually just used a registry key to lock up your system. The gang responsible for that one was caught by Europol in 2013, but not before having scammed vulnerable users out of over €1 million a year.
Just last week, a colleague in IT security saw a new, but very old-school, in-browser “screen locker” attack that seized window focus and instructed the user to call “Microsoft” for assistance, which would obviously lead into a fraudulent and expensive “computer repair”. The message threatened dire consequences for rebooting… which is hardly surprising, given that rebooting and clearing all open browser tabs was all that was needed to get rid of that particular irritant. To make sure the screen locker wouldn’t return, the system was thoroughly virus scanned using both bootable and installed anti-malware tools, and its registry and startup applications were checked.
What to do with suspected encrypting ransomware?
If you suspect that you’ve been infected by ransomware but not everything has been fully encrypted yet, immediately shut down or turn off your computer. Rebooting is unlikely to prevent your data from being encrypted, as the encryption process will restart with your PC. Scan the drive for malware without booting the OS, for example by using a rescue disk.
If the rescue disk can identify the ransomware but not decrypt the files it has locked, all is not lost. Ransomware is constantly being analysed by security specialists. Your first ports of call should be Emsisoft, which specialises in creating decryptors, and Europol’s No More Ransom, which will help you identify your ransomware and find a decryptor for it.
If you have to boot the system, disconnect it from all wired and wireless networks. This can prevent the ransomware from encrypting network drives, stop it from spreading to other devices on the network, help prevent copies of your personal files from being stolen, and block secondary activities of the malware, such as using your PC for cryptocurrency mining.
If your system disk has already been fully encrypted, and you can’t decrypt it, you’re left with two choices. If the hard disk contained genuinely important or irreplaceable files, you can remove it, label it, store it somewhere safe, and keep an eye out for the release of a decryptor. These might be reverse engineered, released by ransomware groups when they cease business, or even stolen and released by security researchers working against the malware creators, as in the case of March 2022’s Conti leak.
If you’ve been keeping backups, by far the best and quickest way to deal with a ransomware-infested PC is to reinstall the operating system and restore your data from backups.
If you’re in the UK, report the attack to the National Cyber Security Centre.
Don’t pay the ransom. Your money will prop up organised crime and there’s no guarantee that you’ll ever get a functional decryptor.
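The advice above starts with “if you suspect” an infection, which raises the practical question of how to tell, from a mounted drive, which files have actually been encrypted and whether a ransom note has been dropped. The following Python script is an added example for that triage step; it is not code from the original article, from Emsisoft or from No More Ransom. It walks a folder, flags files whose leading bytes are near-random (encrypted data has close to 8 bits of entropy per byte, while documents sit well below that) and picks out ransom-note style filenames. The note patterns, the entropy threshold and the sample directory it builds are all constructed for the demonstration and would need a vendor-maintained list in real use.

```python
import math
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

# Constructed ransom-note filename patterns, illustrative only; a real
# deployment would pull an up-to-date list from a vendor or No More Ransom.
RANSOM_NOTE_PATTERNS = [
    re.compile(r"(readme|how_to|decrypt|restore).*\.(txt|html|hta)$", re.I),
]

# Entropy threshold in bits per byte (assumed value). Encrypted and compressed
# data both sit near 8.0; plain documents are usually well below 7.
HIGH_ENTROPY = 7.5

# Containers that are legitimately high-entropy; skipped to cut false positives.
COMPRESSED_SUFFIXES = {".zip", ".gz", ".7z", ".png", ".jpg", ".mp4", ".pdf"}


def shannon_entropy(data: bytes) -> float:
    """Return the Shannon entropy of data in bits per byte (0.0 for empty)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def looks_encrypted(path: Path, sample_size: int = 4096) -> bool:
    """Heuristic: a file whose leading bytes are near-random is likely encrypted."""
    if path.suffix.lower() in COMPRESSED_SUFFIXES:
        return False
    with path.open("rb") as f:
        head = f.read(sample_size)
    # Very small files give unreliable entropy, so require a minimum sample.
    return len(head) >= 256 and shannon_entropy(head) >= HIGH_ENTROPY


def is_ransom_note(path: Path) -> bool:
    """Match the filename against the constructed ransom-note patterns."""
    return any(p.search(path.name) for p in RANSOM_NOTE_PATTERNS)


def triage(root: Path) -> dict:
    """Walk root and report suspected-encrypted files, ransom notes and the
    extensions seen on the encrypted files (a useful clue to the family)."""
    report = {"encrypted": [], "notes": [], "extensions": Counter()}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if is_ransom_note(p):
                report["notes"].append(p)
            elif looks_encrypted(p):
                report["encrypted"].append(p)
                report["extensions"][p.suffix.lower()] += 1
    return report


def build_constructed_sample(base: Path) -> Path:
    """Create a small constructed folder mimicking a partly encrypted Documents dir."""
    docs = base / "Documents"
    docs.mkdir()
    (docs / "notes.txt").write_text("Quarterly planning notes.\n" * 40)
    # Stand-in for ciphertext: a uniform byte distribution has entropy exactly 8.0
    (docs / "budget.xlsx.locked").write_bytes(bytes(range(256)) * 16)
    (docs / "HOW_TO_DECRYPT_FILES.txt").write_text("Constructed sample ransom note.\n")
    return base


def run_demo() -> dict:
    """Build the constructed sample, triage it and return plain filenames."""
    with tempfile.TemporaryDirectory() as tmp:
        report = triage(build_constructed_sample(Path(tmp)))
        return {
            "encrypted": sorted(p.name for p in report["encrypted"]),
            "notes": sorted(p.name for p in report["notes"]),
            "extensions": dict(report["extensions"]),
        }


if __name__ == "__main__":
    result = run_demo()
    print("Suspected encrypted files:", result["encrypted"])
    print("Ransom notes found:       ", result["notes"])
    print("Extensions on encrypted:  ", result["extensions"])
```

Run it against a copy of the affected drive mounted read-only from a rescue environment, never from the infected OS itself. The extension counter is the part to take to No More Ransom or Emsisoft: the appended extension and the note filename are usually enough to identify the family and find out whether a decryptor exists.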
How to protect against ransomware?
K.G. Orphanides is a writer and developer whose areas of expertise include internet security, VPNs, Linux for the desktop, small-scale game development, software preservation and computer audio techno…
Why trust our journalism?
Founded in 2003, Trusted Reviews exists to give our readers thorough, unbiased and independent advice on what to buy.
Today, we have millions of users a month from around the world, and assess more than 1,000 products a year.
Editorial independence means being able to give an unbiased verdict about a product or company, with the avoidance of conflicts of interest. To ensure this is possible, every member of the editorial staff follows a clear code of conduct.
We also expect our journalists to follow clear ethical standards in their work. Our staff members must strive for honesty and accuracy in everything they do. We follow the IPSO Editors’ code of practice to underpin these standards.