Ransomware is a sub-category of trojan that locks down your computer by interfering with its interface, blocking other programs or encrypting its files (a process that makes these files unusable until they’re decrypted). During this lockdown, the ransomware displays a message, most often a pop-up, demanding that you pay a ‘fine’ to reverse the lockdown. The message may also include fake accusations that illegal content was found on your PC, or references to police agencies, to make it more likely that you’ll pay. However, all forms of ransomware are themselves illegal, and any warnings they issue about legal penalties should be treated as fraudulent by definition.
How to Know When You’re Under a Ransomware Attack
Ransomware trojans are among the simplest PC threats to identify, since they always attempt to prevent you from using your computer normally and display very obvious ransom-related messages during their attacks.
Some subclassifications of ransomware that our malware experts have noted, grouped by their symptoms, include:
- Ransomware trojans that encrypt files. This form of ransomware makes popular file types (such as documents or media files) unusable, and often displays its ransom message when you attempt to open an encrypted file. Whether a third-party tool can reverse the encryption depends on the particular trojan (typically on whether its key can be recovered from the infected PC or from a flaw in its implementation); where it can, decryption does no permanent harm to the files in question. However, under no circumstances do our malware researchers recommend paying criminals for a decryption utility or code, since it’s highly likely that the criminals will simply take the ransom without providing anything in return. Ransomware trojans in this category include Trojan.Encoder.94, the QWCiPhErEd Trojan and Trojan.Ransom.HM.
- Ransomware trojans that threaten to encrypt files but refrain from doing so. Since encryption takes additional coding effort, some ransomware simply warns you of a fake encryption attack and then blocks you from opening your files without actually encrypting them. Disabling the ransomware with standard anti-malware tactics restores access to the files as usual.
- Ransomware trojans that block other programs. This variant of ransomware terminates other programs as soon as they appear in memory, or deletes components (such as Registry entries) to render them dysfunctional. If the ransomware has deleted components, you may need to restore some files from a backup or reinstall the affected programs.
- Ransomware that conceals the OS interface. This is the most primitive form of ransomware: it merely uses a pop-up that covers your taskbar, desktop and other means of launching applications. This form has been popularized in the public mind by the widespread ‘Ukash Virus’ family, which includes Athens Security Prosecution of Electronic Crime Ransomware, Sacem Police Nationale Ransomware, Royal Canadian Mount Police (RCMP) Ransomware and the Scotland Yards Ukash Virus.
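The first two categories above look alike from the ransom message alone, so a useful first check after an attack is whether the files were actually encrypted or merely renamed and blocked. The script below is an added example (not code from the original article or from any named product): it classifies a file’s leading bytes as intact, encrypted or low-entropy by first looking for a recognised file signature and then measuring byte entropy. The signature table, the 7.5-bit entropy threshold, the 64 KB sample size and the sample files are all my assumptions, and the sample files are constructed inline rather than taken from any real infection.

```python
"""Triage helper: tell genuinely encrypted files from intact (merely renamed or
blocked) ones by checking file headers and byte entropy. Added example; not
part of the original article or any named product."""
import hashlib
import math
import os
from collections import Counter

# File signatures ("magic bytes") for a few common document/media formats
# (assumed, short list). A file whose header still matches its type has not
# been fully encrypted.
MAGIC = {
    b"%PDF-": "pdf",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"PK\x03\x04": "zip/office-openxml",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole/legacy-office",
}

# Byte-level Shannon entropy at or above this (max is 8.0) suggests ciphertext
# or compressed data. Compressed formats are the main false positive, which is
# why the header check runs first. Threshold is an assumption.
ENTROPY_THRESHOLD = 7.5
SAMPLE_SIZE = 64 * 1024  # bytes examined from the start of each file (assumed)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte for the given data (0.0 for empty or uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def identify_magic(data: bytes):
    """Return the format name whose signature the data starts with, or None."""
    for signature, name in MAGIC.items():
        if data.startswith(signature):
            return name
    return None


def triage(data: bytes) -> str:
    """Classify a file's leading bytes:
    'intact'      - recognised header present; the file has not been encrypted
                    (covers the 'threatens but does not encrypt' variant)
    'encrypted'   - no recognised header and near-random byte distribution
    'low-entropy' - no recognised header but structured content (e.g. plain text)
    Caveat: ransomware that encrypts only part of a file and leaves the header
    alone will still read as 'intact' here; inspect such files by hand.
    """
    if identify_magic(data) is not None:
        return "intact"
    if shannon_entropy(data) >= ENTROPY_THRESHOLD:
        return "encrypted"
    return "low-entropy"


def triage_file(path: str) -> str:
    """Apply triage() to the first SAMPLE_SIZE bytes of a file on disk."""
    with open(path, "rb") as fh:
        return triage(fh.read(SAMPLE_SIZE))


def triage_directory(root: str) -> dict:
    """Walk a directory tree and return {path: verdict} for every file."""
    verdicts = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            verdicts[path] = triage_file(path)
    return verdicts


def pseudo_random_bytes(n: int, seed: bytes = b"constructed-sample") -> bytes:
    """Deterministic high-entropy bytes that stand in for ciphertext in the
    constructed samples below (real encryptor output looks the same to this check)."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:n])


# Constructed sample files: one intact PDF, one plain-text note, one genuinely
# encrypted image and one merely renamed ("fake encryption") Office document.
SAMPLES = {
    "report.pdf": b"%PDF-1.7\n" + b"1 0 obj << /Type /Catalog >> endobj\n" * 50,
    "notes.txt": b"Quarterly notes: revenue up, costs flat.\n" * 60,
    "photo.jpg.locked": pseudo_random_bytes(4096),
    "budget.docx.locked": b"PK\x03\x04\x14\x00\x06\x00" + b"[Content_Types].xml" * 40,
}


def triage_samples() -> dict:
    """Run triage over the constructed samples; returns {name: verdict}."""
    return {name: triage(data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in triage_samples().items():
        print(f"{name:22s} {verdict}")
```

Run against a real machine with `triage_directory("C:/Users/<name>/Documents")` from a clean boot. A tree full of `encrypted` verdicts means a genuine file encryptor and your recovery plan is backups or a vendor decryptor; a tree of `intact` verdicts under scary new extensions is the bluffing variant, and removing the trojan is all that’s needed.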
Using the Long Arm of the Law to Slap Ransomware Off of Your PC
Although the precise solution varies with the type of ransomware that attacks your PC, our malware research team recommends that you always disable the ransomware before removing it, ideally with anti-malware software. Most forms of ransomware hinder your ability to run security and anti-malware programs in some way, and many launch themselves with your OS to do so. Booting into Safe Mode is the usual first step; where Safe Mode is inadequate or inapplicable for disabling the ransomware, boot your PC from an uninfected source, such as a USB drive, DVD or CD.
Once your PC is running without ransomware symptoms, an anti-malware scan should be adequate for detecting and deleting the ransomware and any other PC threats related to its attack. However, encrypted files will remain encrypted, and programs that have been damaged may need to be reinstalled or restored from a backup.