
Protect Yourself against Ransomware

What’s New:

To defend against the widespread WannaCry ransomware attack, please take the following actions immediately:

  1. Back up important data and keep the backup data disconnected from the computer;
  2. Apply the latest security patches on all Windows-based systems;
    https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
  3. Block the SMB ports (TCP ports 139 and 445) from Internet access;
  4. Keep the anti-malware software and signatures up-to-date; and
  5. Stay vigilant against suspicious emails and websites, and avoid clicking unknown attachments and links.

We adopt encryption technology when transmitting or storing information in cyberspace to mitigate the risk of data leakage. However, cyber criminals apply the same encryption technology to launch cyber attacks. There has been much concern recently about ransomware spreading rapidly across the globe through emails and compromised websites.

Ransomware is malicious software that cyber criminals use to encrypt the files stored on infected computing devices. The encrypted files are effectively held hostage: the victims are required to follow the instructions of the malicious software and pay a ransom to decrypt them.

Security Tips to Effectively Defend Against Ransomware


  1. Back up important data frequently and keep the backup data disconnected from the computer
  2. Install the latest patches for software in use
  3. Check that your anti-malware program and signatures are up to date
  4. Schedule a regular full scan to detect and guard against malware attacks
  5. Disable or restrict all unnecessary services and functions in computer systems
  6. Do not open any suspicious emails or instant messages, as well as the attachments and hyperlinks inside
  7. Refrain from visiting suspicious websites or downloading any files from them

Causes of Infection and Impact

Causes of Infection

  • Opening suspicious emails, or the attachments and hyperlinks inside them
  • Visiting websites embedded with malicious programs
  • Downloading and installing software or mobile apps that are embedded with ransomware

Impact

  • Files inside the computing device and other connected storage devices are encrypted. These data would be lost unless a timely backup is available.

Screenshots of Ransomware Infection

The following screenshots illustrate the stages of a computer being infected by ransomware. Note that different ransomware will behave differently.

Step 1 of 7: Files with known extensions on a computer before it is infected by ransomware

Step 2 of 7: The user opens a program embedded with ransomware

Step 3 of 7: The ransomware starts to encrypt the files inside the computing device

Step 4 of 7: All documents, photos and media files are encrypted by the ransomware

Step 5 of 7: A text file is created stating that the files have been encrypted

Step 6 of 7: A graphic file is also created, informing the user of the same content

Step 7 of 7: Finally, the wallpaper is changed

Preventive Measures

  • Back up important data frequently and keep the backup data disconnected from the computer
  • Install the latest patches for software in use
  • Check that your anti-malware program and signatures are up to date
  • Schedule a regular full scan to detect and guard against malware attacks
  • Disable or restrict all unnecessary services and functions in computer systems
  • Do not open any suspicious emails or instant messages, as well as the attachments and hyperlinks inside
  • Refrain from visiting suspicious websites or downloading any files from them
  • Install software and mobile apps from trusted sources only, and do not install apps that request suspicious permissions
  • For business operations with a higher risk of exposure to malware infection, such as handling customer enquiry emails, use a dedicated computer with no network drives and restricted connectivity to the internal network to minimise the impact of an infection, and ensure the handling staff stay alert to possible infection



What Should I Do if Infected?

  • Disconnect the network cable of the computer to avoid affecting network drives and other computers
  • Power off the computer to stop the ransomware encrypting more files
  • Jot down what was accessed (such as programs, files, emails and websites) before the issue was discovered
  • Report the criminal offence to the Hong Kong Police Force
  • Recover the data from backup onto a clean computing device
  • Check whether any reference tools are available to recover the encrypted files

Reference Tools on Decryption

| Name of Ransomware | File Extension | Other Symptoms | Reference Tools |
|---|---|---|---|
| Jaff | .jaff, .wlu, .sVn | N/A | |
| 777 / Democry | .777 | N/A | |
| Agent.iih, Aura, AutoIt, Bitman, Chimera, Cryptokluchen, Democry, Jigsaw, Mircop, Lamer, Libra, Lobzik, Pletor, Rakhni, Rotor, SIL.Lortok | _crypt, ._date-time_$address@domain$.777, ._date-time_$address@domain$.legion, .AES256, .AFD, .chifrator@qq_com, .btc, .coderksu@gmail_com_id20, .coderksu@gmail_com_id371, .coderksu@gmail_com_id372, .coderksu@gmail_com_id374, .coderksu@gmail_com_id375, .coderksu@gmail_com_id376, .coderksu@gmail_com_id392, .coderksu@gmail_com_id357, .coderksu@gmail_com_id356, .coderksu@gmail_com_id358, .coderksu@gmail_com_id359, .coderksu@gmail_com_id360, .cry, .crypt@india.com.random_characters, .crypto, .darkness, .dyatel@qq_com, .enc, .encrypted, .epic, .fun, .gruzin@qq_com, .gws, .helpdecrypt@ukr.net, .J, .kraken, .locked, .micro, .nalog@qq_com, .nochance, .oplata@qq_com, .oshit, .paybtcs, .paymds, .paymrss, .paymrts, .paymst, .payrms, .payransom, .porno, .pornoransom, .pizda@qq_com, .relock@qq_com, .troyancoder@qq_com, .ttt, .SecureCrypted, .xxx, hb15 | N/A | |
| Al-Namrood | .unavailable, .disappeared | Ransom note ".Read_Me.Txt" was created and asked to contact decryptioncompany@inbox.ru or fabianwosar@inbox.ru | |
| Alcatraz Locker | .Alcatraz | Ransom note "ransomed.html" was created | |
| AlphaCrypt 0.x | N/A | Ransom notes "HELP_TO_SAVE_FILES.txt" and "HELP_TO_SAVE_FILES.bmp" were created | |
| Apocalypse | .encrypted, .Encryptedfile, .FuckYourData, .locked, .SecureCrypted | Ransom note ".How_To_Decrypt.txt", ".Contact_Here_To_Recover_Your_Files.txt", ".How_to_Recover_Data.txt" or ".Where_my_files.txt" was created and asked to contact decryptionservice@mail.ru, recoveryhelp@bk.ru or decryptdata@inbox.ru | |
| AutoLocky | .Locky | Ransom note "info.txt" or "info.html" was created | |
| AutoIt | <Original Filename>@<Name of Email Server>_.<A Set of Random Characters> | N/A | |
| BadBlock | <No Change> | Ransom note "Help Decrypt.html" was created and identified itself as "BadBlock" | |
| Bart | .bart.zip | Ransom note was created as the desktop wallpaper and stored in files named "recover.bmp" and "recover.txt" | |
| Bitcryptor | N/A | Ransomware identified itself as "Bitcryptor" | |
| CoinVault | N/A | Ransom note asked to contact coinvault@openmailbox.org | |
| Cerber V1 | .cerber | Ransom notes "#DECRYPT MY FILES#.txt", "#DECRYPT MY FILES#.html" and "#DECRYPT MY FILES#.vbs" were created | |
| Cryakl | CRYPTENDBLACKDC | N/A | |
| CrypBoss | .crypt, .R16M01D05 | Ransomware asked to contact an email address at "@dr.com" | |
| Crypt888 / Mircop | Lock.<Original Filename> | Ransom note was created as the desktop wallpaper | |
| CryptInfinite | .CRINF | N/A | |
| CryptoDefense | N/A | Ransom note "HOW_DECRYPT.txt" was created | |
| CryptXXX V1 | .crypt, .crypz, .cryp1, <5 hexadecimal characters> | N/A | |
| CryptXXX V2 | .crypt, .crypz, .cryp1, <5 hexadecimal characters> | N/A | |
| CryptXXX V3 | .crypt, .crypz, .cryp1, <5 hexadecimal characters> | N/A | |
| CrySiS | .johnycryptor@hackermail.com.xtbl, .ecovector2@aol.com.xtbl, .systemdown@india.com.xtbl, .Vegclass@aol.com.xtbl, .{milarepa.lotos@aol.com}.CrySiS, .{Greg_blood@india.com}.xtbl, .{savepanda@india.com}.xtbl, .{arzamass7@163.com}.xtbl | Ransom note "Decryption instructions.txt", "Decryptions instructions.txt" or "README.txt" was created | |
| DMALocker | <No Change> | Ransomware identified itself as "DMA Locker" with ID "DMALOCK 41:55:16:13:51:76:67:99" | |
| DMALocker2 | <No Change> | Ransomware identified itself as "DMA Locker" with ID "DMALOCK 43:41:90:35:25:13:61:92" | |
| Fabiansomware | .encrypted | Ransom note ".How_To_Decrypt_Your_Files.txt" was created and asked to contact "decryptioncompany@inbox.ru", "fwosar@mail.ru" or "fabianwosar@mail.ru" | |
| FenixLocker | .centrumfr@india.com!! | Ransom note "CryptoLocker.txt" or "Help to decrypt.txt" was created | |
| Gomasom | .crypt | The contact email address was embedded in the filenames of the locked files | |
| Globe | .ACRYPT, .blackblock, .decrypt2017, .dll555, .duhust, .exploit, .frozen, .globe, .gsupport, .GSupport[0-9], .hnumkhotep, .kyra, .purged, .rald[0-9], .siri-down@India.com, .xtbl, .zendrz, .zendr[0-9], .hnyear | Ransom note "How to restore files.hta" or "Read Me Please.hta" was created | |
| Harasom | .html | Ransomware claimed to originate from "Spamhaus" or "the US Department of Justice" | |
| HiddenTear | .암호화됨, .34xxx, .8lock8, .bloccato, .BUGSECCCC, .CAZZO, .doomed, .flyper, .fucked, .Hollycrypt, .kratos, .krypted, .lock, .locked, .lok, .mecpt, .monstro, .razy, .saeld, .unlockIt | Ransom notes "READ_IT.txt", "MSG_FROM_SITULA.txt" and "DECRYPT_YOUR_FILES.HTML" were created | |
| HydraCrypt | .hydracrypt, .umbrecrypt | N/A | |
| KeyBTC | N/A | Ransom note "DECRYPT_YOUR_FILES.txt" was created and asked to contact keybtc@inbox.com | |
| LeChiffre | .LeChiffre | Ransomware asked to contact decrypt.my.files@gmail.com | |
| Legion | A variant of ._23-06-2016-20-27-23_$f_tactics@aol.com$.legion or .$centurion_legion@aol.com$.cbf | Ransom note was created as the desktop wallpaper | |
| Marlboro | .oops | Ransom note "HELP_Recover_Files_.html" was created | |
| MarsJoke / Polyglot | <No Change> | Ransom note was created as the desktop wallpaper | |
| MRCR / Merry X-mas | .PEGS1, .MRCR1, .RARE1, .MERRY, .RMCM1 | Ransom note "YOUR_FILES_ARE_DEAD.HTA" or "MERRY_I_LOVE_YOU_BRUCE.HTA" was created and asked to contact "comodosec@yandex.ru" or "comodosecurity" via the secure mobile messenger Telegram | |
| Nemucod | .crypted | Ransom note "DECRYPT.txt" was created | |
| NMoreira | .__AiraCropEncrypted!, .maktub | Ransom note "Recupere seus arquivos. Leia-me!.txt" or "How to decrypt your files.txt" was created | |
| NoobCrypt | <No Change> | Ransom note "ransomed.html" was created | |
| OzozaLocker | .locked | Ransom note "HOW TO DECRYPT YOU FILES.txt" was created and displayed on the screen after clicking an encrypted file | |
| OpenToYouDecrypt | .-opentoyou@india.com | Ransom note "!!!.txt" was created | |
| PClock | <No Change> | Ransomware identified itself as "CryptoLocker" and created a file "enc_files.txt" | |
| Philadelphia | .locked | Ransom note was displayed on the screen | |
| Radamant | .rdm, .rrk | N/A | |
| Rannoh | locked-<Original Filename>.<4 Random Characters> | N/A | |
| Shade | .7h9r, .better_call_saul, .breaking_bad, .da_vinci_code, .heisenberg, .no_more_ransom, .windows10, .xtbl, .ytbl | N/A | |
| SNSLocker | .RSNSLocked | N/A | |
| Stampado | .locked | Ransom note was displayed on the screen | |
| SZFLocker | .szf | Ransom note was displayed after clicking an encrypted file | |
| TeslaCrypt V1 | .ECC | N/A | |
| TeslaCrypt V2 | .AAA, .ABC, .CCC, .VVV, .XYZ, .ZZZ | N/A | |
| TeslaCrypt V3 | .TTT, .XXX, .MICRO, .MP3 | N/A | |
| TeslaCrypt V4 | <No Change> | Ransom note was displayed on the screen | |
| Wildfire Locker | .wflx | Ransom note was displayed on the screen | |
| Xorbat | .crypted | N/A | |
| Xorist / Vandev | .XORIST, .EnCiPhErEd, .0JELvV, .p5tkjw, .6FKR8d, .UslJ6m, .n1wLp0, .5vypSa, .YNhlv1 | Ransom notes "HOW TO DECRYPT FILES.txt" and "CryptLogFile.txt" were created | |
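The table above can be applied mechanically during first-response triage, once the infected machine has been isolated and a listing of the affected folder is in hand. The following Python helper is an added example and not code from the original page: given a directory listing, it counts files carrying each family's extensions and looks for the ransom-note filenames from the "Other Symptoms" column, which is what tells apart families that share an extension (Nemucod and Xorbat both use .crypted). The REFERENCE rows are a constructed subset of the table, the sample listing is constructed to resemble the state shown in the screenshots, and the function and variable names are the example's own.

```python
import re

# Constructed subset of the page's reference table: family -> (extensions, ransom-note names).
# "[0-9]" inside an extension stands for one digit, as it does in the table.
REFERENCE = {
    "TeslaCrypt V3": ([".TTT", ".XXX", ".MICRO", ".MP3"], []),
    "Cerber V1": ([".cerber"], ["#DECRYPT MY FILES#.txt", "#DECRYPT MY FILES#.html",
                               "#DECRYPT MY FILES#.vbs"]),
    "Globe": ([".globe", ".purged", ".zendr[0-9]", ".GSupport[0-9]"],
              ["How to restore files.hta", "Read Me Please.hta"]),
    "Nemucod": ([".crypted"], ["DECRYPT.txt"]),
    "Xorbat": ([".crypted"], []),
}

# Constructed directory listing: renamed user files plus ransom notes, as in the screenshots.
SAMPLE_FILES = [
    "budget.xlsx.cerber", "holiday.jpg.cerber", "thesis.docx.cerber",
    "#DECRYPT MY FILES#.txt", "#DECRYPT MY FILES#.html",
    "readme.txt", "notes.crypted",
]


def extension_matches(filename, pattern):
    """True if filename ends with pattern; '[0-9]' in the pattern matches a single digit."""
    regex = "[0-9]".join(re.escape(part) for part in pattern.split("[0-9]")) + "$"
    return re.search(regex, filename, re.IGNORECASE) is not None


def triage(filenames, reference=REFERENCE, min_hits=3):
    """Rank candidate families as (family, number of matching files, ransom notes seen).

    A family is a candidate when at least min_hits files carry one of its extensions
    (a single renamed file is not evidence, and ordinary .mp3 media would match
    TeslaCrypt V3's .MP3) or when one of its ransom notes is present. Candidates with
    a ransom-note match are ranked first, since that is what separates families that
    share an extension.
    """
    results = []
    for family, (extensions, notes) in reference.items():
        ext_hits = sum(1 for f in filenames if any(extension_matches(f, e) for e in extensions))
        wanted = {n.lower() for n in notes}
        note_hits = [f for f in filenames if f.lower() in wanted]
        if ext_hits >= min_hits or note_hits:
            results.append((family, ext_hits, note_hits))
    results.sort(key=lambda r: (bool(r[2]), r[1]), reverse=True)
    return results


if __name__ == "__main__":
    for family, hits, notes in triage(SAMPLE_FILES):
        print(f"{family}: {hits} renamed files, ransom notes seen: {notes}")
```

Run it against a real listing (for example the output of `dir /b` saved from the isolated machine) and take the top candidate as the row to look up in the table; an empty result means no family in the reference set fits.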

Videos

  • INFOSEC Video – Ransomware (Duration: 2:34)
  • HKPC YouTube Channel: Ransomware Hits Hong Kong, How Can Computer Users Protect Themselves? (Chinese only) (Duration: 3:47)
  • The Police Public Relations Branch (PPRB) of the Hong Kong Police Force - Beware of Ransomware (Duration: 2:01)

Infographics

Promotional Events

Past Events

| Date | Event | Organiser |
|---|---|---|
| 20/06/2016 | SME Cyber Security Seminar: Ransomware Hits Hong Kong, What You Need to Know About Cyber Security | Hong Kong Productivity Council |
| 31/05/2016 | Build a Secure Cyberspace 2016: "Protecting Data from Ransomware Attacks" Seminar | Office of the Government Chief Information Officer (OGCIO); Hong Kong Police Force (HKPF); Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT) |
| 30/05/2016 | Cyber Security Conference 2016 cum Formation of Cyber Security Alliance | Hong Kong Information Technology Federation |
| 19/04/2016 | School Information Security Seminar: Crypto-Ransomware ~ Prevention, Data Protection and Solutions | Association of I.T. Leaders in Education (AiTLE) |
| 22/03/2016 | School Information Security Seminar: Crypto-Ransomware ~ Threats, Impact and Solutions? | Association of I.T. Leaders in Education (AiTLE); 香港小學電子教育協會 |

Extended Readings and Other Resources

Disclaimer: Users are also recommended to observe the Important Notices of this website and to read the user agreements and privacy policies of the security software and tools before downloading and using them.
