Ransomware (also called encryption Trojans) infects computers and smartphones and encrypts all data. It also spreads to external hard drives and to other devices on the network, and it also targets any backups it can reach. According to the criminals, the data can only be decrypted with special software which you will receive after paying them a ransom.
Stay calm
Ransomware encrypts all data on your computer bit by bit. If you notice that such a process has started, immediately disconnect the network/Wi-Fi connection and remove external hard drives and USB sticks. In this way you can potentially still prevent the malware from spreading to further devices.
Some ransomware also threatens to publish your personal data, such as photos or videos, on the Internet if a payment deadline is missed. However, so far, no case has become known in which such data was actually published.
Other ransomware simulates a message from the police or federal police stating that illegal content such as child sexual abuse material has allegedly been found on your device. This is not true either. The messages from the cyber criminals simply serve to make you pay the ransom.
Never pay a ransom!
Under no circumstances should you pay a ransom to cyber criminals. This is a general recommendation from law enforcement agencies like the Federal Police, but also from all IT security experts.
Companies should always report cases of ransomware infection to the police, as this is a criminal offence under §253 StGB (German Criminal Code, extortion).
Should you be blackmailed as a company:
Landeskriminalamt NRW
The NRW Landeskriminalamt’s Single Point of Contact for Cybercrime is available around the clock:
Single Point of Contact
Email: cybercrime.lka@polizei.nrw.de
Telephone: +49 211 939-4040
Cologne Public Prosecutor’s Office:
ZAC NRW, which is headed by Senior Public Prosecutor Markus Hartmann, also conducts its own investigations and performs some special functions within the judiciary in North Rhine-Westphalia.
Email: zac@sta-koeln.nrw.de
Telephone: +49 221 477 4922 (24/7-Hotline for enterprises and critical infrastructures).
Should you be blackmailed as a private individual:
Responsible specialist units (Kriminalkommissariate) for Cologne:
Computerkriminalität: Kriminalkommissariat 35, Telephone +49 221 229 8355
Allgemeiner Computerbetrug: Kriminalkommissariat 33, Telephone +49 221 229 8335
Computerkriminalität Prävention: Kriminalkommissariat Prävention/Opferschutz, Telephone +49 221 229 8655,
Email: poststelle.koeln@polizei.nrw.de
The services are available on weekdays between 07:30 and 16:00.
Alternatively, you can file a criminal complaint online with the police.
Never make direct contact with blackmailers without coordinating with the Landeskriminalamt.
Ascertain damage
Check your entire network for further infections on other devices or systems, if necessary with the help of external experts.
Initially, do not make any independent attempt to remove the malware. Only in this way can the police secure evidence and initiate investigations.
The police experts will give you further recommendations for action.
In general, in the case of a large-scale infection in your company, you should additionally involve external experts.
How to remove Ransomware
There are a number of ransomware variants for which IT security experts have managed to develop a decryptor that recovers the data, but by no means for all of them.
The Ransomware Gallery on botfrei.de lists the available decryptors for particular ransomware variants, together with instructions on how to remove the ransomware.
Another way of restoring your system is to restore your last backup – if this has not also been encrypted.
Removal not possible
Many ransomware variants use strong encryption and are considered “uncrackable”. Every once in a while someone does manage to develop a working decryptor, but this can take months or even years.
Users often only have the option of reinstalling their systems or restoring a backup.
It is still a good idea to save and keep the encrypted files before reinstalling the system. If a decryptor does become available later, then they can be decrypted.
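As an added example (not part of the original page), a small Python script that copies the encrypted files into a preservation folder, keeping their relative paths and timestamps, and writes a SHA-256 manifest so the copies can be verified when a decryptor becomes available; the `.locked` suffix is a constructed placeholder for whatever extension the ransomware actually used.

```python
"""Preserve encrypted files plus a hash manifest before a system is reinstalled."""
import hashlib
import json
import shutil
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large encrypted files do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def preserve_encrypted(source: Path, dest: Path, suffixes: tuple) -> list:
    """Copy every file under `source` whose name ends in one of `suffixes` into `dest`.

    The originals are only read, never modified or deleted, so the infected system
    stays intact as evidence. Each copy is re-hashed after writing and the entry is
    recorded in dest/manifest.json (original path, size, mtime, sha256).
    """
    entries = []
    for path in sorted(source.rglob("*")):
        if not path.is_file() or not path.name.endswith(suffixes):
            continue
        target = dest / path.relative_to(source)
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, target)  # copy2 keeps the original timestamps
        digest = sha256_of(path)
        if sha256_of(target) != digest:
            raise RuntimeError(f"copy of {path} does not match its source hash")
        stat = path.stat()
        entries.append({
            "original_path": str(path),
            "size": stat.st_size,
            "mtime": int(stat.st_mtime),
            "sha256": digest,
        })
    dest.mkdir(parents=True, exist_ok=True)
    (dest / "manifest.json").write_text(json.dumps(entries, indent=2))
    return entries


if __name__ == "__main__":
    # Constructed placeholder paths and suffix; adjust to the affected system and extension.
    found = preserve_encrypted(Path("/home/user"), Path("/media/usb/preserved"), (".locked",))
    print(f"preserved {len(found)} encrypted files")
```

Keep the preservation folder on media that was not connected during the infection, and verify the manifest hashes again before handing the files to a decryptor.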
Discovering the cause
Companies in particular should research the source of the infection when hit by ransomware, and check their internal processes and security settings. This way any weak points can be dealt with for the future.
Companies should not neglect training and awareness-raising for staff on IT security matters.
Cyber criminals often look for the weakest link in a company, which means this topic affects each and every member of staff.
Related links
Botfree.eu: Portal with a Ransomware Gallery
Botfrei-Forum: The Help Forum of the German Anti-Botnet Advisory Center
BSI for Citizens: Information from the BSI on ransomware
Heise.de: Thematic website on Ransomware at Heise
ID Ransomware: Alternative to Botfree’s Ransomware Gallery
nomoreransom.org: Help page run by Europol and international anti-virus companies