Crypto-ransomware is malware that encrypts important files and holds them hostage until the user pays a particular amount or follows specific instructions. The message containing instructions on how to pay for or recover the encrypted files is called a ransom note. A ransom note is usually a .txt, .html, or .png file.
The presence of a ransom note on a machine or a network share indicates that files there have been encrypted by crypto-ransomware. A ransom note can therefore be used as an Indicator of Compromise (IOC).
Below are related Trend Micro detections for .txt and .html ransom note file formats:
Crypto-ransomware families have the capability to encrypt files. After executing their malicious routine, some variants have been observed to delete themselves, leaving only the ransom note on the machine.
If your Trend Micro product detected only the ransom note, make sure your pattern is updated and run a scan to look for the actual malware that dropped the note. If no malware is detected, look for possibly undetected malware by running the ATTK collect tool; see Using the Trend Micro Anti-Threat Toolkit to analyze malware issues and clean infections.
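As an added example (not part of this article and not a Trend Micro detection pattern), the following Python script applies the idea that a ransom note is an IOC: it walks a directory tree and flags small .txt/.html files whose name or contents look like a ransom note, so an analyst can locate the directories that hold encrypted files before hunting for the dropper. The phrase list, filename hints, size limit, scoring threshold and the sample files it creates are all constructed assumptions, not values taken from any product; tune them for your environment.

```python
"""Hunt for candidate crypto-ransomware ransom notes in a directory tree.

Added example: heuristics below are assumptions, not a vendor pattern.
"""
import os
import re
import tempfile
from pathlib import Path

# Extensions the article names for ransom notes (.htm added as an assumption).
# .png notes are image-only, so they are judged by file name alone.
NOTE_EXTENSIONS = {".txt", ".html", ".htm", ".png"}

# Constructed phrases commonly seen in ransom notes (assumption, extend as needed).
NOTE_PHRASES = [
    r"your files (have been|are) encrypted",
    r"decrypt",
    r"bitcoin",
    r"private key",
    r"pay(ment)?",
    r"ransom",
]
PHRASE_RE = re.compile("|".join(NOTE_PHRASES), re.IGNORECASE)

# Constructed filename fragments often used for notes (assumption).
NAME_HINTS = ("readme", "recover", "decrypt", "how_to", "help", "restore")

# Ransom notes are small; skip large documents to limit false positives and I/O.
MAX_NOTE_SIZE = 64 * 1024


def _decode(raw: bytes) -> str:
    """Decode note text; Windows droppers often write UTF-16, which shows up as NUL bytes."""
    if b"\x00" in raw:
        return raw.decode("utf-16", errors="ignore")
    return raw.decode("utf-8", errors="ignore")


def score_file(path) -> int:
    """Return a heuristic score for one file: higher means more ransom-note-like."""
    path = Path(path)
    if path.suffix.lower() not in NOTE_EXTENSIONS:
        return 0
    score = 1 if any(h in path.stem.lower() for h in NAME_HINTS) else 0
    if path.suffix.lower() == ".png":
        return score  # image content is not inspected here
    try:
        if path.stat().st_size > MAX_NOTE_SIZE:
            return 0
        text = _decode(path.read_bytes())
    except OSError:
        return 0
    # Count distinct phrases, not repeats, so a long note cannot inflate its score.
    hits = {m.group(0).lower() for m in PHRASE_RE.finditer(text)}
    return score + len(hits)


def find_ransom_notes(root, threshold: int = 2) -> dict:
    """Walk root; return {directory: [note paths]} for files scoring >= threshold.

    The directories returned are where the encrypted files most likely sit,
    which is the starting point for the follow-up malware scan.
    """
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if score_file(p) >= threshold:
                found.setdefault(dirpath, []).append(str(p))
    return found


def build_sample_tree() -> str:
    """Create a constructed sample tree: two ransom notes plus benign files."""
    root = tempfile.mkdtemp(prefix="note_hunt_")
    docs = Path(root) / "Documents"
    docs.mkdir()
    (docs / "README_DECRYPT.txt").write_text(
        "ALL YOUR FILES HAVE BEEN ENCRYPTED.\n"
        "To get the private key, pay 1 bitcoin to the address below.\n"
    )
    (docs / "notes.txt").write_text("Grocery list: milk, eggs\n")
    (docs / "report.html").write_text("<html><body>Quarterly report</body></html>")
    (docs / "budget.xlsx.locked").write_bytes(b"\x00" * 16)  # encrypted file, not a note
    pics = Path(root) / "Pictures"
    pics.mkdir()
    (pics / "HOW_TO_RESTORE.html").write_bytes(
        "<p>Your files are encrypted. Send payment to recover them.</p>".encode("utf-16")
    )
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for directory, notes in find_ransom_notes(sample_root).items():
        print(f"{directory}: {', '.join(os.path.basename(n) for n in notes)}")
```

The score threshold of 2 means a file needs either two distinct ransom phrases, or one phrase plus a suspicious name, before it is reported; that keeps ordinary documents mentioning "payment" from being flagged. Directories returned by find_ransom_notes are the places to inspect for encrypted files and to target with the follow-up scan for the dropper.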
To learn more about ransomware and the best practices for preventing this type of infection, refer to the following article: Ransomware: Trend Micro Solutions, Best Practice Configuration and Prevention.