Ransomware

Data on the computer is no longer available or is encrypted.

Encryption Trojans (also known as blackmail Trojans) are a specific family of malicious software that encrypts files on the victim's computer and on connected network drives, rendering them unusable for the victim. The ransomware scene is continually expanding. The gateways for such encryption Trojans include in particular poorly secured systems and emails with attachments.

Encryption Trojans can cause considerable damage, especially if your data backups are also affected. In the event of such an incident, remain calm and act with caution.

Specific measures

The main aim of post-incident clean-ups is to find the infection route and prevent a new infection. Reinstall the affected systems and restore data using existing backups. If the necessary expertise is not available in your company/your authority, seek support from a specialised company.
For further information, see :
Companies: Encryption Malware - What next?
Authorities: Encryption Malware - What next?

Preventive measures

Regularly make a backup of your data. The backup should be stored offline, i.e. on an external medium such as an external hard drive. Therefore, make sure that the medium where the backup is saved is disconnected from the computer after the back-up procedure is complete. Otherwise, data on the back-up medium might be encrypted and rendered unusable in the event of a ransomware attack.
Provide employees with training on how to deal with email.
You can further strengthen your IT infrastructure's protection against malware (such as ransomware) by using Windows AppLocker, which allows you to define which programs can be run on the computers in your company/your authority.
Block the receipt of dangerous email attachments on your email gateway. A more detailed and updated list can be found on the GovCERT website at:
https://www.govcert.ch/downloads/blocked-filetypes.txt
Make sure that dangerous email attachments like these are also blocked if they are sent to recipients in your company/your authority in archive files such as ZIP and RAR, or even in encrypted archive files (e.g. in a password-protected ZIP file).
In addition, all email attachments containing macros (e.g. Word, Excel or PowerPoint attachments that contain macros) should be blocked.

Effects and risks

Rendering data unusable on the computer
Financial loss in the event of payment of the ransom
Existential threat to companies/authorities if the backup was also encrypted.

Further Information

You will find further information on our website:

Companies: Encryption Malware - What next?
Authorities: Encryption Malware - What next?

Ransomware

National Cyber Security Centre NCSC

National Cyber Security Centre NCSC

Ransomware

Main Navigation

National Cyber Security Centre NCSC

Search

Breadcrumb

Ransomware