What to do if your PC or network has been infected by GoldenEye, WannaCry or other ransomware.
Ransomware first hit the headlines a few years ago as one of the nastiest types of malware yet, taking control of a victim's computer, encrypting their files and extorting money to remove it.
Sadly, the threat of ransomware has grown worse – much worse, in fact – culminating in the latest GoldenEye and WannaCry outbreaks. Not only has it spread from PCs to phones, tablets and Macs, but there has been a massive increase in the number of ransomware instances detected. Moreover, the methods that hackers use have become more devious and more difficult to deal with.
In this feature, we provide a guide to understanding, detecting, removing and recovering from ransomware. Of course, it's far better to avoid an infection in the first place with the steps that we've explained in our ransomware defence guide.
But if you are infected, don't panic. We'll explain what to do if you've been infected, but first, a quick primer on what ransomware is.
Your ransomware questions answered
What is ransomware?
Ransomware is a particularly virulent form of malware that locks your computer and encrypts your files so that you can't access them. The exact details vary, but it may stop you using Windows or certain programs such as your web browser. Once your files are encrypted, the ransomware will ask for payment to unlock them, usually in the untraceable virtual currency Bitcoin. Although removing ransomware is actually quite easy, your files will remain encrypted. There's also another spiteful trick the malware uses to get you to pay up: if the money is not paid on time, the ransom is doubled.
How do I get infected?
As with most forms of malware, the primary source of infection is an email attachment or malicious link. The senders use con tricks to get you to open the attachment, such as pretending that it's an invoice for something you've bought from a reputable company. This tactic preys on your fear of being charged for an item you didn't buy, so that you'll open the invoice without thinking about it.
Where does ransomware come from?
Ransomware in its modern form originated in Russia and Eastern Europe. Thanks to decentralised digital currencies such as Bitcoin, which make it easy for attackers to demand a ransom and be paid without leaving a trace, ransomware is now so lucrative that it's become the primary revenue stream for some cybercriminals.
It doesn't even take much skill to create your own ransomware. Last year, a Turkish security researcher called Utku Sen created a strain of ransomware called Hidden Tear and published the source code online. It was described as being "for educational purposes only" (as were some early viruses) and ostensibly designed to teach security professionals how to defend against such threats. However, it provided a quick way for anyone with average computer skills to get into the ransomware business.
What does it look like?
Once your PC has been infected and your personal files encrypted, a message appears telling you what's happened and providing information about how – and how much – to pay. The look of this message will vary depending on which ransomware family is behind the attack.
Is it really that common?
Sadly, yes. In 2016, the number of ransomware attacks increased 300 percent from 2015, with over 4,000 attacks detected per day, according to US government statistics.
However, Kaspersky Lab warns that "the real number of incidents is several times higher", because it can't always distinguish ransomware from other forms of malware.
As we saw with the WannaCry outbreak, there have been several high-profile victims, including the UK's National Health Service (NHS), global delivery service FedEx and Spanish telecommunications company Telefonica.
Are only Windows PCs at risk?
Not anymore. Ransomware developers have started targeting Linux, too, because a lot of web servers use that operating system. There have also been attacks on Macs and Android devices.
Why don't the police stop it?
It's very difficult for law-enforcement agencies to track down the source of ransomware because the criminals use state-of-the-art encryption and routing tricks to make their location impossible to identify.
What happens if I pay the ransom?
If everything goes to plan, once the ransom has been handed over, a key will be generated that you can use to decrypt your files. But first, you should read our full advice on the next page.
How can I be sure I'll receive this key?
You can't. Some ransomware, such as KeRanger and CTB-Locker, lets you decrypt one or two files to prove that the key exists and works, but there's no guarantee that once you've paid a ransom all your files will be unlocked.
What happens if I don't pay?
Your files will remain locked and unusable, unless the encryption has been cracked and there is a program you can use to unlock the files for free. Such tools are rare but they do exist, so you might get lucky.