Ransomware: What You Need to Know
Europol Public Information
Ransomware: What You Need to Know. A Joint Report by Check Point and Europol
Cyber Intelligence Team
The Hague, 15/12/2016
Contents
1 Introduction
2 The Founding Fathers
3 The Current Top Tier
4 Latest Advancements
5 Statistics
6 The ‘No More Ransom’ Project
7 Tips & Advice – How to Prevent Ransomware from Infecting Your Electronic Devices
1 Introduction
Ransomware is malware designed to extort money from users whose computers it infects. Recent innovative methods for infecting, monetising and targeting lucrative targets show that this attack vector has been growing in sophistication since its primitive yet effective origins.
In recent years, there has been a surge of ransomware. It’s been reported all over security blogs, tech websites and even on the news. It doesn’t seem to stop; in fact, it seems to be getting worse in both spread and sophistication.
CryptoLocker, the first famous ransomware, was observed in the wild in 2013. From then until the end of 2015 there were only a few active ransomware variants. Some of these variants were weak enough that it was possible to decrypt the encrypted files without any need to give in to the ransom demand [1]. The infection methods were limited.
While quite a lot of variants have been created since then, many of them either don’t persist in infecting users’ computers or they run a low-profile campaign. A good example is TeslaCrypt, an infamous ransomware whose authors released a master key for anyone to use.
In other cases, new ransomware variants (even ones that are widely distributed and constantly make headlines) have quickly been found to have bugs when it comes to implementing the encryption itself, such as the recently published decryption tool for the Jigsaw ransomware. These flaws are either fixed in a newer version, or the ransomware is abandoned.
There seems to be a fairly large difference between the top tier of ransomware, which usually maintain several active campaigns, and the trendy new ransomware variants which come and go. In this report, we provide an overview of the scary world of ransomware. We highlight the differences between the most prevalent ransomware families, and present several others, smaller yet unique in their characteristics. Finally, we share some basic methods for protection and mitigation.
[1] It should be noted that paying the ransom does not always result in the release of the encrypted files.
2 The Founding Fathers
While not the first ransomware ever observed in the wild, these are the ones that have blazed the trail:
CryptoLocker
CryptoLocker was the first leader of the ransomware trend and rapidly became a top threat for law enforcement. In May 2014, a multi-national law enforcement operation involving partners from the security industry and academia led to the arrest of the malware creators and the end of CryptoLocker infections. Most current ransomware follows the CryptoLocker pattern, including encryption and the ransom note style.
To confuse matters further, when reporting or recording ransomware incidents, both the media and law enforcement commonly use the term “CryptoLocker” as a synonym for any new or unidentified ransomware using encryption, making clear assessments of the threat difficult.
CryptoWall
CryptoWall started as a CryptoLocker doppelgänger but, after its takedown, CryptoWall became one of the most prominent ransomware variants to date. It remains one of the leading ransomware threats for law enforcement in the EU, with half of Member States reporting cases of CryptoWall. Typically installed by an exploit kit or malicious email attachment, CryptoWall is known for its use of AES encryption and for conducting its Command and Control (C&C) communications over the Tor anonymous network.
TeslaCrypt
Until May 2016, TeslaCrypt was one of the most notable ransomware variants. The ransomware, which was spread mainly via common exploit kits such as Angler, is now defunct: its authors stopped the malware campaign and released a public recovery key.
CTB‐Locker
Emerging in mid-2014, Curve-Tor-Bitcoin (CTB) Locker (also known as Critroni) was one of the first ransomware variants to use Tor to hide its C&C infrastructure. While active during 2015, CTB-Locker activity dropped off in 2016. However, a more recent variant has been targeting web servers and is uniquely using the Bitcoin blockchain to deliver decryption keys to victims. Marginally less prominent among EU law enforcement investigations compared to CryptoWall, CTB-Locker was one of the top malware threats for the financial services industry.
3 The Current Top Tier
These currently active malware families demonstrate the most professional implementation and maintain a high infection rate:
Locky
During its first month in the wild, Locky’s reported infection rates were between one and five computers every second, and approximately 250 000 PCs were infected within its first three days of activity. Locky made headlines after causing a USA hospital to enter a state of emergency but only began to appear in EU law enforcement at the beginning of 2016. According to the findings of IntSights, a security provider specialising in advanced cyber intelligence, threat actors often design malware based on Locky’s characteristics and market them as related to Locky. However, Locky is run by a single attacker who operates worldwide via exploit kits and spam campaigns, and does not have specific targets.
The malware modus operandi is to send a .doc file with malicious macros in it and ask the user to enable macros in Microsoft Word. Once enabled, the ransomware will encrypt the files and add the characteristic “.locky” extension to them. The latest version of Locky adds the extension “.osiris” to the encrypted files, and scrambles their names. For example, a file called test.jpg could be renamed to 4f594feb4104a2e1_wpxan7ix--dzy9--jah6--67d63cb8--15140b74ba3a.osiris. After encryption, the victim is presented with a note that provides information on how to pay the ransom. The ransom payment typically varies between 0.5 and 1 Bitcoin (BTC). The names of these ransom notes have changed for the OSIRIS Locky variant and are now desktopOSIRIS.htm or desktopOSIRIS.bmp. In another campaign that was recently observed, Locky was spread via Facebook Messenger as part of a two-stage attack.
Unfortunately, there are currently no free tools available to decrypt files encrypted by the Locky ransomware. The only way to recover encrypted files is via a backup, or, if you are incredibly lucky, through Volume Shadow Copies. Though Locky does attempt to remove Volume Shadow Copies, in rare cases ransomware infections fail to do so for whatever reason.
CryptXXX
CryptXXX is distributed by both the Angler Exploit Kit and the Bedep Trojan, which drop it as a second-stage infection. Due to several similarities in the attack vector, researchers speculate that the same operator is behind both Angler and CryptXXX.
This malware was recently revamped (version 3.0) with a new encryption algorithm and a new credential-stealing module so that attackers can drain your bank account directly if you refuse to pay up. Exploits used by the Neutrino exploit kit to get CryptXXX 3.0 onto your machine include ever-popular Adobe Flash flaws, most recently based on CVE-2016-4117. The ransomware encrypts files with AES CBC 256-bit encryption and adds the “.cryp1” extension to all affected files. Currently many antiviruses can remove it, but there are no 100% effective decryptors for encrypted files.
TorrentLocker
TorrentLocker is referred to by its operators as ‘CryptoLocker’, similar to the old and famous ransomware. The first three versions of TorrentLocker contain a bug which enables recovery of the encrypted files. Before the release of version four, the flaw was fixed, and from this version on the files cannot be recovered.
Jigsaw
Jigsaw ransomware became infamous thanks to an image of the killer from the horror movie ‘The Saw’ displayed on the ransom note. A decryption tool which can recover files encrypted by multiple Jigsaw variants has been released to the public.
Cerber
Cerber version 5.0.1 has already been released. Cerber 3 evolved into Cerber 4 in just one month, and Cerber 4.1.x evolved into 5.0.x in less than a month. Like the previous versions of the malware, it adds a four-digit extension to the encrypted files which is the fourth segment of the “MachineGuid” value of the HKLM\Software\Microsoft\Cryptography registry key. Instruction files are dropped to notify the victims that their files have been encrypted, and to explain how to pay the ransom. The instruction file of this version has the same filename “_README_XXXX_.hta” as in previous versions, and the format remains the same. Cerber also changes the wallpaper of the infected machine to notify victims that they have been compromised. As explained above, previous indicators of Cerber versions were the file extensions of encrypted files. This is no longer the case for versions after Cerber 4, since now there is no fixed file extension. Instead, the version number is displayed on the modified wallpaper. It also appears that the code in this latest version has been optimised compared to Cerber 4.0.2.
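Because Cerber 4 and later derive the extension from the host's own MachineGuid, a responder can compute the extension to expect on a given machine and triage a file listing against it. The following is an added example (not code from the report or from Check Point/Europol); the function names are ours, and reading XXXX in “_README_XXXX_.hta” as a four-character token is an assumption.

```python
"""Cerber 4+/5 extension check against the local MachineGuid (added example).
The report states the appended extension is the fourth segment of the
MachineGuid value under HKLM\\Software\\Microsoft\\Cryptography."""
import re
import sys
from typing import Iterable, Optional

# MachineGuid has the usual 8-4-4-4-12 GUID layout, optionally in braces.
_GUID_RE = re.compile(
    r"^\{?([0-9a-f]{8})-([0-9a-f]{4})-([0-9a-f]{4})-([0-9a-f]{4})-([0-9a-f]{12})\}?$",
    re.IGNORECASE,
)

# "_README_XXXX_.hta": we treat XXXX as a four-character token (assumption).
_NOTE_RE = re.compile(r"^_README_[0-9A-Za-z]{4}_\.hta$", re.IGNORECASE)


def expected_cerber_extension(machine_guid: str) -> str:
    """Return the extension Cerber 4+/5 would use on this host: the fourth
    GUID segment, lower-cased, with a leading dot."""
    m = _GUID_RE.match(machine_guid.strip())
    if not m:
        raise ValueError(f"not a GUID: {machine_guid!r}")
    return "." + m.group(4).lower()


def matches_cerber_extension(filename: str, machine_guid: str) -> bool:
    """True if the filename ends with the host-specific Cerber extension."""
    return filename.lower().endswith(expected_cerber_extension(machine_guid))


def is_cerber_note(filename: str) -> bool:
    """True if the basename matches the _README_XXXX_.hta instruction file."""
    return bool(_NOTE_RE.match(filename))


def read_local_machine_guid() -> Optional[str]:
    """Read MachineGuid from the registry on Windows; None on other platforms."""
    if sys.platform != "win32":
        return None
    import winreg  # only importable on Windows
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SOFTWARE\Microsoft\Cryptography") as key:
        value, _ = winreg.QueryValueEx(key, "MachineGuid")
    return value


def triage(filenames: Iterable[str], machine_guid: str) -> dict:
    """Count files carrying this host's Cerber extension and any Cerber notes."""
    names = list(filenames)
    return {
        "encrypted": sum(matches_cerber_extension(f, machine_guid) for f in names),
        "notes": sum(is_cerber_note(f) for f in names),
    }


if __name__ == "__main__":
    # Constructed sample GUID used when not running on Windows.
    guid = read_local_machine_guid() or "0f8a2b1c-3d4e-5f60-a1b2-c3d4e5f60718"
    print("expected Cerber extension on this host:", expected_cerber_extension(guid))
    print(triage(["kz8s0d1.a1b2", "_README_7a3f_.hta", "report.docx"], guid))
```

A four-character extension alone is a weak signal; combine it with the note file and the changed wallpaper the text describes before calling an incident.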
Crysis
First discovered in February 2016, Crysis is quickly yet quietly spreading to businesses across the globe. It can infect Windows and Mac systems and encrypts about 200 file types across internal and external storage, as well as network shares, through a combination of RSA and AES encryption algorithms. In addition, to ensure infection, Crysis deletes the system’s shadow copies, which serve as back-up copies of the computer’s files or volumes.
As a measure of persistence, Crysis also sets registry entries in order to be executed at every system start. Upon execution, it encrypts all file types (including those with no extension), leaving only necessary operating system and malware files untouched.
After encryption, a text file named “How to decrypt your files.txt” is dropped into the Desktop folder; the information initially provided is limited to two email addresses which victims can use to communicate with the cybercriminals. After sending the email, the victim receives further instructions to buy the decryption tool needed to unlock the files.
Crysis was mainly distributed via brute-forced RDP credentials and through spam emails with malicious attachments or links to compromised websites.
4 Latest Advancements
Here are the latest advancements in the ransomware world:
Extortion to recruit insiders: Delilah
Delilah tries to recruit insiders via social engineering and extortion, sometimes using ransomware techniques.
The malware is delivered to victims via indecent sites. It infects the user’s PC and starts gathering personal information from the victim so that the individual can later be manipulated or extorted.
This includes information on the victim’s family and workplace and includes webcam operations to record the target’s behaviour. These bots involve a high level of manual labour from the attacking actor to build the extortion motive. Once built, the target can be manipulated into insider malicious data gathering and actions.
This extortion technique was previously reported as being executed on dating websites, where the targets were fooled into sending embarrassing self-recordings, to be later used for extortion. The attacker warned the target they will share the recording on Facebook if the extortion fee is not met.
Ransomware attackers are targeting specific users and not just “casting a net”. This is now done in order to extort higher amounts or to manipulate the target into a more lucrative action.
Encryption without Command and Control: SamSam
Attackers are targeting networks which are not connected to the internet. At first the attacker creates a foothold in the organisation by scanning the target for vulnerabilities and getting onto the network. Then the attacker moves to infect the machines without need for network connectivity and hold the whole organisation to ransom at the same time. Throughout 2016, SamSam was noted to be targeting organisations in the healthcare industry, including hospitals.
The current common ransomware behaviour is to have a default encryption method without the need for a Command and Control (C2). Cutting out the need for a C2 infrastructure, and residing in the Tor network, allows these campaigns to keep going after successful takedowns of C2 infrastructure.
Complete Hard-Drive encryption: Petya
Petya ransomware not only encrypts all files found on the victim’s hard-drive, but its operators hold the entire hard-drive’s content hostage as well, by encrypting its Master File Table (MFT). Check Point researchers revealed multiple flaws in the encryption algorithm implementation, and provided a method to restore all data encrypted by Petya.
Synchronising attacks: Cerber
Attackers are searching for holes in defences. Once found, they synchronise the attacks to massively exploit the hole. This results in a high wave of undetectable malware bypassing different layers of protection. Such attacks were found to bypass Office 365 cloud email security solutions and have a very low detection rate by anti-virus software at the date of the synchronised attack.
First published in February 2016, Cerber has been one of the most widespread ransomware variants in the past year. Its features include audio delivery of the ransom message using the Microsoft Speech API, and ignoring machines from several countries such as Russia, Georgia and Ukraine. Its latest version, dubbed Cerber v5.0.1, was released in November 2016. It relies on redirects via Google and the use of a Tor2Web proxy service to disguise its activity and block attempts to shutter servers hosting the malicious content. Emails are distributed with the recipient’s name in the subject, giving them the appearance of legitimacy, and present hyperlinks to the usual subjects of potential interest: pictures, order details, transaction logs, loan acceptance letters, etc. But hidden within the message, a URL employs Google redirection, leading unwitting victims to the malicious payload hosted on the Tor network. Clicking the bad link delivers a Word document containing the malware downloader with the Cerber variant.
Cerber is ransomware-as-a-service which is advertised and sold in closed forums on the Dark Web, and thus its targets are varied and depend on the participating affiliates. The affiliates operate their own campaigns, while choosing the targets and the distribution method, and the income from their attacks is divided between them and the ransomware creator.
Open source ransomware: LockLock
This ransomware has been observed to be based on the open-source ransomware EDA2, and initial analysis of attacks shows victims whose IP addresses appear to come from China. This particular ransomware encrypts using the AES-256 algorithm and appends a “.locklock” extension to its targeted file types. The ransom note, found in the file “READ_ME.TXT”, demands that the victim communicates with the cybercriminals via an email address or Skype.
Spear phishing attacks: RAA
Last June, RAA made its first rounds, notably using the JScript scripting language. Much more recently, a new RAA variant targeting companies via spear phishing attacks was spotted. This evolved variant now arrives in the form of a password-protected .zip archive attachment. This is an age-old technique that would thwart anti-malware systems from unpacking the file and scanning it for its malicious content. However, the new variant proceeds with the encryption process without the need to communicate to a Command & Control server. Unlike its earlier version, the ransom note, written in Russian, does not ask for a specific amount in bitcoins.
Threat from Romania: NoobCrypt
There is a new variant that reportedly made the mistake of using the same password for all of its victims. This allowed some researchers to develop a list of decryption keys based on the password. When the screen gets locked, a ransom note flashes up saying “Made in Romania.” A ransom amount, deadline, and specific bitcoin address are then provided for the particular release on a per-victim basis.
Cerber lookalike: Razy 5.0
Back in July, a ransomware variant that appears to have the same text-to-speech feature as Cerber was sighted. Razy encrypts files using AES before appending the extension .razy to the locked files. The new variant of Razy, dubbed Razy 5.0, uses a Jigsaw ransomware-inspired note that demands a payment of EUR 10 via PaySafeCard. The ransom note issues a soft threat though: it is noted that, unlike Jigsaw, it does not delete the encrypted files after its set deadline.
Based on EDA2: Fantom
Following the surfacing of Fantom, a variant based on the open-source ransomware EDA2, by the end of August 2016 a new variant was spotted with several updates. Now, Fantom follows the trend of evolved ransomware variants that can encrypt files without having to connect to its Command & Control servers for the keys. Apart from the offline encryption feature, this updated variant adds network share enumeration, and a per-victim display of ransom values based on the targeted victim’s files in its routines.
Ransomware for Android: Dogspectus
This is an exploit kit being used to deliver ransomware to Android devices. It uses several vulnerabilities to silently install malware onto the victim’s phone or tablet in the background. A novel attack method was discovered when a test Android device in a lab environment was hit with the ransomware when an advertisement containing hostile JavaScript loaded from a web page. During the attack, the device did not display the normal “application permissions” dialogue box that typically precedes installation of an Android application.
Shade (aka Encoder.858, aka Troldesh)
Shade is a family of ransomware cryptors that emerged in early 2015. Shade uses malicious spam or exploit kits as primary attack vectors. The latter is the more hazardous method because a victim does not have to open any files: a single visit to an infected website does the trick. When the ransomware infiltrates a victim’s computer system, the Trojan requests an encryption key from the criminal’s Command-and-Control (C&C) server or, should the server be unavailable, uses one of the keys embedded in advance. That means that even if the PC is disconnected from the internet, the ransomware functions, provided it’s already in the system. Once started, it encrypts personal files stored on computer drives and attached network drives. It uses very strong hybrid encryption with a large key (RSA-3072). When the ransomware encrypts a file, it will add the .no_more_ransom extension to each encrypted file. Once the malware has finished encrypting all files, it will create a file named “README.txt” with instructions on how to decrypt all encrypted files.
The No_more_ransom (Shade) ransomware requests a payment in bitcoins to get a key to decrypt the files. It is important to know that it is currently not possible to decrypt the .no_more_ransom files without the private key and decrypt program. Making use of a “brute force” method is also not a way because of the long length of the key. No_more_ransom is a variant of the Shade ransomware infection. It affects all current versions of Windows operating systems such as Windows XP, Windows Vista, Windows 7, Windows 8 and Windows 10. When the virus infects a computer, it uses system directories to store its own files. In
order to run automatically whenever you turn on your computer, the No_more_ransom ransomware creates a registry entry in Windows.
Popcorn Time
Initially discovered by MalwareHunterTeam, the new Popcorn Time ransomware has been designed to give the victim an illegal way of getting a free decryption key for their encrypted files and folders. The ransomware asks the user to pay 1 BTC to decrypt the files on their computer, or to spread the ransomware to two other users to pay the ransom instead. It also provides an onion link in the ransom note that can be used to make other users download the file via Tor. The victims are allowed to pay the ransom within seven days, otherwise their files could be deleted. The source code of the ransomware appears to be not yet finished.
When the user enters the decoding code wrong four times, all of their files will be deleted. Once infected, the Popcorn Time ransomware will check to see if the ransomware has already been run on the PC, by checking some files that it leaves behind after removal. If it has, the ransomware will terminate itself. If not, the Popcorn Time ransomware will either download various images to use as backgrounds or start encrypting the files using AES-256 encryption. The encrypted files will have the “.filock” or “.kok” extension appended to them.
While encrypting the data, the ransomware will display a fake screen that pretends to be the installation of the program. As soon as the encryption is finished, it will save two ransom notes called restore_your_files.html and restore_your_files.txt, and will then automatically display the HTML ransom note asking for 1 Bitcoin. The latest version of the ransomware encrypts files located in My Documents, My Pictures, My Music, and on the desktop.
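Sections 3 and 4 name a fixed extension or ransom-note filename for Locky, CryptXXX, Crysis, LockLock, Razy, Shade and Popcorn Time. The following added example (ours, not the report's or Check Point's code) turns those stated indicators into a file-listing triage; the Locky OSIRIS name pattern is generalised from the single example given for test.jpg (an assumption), and Cerber 4+ is deliberately left out because the text says it has no fixed extension.

```python
"""Filename-indicator triage for families described in this report (added example).
Extensions and note names are those the text states; nothing here is an
authoritative signature set, and common names such as README.txt are weak alone."""
import re
from collections import Counter
from typing import Iterable, Optional, Tuple

# family -> extensions the report says it appends to encrypted files
EXTENSIONS = {
    "Locky": {".locky", ".osiris"},
    "CryptXXX": {".cryp1"},
    "LockLock": {".locklock"},
    "Razy": {".razy"},
    "Shade/Troldesh": {".no_more_ransom"},
    "Popcorn Time": {".filock", ".kok"},
}

# family -> ransom-note filenames the report mentions (lower-cased for comparison)
NOTES = {
    "Locky": {"desktoposiris.htm", "desktoposiris.bmp"},
    "Crysis": {"how to decrypt your files.txt"},
    "LockLock": {"read_me.txt"},
    "Shade/Troldesh": {"readme.txt"},
    "Popcorn Time": {"restore_your_files.html", "restore_your_files.txt"},
}

# Generalised (assumption) from the report's example:
# test.jpg -> 4f594feb4104a2e1_wpxan7ix--dzy9--jah6--67d63cb8--15140b74ba3a.osiris
LOCKY_OSIRIS_RE = re.compile(
    r"^[0-9a-f]{16}_[0-9a-z]{8}--[0-9a-z]{4}--[0-9a-z]{4}--[0-9a-f]{8}--[0-9a-f]{12}\.osiris$",
    re.IGNORECASE,
)


def _basename(path: str) -> str:
    """Last path component, accepting both Windows and POSIX separators."""
    return re.split(r"[\\/]", path)[-1]


def classify(path: str) -> Optional[Tuple[str, str]]:
    """Return (family, kind) for one path, or None if nothing matches.
    kind is 'note', 'encrypted+renamed' (Locky OSIRIS pattern) or 'encrypted'."""
    name = _basename(path)
    low = name.lower()
    for family, notes in NOTES.items():
        if low in notes:
            return family, "note"
    if LOCKY_OSIRIS_RE.match(name):
        return "Locky", "encrypted+renamed"
    dot = low.rfind(".")
    ext = low[dot:] if dot > 0 else ""
    for family, exts in EXTENSIONS.items():
        if ext in exts:
            return family, "encrypted"
    return None


def sweep(paths: Iterable[str]) -> Counter:
    """Aggregate hits per (family, kind) over a listing of paths."""
    counts: Counter = Counter()
    for p in paths:
        hit = classify(p)
        if hit:
            counts[hit] += 1
    return counts


if __name__ == "__main__":
    # Constructed sample listing, not real incident data.
    sample = [
        r"C:\Users\alice\Documents\4f594feb4104a2e1_wpxan7ix--dzy9--jah6--67d63cb8--15140b74ba3a.osiris",
        r"C:\Users\alice\Desktop\desktopOSIRIS.htm",
        r"C:\Users\bob\Pictures\holiday.jpg.cryp1",
        r"C:\Users\bob\Desktop\restore_your_files.html",
        r"C:\Users\bob\Desktop\unrelated.docx",
    ]
    for (family, kind), n in sorted(sweep(sample).items()):
        print(f"{family:15s} {kind:18s} {n}")
```

Feed it the output of a directory walk or a file-server audit; a single Locky-renamed file is a strong hit, while a lone README.txt should only raise the priority of looking for the matching extension.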
5 Statistics
EU Member States (MS) and third parties submit samples of malware to Europol for analysis in the Europol Malware Analysis System (EMAS) [2]. The graph below shows the percentage increase of ransomware samples, quarter-on-quarter, submitted during 2016. In Quarter 4 there was a particular increase, with the number of submissions 158% higher than the previous quarter.
Of these contributions, the ransomware families listed below were the most submitted:
Locky;
Troldesh;
Cerber;
CryptoLocker;
CryptoWall.
[Figure: Number of Ransomware Samples Submitted to EMAS in 2016. X-axis: Q1, Q2, Q3, Q4, To Date; y-axis: Increase on Previous Quarter (%). Values shown: +68%, +21%, +158%.]
[2] The Europol Malware Analysis Solution (EMAS) is a dynamic, automated malware analysis solution, which executes malware samples submitted by Member States and third parties in a tightly controlled sandbox environment. All the information received is stored in a central database. The automated cross-checks can unveil links between attacks performed in different countries with the same malware, or with the same criminal organisation behind the same malware family, connecting to the same domains and related to different investigations within the EU and beyond.
The table below shows the most common ransomware infections for Europe and each of the EU MS countries between January and December 2016 within business, government and academia, as researched by Check Point:
          No.1        No.2        No.3
Europe    Locky       Cryptowall  TeslaCrypt
AT        Locky       Cryptowall  TeslaCrypt
BE        Locky       TeslaCrypt  Cryptowall
BG        Locky       Cryptowall  Fareit
CY        Locky       Cryptowall  TeslaCrypt
CZ        Locky       TeslaCrypt  Cryptowall
DE        TeslaCrypt  Locky       Cryptowall
DK        Locky       Cryptowall  TeslaCrypt
EE        Locky       TeslaCrypt  Cryptowall
ES        Locky       Cryptowall  TeslaCrypt
FI        Locky       TeslaCrypt  Cryptowall
FR        Locky       TeslaCrypt  Cryptowall
UK        Locky       TeslaCrypt  Cryptowall
EL        Locky       TeslaCrypt  Cryptowall
HR        Locky       Cryptowall  TeslaCrypt
HU        TeslaCrypt  Locky       Cryptowall
IE        Locky       TeslaCrypt  Cryptowall
IT        Locky       Cryptowall  TeslaCrypt
LT        Locky       TeslaCrypt  CryptoLocker
LU        Locky       TeslaCrypt  Cryptowall
LV        Cryptowall  Locky       Fareit
MT        Locky       TeslaCrypt  Autoitcrypt
NL        Locky       TeslaCrypt  Cryptowall
PL        Cryptowall  Locky       TeslaCrypt
PT        Locky       TeslaCrypt  Cryptowall
RO        Locky       TeslaCrypt  Cryptowall
SE        Cryptowall  Locky       TeslaCrypt
SI        Locky       Cryptowall  TeslaCrypt
SK        Locky       Cryptowall  TeslaCrypt
6 The ‘No More Ransom’ Project
The ‘No More Ransom’ Project is a joint initiative between law enforcement and the private sector to combat ransomware by creating an online portal aimed at victim mitigation and informing the public about the dangers of ransomware. The project was officially launched on 25 July 2016. Since then, there have been two further rounds where additional partners have been added. This is expected to continue, with the addition of more and more new partners, tools and language versions.
The initial founding project partners were the Dutch Police, Europol’s European Cybercrime Centre (EC3), Kaspersky Lab, and Intel Security. Three months after the launch of the project, law enforcement agencies from a further 13 countries signed up to participate in the initiative, namely: Bosnia and Herzegovina, Bulgaria, Colombia, France, Hungary, Ireland, Italy, Latvia, Lithuania, Portugal, Spain, Switzerland and the United Kingdom. The European Commission and Eurojust also joined. The second round of 21 additional public and private partners joined the project officially on 15 December. The online portal is now available in Dutch, Russian, French, Italian and Portuguese, in addition to English. Translations to yet more languages are currently ongoing, and their implementation will follow very soon.
The portal aims to help victims recover their data without having to pay cybercriminals after ransomware attacks. The users can download decryption tools that have been created based on implementation errors from the criminals, reverse engineering of algorithms, law enforcement actions, or data leaked by criminals online. Victims only need to upload two encrypted files and the ransom note in order to check for available decryption solutions. The project also provides prevention information and links to report cybercrime to the respective national police forces.
7 Tips & Advice – How to Prevent Ransomware from Infecting Your Electronic Devices
Ransomware is malware that locks your computer and mobile devices, or encrypts your electronic files, demanding that a ransom is paid through certain online payment methods (and by an established deadline) in order to regain control of your data. Ransomware can be downloaded through fake application updates or by visiting compromised websites. It can also be delivered as email attachments in spam or dropped/downloaded via other malware (i.e. a Trojan). It is a scam designed to generate huge profits for organised criminal groups. To prevent and minimise the effects of ransomware, Europol’s European Cybercrime Centre advises you take the following measures:
An infographic with the same information is available for download from the Europol website at: https://www.europol.europa.eu/activities-services/public-awareness-and-prevention-guides/tips-advice-to-prevent-ransomware-infecting-your-electronic-devices