Ransomware

Ransomware is a malicious software that cyber criminals used to lock the files stored on the infected computer devices. These locked files are like hostage and the victims are required to follow the instructions of this malicious software and pay a ransom to unlock them.

Causes of Infection and Impact

Causes of Infection

Open suspicious emails, or attachments and hyperlinks inside

Visit websites embedded with malicious programs

Download and install software or mobile apps that are embedded with ransomware

Impact

Files inside the computing device and other connected storage devices are locked. These data would be lost unless timely backup is available.

Preventive Measures

Perform regular backups on important data and keep the backup copies disconnected from the computer

Install the latest patches for operating systems and software in use

Apply to all systems and services

Keep your anti-malware program and signatures up-to-date

Enable protection

Schedule a regular full scan to detect and guard against malware attacks

Disable or restrict all unnecessary services and functions such as Remote Desktop Service (RDP) in computer systems

Disable all unnecessary ports such as SMB ports (TCP ports 139 and 445) from Internet access

Disable macros for Microsoft Word, Excel and other office applications by default

Do not open any suspicious emails or instant messages, as well as the attachments and hyperlinks inside

Refrain from visiting suspicious websites or downloading any files from them

Install software and mobile apps from trusted sources, do not install those apps if suspicious permission rights are required

For business operations with a higher risk of exposure to malware infection such as customer enquiry emails handling, a dedicated computer with no network drives and restricted network connectivity to internal network should be used to minimise the impact of infection and the handling staff should keep alert of possible infection

Anti-malware security software

What Should I Do if Infected?

Disconnect the network cable of the computer to avoid affecting network drives and other computers

Power off the computer to stop the ransomware from encrypting more files

Jot down what have been accessed (such as programs, files, emails and websites) before discovering the issue

Report to the Hong Kong Police Force for technology crime

Recover the data from backup to a clean computing device

Reference Tools on Decryption

You may check if there is any reference tools to recover the encrypted files. Apart from the below reference tools, you could also visit the “The No More Ransom Project” and ID Ransomware(a free website that helps victims identify what ransomware may have encrypted their files) websites to check whether there is a solution available for the infected files.

Avast Free Ransomware Decryption Tools

AVG Free Ransomware Decryption

Cisco Talos TeslaCrypt Decryption Tool

Emsisoft Decrypter

Kaspersky Decryptor

Mcfee Anti-Malware Tools

Trend Micro Ransomware File Decryptor

Infographics

Extended Readings and Other Resources

Cyber Security Information Portal - Learning Centre, Beware of Malware Infection

Cyber Security Information Portal - Precious Photos Encrypted by an Email? (Chinese Version Only)

Cyber Security Information Portal - Safety Centre, Secure My Mobile Device and Computer

Fight Ransomware Campaign website

Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT) - Security Blog, Beware of Crypto Ransomware

Hong Kong Police Force - Cyber Security Campaign

Hong Kong Police Force - Ransomware Attack

InfoSec website - Common best practices to protect computers from malware infection

InfoSec website - Types of Malware and Protective Measures

SingCERT - Ransomware

“The No More Ransom Project”

US-CERT - Alert (TA16-091A) Ransomware and Recent Variants

Disclaimer: Users are also recommended to observe the disclaimer of this website and read the user agreements and privacy policies of the security software and tools before download and use them.