
Ramsey Ransomware

By GoldSparrow in Ransomware

The Ramsey Ransomware is a variant of the Jigsaw Ransomware, a well-known ransomware Trojan that is characterized by its pop culture references in its ransom notes. The Ramsey Ransomware variant is based in Turkey, uses a ransom message written in Turkish, and is associated with attacks centered on this region. However, the Internet has no borders, and it's possible for the Ramsey Ransomware infections to pop up anywhere around the world. There is little to differentiate the Ramsey Ransomware from the Jigsaw Ransomware and numerous other ransomware Trojans. The Ramsey Ransomware receives its name because the executable file with which it operates is named 'Ramsey_Ransomware.exe.'

The Ransom Message of the Ramsey Ransomware is Identical to the One Displayed by Jigsaw

The Ramsey Ransomware attack is typical of these threats: the Ramsey Ransomware encrypts the victim's files using a strong encryption method and then demands that the victim pay a ransom to recover the affected files. The Ramsey Ransomware will scan the infected computer for certain files, targeting the files generated by the user such as documents created using Microsoft Office, Adobe Photoshop, or other popular software, as well as media files such as music, videos and images. The Ramsey Ransomware will use a strong encryption algorithm to encrypt the victim's files in the background, taking somewhere between half an hour and several hours, depending on the volume of data being encrypted. After encrypting the victim's files, the Ramsey Ransomware displays a ransom message identical to the message used by the Jigsaw Ransomware Trojan. The main differences are that the Ramsey Ransomware gives the victim 72 hours to pay and the amount of the ransom demanded, which is equivalent to 88 Turkish Lira or $25 USD, to be paid in BitCoins to the con artists' BitCoin wallet.

How the Ramsey Ransomware Encrypts the Victim’s Files and Demands Its Ransom

The files encrypted by the Ramsey Ransomware attack will be renamed, with the file extension '.ram' added to the end of each file's name. Once the Ramsey Ransomware has encrypted a file, the file will no longer be recoverable. Even so, contacting the people responsible for the Ramsey Ransomware attack is not recommended. These people will seldom cooperate and, furthermore, paying the Ramsey Ransomware ransom allows the con artists to continue developing these ransomware attacks. Unfortunately, apart from encrypting the victim's files, the Ramsey Ransomware will also interfere with other recovery options. Although some ransomware variants neglect to do so, the Ramsey Ransomware does delete the Shadow Volume Copies of the encrypted data, which in some cases could be used to recover the encrypted files. The Ramsey Ransomware also disables System Restore and interferes with the victim's security software.
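For responders scoping an incident, the renaming behavior described above can be checked with a short triage script. This is an added example, not code from the original article: it lists files whose original extension is still visible under an appended '.ram' and any copy of 'Ramsey_Ransomware.exe', while keeping bare '.ram' files separate because that extension is also used by some legitimate media files. The extension list, function names and sample tree are assumptions constructed for the example.

```python
import os
import tempfile
from pathlib import Path

MARKER = ".ram"                    # extension the article says is appended
DROPPER = "ramsey_ransomware.exe"  # executable name given in the article
# Assumption: a sample of extensions for the file types the article lists
# (Office documents, Photoshop files, music, videos, images).
USER_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
             ".psd", ".jpg", ".png", ".mp3", ".mp4", ".avi"}


def triage(root):
    """Return (renamed, droppers, other_ram) as lists of paths under root."""
    renamed, droppers, other_ram = [], [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path, lower = Path(dirpath) / name, name.lower()
            if lower == DROPPER:
                droppers.append(path)
            elif lower.endswith(MARKER):
                # 'report.docx.ram' keeps the original extension underneath;
                # a bare 'stream.ram' does not and is only noted
                inner = Path(lower[:-len(MARKER)]).suffix
                (renamed if inner in USER_EXTS else other_ram).append(path)
    return sorted(renamed), sorted(droppers), sorted(other_ram)


def original_name(path):
    """File name before the marker extension was appended."""
    return Path(path).name[:-len(MARKER)]


def build_sample(root):
    """Constructed sample tree: empty files, names only."""
    for rel in ("docs/report.docx.ram", "docs/notes.txt", "pics/photo.JPG.RAM",
                "media/stream.ram", "Downloads/Ramsey_Ransomware.exe"):
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.touch()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        renamed, droppers, other_ram = triage(tmp)
        for p in renamed:
            print("renamed:", p, "-> was", original_name(p))
        print("dropper copies:", len(droppers), "| other .ram:", len(other_ram))
```

The list of original names it produces is the set of files to restore from backup.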

Protecting Your Data from Attacks Like the Ramsey Ransomware

The best way to ensure that attacks like the Ramsey Ransomware do not have a lasting effect is to have file backups. If a computer user can restore the encrypted files from the backup, then the entire attack method used by the Ramsey Ransomware and other ransomware Trojans becomes negated. In fact, if enough people had backup copies of their files on an external device or the cloud, it is reasonable to think that attacks like the Ramsey Ransomware would disappear completely since encrypting the victims' data would no longer be a viable attack strategy for threat developers.

Apart from backup copies, traditional threat prevention methods are also important when dealing with these threats. An up-to-date security program can intercept the Ramsey Ransomware infection before the victim's files are encrypted. Since the Ramsey Ransomware may be delivered using spam email messages, an anti-spam filter and learning how to handle this content safely are also important parts of protecting your data.
