How to remove ransomware

by Jake Doevan - - Updated | Type: Ransomware

Ransomware functions as malevolent software (or malware) that blocks victim’s access to the computer and demands to pay the ransom. The ransom and the official reason, why a victim should pay it, depends on the type of the virus.

Some versions claim that the payment should be made to avoid the punishment of the governmental authority (usually, FBI or local agency), others inform that this is the only way to decrypt encrypted data.

These threats may involve stealing user’s sensitive information, terminating legitimate software (anti-virus, anti-spyware, etc.), showing survey warnings and causing other unwanted activities as well.

Types of malware

Depending on the peculiarities of the malware, IT experts classify file-encrypting threats into these categories:

File Encrypting Ransomware. This version is mostly spread with the help of trojans. Once it infiltrates computer, it finds the mostly used files and encrypts them. Traditionally, encrypted files include photos, music files, videos, art, business and other data that is considered important for the victim.

In addition, such virus starts displaying a huge warning message claiming that the only way to decrypt encrypted data is to pay a ransom. In fact, it is right because the most of such malware deletes the shadow copies of files and prevents their recovery.

Ransomware
Many ransomware viruses demand a payment to be made in a certain amount of time. Otherwise, hackers threaten to destroy encryption key or double the ransom size.

Non-Encrypting Ransomware. This type blocks the entire PC system and seeks to threaten PC user into paying an invented fine. For that, it presents itself as the warning message of the governmental authority. Typically, hackers use such names as FBI, police, and others.

Once it infects the system, it checks it for illegal files, like the pornographic content or unlicensed program versions on victim's computer. Once they are detected, a virus locks the computer down and starts displaying a huge warning message that looks like it belongs to some governmental authority. In this case, a victim is informed that there are illegal files that were detected after the scan on his/hers computer. In addition, user is asked to pay a fine in order to avoid getting into jail.

Browser-Locking Ransomware. This version does not infect the computer system. It relies on JavaScript that blocks the browser and causes a huge warning message. This fake notification is very similar to the one that is displayed by non-encrypting malware. It mostly claims about the illegal user’s activity on the Internet and asks to pay a ransom for avoiding the jail. Of course, such virus has nothing to do with FBI, Europol and other governmental authority.

Ransomware-as-a-service (RaaS) is one of the main factors why crypto-malware business is booming. If felons, who are interested in earning easy money but lack programming knowledge to create their own, may contact the ransomware developers via the darknet and engage in the distribution campaign.

After gaining access to malware configuration, crooks spread the virus via their networks. In exchange, they often receive 20% of the total revenue. Since the business is conducted in secret servers, RaaS has become a great cyber issue.

Modus operandi of file-encrypting threats

Despite their differences in visual graphic interface or source, their purpose is only one – extort money. In order to do so, the cyber criminals employ different techniques. Here is a short summary how crypto-malware differ from ordinary malware.

  • Ransomware viruses encrypt sensitive user's data, such as business documents, videos, photos and other files.
  • Ransom is demanded in exchange to the encrypted files.
  • Such viruses can delete predetermined documents, multimedia objects or any other files containing important information. They also manifest ability to delete essential system components or important parts of other software.
  • Trojanized versions steal login names, passwords, valuable personal documents, and other confidential information. This data is sent through a background Internet connection to a remote host.
  • Ransomware assault may cause you operating systems system to underperform, more specifically, it may force a system restart or significantly affect its CPU speed.
  • Certain types of this malware category may shut down cyber security-related software.
  • More elaborate samples are able to disguise their activity on an operating system until they finish encrypting users' files.

Although they usually do not self-replicate, such threats can make lots of problems on your computer. They can make your vital information inaccessible. It is highly recommended not to pay ransom, which is asked by this threat because that doesn't help to remove the parasite and restore affected information.

Eliminating crypto-malware
Victims should be aware that decryption of files should only be attempted after ransomware removal is performed. Otherwise, all data will be locked again.

Distribution techniques and methods

The most of ransomware parasites are able to propagate themselves and infect their target PC systems without users' knowledge. They can affect computers running Windows operating system, Mac OS X, Android and other operating systems. There are two major ways how these parasites can get into your computer.

Trojan Horse and other malware. The most of this type of infections are spread with the help of trojans. Trojan.Lockscreen is the most used threat for installing ransomware on the system. They get into the system without user's knowledge as they tend to arrive in files attached to e-mail messages that present themselves as messages from reputable parties, such as Amazon, Ebay, financial institutions, etc. Once a user is tricked into downloading such attachment, the trojan, carrying the ransomware payload, gets activated.

Fake pop-up notifications. Some samples of this malware category are distributed by fake pop-up notifications that can be seen either on illegal or on legitimate websites. Mostly, they are set to report about missing updates but they can also “inform” you about a need to scan the system for free and remove viruses from it. These ads are usually filed with unsuspicious names and legitimate logos, so they can trick even the most experienced PC user into clicking them.

Spam emails. This is the most profitable technique in ransomware distribution. Ironically, if users were more cautious, they could be able to prevent the hijack of most destructive threats. The key principle of this technique lies in wrapping the malware into a .doc or .js file. The notorious crypto-malware Locky is especially known to employ this technique.

By emphasizing the importance of the fake invoice or package delivery attachment, victims are persuaded to extract the attached file. If it is a .doc file, it might ask users to enable macro settings. If they are enabled, the corrupted file downloads the main payload of the malware. Alternatively, cyber criminals counterfeit subpoenas or the email supposedly sent by the FBI. Users should pay attention to the content of such emails. They often contain grammar mistakes and typos, and altered credentials.

Exploit kits. This technique is mostly preferred by developers of more sophisticated threats. Locky and Cerber virus authors are especially keen in using Angler, RIG, and Neutrino exploit kits. While, the former, Angler, was fortunately terminated, Rig and Neutrino continue facilitating the transmission peculiarities of crypto-malware. Their main principle of operation lies in compromising in selected domains. By injecting corrupted scripts, users, visiting such domains, end up being hacked by the very threats. Thus, the only viable way of preventing such cyber assault remains the usage of cyber security tools.

Browser extensions. This is relatively new technique, mainly employed by Spora ransomware developers. They also relied on EiTest script technique, which would compromise a certain web page by injecting a specific script. After netizens visit such domain, the content is transformed into an unreadable collection of numbers and characters and “The HoeflerText font wasn't found” notification appears.

In order to read the content, users had to “update” a specific Chrome font browser add-on. Nonetheless, they only facilitated the hack of the file-encrypting threat. Lately, other fraudsters developed a technique of distributing malware via fake GoogleDocs invitations. Thus, in order to lower the risk of crypto-malware assault, users have to retain vigilance, while downloading new apps, enabling new features and communicating with users via social network.

Exploit kits used in ransomware campaigns

Exploit kits are usually adopted by sophisticated and large-scale viruses. As IT professionals and security experts discover more vulnerabilities and patch them, the safer systems around the globe become. Thus, those who update their software regularly should not fear the following exploit kits used by cybercriminals.

Rig Exploit Kit

Rig EK is one of the most prominent ones since 2016 and is used to infect victims in various countries. Rig is mostly used through compromised websites, abusing vulnerabilities of Adobe Flash, Internet Explorer and using malvertising techniques to lure users into clicking on compromised links. JavaScript, Flash, and VBscript-based attacks are used to complete the obfuscated infiltration procedure.

Rig Exploit Kit has been distributing ransomware since its appearance back in 2016, including Cerber, GandCrab, TeslaCrypt, Matrix, CryptoMix, and others. Additionally, the kit has been recently spotted to drop banking trojans and crypto-mining malware. 

Grandsoft Exploit Kit

GrandSoft first emerged in 2012 and then stopped being used in 2014. However, it did re-emerge in 2017 and has been active ever since.

GrandSoft exploit kit uses a similar technique as Rig, although it is far less advanced when it comes to obfuscation. As soon as the victim lands on the malicious web page, the versions of Java, Flash, Silverlight, and AdobeReader are checked. If the vulnerability is found, the kit redirects to the payload retrieval function.

The recent usage of GrandSoft EK includes distribution of GandCrab in early 2018, as well as dropping crypto-miners, trojans and password stealers (AZORult stealer).

Magnitude Exploit Kit

Magnitude EK was offered in the Dark Web since 2014, shifting into a private exploit kit in 2016 which was used exclusively to target South Koreans and Taiwanese. While at the start it focused Flash Player vulnerabilities, it now only relies on Internet Explorer exploitation.

Initially, it delivered Cerber ransomware during 2017. At the end of the same year, hackers began to distribute their own virus – Magniber ransomware. While malware went to great lengths to specifically target North Korea, researchers recently noticed it being used on other Asia Pacific countries.

Cybercrime
Cybercriminals work as an underground organization which continually improve and updates its malware code.

The biggest ransomware outbreaks in history

WannaCry ransomware

Cyber criminals have not failed to astonish the virtual community. However, on the eve of May 11th, 2017, the world was yet to witness the unprecedented cyber assault in the entire history of computer viruses. The next day, different public and governmental institutions, as well as private companies, all around the world started reporting their cyber systems to have been taken by ransomware. Its name was WannaCry.

  • infected more than 200 000 devices in 150 countries
  • demanded over 300 dollars in bitcoins 
  • devised on the basis of “EternalBlue” vulnerability
  • targeted older and outdated Windows OS versions
  • possibly created by Chinese hackers

It targeted solely Windows OS systems. World-class companies such as “Hitachi” or German transportation agency “Deutsche Bahn” were affected by the malware. The ransom note was visible on digital information and advertising boards. The outbreak led international IT cyber specialists to join forces in seizing the attack. Interestingly, that WannaCry hackers were able to wreak havoc due to a seemingly minor factor – EternalBlue (CVE-2017-0144) vulnerability.

The story of WannaCry dates several months ago when the gang of cyber crooks known as “ShadowBrokers” stole the hacking tool developed according to this vulnerability. Surprisingly, the merits for creating such tool do not belong to hackers as many may expect, but rather to National Security Agency.

The image illustrating  the attack of WannaCry
WannaCry devastated several organizations in what is considered to be the biggest ransomware outbreak in history.

With the help of this tool, older versions of Windows which possessed weak transport SMB protocols, fell into the trap set by the malware. Though after the leak was exposed and Microsoft quickly released the patch in March, the scale of WannaCry revealed the high number of outdated system globally.

Nonetheless, the rampage of the malware did not take too long. An IT specialist Marcus Hutchins bought an unregistered domain monitored by the malware developers. Fortunately, he was able to find a “kill switch.” By activating it, the traffic of the malware was finally ceased. While the world was recovering from the attack and estimating losses and scale of damage, the virtual community expected the second wave of the attack.

Since then, affiliated versions, such as WanaCrypt0r, Wana Decryot0r 3.0, made an appearance. Recently, another IT specialist warned netizens as he found a peculiar domain which may be related to the distribution campaign of WannaCry 3.0.

As the virtual community retains focus on this family of viruses, further analysis has presented interesting results. The extracts of the source code of the malware hinted to “Lazarus,” a notorious gang of hackers who are suspected to be working under the protection of the North Korea government. However, other specialists found evidence suggesting that the culprit might have been of Chinese origin.

Speculations over the new series of attacks flickering in the media might indeed provoke the hackers to make a rush and launch the another wave of the attack. Latest versions will, certainly, not include the “kill switch.” On the other hand, every computer virus, despite how powerful it may seem, has a weakness.

Petya ransomware

Petya ransomware is one of the most notorious viruses that crippled multiple high-profile organizations like airports, gas stations, banks and even mostly in Russia and Ukraine in 2017, soon after WannaCry outbreak.

The virus was first spotted in March 2016, infecting victims through contaminated e-mail attachments. Petya targeted Microsoft Windows operating systems, infecting the master boot record and encrypting system files which prevent Windows from booting. Instead, users were prompted to pay $300 in Bitcoin to regain access to their devices.

A new variant of malware hit the world in June 2017 and propagated via the NSA's EternalBlue exploit which was used in WannaCry attacks. Due to the different nature of proliferation, the virus was dubbed NotPetya by security researchers. Although this variant of the virus primarily targeted Ukraine (around 80% of all attacks) and Russia, several infections were spotted in the United Kingdom, the United States, Germany, France, Poland, and Italy.

Ukranian tax preparation software M.E.Doc was compromised to spread the virus, researchers believe. Although M.E.Doc denies any involvement in the ordeal, claiming that they are themselves, victims, the analysis revealed that the backdoor was present in the update system for the six weeks before the attack occurred, making it a well-planned and meticulously executed operation.

Ukranian cybercrime division confiscated the servers from the company, which revealed that software was not patched since 2013; because of this, the company might be liable for the attack as a whole, as security measures were not adequately undertaken. Additionally, the research found that one of the employee's account was compromised, and Russian involvement was detected.

Unlike WannaCry, NotPetya was programmed so that changes made to devices could not be reverted. Therefore, security specialists believe that its purpose was not money extortion, but rather fame and devastation caused to multiple organizations around the world. Among the victims were WPP,  Maersk, DLA Piper, DHL, Rosneft and many others. The operation of firms was disturbed so that some suffered over a $300m loss in revenues (Maersk).

Locky ransomware

Locky was first released in 2016 and was propagated via contaminated spam email attachments over 500,000 were sent out containing malicious document files. The payload would only be executed if victims allow the document to use macro function. Unfortunately, many users did.

The virus locked up personal files and demanded a ransom of 0.5 – 1 in BTC cryptocurrency. The instructions, which were dropped on users' desktops, contained information about how to download and install the Tor browser and how to execute the payment. 

In the time of its operation, Locky was updated several times, and new versions emerged. Not surprisingly, each variant came with improved obfuscation and proliferation techniques, making it one of the biggest threats of 2016. Hackers added offline encryption function, and variants like Diablo6 and Lukitus came as most prevalent ransomware. 

Locky was also distributed using Necrus botnet which included over five million hacked machines. An interesting fact is that the virus kept disappearing each time Necrus was used for the distribution of something else, for example, during Jaff ransomware spree. Nevertheless, the two viruses seem to be connected, security researches believe.

One of the most notorious cases when it comes to Locky occurred in February 2016, when Hollywood Presbyterian Medical Center in Los Angeles paid a ransom of 40 Bitcoins, which at the time came close to $17,000. The staff could not operate the systems, neither could they access medical data of patients.

Cerber ransomware

Cerber virus was another significant threat of 2016 as it infected over 150,000 Windows users in July alone, including a total of 161 active virus campaigns. It was distributed using various exploit kits, including Magnitude, Neutrino, and Rig. 

The malware was updated several times, adding new file extensions and asking for 1.2 BTW for data recovery. According to research, the virus was generating around $2.3 million of annual income.

Additionally, malware authors decided to share the functionality with whoever wants it – for a price. Cerber is known to be operated as Ransomware-as-a-service (RaaS), and bad actors can use the virus as long as they share 40% of the profits received from ransom payments. Bitcoin Mixing Service allows authors to obtain the percentage of payment automatically.

Cerber ransomware works in collaboration with other viruses, such as Kovter Trojan. The obfuscated email attachments from FedEx, UPS and other delivery services were used as an effective method to spread both viruses. It was capable of looking for files that belong to various Bitcoin wallet apps, and stealing crypto wallet data.

Another interesting feature is that malware does not target users from ex-Soviet countries, including Azerbaijan, Armenia, Georgia, Belarus, Kyrgyzstan, Kazakhstan, Moldova, Turkmenistan, Tajikistan, Russia,  Uzbekistan, and Ukraine. 

While Cerber is an advanced infection, it does have certain weaknesses. Several early versions are decryptable, and experts noticed some attacks failing to remove Shadow Volume Copies, allowing victims to restore files without much trouble. Nevertheless, several new versions are not decryptable, and virus keeps coming back stronger.

Unblocking computer and removing file-encrypting threats

In case of the assault, it is not recommended paying the ransom. There are lots of people who have lost their money in this way. Also, do not believe messages stating that you are dealing with governmental authorities because it's not true.

Usually, such statements are displayed just for exerting psychological pressure on people and persuading them into paying ransoms. Fortunately, numerous antivirus and anti-spyware applications can easily find ransomware files on the system and remove each of them. More information about them can be found in the Software section.

Countering crypto-malware on Windows OS

Ransomware is booming
Although there were several cyber threats in 2000s that were wide-spread (Zeus virus), ransomware is the epidemic of 2010s, and it is not going away any time soon.

Despite how elaborate a file-encrypting is, manual termination is never an option. Even if it is just a weak screen locker, opt for an automatic solution. Press Alt+F4 combination of keys and then launch an anti-spyware tool. If, on the way of launching a security tool, you face a series of system errors, perform the below steps. Safe Mode will grant you access to vital functions and then you will be able to eliminate ransomware.

• Reboot computer in Safe Mode and repeat the installation of anti-malware app;
• Reboot computer in Safe Mode with Command Prompt and then install anti-malware program;
• Restore your system settings;
• Disable the affected web browser;
• Use Reimage or Plumbytes Anti-MalwareNorton Internet Security;
• Contact 2spyware customer service through “Ask Us” section;

After the elimination process is finished, you might also install firewall software to complement your anti-virus and anti-spyware tools. The former software proves to be effective in blocking trojans or ransomware which occupy devices by exploiting weak Remote Desktop protocols.

Terminating ransomware on Mac OS

Mac ransomware might become a more frequent phenomenon
Mac ransomware might become a more frequent phenomenon.

Apple users are said to have a certain advantage over Windows OS owners. For a long time, the term “Mac ransomware” only brought a surprised look if not a smile on users faces. However, crypto-malware designed for Mac OS system is no longer a fantasy. Mac OS-based file-encrypting threats target devices in the disguise of rogue applications or corrupted app updates. Indeed, such cases are significantly lower than the number of Windows-based file-encrypting threats.

Therefore, it is crucial to be aware of prevention measures. The same crypto-malware methods apply in terminating the malware on Mac os systems as well. You will find explicit reviews of applications which might be effective in eliminating ransomware on Apple devices. In addition, there are also free tools which solely focus on detecting file-encrypting activities. Having such tool on the device might strengthen the overall immunity of the device.

NoMore ransom project offers solution for ransomware victims

At the end of last year, numerous articles appeared on online media entitling 2016 to be the year of ransomware. With such threats as CryptoLocker, Cerber, Locky rampant online, netizens were entrapped between three options – either pay the ransom and rely on hackers mercy, restore data from backup files (at the best case of scenario) or give up the files.

Fortunately, cyber specialists and international law enforcement forces have worked tirelessly on the project which, later on, was introduced as NoMoreRansom. National High Tech Crime Unit of the Netherlands’ police, Europol’s European Cybercrime Centre, Kaspersky Lab and Intel Security are credited for this initiative. It helps victims affected by crypto-malware.

At the moment, the domain encompasses a series of decryption tools of most popular file-encrypting threats. However, even if netizens managed to get infected with older samples or less popular threats, they will also find the website highly beneficial. It is regularly updated with the improved decryption tools.

Users, who have ben struck with XData ransomware, might find the tool to decode their files for free. AES-NI, Globe ransomware, TeslaCrypt and HiddenTear victims will also find a solution. With the expanding network of partners, NoMoreRansom keeps also gives prevention tips. The developers note that ransomware education is gaining more importance as mere cautiousness may save from highly troublesome and severe outcomes.

Latest ransomware added to the database

Information updated: 2018-08-09

Read in other languages

Ransomware removal software
Compare
Like us on Facebook