This article provides information on malware threats known as 'ransomware' and answers some of the common questions.
Applies to the following Sophos product(s) and version(s)
Not product specific
What is Ransomware?
Ransomware is malicious software that denies you access to your computer or files until you pay a ransom. There are two types of ransomware that SophosLabs is commonly seeing:
- Encrypts personal files/folders (e.g., the contents of your My Documents folder - documents, spreadsheets, pictures, videos). Files are deleted once they are encrypted and generally there is a text file in the same folder as the now-inaccessible files with instructions for payment. You may see a lock screen but not all variants show one. Instead you may only notice a problem when you attempt to open your files. This type is called 'file encryptor' ransomware. For example, CryptoLocker is a file encryptor that Sophos Anti-Virus detects as Troj/Ransom-ACP.
- 'Locks' the screen (presents a full screen image that blocks all other windows) and demands payment. No personal files are encrypted. Example screenshots of with type running on a computer are shown below (click for larger view).. This type is called 'WinLocker' ransomware.
There is also 'MBR ransomware'. The Master Boot Record (MBR) is a section of the computer's hard drive that allows the operating system to boot up. MBR ransomware changes the computer's MBR so the normal boot process is interrupted and a ransom demand is displayed on screen instead.
Which operating systems are susceptible to this type of attack?
As with a lot of malware the majority of ransomware is targeted at the Microsoft Windows operating system.
Does Sophos Endpoint Security and Control protect my computer from ransomware?
Yes, but the malware writers are constantly updating and releasing new variants and families. You must stay fully up to date with the latest Sophos releases and ensure all your computers adhere to our best practice advice on Sophos Anti-Virus settings.
Useful articles are:
How does a computer become infected with ransomware?
|Infection vector ||How... ||Advice |
|SPAM email ||By opening email attachments in SPAM email. || |
- prevent SPAM email from reaching end users.
- educate users not to open any attachments that they are not expecting.
- ensure local anti-virus is up to date on all computers and is active (ensure the user has not disabled the protection).
- ensure your central shares (that endpoints update from) are receiving updates from Sophos Update Manager - check your console.
- avoid opening any attachment emailed to you that you were not expecting.
- watch out for emails with attachments suggesting you must reply quickly or 'act fast' and hence feel compelled to open the attachment quickly - without considering the source.
- check your Sophos shield in the system tray and make sure it does not have a red cross or warning triangle.
Move your mouse point over the shield and ensure 'On-access scanning: disabled' is not shown.
Double-click the Sophos shield to open the program. On the left hand side, under the 'Status' panel make sure the 'Last updated' value is recent...
|Good || |
|Bad || |
...the date shown when hovering the mouse point over the shield does not indicate a recent update in protection, but only that it checked with the update source and is in sync.
- contact your IT department if in any doubt.
|Botnet ||Your computer was already infected with malware, but not ransomware that encrypted files and you may not even be aware malware was running. Included in the existing botnet malware was a general purpose "upgrade" command that allows the crooks to update, replace, or add to the malware already on your PC. ||Ensure your (all) computers are up to date and run a full scan locally or from the console. |
|Operating system or software exploit ||The malware exploits a security vulnerability in the computer's operating system or an application that is installed on the computer. ||Ensure your (all) computers are up to date with Microsoft patches. Performing a 'Windows Update' locally on a regular basis is important. For IT admins we offer Sophos Patch which allows you to scan for missing OS and software patches. See article 114162 for more information. |
Delivery mechanisms are further explained in our SophosLabs technical paper at Ransomware: Next-Generation Fake Antivirus
Useful articles are:
What's the difference between ransomware and fake-antivirus?
WinLockers, file encryptors and malware that affects the computer's MBR with monetary demands (all described at the beginning of this article) are ransomware. Fake-antivirus pretends to find malicious files on your computer and for a fee says it will remove them.
Both try to extort money, but in different ways.
Can I do anything more to protect my computer from ransomware?
Ensure that your computer(s) are running the latest version of our software and up to date with identity files. Also make sure our software is configured for best protection.
If you are a network administrator you should educate your users on staying safe while online and consider a multi-tiered security solution such as our Unified Threat Management (UTM).
Useful articles are:
What names are reported when ransomware is detected?
There are also more generic detections such as Mal/Encpk-*, which include both ransomware and other malware that shares common properties.
Identifying malicious files and submitting samples
If a malicious file is not being detected or cleanup of the infection is incomplete you need to identify the malicious files and submit samples to SophosLabs for further analysis.
If you cannot identify anything malicious and you have access to the computer (local or remote) download the ZIP version of the Sophos Diagnostic Utility and run the command line version with the '-malware' switch (see article 116537 for details on the malware switch) and submit the output log file set with a support query to Technical Support fully explaining the situation and what you have observed so far.
Once the files have been analyzed by SophosLabs, an update has released and your computer has received that update you can run a full scan of the computer (either locally or from the console) to fully remove the infection.
Useful articles are:
How do I remove the malicious files from my computer that are detected?
If you are certain that there are malicious files on your computer that are not being detected see the section Identifying malicious files and submitting samples above before running a full scan. If you are not certain or you have submitted samples and an update has been released, run a full system scan:
What should I do if files have been encrypted?
Your data cannot be recovered and unfortunately we cannot recover it for you in-house as it is not technically possible.
Once any malicious files have been removed the encrypted files should be replaced from a recent backup.
Note: It was possible to decrypt files encrypted with early versions of ransomware. However the latest versions use a public and private key system where the public key is used to encrypt and the private key is used to decrypt. The private key remains on a central server maintained by the crooks and hence is not available.
What should I do if I am locked out of my computer?
Note: If you have been locked out of your computer by a warning screen (see screenshots above) and you know all your personal files have not been encrypted (e.g., by checking in Safe Mode or remotely from another network computer) you have a WinLocker type of ransomware.
If you have access to only one computer (the infected computer) then you should try:
- Logging on to the computer with another user account (to bypass the malware if it is only affecting your current user account).
- Restart the computer in Safe Mode.
If you cannot access the computer locally then you will need to have access to the infected computer from another computer on the same network - see below.
If the infected computer is connected to the same network as a clean computer you should try:
- Running the Sophos Diagnostic Utility remotely using article 112981.
- Using Windows programs and network administrator techniques to investigate the infection such as: a remote registry editor connection; tasklist.exe; taskkill.exe; browsing the C$ share.
Once you have gained access to the computer the next step is to identify the files causing the lock screen to appear. See the section Identifying malicious files and submitting samples above.
Where can I get more information on ransomware?
View the presentation below or on Brainshark.
To find more information and see examples of recent ransomware in the news read and subscribe to our nakedsecurity blog.
If you have not already done so, read our PDF on ransomware: Ransomware: Next-Generation Fake Antivirus.
Watch CryptoLocker in action
CryptoLocker is a newer type of ransomware that encrypts personal files and then demands a payment of 300 USD to release them. Watch the video below to see it in action.