Ransomware encrypts all data on your computer bit by bit. If you notice that such a process has started, immediately disconnect the network/Wi-Fi connection and remove external hard drives and USB sticks. In this way you can potentially still prevent the malware from spreading to further devices.
Some Ransomware also threatens to publish your personal data, such as photos or videos, on the Internet if a payment deadline is missed. However, so far no case has become known in which such data was actually published.
Other Ransomware simulates a message from the police or federal police stating that illegal content, such as child sexual abuse material, has allegedly been found on your device. These messages from the cyber criminals simply serve to make you pay the ransom.
Never pay a ransom!
Under no circumstances should you pay a ransom to cyber criminals. This is a general recommendation from law enforcement agencies like the Federal Police, but also from all IT security experts.
Companies should always report cases of Ransomware infection to the police, as this is a criminal act within the meaning of §253 StGB (German Criminal Code).
Corporate contact points:
Federal State Police NRW
The cybercrime competence centre of the Federal State Police North Rhine-Westphalia is available 24/7:
Single Point of Contact:
Phone: +49 211 939-4040
Public Attorney's Office Cologne:
Phone: +49 221 477 4922 (24/7 hotline for corporations and critical infrastructure providers).
Contact point for citizens: Police Department Cologne
Computer Crime: Commissariat 35, phone +49 221 229 8355
General Computer Fraud: Commissariat 33, phone +49 221 229 8335
Computer Crime / Prevention: Commissariat Prevention / Victim Protection, phone +49 221 229 8655
The commissariats are available Monday to Friday from 07:30 to 16:00.
Report a crime online: Reporting the offense online.
Never make direct contact with blackmailers without coordinating with the Police.
Check your entire network for further infections on other devices or systems, if necessary with the help of external experts.
Initially, do not make any independent attempt to remove the malware. This is the only way for the police to secure evidence and begin an enquiry.
The police experts will give you further recommendations for action.
In general, in the case of a large-scale infection in your company, you should additionally involve external experts.
How to remove Ransomware
For a number of Ransomware variants, though by no means all, IT security experts have managed to develop a decryptor that will decrypt the data.
The Ransomware Gallery on botfrei.de lists the available decryptors for particular varieties of Ransomware. They include instructions on how to remove the Ransomware.
Another way of restoring your system is to restore your last backup, provided it has not also been encrypted.
Removal not possible
Many variants of Ransomware use complex encryption and are considered to be "uncrackable". Every once in a while someone does manage to develop a decryptor that works; however, this can take months or even years.
Users often only have the option of reinstalling their systems or restoring a backup.
It is still a good idea to save and keep the encrypted files before reinstalling the system. If a decryptor does become available later, then they can be decrypted.
Discovering the cause
Companies in particular should investigate the source of infection when hit by ransomware, and check internal processes and security settings. This way any weak points can be dealt with for the future.
Companies should not neglect training and awareness-raising for staff on IT security matters.
Cyber criminals often look for the weakest link in companies, which means this topic affects each and every member of staff.
Botfree.eu: Portal with a Ransomware Gallery
Botfrei-Forum: The Help Forum of the German Anti-Botnet Advisory Center
ID Ransomware: Alternative to Botfree's Ransomware Gallery
nomoreransom.org: Help page run by Europol and international anti-virus companies