Ransomware blocks user access to data and demands payment to restore access. It's possibly the most dangerous form of malware the average person regularly encounters. Once infected, the victim often has no choice but to pay the "ransom," usually a few hundred dollars.
In the past several years, ransomware has hit thousands of small businesses, government agencies and private individuals in North America, making millions for and the online criminals who distribute and operate it. It initially affected only Windows computers, but has spread to Android devices and even Macs.
A worldwide encrypting ransomware outbreak hit the internet on May 12, 2017, after cybercriminals weaponized a Windows exploit that had been previously been stolen from the National Security Agency and posted on WikiLeaks. Microsoft had fixed the underlying flaw two months before the attack, but thousands of machines were left vulnerable by users and administrators who did not install software updates. Even that scare didn't completely fix the problem — another ransomware worm exploiting the same flaw struck six weeks later.
However, it's not difficult to avoid or prepare for ransomware infection, which is not always irreversible. Here's what you need to know about ransomware, how to avoid becoming its victim — and what to do if you become infected.
MORE: Best Antivirus Software
How ransomware works
There are two main types of ransomware: encrypting or "crypto" ransomware, which encrypts some or all of the files on the victim's device; and screen-locking or "locker" ransomware, which disables the user interface.
Most ransomware infects a computer or mobile device in "Trojan horse" fashion — infection is secretly triggered when you open an unexpected email attachment, visit a malicious website or install infected software downloaded from the Internet. Simply visiting a malicious or corrupted Web page may trigger a drive-by download, even if you immediately navigate elsewhere.
Once installed, locker ransomware will freeze the user interface. The screen will display a banner informing you that the computer has been "locked" or "seized," often by the FBI or another law-enforcement agency. Keyboard and mouse inputs will not work.
Crypto ransomware does not freeze the user interface. Instead, it spends a couple of minutes searching your hard drive for common file types such as images and documents. It encrypts such files with a very strong key, then presents a ransom note. The user can still access other files.
In most cases, the amount of money demanded is substantial but not crippling — somewhere between $200 and $700 for North American victims. (Ransomware notes vary in language and currency according to the victim's location.) The notes provide details on how and to where to send payments. Sometimes, the notes give deadlines for paying the ransom, accompanied by a threat of deleting files at regular intervals (typically every 30 minutes).
Once the ransom payment is received and processed, the victim will be sent a numerical key to unlock the screen or encrypted files, or a serial key for activating a decryption program found on the scammer's website. It's rare for a payment not to be honored; ransomware distributors depend on victims trusting that they're good for their word.
Protecting yourself from ransomware
The best ways to avoid any kind of ransomware are to keep your operating system and other software fully updated and patched, and to run robust, self-updating antivirus software. (Firewalls don't always protect against infiltration, and they cannot stop you from opening email attachments.)
In Windows, go to Windows Update in the Control Panel, or Update & Security in the Settings menu, and make sure that updates are set to install automatically. On a Mac, go to Settings, then App Store, and make sure "Automatically check for updates" and "Install system data files and security updates" are checked.
Most forms of ransomware are recognized and blocked by antivirus programs, and most exploit software vulnerabilities for which fixes have long existed. People who don't patch their systems and don't run antivirus software get infected first.
You should also back up all of your computers and mobile devices regularly, preferably daily, to both external hard drives and cloud-based backup services. Then, if your files are locked up by crypto ransomware, you can restore files from backups. But beware that some crypto ransomware encrypts backup drives. It's best to disconnect or switch off backup drives after each backup.
If you use a Windows PC, make sure that it's set up to periodically save "restore points" to which the system can be "rolled back" in case of a serious problem. (This is activated by default in Windows 7 and later.) But again, some ransomware will delete Windows restore points.
Recovering from a ransomware attack
If you see a ransomware note on your computer screen, record the information presented (perhaps by snapping a photo). Call the police and report the incident; the police probably can't help you, but this is a serious crime that should be reported.
Then, see if you can access files or folders on the machine, such as the Documents or Pictures directories in your User folder. If you can't get past the ransom note, you're infected by locker ransomware. If you can navigate the machine, but find files encrypted, you have crypto ransomware.
If you have locker ransomware: Reboot your computer in Safe Mode by pressing the power button and S key on the keyboard at the same time. When the computer restarts, run antivirus software to remove the ransomware.
If that doesn't work, try rolling back Windows to the latest "safe" restore point. Open the Control Panel or Settings menu, then find the Recovery option (under System and Security in Windows 7, and under "Update and Security" in Windows 8.1 and 10). Recovery, aka System Restore, won't affect personal files, but it will remove newly installed software. (Sadly, it won't restore encrypted files.)
If you have crypto ransomware: The first thing to do is download and run the Kaspersky Ransomware Decryptor (opens in new tab), which can decrypt locked files created by certain strains of ransomware.
If that doesn't work, but you have a good backup, overwrite the encrypted files with the unencrypted backup versions.
If you don't have a good backup, but need the files, then you might have to pay the ransom. It will hurt, but it won't bankrupt you. You'll be joining thousands of small businesses, local governments, medical facilities and law enforcement agencies across North America that have had no choice but to pay up.
When all is said and done: Run antivirus software to clean out your system.
If you have the time, back up your files and reinstall the operating system to make sure you start afresh. You'll need an installation disk or recovery partition to do so on Windows 7 or 8.1; on Windows 10, you can simply choose Reset this PC in the Update and Security settings.
Types of ransomware
Screen-locking ransomware originated in Russia around 2010 and spread to the West a year or two later. Initially, payment was often made through Ukash, an online payment system that didn't require proof of identity to use — now, payment is handled primarily through the virtual currency Bitcoin.
One common variant of locker ransomware tells victims they've violated the law by visiting child-pornography websites and that they must pay a fine to have their systems unlocked. Researchers call this kind of ransomware a "police Trojan"; the best-known strain is the notorious Reveton family.
Another kind of locker ransomware informs the user that he or she is running a pirated version of Windows, and demands payment for a "legitimate" Microsoft license to restore access to the computer.
Screen-locking ransomware was extraordinarily effective from 2011 to 2014 — until users learned how to get past lockscreens by restarting PCs in Safe Mode and then running antivirus software to remove the malware.
Encrypting ransomware first appeared in 1989 with the AIDS Trojan, distributed by a mad scientist (really) on floppy disks to attendees of a medical conference. The AIDS Trojan encrypted the names (but not other data) of user files and demanded $189 be sent to a post office box in Panama. Its creator, an eminent biologist, was caught but ruled mentally unfit to stand trial.
Around 2005, the first wave of widely distributed crypto ransomware began. Two of the most prominent strains were Cryzip and PGPCoder, and individuals who found their computers infected with either strain were emailed ransom notes demanding $100 to $300 in e-gold, an early virtual currency, for the key to unlock their files. However, many of the first-wave crypto-ransomware bugs had weak encryption or other flaws that often let users recover data without paying up.
The current wave of crypto ransomware uses much stronger encryption that, in most cases, is impossible to break. It initially appeared in Russia in 2012, but broke into the wider world in late 2013 with the CryptoLocker Trojan after global Bitcoin payment processing became reliable.
As with the "police Trojan" locker ransomware, ransom notes are usually not emailed, but put right on the computer screen. Payment is made through Western Union or Bitcoin, and many strains show users how to buy and sent bitcoins.
Other well-known variants include TeslaCrypt, which targets gaming PCs; CryptoWall, which spread via malicious online ads, or "malvertising"; Linux Encoder, which attacks Linux-based Web servers; and KeRanger, which infected Macs via a corrupted BitTorrent installer.
In some instances, there's no ransom note. Instead, the criminal relies on victims to go to the Internet in search of a solution. Search results will bring up the ransomware controllers' website, which sells legitimate software for decrypting files, making the criminals appear uninvolved with the incident while still getting money from willing buyers.