Ransomware attacks, in which hackers hold hostage the files on their victims’ computers, are on the rise. A new report found that each quarter in 2016 saw a significant increase in the number of attacks:
“It would be inaccurate to say the threat landscape either diminished or expanded in 2016,” according to the report, which was released last week by SonicWall, a cybersecurity firm. “Rather, it appears to have evolved and shifted.”
The report identified 638.2 million unique ransomware attempts in 2016, up more than 16,000% from 3.8 million in 2015. The company used several methods to gather the numbers, including “honeypot” servers set up to detect attacks, and information from “more than 50 industry collaboration groups and research organizations.”
In a ransomware attack, the hackers gain access to the victim’s computer and encrypt its files. The hackers then charge the victim to decrypt the files, which only they can do.
Throughout 2016, ransomware attacks made news by forcing money out of private and public organizations, including a hospital in Los Angeles and the public transportation system in San Francisco. Once they’ve infected a system, hackers typically demand payment via anonymous bitcoin.
| Date | Victim | Ransom |
| --- | --- | --- |
| February 2016 | Hollywood Presbyterian Medical Center | $17,000 |
| April 2016 | Lansing Board of Water & Light | $25,000 |
| September 2016 | VESK cloud services | $22,800 |
| November 2016 | San Francisco Transit Authority | $73,000 |
These kinds of attacks appear to be a more direct route to hard cash than traditional malware, which is still the most common form of attack by far. And SonicWall discovered fewer new unique malware versions in 2016 (60 million) than it did in 2015 (64 million), a decline of 6.3%.
Meanwhile, ransomware attacks show no signs of slowing in 2017. Hackers have so far demanded $35,000 from St. Louis libraries, an undisclosed amount from an Illinois police station, and wreaked havoc on 28,000 database servers, among other attacks.
What is Ransomware
Ransomware stops you from using your PC. It holds your PC or files for “ransom”. This page describes what ransomware is and what it does, and provides advice on how to prevent and recover from ransomware infections.
You can also read our blog about ransomware: The 5Ws and 1H of ransomware.
What does ransomware do?
There are different types of ransomware. However, all of them will prevent you from using your PC normally, and they will all ask you to do something before you can use your PC.
They can target any PC user, whether it’s a home computer, endpoints in an enterprise network, or servers used by a government agency or healthcare provider. Ransomware can:
- Prevent you from accessing Windows.
- Encrypt files so you can’t use them.
- Stop certain apps from running (like your web browser).
Ransomware will demand that you pay money (a “ransom”) to get access to your PC or files. We have also seen them make you complete surveys.
There is no guarantee that paying the fine or doing what the ransomware tells you will give access to your PC or files again.
Frequently asked questions
- Is it true that the legal authorities in my area have detected illegal activities in my PC?
No. These warnings are fake and have no association with legitimate authorities. The message uses images and logos of legal institutions to make it look authentic.
- I cannot access my PC or my files. Should I just go ahead and pay to regain access?
There is no one-size-fits-all response if you have been victimized by ransomware. There is no guarantee that handing over the ransom will give you access to your files again. Paying the ransom could also make you a target for more malware.
- How do I get my files back?
How to recover your files depends on where your files are stored and what version of Windows you are using.
Before you try to recover files, you should use Windows Defender Offline to fully clean your PC.
For Microsoft Office files stored, synced, or backed up to OneDrive
OneDrive creates a version of Microsoft Office files when you save or change the file as part of its security features.
To see if there are older versions of your file, go to OneDrive on the web. Right-click on a file you want to restore and click Version history.
OneDrive for Business customers should see the Manage document versions help article on the Office help site.
For files on your PC
You need to have turned on File History (in Windows 10 and Windows 8.1) or System Protection for previous versions (in Windows 7 and Windows Vista) before you were infected. In some cases, these might have been turned on already by your PC manufacturer or network administrator.
Some ransomware will also encrypt or delete the backup versions of your files. This means that even if you have enabled File History, if you have set the backup location to be a network or local drive your backups might also be encrypted. Backups on a removable drive, or a drive that wasn’t connected when you were infected with the ransomware, might still work.
See the Windows Repair and recovery site for help on how to enable file recovery for your version of Windows.
If you’ve been infected by the Crilock family of ransomware (also called CryptoLocker), you might be able to use the tool mentioned in the MMPC blog:
- What should I do if I’ve paid?
You should contact your bank and your local authorities, such as the police. If you paid with a credit card, your bank may be able to block the transaction and return your money.
The following government-initiated fraud and scam reporting websites may also help:
- In Australia, go to the SCAMwatch website
- In Canada, go to the Canadian Anti-Fraud Centre
- In France, go to the Agence nationale de la sécurité des systèmes d’information website
- In Germany, go to the Bundesamt für Sicherheit in der Informationstechnik website
- In Ireland, go to the An Garda Síochána website
- In New Zealand, go to the Consumer Affairs Scams website
- In the United Kingdom, go to the Action Fraud website
- In the United States, go to the On Guard Online website
If your country or region isn’t listed here, we encourage you to contact your country’s federal police or communications authority.
For general information on what to do if you have paid, see:
- How did the message know my IP address?
Your IP address is not usually hidden, and there are lots of tools online that will get it for you. It’s likely they used such a tool.
- How did ransomware get on my PC?
In most instances ransomware is automatically downloaded when you visit a malicious website or a website that’s been hacked.
For other ways malware, including ransomware, gets on your PC, see:
- How do I protect myself against ransomware?
- Install and use an up-to-date antivirus solution (such as Microsoft Security Essentials).
- Make sure your software is up to date.
- Avoid clicking on links or opening attachments or emails from people you don’t know or companies you don’t do business with.
- Ensure you have SmartScreen (in Internet Explorer) turned on.
- Regularly back up your important files.
You can back up your files with a cloud storage service that keeps a history or archive of your files, such as OneDrive, which is now fully integrated into Windows 10, Windows 8.1, and Microsoft Office.
After you’ve removed the ransomware infection from your computer, you can restore previous, unencrypted versions of your Office files using “version history”.
See the question “How do I get my files back?” above for more help on how to use this feature in OneDrive.
For more tips on preventing malware infections, including ransomware infections, see:
- How do I remove ransomware from my PC?
How to remove the ransomware depends on what type it is.
If your web browser is locked
You can try to unlock your browser by using Task Manager to stop the web browser’s process:
1. Open Task Manager. There are a number of ways you can do this, for example by right-clicking on an empty space on the taskbar and clicking Task Manager or Start Task Manager.
2. In the list of Applications or Processes, click on the name of your web browser.
3. Click End task. If you are asked if you want to wait for the program to respond, click Close the program.
In some workplaces, access to Task Manager may be restricted by your network administrator. Contact your IT department for help.
When you open your web browser again, you may be asked to restore your session. Do not restore your session or you may end up loading the ransomware again.
See the question “How do I protect myself from ransomware” above for tips on preventing browser-based ransomware from running on your PC.
If your PC is locked
Method 1: Use the Microsoft Safety Scanner in safe mode
First, download a copy of the Microsoft Safety Scanner from a clean, non-infected PC. Copy the downloaded file to a blank USB drive or CD, and then insert it into the infected PC.
Try to restart your PC in safe mode:
When you’re in safe mode, try to run the Microsoft Safety Scanner.
Method 2: Use Windows Defender Offline
Because ransomware can lock you out of your PC, you might not be able to download or run the Microsoft Safety Scanner. If that happens, you will need to use the free tool Windows Defender Offline:
See our advanced troubleshooting page for more help.
Steps you can take after your PC has been cleaned
Make sure your PC is protected with antimalware software.
Microsoft has free security software that you can use:
If you have Windows 10 or Windows 8.1, your PC comes with antimalware software: Windows Defender.
If you’re using Windows 7 or Windows Vista, you should install antimalware software, such as Microsoft Security Essentials.
You can update Microsoft security software on our updates page.
If you don’t want to use Windows Defender or Microsoft Security Essentials, you can download other security software from another company. Just make sure it is turned on all the time, fully updated, and provides real-time protection.
Details for home users
There are two types of ransomware – lockscreen ransomware and encryption ransomware.
Lockscreen ransomware shows a full-screen message that prevents you from accessing your PC or files. It says you have to pay money (a “ransom”) to get access to your PC again.
Encryption ransomware changes your files so you can’t open them. It does this by encrypting the files – see the Details for enterprises section if you’re interested in the technologies and techniques we’ve seen.
Older versions of ransomware usually claim you have done something illegal with your PC, and that you are being fined by a police force or government agency.
These claims are false. It is a scare tactic designed to make you pay the money without telling anyone who might be able to restore your PC.
Newer versions encrypt the files on your PC so you can’t access them, and then simply demand money to restore your files.
Ransomware can get on your PC from nearly any source that any other malware (including viruses) can come from. This includes:
- Visiting unsafe, suspicious, or fake websites.
- Opening emails and email attachments from people you don’t know, or that you weren’t expecting.
- Clicking on malicious or bad links in emails, Facebook, Twitter, and other social media posts, or in instant messenger chats like Skype.
It can be very difficult to restore your PC after a ransomware attack – especially if it’s infected by encryption ransomware.
That’s why the best solution to ransomware is to be safe on the Internet and with emails and online chat:
Don’t click on a link on a webpage, in an email, or in a chat message unless you absolutely trust the page or sender.
If you’re ever unsure – don’t click it!
Often fake emails and webpages have bad spelling, or just look unusual. Look out for strange spellings of company names (like “PayePal” instead of “PayPal”) or unusual spaces, symbols, or punctuation (like “iTunesCustomer Service” instead of “iTunes Customer Service”).
Check our frequently asked questions for more information about ransomware, including troubleshooting tips in case you’re infected, and how you can backup your files to help protect yourself from ransomware.
Details for enterprises and IT professionals
The number of enterprise victims being targeted by ransomware is increasing. Usually, the attackers specifically research and target a victim (similar to whale-phishing or spear-phishing – and these in fact may be techniques used to gain access to the network).
The sensitive files are encrypted, and large amounts of money are demanded to restore the files. Generally, the attacker has a list of file extensions or folder locations that the ransomware will target for encryption.
Due to the encryption of the files, it can be practically impossible to reverse-engineer the encryption or “crack” the files without the original encryption key – which only the attackers will have access to.
The best advice for prevention is to ensure company-confidential, sensitive, or important files are securely backed up in a remote, un-connected backup or storage facility.
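As an added defender-side example (not code from Microsoft, SonicWall, or this page), the following Python script applies two behavioural checks that follow from the description above: a process rewriting, deleting or renaming many user documents within a short window, and a process touching a decoy ("canary") file that nothing legitimate should modify. The event format, paths, extension list and thresholds are assumptions, and the log lines are constructed.

```python
"""Behavioural detector for the file-encryption phase of ransomware.

Added example, not code from Microsoft, SonicWall or the page it follows.
It scans file-activity events and flags a process that tampers with many
documents inside a sliding window, or that touches a decoy (canary) file.
Log format, paths, extension list and thresholds are all assumed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Document types ransomware families typically target (assumed list).
WATCHED_EXTENSIONS = {".docx", ".xlsx", ".pptx", ".pdf", ".jpg", ".png", ".txt"}
# Decoy files that no legitimate process has any reason to modify (assumed path).
CANARY_FILES = {r"C:\Users\alice\Documents\~canary_do_not_open.docx"}
WINDOW = timedelta(seconds=30)   # sliding window evaluated per process
MASS_CHANGE_THRESHOLD = 5        # distinct documents touched inside the window

# Constructed sample events: "<ISO timestamp> <process> <action> <path> [<new path>]".
SAMPLE_EVENTS = r"""
2016-11-28T09:00:01 winword.exe WRITE C:\Users\alice\Documents\budget.docx
2016-11-28T09:00:09 winword.exe WRITE C:\Users\alice\Documents\budget.docx
2016-11-28T09:00:40 winword.exe WRITE C:\Users\alice\Documents\notes.txt
2016-11-28T09:01:00 svchost.exe WRITE C:\Windows\Temp\setup.tmp
2016-11-28T09:02:10 updater.exe WRITE C:\Users\alice\Documents\report.xlsx
2016-11-28T09:02:10 updater.exe RENAME C:\Users\alice\Documents\report.xlsx C:\Users\alice\Documents\report.xlsx.locked
2016-11-28T09:02:11 updater.exe WRITE C:\Users\alice\Documents\plan.pptx
2016-11-28T09:02:11 updater.exe RENAME C:\Users\alice\Documents\plan.pptx C:\Users\alice\Documents\plan.pptx.locked
2016-11-28T09:02:12 updater.exe WRITE C:\Users\alice\Pictures\family.jpg
2016-11-28T09:02:12 updater.exe WRITE C:\Users\alice\Documents\contract.pdf
2016-11-28T09:02:13 updater.exe WRITE C:\Users\alice\Documents\~canary_do_not_open.docx
2016-11-28T09:02:14 updater.exe DELETE C:\Users\alice\Documents\~canary_do_not_open.docx
"""


def ext_of(path):
    """Return the lower-cased extension of a Windows path ("" if it has none)."""
    dot, sep = path.rfind("."), path.rfind("\\")
    return path[dot:].lower() if dot > sep else ""


def parse_event(line):
    """Split one event line into (timestamp, process, action, path, new_path)."""
    parts = line.split()
    ts = datetime.fromisoformat(parts[0])
    new_path = parts[4] if len(parts) > 4 else None
    return ts, parts[1], parts[2], parts[3], new_path


def is_document_tamper(action, path, new_path):
    """True when a watched document is rewritten, deleted, or renamed to a foreign extension."""
    if ext_of(path) not in WATCHED_EXTENSIONS:
        return False
    if action in ("WRITE", "DELETE"):
        return True
    return action == "RENAME" and ext_of(new_path) not in WATCHED_EXTENSIONS


def analyze(lines):
    """Return {process: [(reason, detail), ...]} for processes behaving like ransomware."""
    alerts = defaultdict(list)
    recent = defaultdict(deque)   # process -> deque of (timestamp, path) tamper events
    mass_flagged = set()          # processes already reported for mass changes
    for line in lines:
        if not line.strip():
            continue
        ts, proc, action, path, new_path = parse_event(line)
        if path in CANARY_FILES or new_path in CANARY_FILES:
            alerts[proc].append(("canary", f"{action} {path}"))
        if not is_document_tamper(action, path, new_path):
            continue
        window = recent[proc]
        window.append((ts, path))
        while ts - window[0][0] > WINDOW:   # drop events older than the window
            window.popleft()
        touched = {p for _, p in window}
        if len(touched) >= MASS_CHANGE_THRESHOLD and proc not in mass_flagged:
            mass_flagged.add(proc)
            alerts[proc].append(("mass_change",
                                 f"{len(touched)} documents within {WINDOW.seconds}s at {ts.isoformat()}"))
    return dict(alerts)


if __name__ == "__main__":
    for proc, reasons in analyze(SAMPLE_EVENTS.splitlines()).items():
        print(proc)
        for kind, detail in reasons:
            print(f"  {kind}: {detail}")
```

On the constructed sample only updater.exe is reported, once for the mass change and once for each touch of the canary file; the word processor that saves the same two documents repeatedly stays below the threshold.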
In some cases, third-party tools released by security firms are able to decrypt files for specific ransomware families. See our blog FireEye and Fox-IT tool can help recover Crilock-encrypted files for an example.
Tim Rains, Microsoft Director of Security, released the blog Ransomware: Understanding the risk in April 2016, which summarizes the state of ransomware and provides statistics, details, and preventative suggestions to enterprises and IT professionals. Our Threat intelligence report: Ransomware also includes suggestions on prevention and recovery, statistics, and details.
Globally, ransomware continues to be a problem. In particular, we’ve seen increases in Italy and the eastern seaboard of the US.
The past six months (between December 2015 and May 2016) have seen the rise of Tescrypt globally. Crowti remains near the top of the pack, as does Brolo and FakeBsod.
Reveton has also dropped down the ladder, now at 1% of the top 10 share, down from 7% for the preceding 6 months.
Figure 1. Top 10 Ransomware (December 2015 to May 2016)
Figure 2. Top 10 Ransomware (June to November 2015)
For the top 10 countries with the most detections, the United States takes a full half of all detections. Italy is second, followed closely by Canada, Turkey, and the United Kingdom. After that the distribution is spread across the globe.
Figure 3: Top 10 countries (December 2015 to May 2016)
The greatest detections in the US were for FakeBsod, followed by Tescrypt and Brolo. Tescrypt was also prevalent in Italy.
Figure 4: Top detections in top countries (December 2015 to May 2016)
An example of the fake warning message is shown in Figure 5:
Figure 5: Message used by FakeBsod to lock your web browser
You can regain control of your web browser without paying anything by closing the warning message using the Task Manager.
When you reopen your browser, make sure you don’t click Restore previous session.
Read more about this threat in the Ransom:JS/FakeBsod.A description.
Examples of ransomware
For a moment, forget computer and smartphone malware. There’s an even bigger danger in town in the form of brain malware. By exploiting brain-computer interfaces (BCI) used in medical and gaming applications, hackers can read your private and sensitive data. Recently, a team of researchers from the University of Washington shed more light on the subject, demanding policy-oriented regulation of BCIs.
Imagine a scenario where you are dealing with your online bank accounts or browsing your favorite social network, and someone is busy reading your mind, gathering your most sensitive and private information.
While you might call this fictitious, researchers are busy exploring such situations and conducting experiments. With the advent of brain-computer interfaces (BCI), which are already being used for medical and non-medical purposes, there’s a need to implement some method to secure our brain signals from being misused.
The researchers at the University of Washington in Seattle, talking to Motherboard, say that there’s actually very little time. “If we don’t address this quickly, it’ll be too late,” they say.
Motherboard’s Victoria Turk recently interacted with Howard Chizeck, who is working with Tamara Bonaci and her team. They strapped Turk into a BCI swimcap to play Flappy Whale and recorded her brainwaves. While doing so, the researchers were also sending messages to her brain.
Turk says that as she played along, something unusual started happening and the logos of American banks started appearing and disappearing.
Researchers say that with this method, hackers can insert some images into apps and games, and record your brain’s response using the BCI. Doing so, hackers can know which banks they need to target or something more uncomfortable like your sexual orientation and fetishes.
The same technique can be implemented to read your mind for knowing your political or religious mindsets. Here’s what Bonaci has to say:
When you’re picking up electric signals to control an application… the application is not only getting access to the useful piece of EEG needed to control that app; it’s also getting access to the whole EEG. And that whole EEG signal contains rich information about us as persons.
The researchers say that they haven’t perfected this art of mind-reading. But, they have been successful in reading people’s personal preferences based upon their strong emotional response. In such cases, after about 300 milliseconds of seeing a stimulus, there’s going to be a “positive peak hidden with their EEG signal.”
The researchers say that soon hackers will target people using fake, brain-malware-packed games. Back in 2013, other researchers had already proved the possibility of side-channel attacks against BCIs, revealing private data like credit card PINs, addresses, passwords, etc.
The University of Washington researchers suggest that there should be a policy-oriented approach to figure out what’s acceptable to do with the data obtained from BCIs.
Hackers have spyware in your mind. You’re minding your business, playing a game or scrolling through social media, and all the while they’re gathering your most private information direct from your brain signals. Your likes and dislikes. Your political preferences. Your sexuality. Your PIN.
It’s a futuristic scenario, but not that futuristic. The idea of securing our thoughts is a real concern with the introduction of brain-computer interfaces—devices that are controlled by brain signals such as EEG (electroencephalography), and which are already used in medical scenarios and, increasingly, in non-medical applications such as gaming.
Researchers at the University of Washington in Seattle say that we need to act fast to implement a privacy and security framework to prevent our brain signals from being used against us before the technology really takes off.
“There’s actually very little time,” said electrical engineer Howard Chizeck over Skype. “If we don’t address this quickly, it’ll be too late.”
I first met Chizeck and fellow engineer Tamara Bonaci when I visited the University of Washington Biorobotics Lab to check out their work on hacking teleoperated surgical robots. While I was there, they showed me some other hacking research they were working on, including how they could use a brain-computer interface (BCI), coupled with subliminal messaging in a videogame, to extract private information about an individual.
Tamara Bonaci (right) and the author in the University of Washington Biorobotics Lab. Image: Motherboard
Bonaci showed me how it would work. She placed a BCI on my head—which looked like a shower cap covered in electrodes—and sat me in front of a computer to play Flappy Whale, a simple platform game based on the addictive Flappy Bird. All I had to do was guide a flopping blue whale through the on-screen course using the keyboard arrow keys. But as I happily played, trying to increase my dismal top score, something unusual happened. The logos for American banks started appearing: Chase, Citibank, Wells Fargo—each flickering in the top-right of the screen for just milliseconds before disappearing again. Blink and you’d miss them.
The idea is simple: Hackers could insert images like these into a dodgy game or app and record your brain’s unintentional response to them through the BCI, perhaps gaining insight into which brands you’re familiar with—in this case, say, which bank you bank with—or which images you have a strong reaction to.
Bonaci’s team have several different Flappy Whale demos, also using logos from local coffee houses and fast food chains, for instance. You might not care who knows your weak spot for Kentucky Fried Chicken, but you can see where it’s going: Imagine if these “subliminal” images showed politicians, or religious icons, or sexual images of men and women. Personal information gleaned this way could potentially be used for embarrassment, coercion, or manipulation.
The ‘Flappy Whale’ game. Images appeared in the top right. Image: Motherboard
“Broadly speaking, the problem with brain-computer interfaces is that, with most of the devices these days, when you’re picking up electric signals to control an application… the application is not only getting access to the useful piece of EEG needed to control that app; it’s also getting access to the whole EEG,” explained Bonaci. “And that whole EEG signal contains rich information about us as persons.”
And it’s not just stereotypical black hat hackers who could take advantage. “You could see police misusing it, or governments—if you show clear evidence of supporting the opposition or being involved in something deemed illegal,” suggested Chizeck. “This is kind of like a remote lie detector; a thought detector.”
Of course, it’s not as simple as “mind reading.” We don’t understand the brain well enough to match signals like this with straightforward meaning. But with careful engineering, Bonaci said that preliminary findings showed it was possible to pick up on people’s preferences this way (their experiments are still ongoing).
“It’s been known in neuroscience for a while now that if a person has a strong emotional response to one of the presented stimuli, then on average 300 milliseconds after they saw a stimulus there is going to be a positive peak hidden within their EEG signal,” she said.
The catch: You can’t tell what the emotional response was, such as whether it was positive or negative. “But with smartly placed stimuli, you could show people different combinations and play the ‘20 Questions’ game, in a way,” said Bonaci.
When I played the Flappy Whale game, the same logos appeared over and over again, which would provide more data about a subject’s response to each image and allow the researchers to better discern any patterns.
“One of the cool things is that when you see something you expect, or you see something you don’t expect, there’s a response—a slightly different response,” said Chizeck. “So if you have a fast enough computer connection and you can track those things, then over time you learn a lot about a person.”
A brain-computer interface. Image: Motherboard
How likely is it that someone would use a BCI as an attack vector? Chizeck and Bonaci think that the BCI tech itself could easily take off very quickly, especially based on the recent sudden adoption of other technologies when incorporated into popular applications—think augmented reality being flung into the mainstream by Pokémon Go.
BCIs have already been touted in gaming, either as a novel controller or to add new functionality such as monitoring stress levels. It’s clear that the ability to “read” someone’s brain signals could also be used for other consumer applications: Chizeck painted a future where you could watch a horror film and see it change in response to your brain signals, like a thought-activated choose-your-own-adventure story. Or imagine porn that changes according to what gets your mind racing.
“The problem is, even if someone puts out an application with the best of intentions and there’s nothing nefarious about it, someone else can then come and modify it,” said Chizeck.
In the Flappy Whale scenario, the researchers imagine that a BCI user might download a game from an app store without realising it has these kinds of subliminal messages in it; it’d be like “brain malware.” Chizeck pointed out that many fake, malware-laden Pokémon-themed apps appeared in the app store around the real game’s release.
But hacking aside, Bonaci and Chizeck argued that the biggest misuse of BCI tech could in fact be advertising, which could pose a threat to users’ privacy as opposed to their security.
You could see BCIs as the ultimate in targeting ads: a direct line to consumers’ brains. If you wore a BCI while browsing the web or playing a game, advertisers could potentially serve ads based on your response to items you see. Respond well to that picture of a burger? Here’s a McDonald’s promotion.
“We usually know when we’re giving up our privacy, although that’s certainly become less true with online behaviour,” said Chizeck. “But this provides an opportunity for someone to gather information from you without you knowing about it at all. When you’re entering something on a web form, you can at least think for a second, ‘Do I want to type this?’”
Brain signals, on the other hand, are involuntary; they’re part of our “wetware.”
The reason the University of Washington team is looking into potential privacy and security issues now is to catch any problems before the tech becomes mainstream (if indeed it ever does). In a 2014 paper, they argue that such issues “may be viewed as an attack on human rights to privacy and dignity.” They point out that, unlike medical data, there are few legal protections for data generated by BCIs.
One obvious way to help control how BCI data is used would rely on policy rather than technology. Chizeck and Bonaci argue that lawyers, ethicists, and engineers need to work together to decide what it’s acceptable to do with this kind of data. Something like an app store certification could then inform consumers as to which apps abide by these standards.
“There has to be an incentive for all app developers, programmers, manufacturers to do it,” said Bonaci. “Otherwise why would they change anything about what they’re doing right now?”
The Washington team has also suggested a more technical solution, which would effectively “filter” signals so that apps could only access the specific data they require. In their paper, they call this a “BCI Anonymizer” and compare it to smartphone apps having limited access to personal information stored on your phone. “Unintended information leakage is prevented by never transmitting and never storing raw neural signals and any signal components that are not explicitly needed for the purpose of BCI communication and control,” they write.
Chizeck said a student in the lab was currently running more tests to characterise further the type and detail of information that can be gleaned through BCIs, and to try a method of filtering this to see if it’s possible to block more sensitive data from leaking out.
By doing this work now, they hope to nip future privacy and security concerns in the bud before most people have ever come into contact with a BCI.
“It’s technically becoming feasible; once you put electrodes on people’s heads, it’s feasible,” said Chizeck. “The question is, do we want to regulate it, can we regulate it, and how?”