Ransomware: What You Need to Know

A Joint Report by Check Point and Europol Cyber Intelligence Team

The Hague, 15/12/2016

Europol Public Information


Contents

1 Introduction (page 3)
2 The Founding Fathers (page 4)
3 The Current Top Tier (page 5)
4 Latest Advancements (page 7)
5 Statistics (page 12)
6 The ‘No More Ransom’ Project (page 14)
7 Tips & Advice – How to Prevent Ransomware from Infecting Your Electronic Devices (page 15)


1 Introduction 

Ransomware is malware designed to extort money from users whose computers it infects. Recent innovative methods for infecting, monetising and targeting lucrative targets show that this attack vector has grown in sophistication since its primitive yet effective origins.

In recent years, there has been a surge of ransomware. It’s been reported all over security blogs, tech websites and even on the news. It doesn’t seem to stop; in fact, it seems to be getting worse in both spread and sophistication.

CryptoLocker, the first famous ransomware, was observed in the wild in 2013. From then until the end of 2015 there were only a few active ransomware variants. Some of these variants were weak enough that it was possible to decrypt the encrypted files without any need to give in to the ransom demand[1]. The infection methods were limited.

While quite a lot of variants have been created since then, many of them either don’t persist in infecting users’ computers or they run a low-profile campaign. A good example is TeslaCrypt, an infamous ransomware whose authors released a master key for anyone to use.

In other cases, new ransomware variants – even ones that are widely distributed and constantly make headlines – have quickly been found to have bugs when it comes to implementing the encryption itself, such as the recently published decryption tool for the Jigsaw ransomware. These flaws are either fixed in a newer version, or the ransomware is abandoned.

There seems to be a fairly large difference between the top tier of ransomware, which usually maintain several active campaigns, and the trendy new ransomware variants which come and go. In this report, we provide an overview of the scary world of ransomware. We highlight the differences between the most prevalent ransomware families, and present several others, smaller yet unique in their characteristics. Finally, we share some basic methods for protection and mitigation.

[1] It should be noted that paying the ransom does not always result in the release of the encrypted files.


2 The Founding Fathers 

While not the first ransomware ever observed in the wild, these are the ones that have blazed the trail:

CryptoLocker

CryptoLocker was the first leader of the ransomware trend and rapidly became a top threat for law enforcement. In May 2014, a multi-national law enforcement operation involving partners from the security industry and academia led to the arrest of the malware creators and the end of CryptoLocker infections. Most current ransomware follows the CryptoLocker pattern, including encryption and the ransom note style.

To confuse matters further, when reporting or recording ransomware incidents, both the media and law enforcement commonly use the term “CryptoLocker” as a synonym for any new or unidentified ransomware using encryption, making clear assessments of the threat difficult.

CryptoWall

CryptoWall started as a CryptoLocker doppelgänger but, after its takedown, CryptoWall became one of the most prominent ransomware variants to date. It remains one of the leading ransomware threats for law enforcement in the EU, with half of Member States reporting cases of CryptoWall. Typically installed by an exploit kit or malicious email attachment, CryptoWall is known for its use of AES encryption and for conducting its Command and Control (C&C) communications over the Tor anonymous network.

TeslaCrypt

Until May 2016, TeslaCrypt was one of the most notable ransomware variants. The ransomware, which was spread mainly via common exploit kits such as Angler, is now defunct: its authors stopped the malware campaign and released a public recovery key.

CTB-Locker

Emerging in mid-2014, Curve-Tor-Bitcoin (CTB) Locker (also known as Critroni) was one of the first ransomware variants to use Tor to hide its C&C infrastructure. While active during 2015, CTB-Locker activity dropped off in 2016. However, a more recent variant has been targeting web servers and is uniquely using the Bitcoin blockchain to deliver decryption keys to victims. Marginally less prominent among EU law enforcement investigations compared to CryptoWall, CTB-Locker was one of the top malware threats for the financial services industry.


3 The Current Top Tier 

These currently active malware families demonstrate the most professional implementation and maintain a high infection rate:

Locky

During its first month in the wild, Locky’s reported infection rates were between one and five computers every second, and approximately 250 000 PCs were infected within its first three days of activity. Locky made headlines after causing a USA hospital to enter a state of emergency, but only began to appear in EU law enforcement cases at the beginning of 2016. According to the findings of IntSights, a security provider specialising in advanced cyber intelligence, threat actors often design malware based on Locky’s characteristics and market them as related to Locky. However, Locky is run by a single attacker who operates worldwide via exploit kits and spam campaigns, and does not have specific targets.

The malware’s modus operandi is to send a .doc file with malicious macros in it and ask the user to enable macros in Microsoft Word. Once enabled, the ransomware will encrypt the files and add the characteristic “.locky” extension to them. The latest version of Locky adds the extension “.osiris” to the encrypted files, and scrambles their names. For example, a file called test.jpg could be renamed to 4f594feb4104a2e1_wpxan7ix--dzy9--jah6--67d63cb8--15140b74ba3a.osiris. After encryption, the victim is presented with a note that provides information on how to pay the ransom. The ransom payment typically varies between 0.5 and 1 Bitcoin (BTC). The names of these ransom notes have changed for the OSIRIS Locky variant and are now desktopOSIRIS.htm or desktopOSIRIS.bmp. In another campaign that was recently observed, Locky was spread via Facebook Messenger as part of a two-stage attack.

Unfortunately, there are currently no free tools available to decrypt files encrypted by the Locky ransomware. The only way to recover encrypted files is via a backup or, if you are incredibly lucky, through Volume Shadow Copies. Though Locky does attempt to remove Volume Shadow Copies, in rare cases ransomware infections fail to do so for whatever reason.

CryptXXX

CryptXXX is distributed by both the Angler Exploit Kit and the Bedep Trojan, which drop it as a second-stage infection. Due to several similarities in the attack vector, researchers speculate that the same operator is behind both Angler and CryptXXX.

This malware was recently revamped (version 3.0) with a new encryption algorithm and a new credential-stealing module so that attackers can drain your bank account directly if you refuse to pay up. Exploits used by the Neutrino exploit kit to get CryptXXX 3.0 onto your machine include ever-popular Adobe Flash flaws, most recently based on CVE-2016-4117. The ransomware encrypts files with AES CBC 256-bit encryption and adds the “.cryp1” extension to all affected files. Currently many antiviruses can remove it, but there are no 100% effective decryptors for encrypted files.

TorrentLocker

TorrentLocker is referred to by its operators as ‘CryptoLocker’, similar to the old and famous ransomware. The first three versions of TorrentLocker contain a bug which enables recovery of the encrypted files. Before the release of version four, the flaw was fixed, and from this version on the files cannot be recovered.

Jigsaw

Jigsaw ransomware became infamous thanks to an image of the killer from the horror movie ‘The Saw’ displayed on the ransom note. A decryption tool which can recover files encrypted by multiple Jigsaw variants has been released to the public.

Cerber

Cerber version 5.0.1 has already been released. Cerber 3 evolved into Cerber 4 in just one month, and Cerber 4.1.x evolved into 5.0.x in less than a month. In addition to the behaviour of previous versions of the malware, it adds a four-digit extension to the encrypted files which is the fourth segment of the “MachineGuid” value of the HKLM\Software\Microsoft\Cryptography registry key. Instruction files are dropped to notify the victims that their files have been encrypted, and to explain how to pay the ransom. The instruction file of this version has the same filename “_README_XXXX_.hta” as in previous versions, and the format remains the same. Cerber also changes the wallpaper of the infected machine to notify victims that they have been compromised. As explained above, previous indicators of Cerber versions were the file extensions of encrypted files. This is no longer the case for versions after Cerber 4, since now there is no fixed file extension. Instead, the version number is displayed on the modified wallpaper. It also appears that the code in this latest version has been optimised compared to Cerber 4.0.2.
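The file-name indicators described above for Locky’s OSIRIS variant and for Cerber’s MachineGuid-derived extension lend themselves to a small host-side triage check. The following is an added example, not code from the report or from Check Point or Europol: the OSIRIS name pattern is generalised from the single example given above, the four characters in the Cerber note name are assumed to be alphanumeric, and the MachineGuid and file list are constructed samples.

```python
"""Host-side triage for the file-name indicators the report attributes to
Locky (OSIRIS variant) and Cerber 4.x/5.x.  Added example, not code from the
report or from Check Point/Europol.  Assumptions are marked in comments."""
import re
from dataclasses import dataclass
from typing import Iterable, List

# Locky OSIRIS renaming.  The report gives one example:
#   test.jpg -> 4f594feb4104a2e1_wpxan7ix--dzy9--jah6--67d63cb8--15140b74ba3a.osiris
# ASSUMPTION: generalised here as 16 hex chars, "_", five "--"-separated
# alphanumeric groups and the ".osiris" extension.
OSIRIS_RE = re.compile(r"^[0-9a-f]{16}_[0-9a-z]+(?:--[0-9a-z]+){4}\.osiris$", re.I)

# Ransom note names stated in the report for the OSIRIS Locky variant.
LOCKY_NOTES = {"desktoposiris.htm", "desktoposiris.bmp"}

# Cerber drops "_README_XXXX_.hta".  ASSUMPTION: XXXX is four alphanumerics.
CERBER_NOTE_RE = re.compile(r"^_README_[0-9A-Za-z]{4}_\.hta$")


def cerber_extension(machine_guid: str) -> str:
    """Return the per-host extension Cerber appends to encrypted files: the
    fourth dash-separated segment of the MachineGuid value stored under
    HKLM\\Software\\Microsoft\\Cryptography (as described in the report).
    A MachineGuid has the 8-4-4-4-12 form, so that segment is four hex digits."""
    parts = machine_guid.strip().strip("{}").split("-")
    if len(parts) != 5 or len(parts[3]) != 4:
        raise ValueError("MachineGuid is not in 8-4-4-4-12 form: %r" % machine_guid)
    return "." + parts[3].lower()


@dataclass
class Hit:
    path: str
    family: str
    reason: str


def scan(paths: Iterable[str], machine_guid: str) -> List[Hit]:
    """Classify each path; a hit means the file name matches a Locky or Cerber
    indicator from the report.  Because Cerber's extension is derived from the
    host's MachineGuid, the scan must be given the value from that host."""
    ext = cerber_extension(machine_guid)
    hits: List[Hit] = []
    for path in paths:
        name = re.split(r"[\\/]", path)[-1]   # basename for Windows or POSIX paths
        lower = name.lower()
        if OSIRIS_RE.match(name):
            hits.append(Hit(path, "Locky", "OSIRIS-style renamed file"))
        elif lower in LOCKY_NOTES:
            hits.append(Hit(path, "Locky", "ransom note " + name))
        elif CERBER_NOTE_RE.match(name):
            hits.append(Hit(path, "Cerber", "ransom note " + name))
        elif lower.endswith(ext):
            hits.append(Hit(path, "Cerber", "MachineGuid-derived extension " + ext))
    return hits


# Constructed sample input (not real victim data): one MachineGuid and a few
# file names as they might be listed from a user profile.
SAMPLE_MACHINE_GUID = "9c2f5e0b-2ad1-4c7e-b3a6-0f1e2d3c4b5a"
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\4f594feb4104a2e1_wpxan7ix--dzy9--jah6--67d63cb8--15140b74ba3a.osiris",
    r"C:\Users\alice\Desktop\desktopOSIRIS.htm",
    r"C:\Users\alice\Pictures\holiday.jpg",
    r"C:\Users\alice\Desktop\_README_k7Qz_.hta",
    r"C:\Users\alice\Documents\budget.b3a6",
    r"C:\Users\alice\Documents\notes.txt",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_PATHS, SAMPLE_MACHINE_GUID):
        print(f"{hit.family:7} {hit.reason:40} {hit.path}")
```

On a real host the MachineGuid would be read from the registry key named above and the path list taken from a directory walk; a match on the derived extension is the indicator that survives Cerber’s move away from fixed extensions.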

Crysis

First discovered in February 2016, Crysis is quickly yet quietly spreading to businesses across the globe. It can infect Windows and Mac systems and encrypts about 200 file types across internal and external storage, as well as network shares, through a combination of RSA and AES encryption algorithms. In addition, to ensure infection, Crysis deletes the system’s shadow copies, which serve as back-up copies of the computer’s files or volumes.

As a measure of persistence, Crysis also sets registry entries in order to be executed at every system start. Upon execution, it encrypts all file types (including those with no extension), leaving only necessary operating system and malware files untouched.

After encryption, a text file named “How to decrypt your files.txt” is dropped into the Desktop folder; the information initially provided is limited to two email addresses which victims can use to communicate with the cybercriminals. After sending the email, the victim receives further instructions to buy the decryption tool needed to unlock the files.

Crysis was mainly distributed via brute-forced RDP credentials and through spam emails with malicious attachments or links to compromised websites.

4 Latest Advancements 

Here are the latest advancements in the ransomware world:

Extortion to recruit insiders: Delilah

Delilah tries to recruit insiders via social engineering and extortion, sometimes using ransomware techniques.

The malware is delivered to victims via indecent sites. It infects the user’s PC and starts gathering personal information from the victim so that the individual can later be manipulated or extorted.

This includes information on the victim’s family and workplace, and includes webcam operations to record the target’s behaviour. These bots involve a high level of manual labour from the attacking actor to build the extortion motive. Once built, the target can be manipulated into insider malicious data gathering and actions.

This extortion technique was previously reported as being executed on dating websites, where the targets were fooled into sending embarrassing self-recordings, to be later used for extortion. The attacker warned the target they will share the recording on Facebook if the extortion fee is not met.

Ransomware attackers are targeting specific users and not just “casting a net”. This is now done in order to extort higher amounts or to manipulate the target into a more lucrative action.


Encryption without Command and Control: SamSam

Attackers are targeting networks which are not connected to the internet. At first the attacker creates a foothold in the organisation by scanning the target for vulnerabilities and getting onto the network. Then the attacker moves to infect the machines without need for network connectivity and holds the whole organisation to ransom at the same time. Throughout 2016, SamSam was noted to be targeting organisations in the healthcare industry, including hospitals.

The current common ransomware behaviour is to have a default encryption method without the need for a Command and Control (C2). Cutting out the need for a C2 infrastructure, and residing in the Tor network, allows these campaigns to keep going after successful takedowns of C2 infrastructure.

Complete Hard-Drive encryption: Petya

Petya ransomware not only encrypts all files found on the victim’s hard-drive, but its operators hold the entire hard-drive’s content hostage as well, by encrypting its Master File Table (MFT). Check Point researchers revealed multiple flaws in the encryption algorithm implementation, and provided a method to restore all data encrypted by Petya.

Synchronising attacks: Cerber

Attackers are searching for holes in defences. Once found, they synchronise the attacks to massively exploit the hole. This results in a high wave of undetectable malware bypassing different layers of protection. Such attacks were found to bypass Office 365 cloud email security solutions and have a very low detection rate by anti-virus software at the date of the synchronised attack.

First published in February 2016, Cerber has been one of the most widespread ransomware variants in the past year. Its features include audio delivery of the ransom message using the Microsoft Speech API, and ignoring machines from several countries such as Russia, Georgia and Ukraine. Its latest version, dubbed Cerber v5.0.1, was released in November 2016. It relies on redirects via Google and the use of a Tor2Web proxy service to disguise its activity and block attempts to shutter servers hosting the malicious content. Emails are distributed with the recipient’s name in the subject, giving them the appearance of legitimacy, and present hyperlinks to the usual subjects of potential interest: pictures, order details, transaction logs, loan acceptance letters, etc. But hidden within the message, a URL employs Google redirection, leading unwitting victims to the malicious payload hosted on the Tor network. Clicking the bad link delivers a Word document containing the malware downloader with the Cerber variant.


Cerber is ransomware-as-a-service which is advertised and sold in closed forums on the Dark Web, and thus its targets are varied and depend on the participating affiliates. The affiliates operate their own campaigns, choosing the targets and the distribution method, and the income from their attacks is divided between them and the ransomware creator.

Open source ransomware: LockLock

This ransomware has been observed to be based on the open-source ransomware EDA2, and initial analysis of attacks shows victims whose IP addresses appear to come from China. This particular ransomware encrypts using the AES-256 algorithm and appends a “.locklock” extension to its targeted file types. The ransom note, found in the file “READ_ME.TXT”, demands that the victim communicates with the cybercriminals via an email address or Skype.

Spear phishing attacks: RAA

Last June, RAA made its first rounds, notably using the JScript scripting language. Much more recently, a new RAA variant targeting companies via spear phishing attacks was spotted. This evolved variant now arrives in the form of a password-protected .zip archive attachment. This is an age-old technique that would thwart anti-malware systems from unpacking the file and scanning it for its malicious content. However, the new variant proceeds with the encryption process without the need to communicate with a Command & Control server. Unlike its earlier version, the ransom note, written in Russian, does not ask for a specific amount in bitcoins.

Threat from Romania: NoobCrypt

There is a new variant that reportedly made the mistake of using the same password for all of its victims. This allowed some researchers to develop a list of decryption keys based on the password. When the screen gets locked, a ransom note flashes up saying “Made in Romania.” A ransom amount, deadline, and specific bitcoin address are then provided for the particular release on a per-victim basis.

Cerber lookalike: Razy 5.0

Back in July, a ransomware variant that appears to have a text-to-speech feature similar to Cerber’s was sighted. Razy encrypts files using AES before appending the extension .razy to the locked files. The new variant of Razy, dubbed Razy 5.0, uses a Jigsaw ransomware-inspired note that demands a payment of EUR 10 via PaySafeCard. The ransom note issues a soft threat though: it is noted that, unlike Jigsaw, it does not delete the encrypted files after its set deadline.


Based on EDA2: Fantom

Following the surfacing of Fantom – a variant based on the open-source ransomware EDA2 – by the end of August 2016, a new variant was spotted with several updates. Now, Fantom follows the trend of evolved ransomware variants that can encrypt files without having to connect to its Command & Control servers for the keys. Apart from the offline encryption feature, this updated variant adds network share enumeration, and a per-victim display of ransom values based on the targeted victim’s files, to its routines.

Ransomware for Android: Dogspectus

This is an exploit kit being used to deliver ransomware to Android devices. It uses several vulnerabilities to silently install malware onto the victim’s phone or tablet in the background. A novel attack method was discovered when a test Android device in a lab environment was hit with the ransomware as an advertisement containing hostile JavaScript loaded from a web page. During the attack, the device did not display the normal “application permissions” dialogue box that typically precedes installation of an Android application.

Shade (aka Encoder.858, aka Troldesh)

Shade is a family of ransomware cryptors that emerged in early 2015. Shade uses malicious spam or exploit kits as primary attack vectors. The latter is the more hazardous method because a victim does not have to open any files: a single visit to an infected website does the trick. When the ransomware infiltrates a victim’s computer system, the Trojan requests an encryption key from the criminal’s Command-and-Control (C&C) server or, should the server be unavailable, uses one of the keys embedded in advance. That means that even if the PC is disconnected from the internet, the ransomware functions, provided it’s already in the system. Once started, it encrypts personal files stored on computer drives and attached network drives. It uses very strong hybrid encryption with a large key (RSA-3072). When the ransomware encrypts a file, it will add the .no_more_ransom extension to each encrypted file. Once the malware has finished encrypting all files, it will create a file named “README.txt” with instructions on how to decrypt all encrypted files.

The No_more_ransom (Shade) ransomware requests a payment in bitcoins to get a key to decrypt the files. It is important to know that it is currently not possible to decrypt the .no_more_ransom files without the private key and decrypt program. Making use of a “brute force” method is also not an option because of the long length of the key. No_more_ransom is a variant of the Shade ransomware infection. It affects all current versions of Windows operating systems such as Windows XP, Windows Vista, Windows 7, Windows 8 and Windows 10. When the virus infects a computer, it uses system directories to store its own files. In order to run automatically whenever you turn on your computer, the No_more_ransom ransomware creates a registry entry in Windows.

Popcorn Time

Initially discovered by MalwareHunterTeam, the new Popcorn Time ransomware has been designed to give the victim an illegal way of getting a free decryption key for their encrypted files and folders. The ransomware asks the user to pay 1 BTC to decrypt the files on their computer, or to spread the ransomware to two other users to pay the ransom instead. It also provides an onion link in the ransom note that can be used to make other users download the file via Tor. The victims are allowed to pay the ransom within seven days, otherwise their files could be deleted. The source code of the ransomware appears to be not yet finished.

When the user enters the decoding code wrong four times, all of their files will be deleted. Once infected, the Popcorn Time ransomware will check to see if the ransomware has already been run on the PC, by checking some files that it leaves behind after removal. If it has, the ransomware will terminate itself. If not, the Popcorn Time ransomware will either download various images to use as backgrounds or start encrypting the files using AES-256 encryption. The encrypted files will have the “.filock” or “.kok” extension appended to them.

While encrypting the data, the ransomware will display a fake screen that pretends to be the installation of the program. As soon as the encryption is finished, it will save two ransom notes called restore_your_files.html and restore_your_files.txt, and will then automatically display the HTML ransom note asking for 1 Bitcoin. The latest version of the ransomware encrypts files located in My Documents, My Pictures, My Music, and on the desktop.

 


5 Statistics 

EU Member States (MS) and third parties submit samples of malware to Europol for analysis in the Europol Malware Analysis System (EMAS[2]). The graph below shows the percentage increase of ransomware samples, quarter-on-quarter, submitted during 2016. In Quarter 4 there was a particular increase, with the number of submissions 158% higher than the previous quarter.

Of these contributions, the ransomware families listed below were the most submitted:

Locky; 

Troldesh; 

Cerber; 

CryptoLocker; 

CryptoWall. 

[2] The Europol Malware Analysis Solution (EMAS) is a dynamic, automated malware analysis solution, which executes malware samples submitted by Member States and third parties in a tightly controlled sandbox environment. All the information received is stored in a central database. The automated cross-checks can unveil links between attacks performed in different countries with the same malware, or with the same criminal organisation behind the same malware family, connecting to the same domains and related to different investigations within the EU and beyond.

[Figure: Number of Ransomware Samples Submitted to EMAS in 2016. X axis: Q1, Q2, Q3, Q4 (to date); Y axis: Increase on Previous Quarter (%). Values shown: +68% (Q2), +21% (Q3), +158% (Q4).]


The table below shows the most common ransomware infections for Europe and each of the EU MS countries between January and December 2016 within business, government and academia, as researched by Check Point:

Country   No.1         No.2         No.3
Europe    Locky        Cryptowall   TeslaCrypt
AT        Locky        Cryptowall   TeslaCrypt
BE        Locky        TeslaCrypt   Cryptowall
BG        Locky        Cryptowall   Fareit
CY        Locky        Cryptowall   TeslaCrypt
CZ        Locky        TeslaCrypt   Cryptowall
DE        TeslaCrypt   Locky        Cryptowall
DK        Locky        Cryptowall   TeslaCrypt
EE        Locky        TeslaCrypt   Cryptowall
ES        Locky        Cryptowall   TeslaCrypt
FI        Locky        TeslaCrypt   Cryptowall
FR        Locky        TeslaCrypt   Cryptowall
UK        Locky        TeslaCrypt   Cryptowall
EL        Locky        TeslaCrypt   Cryptowall
HR        Locky        Cryptowall   TeslaCrypt
HU        TeslaCrypt   Locky        Cryptowall
IE        Locky        TeslaCrypt   Cryptowall
IT        Locky        Cryptowall   TeslaCrypt
LT        Locky        TeslaCrypt   CryptoLocker
LU        Locky        TeslaCrypt   Cryptowall
LV        Cryptowall   Locky        Fareit
MT        Locky        TeslaCrypt   Autoitcrypt
NL        Locky        TeslaCrypt   Cryptowall
PL        Cryptowall   Locky        TeslaCrypt
PT        Locky        TeslaCrypt   Cryptowall
RO        Locky        TeslaCrypt   Cryptowall
SE        Cryptowall   Locky        TeslaCrypt
SI        Locky        Cryptowall   TeslaCrypt
SK        Locky        Cryptowall   TeslaCrypt

6 The ‘No More Ransom’ Project 

The ‘No More Ransom’ Project is a joint initiative between law enforcement and the private sector to combat ransomware by creating an online portal aimed at victim mitigation and informing the public about the dangers of ransomware. The project was officially launched on 25 July 2016. Since then, there have been two further rounds where additional partners have been added. This is expected to continue, with the addition of more and more new partners, tools and language versions.

The initial founding project partners were the Dutch Police, Europol’s European Cybercrime Centre (EC3), Kaspersky Lab, and Intel Security. Three months after the launch of the project, law enforcement agencies from a further 13 countries signed up to participate in the initiative, namely: Bosnia and Herzegovina, Bulgaria, Colombia, France, Hungary, Ireland, Italy, Latvia, Lithuania, Portugal, Spain, Switzerland and the United Kingdom. The European Commission and Eurojust also joined. The second round of 21 additional public and private partners joined the project officially on 15 December. The online portal is now available in Dutch, Russian, French, Italian and Portuguese, in addition to English. Translations to yet more languages are currently ongoing, and their implementation will follow very soon.

The portal aims to help victims recover their data without having to pay cybercriminals after ransomware attacks. The users can download decryption tools that have been created based on implementation errors from the criminals, reverse engineering of algorithms, law enforcement actions, or data leaked by criminals online. Victims only need to upload two encrypted files and the ransom note in order to check for available decryption solutions. The project also provides prevention information and links to report cybercrime to the respective national police forces.

7 Tips & Advice – How to Prevent Ransomware from Infecting Your Electronic Devices

Ransomware is malware that locks your computer and mobile devices, or encrypts your electronic files, demanding that a ransom is paid through certain online payment methods (and by an established deadline) in order to regain control of your data.

Ransomware can be downloaded through fake application updates or by visiting compromised websites. It can also be delivered as email attachments in spam or dropped/downloaded via other malware (i.e. a Trojan). It is a scam designed to generate huge profits for organised criminal groups.

To prevent and minimise the effects of ransomware, Europol’s European Cybercrime Centre advises you take the following measures:


An infographic with the same information is available for download from the Europol website at: https://www.europol.europa.eu/activities-services/public-awareness-and-prevention-guides/tips-advice-to-prevent-ransomware-infecting-your-electronic-devices