Ransomware and encryption Trojans infect computers and smartphones and encrypt all data. They also spread to external hard drives and further devices in the network and also target possible backups. The decryption of the data is only possible with special software which you will receive after payment of a ransom to the cyber criminals.

Stay calm

A Ransomware encrypts all data on your computer bit by bit. If you notice that such a process has started, immediately disconnect the network/Wi-Fi connection and remove external hard drives and USB sticks. In this way you can potentially still prevent the malware from being distributed to further devices. 

Some Ransomware also threaten to publish your personal data, like photos or videos in the Internet, if a payment deadline is missed. However, so far, no case has become known in which such data is actually published. 

Other Ransomware simulate a police or federal police message stating in which illegal content such as child sexual abuse material has allegedly been found on your device. This does not apply either. The messages from the cyber criminals simply serve to make you pay the ransom.

Never pay a ransom!

Under no circumstances should you pay a ransom to cyber criminals. This is a general recommendation from law enforcement agencies like the Federal Police, but also from all IT security experts. 
Companies should always report cases of Ransomware infection to the police, as this is a criminal act in the sense of §253 StGB, German Criminal Code. 

Should you be blackmailed as a company:

Landeskriminalamt NRW
The NRW Landeskriminalamt’s Single Point of Contact for Cybercrime is available around the clock: 
Single Point of Contact 
Email: cybercrime.lka@polizei.nrw.de 
Telephone: +49 211 939-4040 

Cologne Public Prosecutor’s Office:
ZAC NRW, which is headed by Senior Public Prosecutor Markus Hartmann, also investigates itself and performs some special functions within the judiciary in North Rhine-Westphalia 
Email: zac@sta-koeln.nrw.de 
Telephone: +49 221 477 4922 (24/7-Hotline for enterprises and critical infrastructures).  

Should you be blackmailed as a private individual:
Competent specialized commissariats for Cologne: 
Computerkriminalität: Kriminalkommissariat 35, Telephone + 49 221 229 8355 
Allgemeiner Computerbetrug: Kriminalkommissariat 33, Telephone +49 221 229 8335 
Computerkriminalität Prävention: Kriminalkommissariat Prävention/Opferschutz, Telephone +49 221 229 8655, 
Email: poststelle.koeln@polizei.nrw.de  
The services are available weekdays between 07:30 – 16:00. 
Alternatively, you can file an criminal complaint online with the police. 

Never make direct contact with blackmailers without coordinating with the Landeskriminalamt.

How to remove Ransomware

There are a number of Ransomware for which IT security experts have managed to develop a decryptor which will decrypt the data, but by no means for all. 

The Ransomware Gallery on botfrei.de lists the available decryptors for particular varieties of Ransomware. They include instructions on how to remove the Ransomware. They include instructions on how to remove the Ransomware. 

Another way of restoring your system is to restore your last  backup – if this has not also been encrypted.

Removal not possible

Many variants of Ransomware use complex encryptions and are considered to be “uncrackable”. Every once in a while someone does manage to develop a decryptor that works. However, this can take months or even years. 

Users often only have the option of reinstalling their systems or restoring a back-up. 
It is still a good idea to save and keep the encrypted files before reinstalling the system. If a decryptor does become available later, then they can be decrypted.