Ransomware is malware that attempts to blackmail unsuspecting users. One way it can gain access is via an email attachment. The attachment will appear to be a normal image, word processing, spreadsheet file but it wil be linked to a .exe file i.e. a program. When the attachment is opened the file installs the malware program on your computer. 

It can also get in through a "backdoor" of an already infected machine, avoiding any security software. 

If your computer already has an infection, the malware that caused that infection has usually created an access point (backdoor) for other malware to slip onto your computer. This happens without you actually knowing or needing to do anything to install the program. It can also enter via security flaws in programs like Java and Adobe etc.  

Simple Ransomware






Simple Ransomware creates a portal restricting you to a single web page, until you pay the blackmail. The web page you view will often imply that some illegal activity has occurred on your computer and a fine is payable for your wrong doings. It also looks as if the fine has been imposed by some law enforcement agency.

Another variant replaces your computers master boot record with a malicious version.

To clean the infected machine you need to use a bootable CD with an antivirus scanner, this is run outside of your normal operating system and is therefore able to access the malicious files and deal with them. Once cleaned the computer will behave as normal.



Cryptolock Ransomware  


A newer variant of this malware is rather more sinister it does not lock the machine but holds all your files to ransom by encrypting them.

The malware once installed looks for specific file types using a list of over 100 file extensions and encrypts them making them unreadable without the decrypting key.

The malware generates a unique encryption key randomly every time it infects a computer using military grade algorithms, the only way to get your files restored is to use the unique decipher key generated at the same time and stored on a secret server that only the perpetrator has access to..

The malware only lets you know of its presence after all the files are encrypted and effects all connected network drives. So if your backup drive whether a physical drive or a virtual one is connected at that time, those files will also be corrupted.

The malware itself is fairly easy to remove, a real time antivirus scanner can be downloaded and used to detect and remove the ransomware.

Once the machine is cleaned the encrypted files can be removed and replaced with those from your latest backup.


Although being infected by any form of ransomware is a nasty shock it is not a virus so it cannot be transmitted outside of your local network. Neither is it a threat to your personal security, it won't capture passwords or bank details. So try not to panic. The advice given by the National Crime Agency and others is not to pay any ransom, after all the only thing you now about the perpetrators is that they are criminals. There will be the odd incident where someone has allegedly payed and has received the decrypting key but this is to persuade others to also pay rather than any sense of honouring their side of the bargain. If you have an up to date backup, the files can be restored after the malware has been removed. Although extreamly annoying it is better than having your hard drive fail, as all your programs and settings will be unaffected.

Prevention not cure 



Make sure your antivirus software is active and up to date.


(If your antivirus software has not been active download and install http://www.sophos.com/en-us/products/free-tools/virus-removal-tool.aspx and scan your computer).


Keep your software up to date by installing security patches as soon as possible.


Avoid opening attachments from people you do not know or trust.

Make regular backups and store them safely and don’t have backup drives on line when not in use.

Its good practice not to use an administrative account for day to day working.

Important files when completed can be filed as read only.

Having an encrypted drive on your computer to store sensitive information, is also worthwhile.




The Cryptolocker malware uses 3 locations within Windows to launch the program. These are %appdata% / %localappdata% / Recycle Bin, a small program has been developed by Foolish IT that prevents programs from using these locations. Many other Trojans use the same locations to launch, therefore installing this program offers further protection. The program is free with an option to upgrade to a premium version which provides automatic updates.


Once installed and applied it will protect all user accounts on your system.



The program can be downloaded from this location. (At the bottom of the page) use the installer version for easy use. Once installed you need to click the "apply" button.  http://www.foolishit.com/vb6-projects/cryptoprevent/


This program is additional security and NOT a substitute for the prevention measures already mentioned.