A newer, particularly horrible form of malware is ransomware. This kind of program, usually delivered with a Trojan (e.g. an e-mail attachment) or a browser exploit, goes through your computer's files, encrypts them (rendering them completely unrecognizable and unusable), and demands a ransom to return them to a usable state.
Ransomware generally uses asymmetric-key cryptography, which involves two keys: the public key and the private key. When you get hit by ransomware, the malicious program running on your computer connects to the bad guys' server (the command-and-control, or C&C), which generates both keys. It only sends the public key to the malware on your computer, since that's all it needs to encrypt the files. Unfortunately, the files can only be decrypted with the private key, which never even comes into your computer's memory if the ransomware is well-written. The bad guys usually state that they will give you the private key (thereby letting you decrypt your files) if you pay up, but of course you have to trust them to do so.
What you can do
The best option is to reinstall the OS (to remove every trace of malware) and restore your personal files from backups you made earlier. If you don't have backups now, this will be more challenging. Make a habit of backing up important files.
Paying up will probably let you recover your files, but please don't. Doing so supports their business model. Also, I say "probably let you recover" because I know of at least two strains that are so poorly written that they irreparably mangle your files; even the corresponding decryption program doesn't actually work.
Fortunately, there's a third option. Many ransomware developers have made mistakes that let the good security professionals develop processes that undo the damage. The process for doing that depends entirely on the strain of ransomware, and that list is constantly changing. Some wonderful people have put together a big list of ransomware variants, including the extensions applied to the locked files and the ransom note name, which can help you identify which version you have. For quite a few strains, that list also has a link to a free decryptor! Follow the appropriate instructions (links are in the Decryptor column) to recover your files. Before you begin, use the other answers to this question to make sure the ransomware program is removed from your computer.
If you can't identify what you got hit with from only the extensions and ransom note name, try searching the Internet for a few distinctive phrases from the ransom note. Spelling or grammar mistakes are usually fairly unique, and you'll likely come upon a forum thread that identifies the ransomware.
If your version isn't yet known, or doesn't have a free way to decrypt the files, don't give up hope! Security researchers are working on undoing ransomware and law enforcement is pursuing the developers. It's possible that a decryptor will eventually appear. If the ransom is time-limited, it's conceivable that your files will still be recoverable when the fix is developed. Even if not, please don't pay unless you absolutely have to. While you're waiting, make sure your computer is free of malware, again using the other answers to this question. Consider backing up the encrypted versions of your files to keep them safe until the fix comes out.
Once you recover as much as possible (and make backups of it to external media!), strongly consider installing the OS from scratch. Again, that will blow away any malware that lodged itself deep inside the system.
Additional variant-specific tips
Some ransomware-variant-specific tips that aren't yet in the big spreadsheet:
- If the decryption tool for LeChiffre doesn't work, you can recover all but the first and last 8KB of each file's data using a hex editor. Jump to address 0x2000 and copy out all but the last 0x2000 bytes. Small files will be completely wrecked, but with some fiddling you might be able to get something helpful out of larger ones.
- (others will be added as they are discovered)
Ransomware is nasty, and the sad reality is that it's not always possible to recover from it. To keep yourself safe in the future:
- Keep your operating system, web browser, and antivirus up to date
- Do not open e-mail attachments you weren't expecting, especially if you don't know the sender
- Avoid sketchy web sites (i.e. those featuring illegal or ethically dubious content)
- Make sure your account only has access to documents you personally need to work with
- Always have working backups on external media (not connected to your computer)!
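As an added example that is not part of the original answer, here is a small Python script automating the LeChiffre carving step from the variant-specific tips above: for each locked file it keeps only the bytes between offset 0x2000 and the last 0x2000 bytes, writes them to a ".partial" copy next to a fresh tree, and skips files too small to hold anything. The ".LeChiffre" extension and the sample file names are assumptions (check the extension you actually see against the spreadsheet); the originals are never modified.

```python
import tempfile
from pathlib import Path
from typing import Optional

# LeChiffre is described above as wrecking the first and last 0x2000 (8 KB)
# bytes of each file; everything in between is left untouched.
DAMAGED_HEAD = 0x2000
DAMAGED_TAIL = 0x2000
# Extension the locked files carry; assumed here, verify against your own files.
LOCKED_EXT = ".LeChiffre"

def carve_middle(data: bytes) -> Optional[bytes]:
    """Return the untouched middle of a locked file, or None if the file is
    too small to contain anything outside the damaged head and tail."""
    if len(data) <= DAMAGED_HEAD + DAMAGED_TAIL:
        return None
    return data[DAMAGED_HEAD:len(data) - DAMAGED_TAIL]

def recover_tree(src: Path, dst: Path) -> dict:
    """Carve every locked file under src into dst/<same relative path>.partial.
    Originals are read only; returns counts for a quick sanity report."""
    stats = {"recovered": 0, "too_small": 0}
    for locked in src.rglob("*" + LOCKED_EXT):
        middle = carve_middle(locked.read_bytes())
        if middle is None:
            stats["too_small"] += 1
            continue
        rel = locked.relative_to(src).with_suffix("")  # drop the ransomware extension
        out = dst / rel.with_name(rel.name + ".partial")
        out.parent.mkdir(parents=True, exist_ok=True)
        out.write_bytes(middle)
        stats["recovered"] += 1
    return stats

if __name__ == "__main__":
    # Constructed demo: one large file worth carving and one too small to salvage.
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp) / "locked", Path(tmp) / "recovered"
        src.mkdir()
        dst.mkdir()
        big = b"\xff" * DAMAGED_HEAD + b"intact document body " * 500 + b"\xff" * DAMAGED_TAIL
        (src / ("report.docx" + LOCKED_EXT)).write_bytes(big)
        (src / ("tiny.txt" + LOCKED_EXT)).write_bytes(b"\xff" * 0x3000)
        print(recover_tree(src, dst))  # {'recovered': 1, 'too_small': 1}
        for p in sorted(dst.rglob("*.partial")):
            print(p.name, p.stat().st_size, "bytes carved")
```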