1. Symantec/
  2. Security Response/
  3. Trojan.Ransomlock


Risk Level 1: Very Low

April 15, 2009
August 6, 2015 3:51:32 PM
Also Known As:
Trojan:W32/Agent.AF [F-Secure]
Infection Length:
Systems Affected:
Trojan.Ransomlock is a detection for Trojan horse programs that lock the desktop of a compromised computer making it unusable.

The threat may arrive on the compromised computer by various means, such as visiting malicious sites, by opening untrusted links or advertisement banners, or by installing software from untrusted sources.

Various functions on the compromised computer are modified, ranging from inhibiting access to the task manager to altering the master boot record (MBR) so that the operating system cannot be executed.

These programs attempt to convince the user to pay money in order to have their computer unlocked and use a variety of different techniques in order to encourage the user to pay the ransom.


This threat is distributed through several means. Malicious websites, or legitimate websites that have been compromised, may drop the threat onto a compromised computer. This drive-by-download often happens surreptitiously. Another method used to propagate this type of malware is spam email containing infected attachments or links to malicious websites. The threat may also be downloaded manually by tricking the user into thinking they are installing a useful piece of software. Ransomware is also prevalent on peer-to-peer file sharing websites and is often packaged with pirated or illegally acquired software.

The primary objective of the threat family is to make money. These programs lock the compromised computer, preventing the user from accessing their files. Once the computer has been locked, the threat displays a notice page requesting money to be paid in order for the computer to be unlocked. The amount of money requested can vary from a few dollars to several thousand dollars. Payment is usually requested by an anonymous online payment method or by texting a premium rate phone number.

It is worth noting that if the ransom is paid, there is no guarantee that the malware authors will unlock the compromised computer.

The programs often claim to be from governmental or law enforcement agencies, and tell the user that illegal or compromising material has been found on the computer.

The Trojan may be installed manually or without the user's knowledge. Once installed, the threat may execute every time the computer is started, even in safe mode. Input devices, such as the keyboard and mouse, may be disabled to prevent interaction with the compromised computer.

The message displayed by the threat can be localized depending on the user's location, with text written in the appropriate language. Depending on the variant, the Trojan may only display a message in the language spoken by its authors, or the country that was intended as the main target of the attack.

For a concise overview explaining how these threats work along with some basic advice on how to avoid them, Symantec has produced a short video.


Symantec have observed the following geographic distribution of this threat family.

Symantec have observed the following infection levels worldwide in the past seven days.

The following Symantec detections protect against this threat family:

Antivirus (Signature)

Antivirus (Heuristic)

Browser Protection
  • Symantec Browser Protection is known to be effective at preventing some infection attempts made through the Web browser.

Intrusion Prevention System

For more information, see our blog:
The dawn of ransomwear: How ransomware could move to wearable devices

    Antivirus Protection Dates

    • Initial Rapid Release version April 15, 2009 revision 016
    • Latest Rapid Release version February 11, 2018 revision 021
    • Initial Daily Certified version April 15, 2009 revision 016
    • Latest Daily Certified version February 12, 2018 revision 002
    • Initial Weekly Certified release date April 15, 2009
    Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.
    Writeup By: John-Paul Power

    Search Threats

    Search by name
    Example: W32.Beagle.AG@mm
    STAR Antimalware Protection Technologies
    2016 Internet Security Threat Report, Volume 21
    • Twitter
    • Facebook
    • LinkedIn
    • Google+
    • YouTube