Printer Friendly Page

Discovered: April 15, 2009
Updated: August 06, 2015 3:51:32 PM
Also Known As: Trojan:W32/Agent.AF [F-Secure]
Type: Trojan
Infection Length: Varies
Systems Affected: Windows

Trojan.Ransomlock is a detection for Trojan horse programs that lock the desktop of a compromised computer making it unusable.

The threat may arrive on the compromised computer by various means, such as visiting malicious sites, by opening untrusted links or advertisement banners, or by installing software from untrusted sources.

Various functions on the compromised computer are modified, ranging from inhibiting access to the task manager to altering the master boot record (MBR) so that the operating system cannot be executed.

These programs attempt to convince the user to pay money in order to have their computer unlocked and use a variety of different techniques in order to encourage the user to pay the ransom.


This threat is distributed through several means. Malicious websites, or legitimate websites that have been compromised, may drop the threat onto a compromised computer. This drive-by-download often happens surreptitiously. Another method used to propagate this type of malware is spam email containing infected attachments or links to malicious websites. The threat may also be downloaded manually by tricking the user into thinking they are installing a useful piece of software. Ransomware is also prevalent on peer-to-peer file sharing websites and is often packaged with pirated or illegally acquired software.

The primary objective of the threat family is to make money. These programs lock the compromised computer, preventing the user from accessing their files. Once the computer has been locked, the threat displays a notice page requesting money to be paid in order for the computer to be unlocked. The amount of money requested can vary from a few dollars to several thousand dollars. Payment is usually requested by an anonymous online payment method or by texting a premium rate phone number.

It is worth noting that if the ransom is paid, there is no guarantee that the malware authors will unlock the compromised computer.

The programs often claim to be from governmental or law enforcement agencies, and tell the user that illegal or compromising material has been found on the computer.

The Trojan may be installed manually or without the user's knowledge. Once installed, the threat may execute every time the computer is started, even in safe mode. Input devices, such as the keyboard and mouse, may be disabled to prevent interaction with the compromised computer.

The message displayed by the threat can be localized depending on the user's location, with text written in the appropriate language. Depending on the variant, the Trojan may only display a message in the language spoken by its authors, or the country that was intended as the main target of the attack.

For a concise overview explaining how these threats work along with some basic advice on how to avoid them, Symantec has produced a short video .


Symantec have observed the following geographic distribution of this threat family.

Symantec have observed the following infection levels worldwide in the past seven days.

The following Symantec detections protect against this threat family:

Antivirus (Signature)

Antivirus (Heuristic)

Browser Protection
  • Symantec Browser Protection is known to be effective at preventing some infection attempts made through the Web browser.

Intrusion Prevention System

For more information, see our blog:
The dawn of ransomwear: How ransomware could move to wearable devices

    Antivirus Protection Dates

    • Initial Rapid Release version April 15, 2009 revision 016
    • Latest Rapid Release version November 28, 2019 revision 018
    • Initial Daily Certified version April 15, 2009 revision 016
    • Latest Daily Certified version November 04, 2019 revision 065
    • Initial Weekly Certified release date April 15, 2009

    Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.

    Technical Description

    1. Prevention and Avoidance
    1.1 User Behavior and Precautions
    1.2 Patch Operating System and Software
    2. Infection Method
    3. Variants
    3.1 Police Ransomware
    3.2 Software Warning
    3.3 Pornographic Material
    4. Functionality
    4.1 Lock Screen
    4.2 Disabling Input Devices
    4.3 Encryption
    4.4 Extortion Methods
    4.5 Mistakes
    4.6 Payment
    4.7 Network Activity
    5. Additional Information
    5.1 Evolving Business
    5.2 Crimeware Kits
    5.3 Resources

    The following actions can be taken to avoid or minimize the risk from this threat.

    1.1 User behavior and precautions
    Only visit and download software from trusted websites.

    Regularly back up the data stored on you computer. If you become infected with a version of Ransomware, you will still have access to your personal files.

    Do not click on any links or banners if you are not completely sure that they are from a trusted source. This threat is often spread by malicious links in emails, as well as advertisement banners on websites. What can look like a harmless advertisement or link can actually lead to a website where malicious software is downloaded. Hovering over a link with the mouse pointer will normally show where the link leads to. Users can also check online Web site rating services such as to see if the site is deemed safe to visit.

    Never install programs on your computer if you do not know where they come from. Be suspicious of websites that ask you to install or update software, drivers or codecs. While the website's request might be legitimate, there is no harm in doing a quick Internet search to find out if your software is really out of date. It is common, and easy, for malware authors to fake images and logos from well-known companies.

    Do not pay any money. Even if the ransom is paid, there are no guarantees the criminals behind the malware will unlock the compromised computer.

    If you are a victim of Ransomware, report it immediately to your local police and the payment processor involved. Law enforcement agencies throughout the EU and around the world work together to disrupt the activities of identity fraudsters and bring scammers to justice. The more information you give to the authorities, the more effectively they can target the most dangerous criminal organizations.

    1.2 Patch operating system and software
    Ransomware is often installed through drive-by-downloads to websites hosting exploit kits. To avoid this, users are advised to ensure that their operation systems and any installed software are fully patched, antivirus and firewall software are up to date and operational. Users are recommended to turn on automatic updates if available so that their computers can receive the latest patches and updates when they are made available.

    This threat is distributed through several means. Malicious websites, or legitimate websites that have been compromised, may drop the threat onto a compromised computer. This drive-by-download often happens surreptitiously and is commonly associated with pornographic sites. Another method used to propagate this type of malware is spam email containing infected attachments or links to malicious websites. The threat may also be downloaded manually by tricking the user into thinking they are installing a useful piece of software. Ransomware is also prevalent on peer-to-peer file sharing websites and is often packaged with pirated or illegally acquired software.

    There are several common techniques utilized by criminals to force users into paying a ransom to have their computer unlocked. We will look at these different social engineering methods in more detail.

    3.1 Police Ransomware
    There are several forms of this threat, each using different techniques in order to succeed in claiming the demanded fee. One of the most common techniques used involves the computer displaying a screen masquerading as an official notice from the police or a government agency. This technique, known as Police Ransomware, states that illicit material has been discovered on the compromised computer and a fine must be paid in order to have it unlocked.

    3.2 Software warning
    Another technique used by Ransomware displays a notice claiming to be a warning from a legitimate software company. The message warns that the user's license is not valid and that in order to unlock the computer a new license must be paid for. The criminals behind these threats keep them updated with the current trends. The German lock screen for Trojan.Ransomlock.V fraudulently claims to be a Microsoft warning stating that the Windows license on the compromised computer has expired and that a new one can be purchased for €50, or if preferred, an upgrade to Windows 8 for €100.

    3.3 Pornographic material
    Yet another one of the methods used to coerce users into paying the ransom tries to scare or embarrass the user by stating that pornographic material or illegal/unlicensed software is present on the computer and that if a fee is not paid the material will be reported to the authorities. The difference between this method and Police Ransomware is that pornographic images may also be displayed on screen, as with Trojan.Randsom.A , in the hope that the user will be too embarrassed to seek help from a computer specialist or report to the authorities and will pay the ransom.


    4.1 Lock screen
    The Ransomlock family of threats attempt to restrict access to a compromised computer. A lock screen is then displayed demanding a monetary fee, or ransom, in order to have access restored. The lock screen or message can be displayed in several ways. One method is for the Trojan to download a country specific image, relevant to the location of the computer. The screen is tailored to the user's geographical location. Using the compromised computer's IP address, the threat retrieves a localized image to be displayed. A lock screen with the country specific police force logo is displayed as well as a message in the appropriate language.

    Another method is for the threat to change the desktop image, and another is for the Trojan to display a persistent inline advertisement on every Web page the user visits.

    4.2 Disabling input devices
    Some variants, such as Trojan.Ransomlock.D and Trojan.Ransomlock.F , lock the compromised computer and then disables the keyboard and mouse. The keyboard's number pad remains functioning in order for the unlock code to be entered.

    4.3 Encryption
    The Ransomlock family of threats belong to the wider category of Ransomware. This type of malware ranges in severity from malicious programs that lie about taking the user's files hostage, in the hope that they will pay a small fee, to programs that encrypt the user's files using military grade encryption and ask for thousands of dollars in order to decrypt them. Earlier examples of Ransomware used symmetric encryption, storing the encryption key within the malware code itself. Modern encrypting Ransomware has become more advanced in its methods and uses asymmetric 1024 bit encryption, which is virtually impossible to break.

    4.4 Social engineering methods
    The message used by Ransomware may state that the computer has been used to access websites that contain illicit content, such as pornography, and a fine must be paid to have the computer unlocked. In some instances, a time limit is given for the user to pay the ransom. If the payment is not made within that time the message may state that the user will be arrested or that legal proceedings will be initiated, or that the evidence will be passed on to the authorities.

    The message will typically include the following elements:

    • Citation of various laws
    • A statement of what the user is accused of having done
    • What has happened to the user's computer
    • The amount of the fine/ransom
    • A time limit for payment and the consequences if this is not met
    • Details on how to pay

    These elements combine to present a strong call to action to the user.

    Display of embarrassing content
    Another method used to coerce the user into paying the ransom is to display pornographic images on the compromised computer's screen. This is in the hope that the user will be too embarrassed to approach anyone for help and will pay the ransom in order to unlock the computer and have the graphic images removed.

    Audio output

    Other variations, such as Trojan.Ransomlock.Y , download an MP3 file that is played continuously, audibly warning the user that their computer has been locked.

    Image capture

    Ransomware threats, like Trojan.Ransomlock.G for example, sometimes use the webcam of the compromised computer to take still images of the user. These images are displayed alongside the ransom message and are used as another means of coercion by threatening their use as evidence in the impeding, and fictional, court case against the user if they decide not to pay the fee.

    4.5 Implementation errors

    A close look at the details of the lock screens can sometimes reveal inconsistencies such as the Irish lock screen for Trojan.Ransomlock.Q , which displays a message in Irish Gaelic, historically the national language but now only spoken by a very small percentage of the population.

    4.6 Payment

    Payment is requested by online electronic cash payment systems. These legitimate companies offer a method to pay for online transactions without using a credit card or providing any personal details. A payment voucher is purchased for cash. The voucher has a number printed on it and this number is then given to a vendor (or malware author in this case) for goods or services. Once the number is received it can be exchanged for cash. This is ideal for the criminals behind Ransomware as it is difficult for the transaction to be traced back to them. A less common form of payment is by the user sending a premium rate text messages containing a code given to them. Another code is then apparently returned to the user, enabling the compromised computer to be unlocked.

    4.7 Network Activity
    The Trojan may attempt to contact the following URL to determine the geographical location of the computer:

    The threat may perform the following network activities.

    The threat may download other malware in order to steal information from the compromised computer.

    The Trojan may also connect to one of the following URLs to retrieve the image used for the lock screen/ransom message:
    • [http://][RANDOM]/pictu[REMOVED]
    • [http://][REMOVED]
    • [http://][REMOVED]

    The Trojan may attempt to connect to one of the following remote locations in order to download commands from a malicious server:
    • [http://][REMOVED]
    • [http://][REMOVED]
    • [http://][REMOVED]

    It may also steal information from the computer and upload it to the following remote locations:
    • [http://]
    • [http://]
    • [http://]
    • [http://]
    • [http://]


    5.1 Evolving business

    Fake antivirus (FakeAV ) is malware that intentionally misrepresents the security status of a computer and then attempts to convince the user to purchase software in order to remove non-existent malware or security risks from the computer. This type of malware was very profitable for the groups of criminals operating the scams. FakeAV has been circulating for several years and has become less effective due to people becoming aware of it. Law enforcement agencies have cracked down on the FakeAV industry and this has made it difficult for the criminals to continue to make the same kind of profit as before. This is a possible reason for the increase and global spread of Ransomware. The criminals has shifted their business towards this new type of malware scam.

    Compared to FakeAV, Ransomware is more direct and with a strong call to action to solicit a response from the user. Whereas a warning about fake viruses infecting a computer can be ignored, a locked computer is more difficult to put to one side.

    5.2 Crimeware kits
    Ransomware is now a truly international problem. This type of malware is used for large money making businesses. It is relatively easy for criminals to begin using Ransomware by purchasing Crimeware kits. These kits are bundled software packages that are sold on underground online forums and include everything needed to create and administer a specific type of malware. Ransomware crimeware kits are available and contribute to the continued spread of this type of malware. The kits advertise their features and even offer technical support.

    5.3 Resources
    For more information relating to this threat family, please see the following resources:


    Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

    • Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.
    • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
    • Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
    • Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.
    • Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.
    • Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack. If they are removed, threats have less avenues of attack.
    • If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
    • Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
    • Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
    • Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
    • Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
    • If Bluetooth is not required for mobile devices, it should be turned off. If you require its use, ensure that the device's visibility is set to "Hidden" so that it cannot be scanned by other Bluetooth devices. If device pairing must be used, ensure that all devices are set to "Unauthorized", requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources.
    • For further information on the terms used in this document, please refer to the Security Response glossary.


    Before proceeding further, we advise that you run a full system scan on the compromised computer with the latest antivirus definitions (perform a LiveUpdate). If that does not resolve the problem or your computer is completely inaccessible as a result of ransomware, we suggest that you try the options available below.

    If you are a Norton product user, we recommend that you try the following resources to completely remove deeply embedded or difficult to remove ransomware.

    Part 1: Create and reboot the computer using a Norton Bootable Recovery Tool (NBRT) disk
    Norton Bootable Recovery Tool will allow you to boot into a completely isolated environment from your Windows operating system and carry out advanced removal scans to remediate your computer. If your computer is completely inaccessible as a result of ransomware, the first and second steps (NBRT disk creation) can be carried out from a separate computer.


    1. Download the Norton Bootable Recovery Tool installation wizard online at and follow the download and installation instructions on the website.

    2. Once installed and the Norton Bootable Recovery Tool wizard starts, you will be presented with a number of options for how to create a customized NBRT tool. We recommend that you select Create on CD/DVD media and proceed with creating an NBRT bootable CD.

      Figure 1. Norton Bootable Recovery Tool installation wizard

    3. After your NBRT CD/DVD creation is complete, remove it from the computer (if a separate computer is used to create the disk) and insert it into the computer compromised by ransomware. Restart the computer and boot from the disk.
      Note: You may need to enable the CDROM as bootable in your system BIOS settings.

    4. The NBRT disk will load a separate environment isolated from your compromised Windows computer. Once loading has completed, it will ask for a Norton product key. Insert the product key and select Norton Advanced Recovery Scan.

      Figure 2.
      Norton Bootable Recovery Tool menu

    5. Click Start Scan and an advanced recovery scan will begin.
      Note: All session scan information will be saved to your computer’s hard drive if you need to undo any scan operations.

    6. Once the scan is completed, check to see if any ransomware is detected. Click Continue to fix all security threats that are detected.

    After the scan, the status of all security threats should be Resolved . If status is Repair Failed or the scan does not detect any ransomware infections, then proceed to Part 2. If status is Resolved , then proceed to Part 3.

    Part 2: Force reboot into Norton Power Eraser using Norton Bootable Recovery Tool disk
    Please ensure you have followed the preceding steps in Part 1 before proceeding.

    1. Once again, boot into Norton Bootable Recovery Tool and enter your product key.

    2. Select Norton Power Eraser Recovery Scan from the Norton Bootable Recovery Tool menu.
      Note: If Norton Power Eraser Recovery Scan is not selectable from the main menu, this may be a result of your computer’s network card driver.

    3. Once initialized, Norton Power Eraser will download the latest version of the removal tool along with the latest antivirus definitions. After Norton Power Eraser has initialized, click Scan for Risks.

    4. Choose the appropriate operating system to scan from the list and then the Norton Power Eraser scan will begin.

    5. After the scan completes, click Fix to repair all the detected issues.

    6. Exit the tool and boot into the Windows operating system.
    If your system is still locked or the repair fails, please contact Norton Support for further assistance.

    Part 3: Scan using installed product post remediation
    At this stage, it is important to carry out a full system scan using the latest antivirus definitions to ensure that no threat artifacts remain on the computer and that the computer is fully cleaned.

    1. Start your Windows operating system as normal.

    2. Go to the Norton product installed on the computer and perform a LiveUpdate to ensure that your computer is protected against the latest variants of the ransomware.

    3. Perform a full system scan on your computer.

    Writeup By: John-Paul Power