Ransomware

The term 'ransomware' is a combination of the English words “ransom” and “malware”. This type of malware encrypts users' data, making it inaccessible to them. The attackers then promise to release the data in return for a ransom payment. Similar terms in German are “Erpressungstrojaner” (blackmail trojan), “Verschlüsselungstrojaner” (encryption trojan) or “Kryptotrojaner” (crypto trojan).

How does ransomware gain access to a computer?

Ransomware is often hidden in e-mail attachments, usually in Word or Excel documents or in compressed files (ZIP). These ZIP files can also be protected with a password. As soon as they are unzipped using the password, the malware they contain can become active on your device. Ransomware can also be hidden in downloads from websites or can gain access through security gaps in the device software.

How can I protect my device?

Note

The IT services of the ZID are operated professionally and are permanently monitored to block attacks and to close potential security gaps. For this purpose, the ZID uses a wide range of technical measures in its network infrastructure, on the ZID servers and at the level of IT services. These measures are tailored to the attack vectors and the respective damaging and spreading mechanisms of the malware. For further information, please read the interview with the Head of the IT Security team at the ZID, Alexander Talos-Zens.


Most successful attacks occur on personal user devices that are not managed by the ZID. Therefore, it is all the more important that users adjust their behaviour to protect their devices against ransomware. This includes technical measures, such as guaranteeing the basic security of the device, as well as other important aspects that should be taken into account in the everyday use of the device, especially a healthy scepticism when reading e-mails.

Basic protection through technical measures on the computer and laptop

  • Always keep your operating system, browser, e-mail program and Office Suite up to date. If necessary, you can also enable automatic updates.
  • Update your virus scanner regularly and check any notifications sent by the system regarding the virus scanner.
  • Do not disable the firewall that came with your operating system.

Tips on reading e-mails safely

  • Is it plausible that I received this e-mail? If you placed an order a few minutes ago, it makes sense that you got a confirmation of your order by e-mail.
  • Does the e-mail seem urgent? In fraudulent e-mails, you are often urged to act quickly. Take the time to scrutinise the e-mail thoroughly before taking any action.
  • Is the sender’s e-mail address plausible? Check whether the e-mail address corresponds to the name of the sender. Even though it is possible to forge the sender address, most impostors do not take the trouble to do so.
  • Did I explicitly request an e-mail attachment? Malware is often hidden in attachments. Therefore, be cautious if you receive an attachment that you did not request.
  • Is the content of the e-mail stylistically suspicious? If a personal form of address is missing, the text contains many spelling and grammatical errors, and umlauts or special characters are not displayed correctly, this might indicate a fraudulent e-mail.
  • Are the target addresses of links or buttons plausible? Move your cursor over the link in the e-mail without clicking it. A tooltip window will appear. Check whether the link would open a website that corresponds to the sender or the context of the e-mail.
  • Activate the spam filter of the provider of your e-mail address or e-mail programme. This allows you to block the majority of unwanted and malicious e-mails (spam, phishing, scamming attempts). There is a central spam filter for your University of Vienna e-mail address.
  • If you have a correctly configured spam filter and still receive an e-mail that potentially contains malware, please follow the recommendations on the web page Dealing with fraudulent e-mails.
  • Further information about this topic is available on the ZID website at IT security – Tips for users – E-mail.
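The checks on link targets and attachments from the list above can be partly automated. The following Python sketch is an added example, not a ZID tool: it flags links whose visible text shows a different host than the one they open, links that lead outside the sender's domain, and ZIP or Office attachments. The function names, the extension list and the sample message are assumptions made for illustration, and the results are hints for manual review, not a verdict.

```python
import re
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attachment types the page names as common carriers: Office documents and ZIP.
RISKY_EXT = (".zip", ".doc", ".docm", ".docx", ".xls", ".xlsm", ".xlsx")
LOOKS_LIKE_URL = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)

class LinkCollector(HTMLParser):  # collects (href, visible text) pairs from <a> tags
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    return (urlparse(url if "://" in url else "//" + url).hostname or "").lower()

def triage(msg):  # returns review hints for a parsed message; heuristics, not a verdict
    hints, sender = [], msg["From"].addresses[0].domain.lower()
    body = msg.get_body(preferencelist=("html",))
    collector = LinkCollector()
    collector.feed(body.get_content() if body else "")
    for href, text in collector.links:
        target = host_of(href)
        if LOOKS_LIKE_URL.fullmatch(text) and host_of(text) != target:
            hints.append(f"link text shows {host_of(text)} but opens {target}")
        if target and target != sender and not target.endswith("." + sender):
            hints.append(f"link target {target} is outside sender domain {sender}")
    hints += [f"attachment {p.get_filename()}: open only if you requested it"
              for p in msg.iter_attachments()
              if (p.get_filename() or "").lower().endswith(RISKY_EXT)]
    return hints

def sample_message():  # constructed message; all names and domains are made up
    m = EmailMessage()
    m["From"] = "Parcel Service <notice@parcel-service.example>"
    m.set_content('<a href="http://track.invalid/x">www.parcel-service.example</a>', subtype="html")
    m.add_attachment(b"PK", maintype="application", subtype="zip", filename="label.zip")
    return m
```

To check a saved message, parse it with `email.message_from_file(f, policy=email.policy.default)` and pass the result to `triage`.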

Tips for working safely on your computer every day

  • Make sure that you only install software from trustworthy sources.
  • Always be cautious when you are asked to activate macros or any active content after opening an Office document. Make sure that you know the sender and the content of documents you receive and that both are trustworthy. Be cautious in general when opening any programs, documents, images or links you receive.
  • Sometimes, you have to open Office documents with unknown content or from unknown people. You can, for example, increase security by opening these documents using LibreOffice, a free program. LibreOffice cannot run VBA macros in Microsoft Office documents, and, hence, cannot run any malware hidden in the documents.
  • Back up your data regularly. Remember to disconnect the backup medium (flash drive or external hard disk) physically from your computer after the backup. This way, you can reliably protect your backup against malware. If necessary, you can also store your data on the online storage space of the ZID: We back up the online storage space regularly.

How to detect a ransomware infection

As soon as ransomware has finished encrypting the data on a device, a ransom demand usually pops up. Detecting ransomware before that is often difficult. However, some conspicuous issues can help you detect an infection before your data have been fully encrypted.

  • Your operating system and/or antivirus software give a warning.
  • The device suddenly and permanently runs slow for no apparent reason.
  • The fan of your device is active unusually long and intensively (noise level) with no relation to your use of the device.
  • You notice unusual files and/or unusual file endings on files that you frequently use.
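The last sign in the list, unusual endings on familiar files, can be checked with a short script. The following Python sketch is an added example and not part of the ZID guidance: it reports extra, unknown suffixes that have been appended to files with otherwise familiar endings. The set of known endings, the threshold and the demo folder are assumptions.

```python
import tempfile
from pathlib import Path

# Endings of files a user works with frequently (assumption; adjust to your own data).
KNOWN = {".docx", ".xlsx", ".pptx", ".pdf", ".jpg", ".png", ".txt", ".odt"}

def unusual_endings(root, min_count=3):
    """Return {suffix: [paths]} for unknown suffixes appended to known ones.

    A file such as 'thesis.docx.abc' keeps its usual ending but has gained an
    extra one. One such file can be harmless; the same extra suffix on
    min_count or more files is worth acting on.
    """
    hits = {}
    for path in Path(root).rglob("*"):
        suffixes = [s.lower() for s in path.suffixes]
        if path.is_file() and len(suffixes) >= 2:
            if suffixes[-2] in KNOWN and suffixes[-1] not in KNOWN:
                hits.setdefault(suffixes[-1], []).append(str(path))
    return {s: sorted(p) for s, p in hits.items() if len(p) >= min_count}

def demo():
    """Build a constructed folder with made-up file names and scan it."""
    names = ("a.docx.abc", "b.xlsx.abc", "c.pdf.abc",      # same extra suffix
             "notes.txt", "photo.jpg", "archive.tar.gz",   # ordinary files
             "draft.docx.bak")                             # single file, below threshold
    with tempfile.TemporaryDirectory() as root:
        for name in names:
            Path(root, name).write_bytes(b"")
        return {s: [Path(p).name for p in paths]
                for s, paths in unusual_endings(root).items()}
```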

What to do when you detect conspicuous activities

Take immediate action to prevent considerable damage.

  • Disconnect your computer from the network.
  • Shut down your computer completely as fast as possible and keep it turned off. Do NOT use the standby mode.
  • As with any infection with malware, we strongly recommend changing all passwords that you use on the device. Please change your passwords using another, safe device.
  • If possible, check the device or perform data recovery using an external boot medium, such as the Desinfec't Boot medium (free of charge for IT representatives), with appropriate professional support.
  • To ensure the safe removal of the malware, we recommend resetting the device to the default factory settings or setting up your computer from scratch after backing up your data.
  • If you have further questions, please contact your IT representative, the ZID Helpdesk, the IT Security team of the ZID or other qualified persons of trust.