Dozens of active ransomware variants such as TeslaCrypt, Locky and Crypt0L0cker continue to extort victims daily. And Ransomware-as-a-Service threatens to make matters worse.

Ransomware – you will not find a more frequently used word in the antivirus industry in these past few months. AVG’s viruslab have analysed dozens of different ransomware “families” in that time.

Based on the number of new unique samples per day, it seems that the ransomware trend is steadily increasing.

Some ransomware families appear to have been created by amateur programmers eager to earn easy money (Radamant, LeChiffre, or Hidden-Tear derivatives, just to name a few), while others are developed by professionals and operated by cyber gangs (e.g. CryptoWall).

At present, the most active families are TeslaCrypt, CryptoWall, and Crypt0L0cker (aka TorrentLocker) with each of these families spreading in multiple ways. The most common infection methods are via exploit kits and phishing emails (as links or attachments).

We've noticed many different approaches to creating ransomware, such as the programming language used. While C, C++, C#, and Delphi are very popular among malware authors in general, we have seen ransomware created in JavaScript, Java, and even purely in Windows .bat files.

More worryingly, we have identified “Ransomware-as-a-Service” offerings that are threatening to make things much worse. These often Tor-hosted (anonymous) websites make it possible to generate custom ransomware with just a few clicks – in return for a share (5-20%) of future earnings, i.e. ransom revenue.

But it’s also the brazen attitude and apparent confidence of some ransomware authors that is disturbing. We have found the Nanlocker ransomware contains a now famous (and very unfortunate) statement that was made by a member of the FBI at a security conference.

How to protect your computers and networks against ransomware.

  1. Don’t trust any links or attachments in email – this remains the most common way that ransomware takes hold. If you weren’t expecting the email, do not open it. If unsure, always seek a second opinion from a tech savvy friend – or just delete the email.
  2. Keep your software and operating system updated. Ransomware is targeting not only Windows, but also Linux (e.g. Linux.Encoder) and even Mac.
  3. Uninstall unused or notoriously vulnerable applications – for example, if you don’t need Adobe Flash Player, remove it and any other applications you’re not using. Stick to the minimum.
  4. Use the latest protection software. AVG Internet Security is great choice because it offers multiple layers of protection – we take the ransomware threat very seriously, and our software is capable of detecting the ransomware families mentioned earlier, plus more.
  5. Backup your files regularly and don’t forget to keep your backup media disconnected from your PC. Otherwise, your backups might get encrypted as well. This also applies to cloud storage and network drives (e.g. Dropbox, Google Drive).

What if it’s too late, and your files are already being held to ransom?

  1. If your files have already been encrypted by ransomware, the most important thing is to stay calm.
  2. You should immediately contact technical support (e.g. your IT department, your AV vendor) for further assistance, if available to you.  You need to seek expert advice as early as possible.
  3. We strongly advise against paying the ransom. You've got no guarantee from the criminals that your files will be restored. And, if every ransomware victim refused to pay the ransom, this type of crime would quickly reduce in occurrence.
  4. It is quite possible that the decryption key is still located in the computer. Many ransomware families contain weaknesses in their encryption algorithm, which may lead to decrypting your files even without paying the ransom! It may take some time to spot and exploit such weaknesses, but in the meantime don’t delete your encrypted files, there may still be hope. (so call tech support).