How To Hunt Down and Kill Ransomware
A useful guide from Microsoft's Mark Russinovich.
Scareware, a type of malware that mimics antimalware software, has been around for a decade and shows no sign of going away. The goal of scareware is to fool a user into thinking that their computer is heavily infected with malware and that the most convenient way to clean the system is to pay for the full version of the scareware software that graciously brought the infection to their attention. I wrote about it back in 2006 in my The Antispyware Conspiracy blog post, and the fake antimalware of today doesn't look much different than it did back then, often delivered as kits that franchisees can skin with their own logos and themes. There's even one labeled Sysinternals Antivirus: http://i.imgur.com/527i1.png
A change that's been occurring in the scareware industry over the last few years is that most scareware today also classifies as ransomware. The examples in my 2006 blog post merely nagged you that your system was infected, but otherwise let you continue to use the computer. Today's scareware at the minimum prevents you from running security and diagnostic software, and often prevents you from executing any software at all. Without advanced malware cleaning skills, a system infected with ransomware is usable only to give in to the blackmailer's demands to pay.
In this blog post I describe how different variants of ransomware lock the user out of their computer, how they persist across reboots, and how you can use Sysinternals Autoruns to hunt down and kill most current ransomware variants on an infected system.