AVG Signal Blog Security Ransomware The Ultimate Guide to Ransomware

What is ransomware?

Ransomware is malicious software which encrypts files on your computer or completely locks you out. It’s spread by hackers who then demand a ransom (usually 300-500$/GPB/EUR, preferably paid in bitcoins), claiming that, if you pay, you’ll receive the decryption key to recover your files.

This article contains:

    The first recorded ransomware attack occurred in 1989, when evolutionary biologist Joseph Popp infected floppy disks with the AIDS Trojan and distributed them to fellow researchers. The malware didn’t run immediately, but instead waited until victims booted their PCs 90 times. Finally, it encrypted all system files and asked users to pay $189 to undo the damage. Luckily, experts came up with tools to remove the malware and decrypt infected files.

    But is ransomware a virus? Nope. Viruses infect your files or software, and have the ability to replicate, but ransomware scrambles your files to render them unusable, then demands you pay up. They can both be removed with an antivirus, but if your files are encrypted chances are you’ll never get them back.

    Types of ransomware

    Ransomware comes in all shapes and sizes. Some variants are more harmful than others, but they all have one thing in common: the ransom.

    Types of ransomware

    1. Crypto malware or encryptors are the most common type of ransomware, and they can do a lot of damage. Besides extorting more than $50,000 from its victims, WannaCry actually put thousands of lives at risk when it hit hospitals around the world and blocked medical staff from accessing patient files.

    2. Lockers infect your operating system to completely lock you out of your computer and make it impossible to access any apps or files.

    3. Scareware is fake software (like an antivirus or a cleaning tool) which claims to have found issues on your PC and demands money to fix them. Some variants lock your computer, others flood your screen with annoying alerts and pop-ups.

    4. Doxware (or leakware) threatens to publish your stolen information online if you don’t pay up. We all store sensitive files on our PCs (from contracts and personal documents to embarrassing photos), so it’s easy to see why that might cause panic.

    5. RaaS (Ransomware as a Service) is malware hosted anonymously by a hacker who handles everything — distributing the ransomware, collecting payments, managing decryptors — in exchange for a cut of the ransom.

    Android ransomware

    Your Android mobile devices aren’t safe from ransomware either. There’s even a WannaCry copycat which spreads on gaming forums and targets Android devices in China. Since data can easily be restored by syncing devices, cyber criminals often prefer blocking your smartphone instead of just encrypting files.

    Mac ransomware

    Even though it takes more than opening an email attachment or clicking on a link to infect Apple devices, Mac ransomware is also on the rise. The latest malware affecting Macs appears to have been coded by software engineers with a specialty in OS X. Cyber criminals often target iCloud accounts or attempt to lock smartphones through the Find My iPhone system.

    Ransomware attacks in 2017

    With dozens of malware toolkits available on the Internet’s black market, hackers have a solid base to build on. Recent attacks have shown that cyber criminals put a lot of effort into improving their code, adding features that make detection more difficult, and fine-tuning their malicious emails to make them look legitimate.

    Let’s have a closer look at the biggest ransomware attacks in 2017, WannaCry and Petna.


    After infecting more than 10,000 organizations and 200,000 individuals in over 150 countries, WannaCry earned its reputation as the most widespread ransomware attack to date. It used an exploit known as ETERNALBLUE, which takes advantage of a Windows SMB (Server Message Block, a network file sharing protocol) vulnerability labeled as MS17-010.Top 10 countries affected by WannaCry


    The more recent Petya-based outbreak (dubbed Petya, Petna, NotPetya, EternalPetya, or Nyetya) gave everyone a big scare, but it was far less damaging than WannaCry. Petna affected mainly Ukraine (more than 90% of attacks), but we’ve seen attempts in the US, Russia, Lithuania, Belarus, Belgium, and Brazil as well.

    Two other major ransomware attacks made the news in 2016:

    • Locky - First seen in February 2016, Locky was reportedly sent to millions of users around the world, in an email scam which claimed to be an invoice or a receipt of order. The emails contained an illegible Word document, asked users to enable macros to view its content, then started downloading the malware. With every attack, Locky’s authors keep improving the code to make it difficult to detect once it’s on your computer.

    • Cerber ransomware - This malware comes as a toolkit, freely available for anyone to download, set up and spread. It’s distributed via an email attachment or the Unsubscribe link in a spam email (which redirects victims to the same attachment), it can operate even if you’re offline, and it can encrypt more than 400 file types, including database files.

    As hackers keep improving their code, either of these variants could reappear at any point, so it’s important to know that they’re out there even when you don’t read about it in the news.

    Are you a ransomware target?

    When it comes to ransomware, anyone can be a target. For example, WannaCry took advantage of a Windows vulnerability to spread and infect more than 200,000 users like yourself, as well as 10,000 companies, public authorities, and organizations worldwide.

    Anyone who hadn’t installed the security patch Microsoft released in March was vulnerable. Windows XP users were hit hardest: Microsoft had ended support for that version of Windows 3 years ago, and was only spurred into releasing a patch for it until well after the attack had become severe. (And if you are still running that version, you really ought to consider an upgrade.)

    While a patch or update to fix such issues is generally quick and easy for regular users, companies and organizations are far more vulnerable. They often run custom made software that would break with updates and need to deploy the fixes on massive numbers of devices, all of which slows them down. Some organizations also just don’t have the funds. Hospitals budgets are expected to save lives, not computers — but those can sometimes be one and the same when their systems get taken over and they are locked out of patient histories.

    Cybercrime is the no. 1 concern for organizations working with sensitive data, but that doesn’t mean regular PC users are safe — your family photos or personal files are just as valuable to hackers.

    How ransomware infects your PC

    From malicious email attachments and fake links to social media scams, ransomware spreads quickly and hits hard. Here’s how it gets on your computer:

    • Social engineeringa fancy term for tricking people into downloading malware from a fake attachment or link. Malicious files are often disguised as ordinary documents (order confirmations, receipts, bills, notices) and appear to have been sent by a reputable company or institution. It’s enough to download one of these to your PC, try to open it, and boom! You’re infected.

    • Malvertising - paid ads delivering ransomware, spyware, viruses and other nasty things, at the click of a button. Yes, hackers will even buy ad space on popular websites (including social media networks or YouTube) to get their hands on your data.

    • Exploit kits pre-written code, wrapped nicely in a ready-to-use hacking tool. As you may have guessed, these kits are designed to exploit vulnerabilities and security holes caused by out-of-date software.

    • Drive-by downloads dangerous files you never asked for. Some malicious websites take advantage of out-of-date browsers or apps to silently download malware in the background, while you’re browsing an innocent-looking website or watching a video.

    How to know if you’re infected

    It may start with an innocent-looking email, supposedly sent from a legitimate source, asking you to download an invoice or some other important document. Hackers often mask the file’s real extension to trick victims into thinking it’s a PDF, doc or Excel sheet. It’s actually an executable file which starts running in the background when you click on it.

    For a while, nothing out of the ordinary happens. Your files can still be accessed and everything works just fine, as far as you know. But the malware is silently contacting the hacker’s server, generating a pair of keys — a public one to encrypt your files, and a private one, stored on the hacker’s server, used to decrypt them.

    Once the ransomware makes its way to your hard drive, you don’t have much time to save your data. From here on, your input is no longer needed. The ransomware simply starts running and encrypting your files, and only reveals itself once the damage is done.

    A ransom note pops up on your screen, telling you how much you’re expected to pay and how to transfer the money. Once the clock starts ticking, you usually have 72h to pay the ransom, and the price goes up if you didn’t make the deadline.

    Meanwhile, you won’t be able to open your encrypted files, and if you try to do so you’ll get an error saying your file can’t be loaded, is corrupt or not valid.

    How to remove ransomware

    Unless you’re locked out of your PC, deleting ransomware is pretty easy. In fact, it’s the same as removing a virus or any other common type of malware. We’ve covered how to remove all kinds of malware before, but here’s the gist of it: enter Safe Mode and either run your antivirus to delete the malware, or remove it manually.

    How to remove ransomware

    Things are a bit more complicated if your PC is infected with a locker, which prevents you from entering Windows or running any programs. There are 3 ways to fix it: do a System Restore to restore Windows back to a point in time where your PC was still safe, run your antivirus program from a bootable disk or an external drive, or reinstall your operating system.

    System Restore on Windows 7:

    • Turn your PC on and press F8 to enter the Advanced Boot Options menu

    • Select Repair Your Computer and press Enter

    • Log in with your Windows account name and password (or leave that field blank if you don’t have one)

    • Click System Restore

    System Restore on Windows 8, 8.1, or 10:

    • Turn your PC on and hold the Shift key to enter the recovery screens (restart if it didn’t work)

    • Select Troubleshoot

    • Go to Advanced Options

    • Click System Restore

    You can also use our AVG PC Rescue CD to safely remove ransomware from an external drive. The following video contains instructions on how to create a bootable AVG Rescue CD or USB.

    How to recover your files

    Recovering your data is a whole other story. 32- and 64-bit encryption are easy to crack. Our free ransomware decryption tools will help you recover files infected with more harmless ransomware like Apocalypse, Crypt888, or TeslaCrypt.

    However, these days most types of ransomware — including the notorious WannaCry, Locky or Cerber — use 128-bit, or even stronger, 256-bit encryption (sometimes a combination of both). This complex level of encryption is also used by servers, browsers, and VPNs to protect your data, because it’s secure and unbreakable.

    If your files are infected with one of these deadlier variants, recovery is nearly impossible. That’s why prevention is the best thing you can do to protect yourself from ransomware.

    Ransomware prevention tips

    Besides avoiding suspicious websites or links, spam and email attachments you weren’t expecting, there are essentially three things you can do to make sure you don’t lose your files in the next ransomware attack.

    1. Back up your important files

    On external drives. Or in the Cloud. Or both. With so many free cloud storage services out there, you really have no excuse. Dropbox, Google Drive, Mega… take your pick and make sure to have all your important documents and photos stored securely. To be extra safe, choose a service with version histories. That way, if anything bad ever happens to your account, you can easily restore it to a previous version.

    Diagram of a folder being backed up to different cloud services

    2. Use an up-to-date antivirus

    Antivirus software offers essential protection against anything trying to mess with your computer. We don’t like to brag, but our AVG AntiVirus FREE alone covers more than you’d expect. And with AVG Internet Security you also get Ransomware Protection, which blocks suspicious apps from changing your files.

    3. Keep your operating system updated

    If you paid attention earlier when we talked about WannaCry, you should already know that security updates are vital for your computer’s safety. Out-of-date software makes you more vulnerable to all kinds of malware, including ransomware.

    To pay or not to pay the ransom?

    At this point, the dreaded question has probably crossed your mind. And with ransomware being so scary, we can’t blame you!

    Hackers don’t discriminate. Their only goal is to infect as many computers as possible, because that’s how they make money. And it’s a very profitable “business” too, with victims paying hundreds of thousands of dollars to recover their data.

    In June 2017, South Korean web hosting company Nayana paid 397.6 bitcoin (worth approximately $1 million at that time) after an Erebus ransomware attack. This is the highest ransom paid to date, and it proves just how vulnerable businesses are.

    But you’re dealing with scammers here, so paying the ransom doesn’t guarantee anything. Sometimes they simply up the price, if they’ve found someone desperate enough to pay. Or take Petya, for instance — the ransomware had a bug in its code which made it impossible to recover anything. But most importantly, paying encourages hackers to come back, hit harder, and demand more money.

    So should you pay? Our answer is “hell no”. Instead, get a good antivirus, so you never have to worry about ransomware in the first place.

    Protect your Android against threats with AVG AntiVirus

    Free install

    Protect your iPhone against threats with AVG Mobile Security

    Free install