1. Do not open attachments in emails from unknown senders

In most cases, ransomware that encrypts your files is distributed via email attachments. Cybercriminals aim to persuade you to open the attachment, which is why they title the emails as though they contained important information such as a court order, notice of intended prosecution, late fee notice or something similar. 

Not only .exe files can be harmful. Kaspersky Lab experts have confirmed cases of malicious .doc and .pdf files.

2. Keep your operating system, anti-virus software and other applications up-to-date

Update your anti-virus software on a regular basis. When you update the anti-virus databases, product components are also updated, while existing features are improved and new ones added. Also, install updates for your operating system, as well as for any other applications you use.

3. Regularly back up your files to the cloud or an external drive

Store your backup files somewhere other than your computer, such as on an external drive or in a cloud repository. You should also encrypt them. This way, your files will not only be safe in the case of a ransomware infection, but also if your PC itself breaks down.

4. Configure access to shared network folders

If you use shared network folders, we recommend that you create a separate network folder for each user. Only the owner of the folder should have writing permissions. This will prevent all the network folders from being encrypted if one PC gets infected.

First introduced in Vista, Microsoft Windows includes a System Protection tool on all disks that backs up files and folders while archiving or creating a system restore point. By default, it is only enabled for the system partition. We recommend you to enable System Protection for all partitions.

To reduce the risk of your data being infected by ransomware, configure the settings of the following products:

• Kaspersky Internet Security 2018
• Kaspersky Total Security 2018
• Kaspersky Anti-Virus 2018
• Kaspersky Endpoint Security 10 for Windows.

1. Disable the automatic deletion of detected malicious files

If you have an anti-virus product installed on your computer, do the following:

1. Disable the automatic deletion of detected malicious files.
2. Set the action Move to Quarantine. To do so, see the instructions for your Kaspersky Lab product:
3. • Kaspersky Internet Security 2018 / 2017 / 2016 / 2015 
     
   • Kaspersky Anti-Virus 2018 / 2017 / 2016 / 2015 
     
   • Kaspersky Total Security 2018 / 2017 / 2016 / 2015 
   • Kaspersky Endpoint Security 10 for Windows
   • Kaspersky Anti-Virus 6.0 R2 for Windows Workstations

2. Remove the virus

If you don’t already have an anti-virus product installed on your computer, run a full scan of your PC using a free tool such as Kaspersky Free or Kaspersky Rescue Disk. 

3. Send suspicious files for analysis

If you have discovered a suspicious file that might have infected your computer or encrypted your files, you can send a request to to the Virus Lab:

• Via Kaspersky VirusDesk
• Via My Kaspersky Attach the suspicious file to your request and write in the description section “possible ransomware”.
• To newvirus@kaspersky.com. Pack the file into an archive with the password “infected”, using WinRAR. When setting the password, select the checkbox Encrypt file names.

4. Create copies of the encrypted files

5. Try to restore the files

You can try to restore the files from previous versions. Follow the instructions on the Microsoft website. 

6. Use a utility to automatically decrypt files

• RectorDecryptor
• XoristDecryptor
• RakhniDecryptor

• APPDATA 

Windows NT/2000/XP:  

Disk:\Documents and Settings\%UserName%\Application Data\
%USERPROFILE%\Local Settings\Application Data

Windows Vista/7/8:

Disk:\Users\%UserName%\AppData\Roaming\
%USERPROFILE%\AppData\Local 

• TEMP (temporary catalog) 

%TEMP%\???????.tmp\      (example: temp\vum35a5.tmp)
%TEMP%\???????.tmp\??\   (example: temp\7ze5418.tmp\mp)
%TEMP%\???????\          (example: temp\pcrdd27)
%WINDIR%\Temp  
 

• Internet Explorer temporary files folder 

Windows NT/2000/XP: %USERPROFILE%\Local Settings\Temporary Internet Files\ 

Windows Vista/7/8:

%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\ 
..\temporary internet files\content.ie5\ 
..\temporary internet files\content.ie5\????????\ (? -- a-z, 0-9)       

• Desktop 

%UserProfile%\Desktop\

• Recycle bin 

Disk:\Recycler\             
Disk:\$Recycle.Bin\  
Disk:\$Recycle.Bin\s-1-5-21-??????????-??????????-??????????-1000   (? -- 0-9)   
 

• System directory

%WinDir%                                                      
%SystemRoot%\system32\

• User's document folder 

%USERPROFILE%\My Documents\
%USERPROFILE%\My Documents\Downloads

• Browser download folder 

%USERPROFILE%\Downloads  

• Startup folder 

%USERPROFILE%\Start Menu\Programs\Startup