Tim and I have been in this industry a long time, in fact, we are at the point in our careers where we have been doing this longer than some of the people we work with have been on this planet. A lot has changed over that time, but one thing has remained constant: O’Reilly books. Books like DNS and BIND and Learning Perl still sit on our bookshelves, well-worn with heavily marked-up pages. So when we found out that O’Reilly wanted to publish this book we were thrilled, then a little scared. After all, this is O’Reilly—it has to be right.

We hope this book lives up to the reputation that all of the O’Reilly authors have fostered over the last 40 years and that it will become as indispensable to our readers as other O’Reilly books have been to us.

We do want to share a couple of quick notes before you get started. The first is that unless you buy this book the day it is released and get hit by ransomware the next day, a lot of the specifics about various ransomware families mentioned will be outdated. This book is not designed to keep you updated on minute changes in ransomware behavior, instead, it is designed to be a guide for building a strategy to protect you, your family, or the organization you are defending. Use the information to understand the tactics and techniques of ransomware authors and then to take steps to prevent those techniques from being effective.

Secondly, we really want to hear from you. We hope to be able to publish multiple editions of this book until ransomware is no longer a threat. If there are things you like, and especially if there are things you don’t, please email us and let us know: and Thank you.

Conventions Used in This Book

The following typographical conventions are used in this book:


Indicates new terms, URLs, email addresses, filenames, and file extensions.

Constant width

Used for program listings, as well as within paragraphs to refer to program elements such as variable or function names, databases, data types, environment variables, statements, and keywords.

Constant width bold

Shows commands or other text that should be typed literally by the user.

Constant width italic

Shows text that should be replaced with user-supplied values or by values determined by context.


This element signifies a tip or suggestion.


This element signifies a general note.


This element indicates a warning or caution.

Using Code Examples

This book is here to help you get your job done. In general, if example code is offered with this book, you may use it in your programs and documentation. You do not need to contact us for permission unless you’re reproducing a significant portion of the code. For example, writing a program that uses several chunks of code from this book does not require permission. Selling or distributing a CD-ROM of examples from O’Reilly books does require permission. Answering a question by citing this book and quoting example code does not require permission. Incorporating a significant amount of example code from this book into your product’s documentation does require permission.

We appreciate, but do not require, attribution. An attribution usually includes the title, author, publisher, and ISBN. For example: “Ransomware by Allan Liska and Timothy Gallo (O’Reilly). Copyright 2017 Allan Liska and Timothy Gallo, 978-1-491-96788-1.”

If you feel your use of code examples falls outside fair use or the permission given above, feel free to contact us at .

O’Reilly Safari


Safari (formerly Safari Books Online) is a membership-based training and reference platform for enterprise, government, educators, and individuals.

Members have access to thousands of books, training videos, Learning Paths, interactive tutorials, and curated playlists from over 250 publishers, including O’Reilly Media, Harvard Business Review, Prentice Hall Professional, Addison-Wesley Professional, Microsoft Press, Sams, Que, Peachpit Press, Adobe, Focal Press, Cisco Press, John Wiley & Sons, Syngress, Morgan Kaufmann, IBM Redbooks, Packt, Adobe Press, FT Press, Apress, Manning, New Riders, McGraw-Hill, Jones & Bartlett, and Course Technology, among others.

For more information, please visit

How to Contact Us

Please address comments and questions concerning this book to the publisher:

  • O’Reilly Media, Inc.
  • 1005 Gravenstein Highway North
  • Sebastopol, CA 95472
  • 800-998-9938 (in the United States or Canada)
  • 707-829-0515 (international or local)
  • 707-829-0104 (fax)

We have a web page for this book, where we list errata, examples, and any additional information. You can access this page at

To comment or ask technical questions about this book, send email to .

For more information about our books, courses, conferences, and news, see our website at

Find us on Facebook:

Follow us on Twitter:

Watch us on YouTube:


For a project like this there are simply too many people to thank by name. But there are some people that deserve special recognition. That starts with our superstar editor, Courtney Allen. Thank you for believing in this book after a couple of other publishers rejected the idea. I also want to thank our other editor, Virginia “Word Ninja” Wilson; thank you for pushing us along to make sure we stayed on schedule and for taking your katana to any obstacles that we encountered. Thanks also to Christina Edwards and Colleen Cole for making our words that much better.

I also want to thank my coauthor, Tim Gallo. This is the third book we have worked on together. I love bouncing ideas off each other, sharing thoughts on progress, and complaining when we get in the weeds. This has been a great experience and I have benefited a lot from your insight. In conjunction with Tim, I can’t thank our technical editors enough. First for catching our boneheaded mistakes, but also for asking questions that made the book better and more complete.

There are a number of people that I need to thank who provided insight to specific products. Rico at Carbon Black, Scott and Sarah at SentinelOne, Jason and Levi at Recorded Future, Sean and Roy at eSentire, and Brigette, Jeremiah, and Joe at ThreatSTOP. Thank you all for your support.

I would also like to thank the ransomware tiger team at FireEye. I really appreciate the insights and thoughts everyone provided and the pointers that everyone gave every time I asked a few dozen questions. Finally, I want to thank all of the researchers at security companies around the world for the great job everyone has done with publishing and sharing information about ransomware. Ransomware is a serious threat to everyone and the security industry has responded in the best possible way by making available as much information as possible so that everyone can work to better protect their customers. This is the security industry at its best, and I am very proud to be part of it.

Get Ransomware now with the O’Reilly learning platform.

O’Reilly members experience live online training, plus books, videos, and digital content from nearly 200 publishers.