Look out for ransomware

The Finnish Police, CERT-FI and F-Secure Corporation have collaborated to create this site in order to increase general awareness, provide advice about online crime and to prevent Internet crime-related damages.
Twitter icon Facebook icon

What is ransomware?

International criminal organizations have added online crimes to their means for gaining illegal financial profit. One recent method is to render a computer unusable by locking it with so-called ransomware.

Police-themed ransomware has been used in malware attacks for the past few years. Criminals employing this method send their victims messages that appeared to come from the authorities. They achieve this by using official police and/or government insignia in the messages.

Ransomware messages typically demand that the recipient pay a fine of 100–150 euros to have their computer unlocked. This method was first discovered in Western Europe, but has since spread around the globe.

File-encrypting ransomware

Recently, file-encrypting ransomware has been gaining popularity among criminals. File-encrypting ransomware works by encrypting the contents of the victim's hard drive and then demanding a ransom payment in exchange for the decryption key. However, payment of the ransom does not in any way guarantee the victim their files back and only works to further encourage the criminals and support their continued malicious activity. You should never pay criminals!

Usually a computer infected with ransomware can be cleaned of the infection, but the encrypted files can only be decrypted with the correct decryption key. Regular backups are therefore vital in defending against ransomware. In case of an infection it is recommended to report the crime to the relevant authorities, clean the infection from the system and restore the affected data from your backups.


One of the most prevalent ransomware families right now is CryptoWall. CryptoWall continues to be actively spread both through spam email and malicious web pages. It uses the popular RSA algorithm for encrypting a victim's files. There is currently no known way to decrypt files encrypted by CryptoWall without access to the actual decryption key.



TorrentLocker is another family of ransomware that has recently been in active use. What makes TorrentLocker somewhat special is that its authors failed to properly implement the file-encrypting functionality and therefore researchers from Finnish information security company Nixu Oy were able to crack the encryption. Files encrypted by TorrentLocker can therefore sometimes be fully decrypted.


Examples of ransomware

What can I do?

The authorities do not lock computers, nor do they demand fines or other payments via online payment services. If the payment is made, the criminal will receive the money, but the computer will remain locked. Ransomware can be removed from a computer, but it requires some skill. Here is a link to updated removal instructions by F-Secure.

If you cannot follow the instructions, please contact a professional for assistance.