Know more about ransom note detection and prevention

Updated: 25 Apr 2016

Product/Version:

    • OfficeScan 10.6
    • OfficeScan 11.0
    • Worry-Free Business Security Standard/Advanced 7.0
    • Worry-Free Business Security Standard/Advanced 8.0
    • Worry-Free Business Security Standard/Advanced 9.0

Platform: N/A

Summary

Crypto-ransomware is malware that encrypts important files and holds them hostage until the user pays a particular amount or abides by specific instructions. The message that contains instructions on how to pay for or recover the encrypted files is called a ransom note. The ransom note is usually in the form of a .txt, .html, or .png file.

The presence of a ransom note on a machine or a network share is an indicator that files there have been encrypted by crypto-ransomware. Thus, a ransom note can be used as an Indicator of Compromise (IOC).
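
To use a detected note as an IOC for scoping, the following added example (not Trend Micro code) sweeps a directory tree for .txt, .html, or .png files whose name recurs across several folders and reports which folders hold them. The recurrence heuristic, the `min_dirs` threshold, the function names, and the sample file names are assumptions made for illustration.

```python
import os
import tempfile
from collections import defaultdict

# Extensions the article lists for ransom notes.
NOTE_EXTENSIONS = {".txt", ".html", ".png"}


def find_note_candidates(root, min_dirs=3):
    """Map file name -> sorted folders, for names seen in >= min_dirs folders.

    Assumption (not from the article): a note is dropped under one name
    in every folder the malware touched, so repetition marks a candidate.
    """
    seen = defaultdict(set)
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if os.path.splitext(name)[1].lower() in NOTE_EXTENSIONS:
                seen[name.lower()].add(dirpath)
    return {n: sorted(d) for n, d in seen.items() if len(d) >= min_dirs}


def build_sample_tree(root):
    """Constructed sample share: three folders hold the same note name."""
    layout = {
        "finance": ["RECOVER_FILES_EXAMPLE.txt", "budget.xlsx.locked"],
        "hr": ["RECOVER_FILES_EXAMPLE.txt", "notes.txt"],
        "it/scripts": ["RECOVER_FILES_EXAMPLE.txt", "readme.txt"],
        "public": ["readme.txt", "logo.png"],
    }
    for folder, files in layout.items():
        path = os.path.join(root, *folder.split("/"))
        os.makedirs(path)
        for name in files:
            with open(os.path.join(path, name), "w") as fh:
                fh.write("constructed sample\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as share:
        build_sample_tree(share)
        for name, dirs in find_note_candidates(share).items():
            print(f"{name}: present in {len(dirs)} folders")
            for d in dirs:
                print("   ", os.path.relpath(d, share))
```

The folders returned are the ones to check first for encrypted files and to include in the follow-up scan for the malware that dropped the note.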

Below are related Trend Micro detections for .txt and .html ransom note file formats:

  • TROJ_RANSOMNOTE
  • HTML_TESLANOTE
  • HTML_WALLNOTE
Details

The crypto-ransomware family has the capability to encrypt files. After executing its malicious routine, some variants have been observed to delete themselves, leaving just the ransom note on the machine.

If your Trend Micro product detected only the ransom note, make sure your pattern is updated and perform a scan to look for the actual malware that dropped the ransom note. If no malware is detected, look for possible undetected malware by running the ATTK collect tool: Using the Trend Micro Anti-Threat Toolkit to analyze malware issues and clean infections.

To know more about ransomware and the best practices to prevent this type of infection, refer to the following article: Ransomware: Trend Micro Solutions, Best Practice Configuration and Prevention.

Category: Remove a Malware / Virus

Solution Id: 1113719