Data on the computer is encrypted and no longer available.
Encryption Trojans (also known as blackmail Trojans, extortion Trojans, encryption malware or ransomware) are a specific family of malware that encrypts files on a victim's computer and connected network drives, rendering them unusable by the victim. Ransomware attacks are steadily increasing. Common gateways for ransomware are poorly secured systems and emails containing attachments.
Encryption Trojans can cause considerable damage, especially if data backups are also affected. In the event of such an incident, remain calm and take a rational approach.
The main aim of a post-incident clean-up is to find the infection route in order to prevent a new infection. Reinstall the affected systems and restore data using existing backups. If the necessary expertise is not available in your company/authority, seek support from a specialised company.
Technical measures
- Disconnect all internet connections (web, email, remote access and site-to-site VPNs);
- Check any backups and protect them immediately. Backups should be physically disconnected from the infected network as quickly as possible (i.e. taken offline);
- Report the incident to the cantonal police; you can search for the nearest police station responsible for your location via the Suisse ePolice portal;
- If you do not have the necessary expertise, you should contact an external security service provider (Security Incident Response Service) who can support you in dealing with the incident and carrying out the appropriate analysis;
- The NCSC generally advises against paying a ransom. The NCSC also strongly recommends that you do not contact the perpetrator, but discuss and agree the next steps with the police.
Organisational measures
- Communication/media: Clarify the extent to which public communication makes sense. In general, the NCSC recommends that you proactively communicate about the incident in order to avoid rumours and have some control over media reporting. Information should be transparent and reflect the current state of knowledge;
- Information leaks: There is a risk that the perpetrators have stolen information about the company and are threatening to release it, or have already done so. You should be prepared for this scenario;
- If customer data has been stolen, the NCSC strongly recommends being proactive and informing the customers concerned;
- Under Article 24 of the new Federal Act on Data Protection (FADP), which came into force on 1 September 2023, data security breaches must now be reported to the FDPIC if the individuals affected by the data leak are exposed to a high risk to their privacy or fundamental rights. The provision applies to private individuals, businesses and federal bodies. Reports to the FDPIC must be submitted as soon as possible. You can find the report form here: https://databreach.edoeb.admin.ch/report
- If personal data is affected, and depending on where the company is located, there may also be a need to comply with the European Union's General Data Protection Regulation (GDPR);
You will find further information on our website:
Companies: Ransomware - What next?
Authorities: Ransomware - What next?
- Back up your data regularly. Backups should be stored offline, i.e. on external media such as an external hard drive. Make sure that the media on which the backup is stored is disconnected from the computer when the backup is complete, otherwise the data on the backup media could be encrypted and rendered unusable in the event of a ransomware attack;
- Ransomware is often surreptitiously installed through unpatched vulnerabilities. Install updates for all installed software programmes and hardware devices as soon as they become available. Major software providers such as Microsoft and Adobe offer automatic updates. Activate this function whenever possible;
- Train your employees on how to handle emails: Handling emails securely.
- You can further protect your IT infrastructure from malware (such as ransomware) by using Windows AppLocker. Windows AppLocker allows you to define which programmes are allowed to run on computers in your company/authority;
- Block the receipt of malicious email attachments on your email gateway. A more detailed and updated list can be found at: List of blocked file types;
- Ensure that such malicious email attachments are also blocked if they are sent to recipients within your company/authority in archive files such as ZIP, RAR or in encrypted archive files (e.g. in a password-protected ZIP);
- In addition, all email attachments that contain macros (e.g. Word, Excel or PowerPoint attachments that contain macros) should be blocked.
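As an added illustration of the three attachment rules above (this is example code, not part of the NCSC page), the following Python script inspects the attachments of a mail message, rejects blocklisted file types, looks inside ZIP archives, rejects encrypted archive entries it cannot inspect, and flags macro-enabled Office documents. The blocklist and the sample message are constructed assumptions; in practice the NCSC's published list of blocked file types is the reference.

```python
import io
import os
import zipfile
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default

# Constructed blocklists (assumptions for this example; the NCSC's published list is the reference).
BLOCKED_EXT = {".exe", ".js", ".vbs", ".scr", ".bat", ".cmd", ".ps1"}
MACRO_EXT = {".docm", ".xlsm", ".pptm", ".dotm", ".xltm"}

def check_name(name):  # block reason for a file name, or None if it may pass
    ext = os.path.splitext(name.lower())[1]
    if ext in BLOCKED_EXT:
        return f"blocked extension {ext}: {name}"
    if ext in MACRO_EXT:
        return f"macro-enabled Office document: {name}"
    return None
def check_zip(name, data):  # inspect a ZIP; encrypted entries cannot be scanned, so they are blocked
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [f"unreadable archive: {name}"]
    findings = []
    for info in zf.infolist():
        if info.flag_bits & 0x1:  # general-purpose bit 0 set = entry is encrypted
            findings.append(f"encrypted entry in {name}: {info.filename}")
        elif (reason := check_name(info.filename)):
            findings.append(f"inside {name}: {reason}")
    return findings
def scan_message(raw):  # returns block reasons for every attachment of a raw RFC 5322 message
    findings = []
    for part in message_from_bytes(raw, policy=default).iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        if name.lower().endswith(".zip"):
            findings.extend(check_zip(name, data))
        elif (reason := check_name(name)):
            findings.append(reason)
    return findings
def build_sample():  # constructed message: a macro-enabled document plus a ZIP hiding a .js file
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.js", "// constructed dummy content")
    msg = EmailMessage()
    msg.set_content("see attachments")
    msg.add_attachment(b"dummy", maintype="application", subtype="octet-stream", filename="report.docm")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="docs.zip")
    return msg.as_bytes()
```

Running `scan_message(build_sample())` reports both the macro-enabled document and the script hidden inside the archive; a gateway would quarantine the message on any finding.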
- Rendering data unusable on the computer
- Financial loss in the event of payment of the ransom
- Existential threat to companies/authorities if the backup was also encrypted.
- You will find further information on our website:
Companies: Encryption Malware - What next?
Authorities: Encryption Malware - What next?
Last modification 09.12.2021