Ransomware: protect yourself or pay

Cyren offers ransomware protection from cyber attacks through powerful cloud-based email security services.

What is ransomware?

Ransomware is a cyber attack that encrypts your files until you pay.


Ransomware such as CryptoLocker, CryptoWall, and Locky targets your business with cyber attacks that leverage both email and the web to fool your employees and penetrate your defenses.


These attacks encrypt all the files on a victim's computer and connected network drives.


Once infected, you can either pay the ransom to regain access to your files, or give up all your precious data.

Stay up to date with the latest in cybersecurity from Cyren

Understand the impact of ransomware on a business in this in-depth report, which also include a detailed look at the notorious Locky virus, as well as ransomware-as-a-service trends.

Download report

Learn how ransomware is using email and the web to fool employees and penetrate systems. Understand how attacks happen and what you can do to protect your business.

Watch webinar

Understand the impact of fileless ransomware has on businesses, as Arna Magnusardottir, Senior Malware Researcher at Cyren, explores the topic and strategies for defense for IT and security managers.

Watch webinar

How does ransomware work?

Malware delivery

You download malware from a spam email or a malicious URL.

Ransomware download

The malware downloads a ransomware executable to your computer.


The ransomware encrypts your files.

Ransom notice

You are given a ransomware notice with a deadline.


You are required to pay with Bitcoin.


The attacker provides a decryption key.

Ransomware can encrypt your files in less than 60 seconds. Decrypting the files without the key is virtually impossible.

The evolving ransomware threat

New families and variants of ransomware are emerging all the time.

Evolving ransomware threat inforgraphic 2012-2013 Evolving ransomware threat inforgraphic 2014-2015 Evolving ransomware threat inforgraphic 2016

How can you prepare for ransomware? Get insights from Cyren's cyber threat report.

What does ransomware look like?

An example of Locky ransomware


Locky Email Sample email from invoice-themed Locky ransomware campaign. The goal is to get the victim to download and open the attachment.


Locky Ransom Message Once executed, Locky encrypts the files on the victim's computer, renaming them with the extension ".locky". It then changes the victim's Windows wallpaper, posting a ransom note with instructions to pay and decrypt the victim's files.

Ransomware case study: Hollywood Presbyterian Medical Center

Hollywood Presbyterian Medical Center (HPMC) is a general medical and surgical hospital in Los Angeles. On February 5, 2016, the hospital was hit by a Locky ransomware attack that locked access to certain computer systems and patient files. Although patient care was not compromised, patients were diverted to other hospitals and the hospital's network was down for over a week. Ultimately, the hospital paid 40 Bitcoin (about $17,000) to get the decryption keys and regain access to their files.

Hollywood Presbyterian Medical Center exterior

Ransomware case study: The cost of CryptoLocker ransomware

Here's what happened at one company when it was hit with a CryptoLocker attack.


  • 1,487 CryptoLocker attack emails received
  • 125 CryptoLocker emails evade security, received by employees
  • 10 Employees open email and download CryptoLocker


  • 10 Employee accounts locked, computers re-imaged
  • 7,446 Files restored from backup
  • 22 IT staff engaged (252 hours)
  • 4 Executive briefings (50 management hours)



Nine tips to avoid being a ransomware victim

By the time you receive an alert that a ransomware infection has occurred, it is already too late. The only way to stop a potential ransomware infection is to prevent it from ever happening in the first place.


  • #1 Email security gateway
    • Majority of cyber attacks start in email
    • Stop malware before it reaches your users
  • #2 Web security gateway
    • Stop malware downloads, malicious URLs
    • Stop C&C communications, data exfiltration
  • #3 Cloud sandboxing
    • Identify and stop never-before-seen malware
  • #4 Endpoint security with active/behavioral monitoring
    • Ransomware evolves quickly
    • Augment traditional AV with next-generation detection


  • #5 Backup regularly and keep a copy off-site
    • Test that your backups can be restored
  • #6 Train your users
    • Social engineering training - don't click that suspicious link!
  • #7 Turn off network shares
    • Avoid mapping network drives with large file repositories.
  • #8 Patch early, patch often
    • Outdated operating systems, browsers, and plugins are major vectors for malware infections
  • #9 Turn off admin rights for your users
    • Some ransomware leverages admin privileges

What to do with a ransomware infection and no data backup

If your data is backed up, simply reimage your computer from your backup data. But if you don't have a backup...

Remove the ransomware

Make sure you remove the malware from your system first; otherwise, it will repeatedly lock your system or re-encrypt your files even after you've paid the ransom. Check out well-known endpoint security solutions for removal tools.

Try to decrypt

Cracking ransomware file encryption is a long shot. The most sophisticated ransomware uses state-of-the-art RSA-2048 bit keys to encrypt your files, which are virtually uncrackable. However, older ransomware variants may not have the same bulletproof protection and researches have cracked a number of these - google "ransomware decryption".

Pay the ransom

If you can't decrypt your files, the only way to get your data back is to pay the ransom. And even if you pay, there's no guarantee that you'll get your data back. Follow the directions provided by the ransom note directing you how to pay. Some hackers even provide technical support for this step.

Say goodbye to your data

If you have not been able to retrieve your data by decryption or paying the ransom, then your data is permanently gone. You should re-image your computer so that you can use it going forward.

And make sure to backup your computer regularly once you start to use it again.

See Cyren in action.

Request a demo