How to respond to a ransomware infection

Paying the ransom should be the LAST thing you do…


We at Graham Cluley Security News have talked a lot about how ransomware strains target users and pressure victims into paying the ransom. As part of that ongoing effort, we've discussed a number of techniques users can employ to defend against a ransomware attack.

But we haven't addressed the concerns of users dealing with an active crypto-malware infection.

It's time we remedied that.

We hope that you never experience a ransomware infection. In the event that you do, and you didn't take the essential precaution of having a secure backup to hand, here is how you should respond.

  1. Take a deep breath.

Ransomware developers would love nothing more than for you to panic. That's why they spend so much time outfitting their creations with features that are specifically designed to scare you into paying the ransom.

For instance, the first variants of Jigsaw came equipped with a counter that spelled out when the ransomware would flat-out delete some of a victim's files.

Meanwhile, Cyber.Police has built a reputation around convincing victims they've run afoul of the US intelligence community.


Don't give the perpetrators of such attacks the satisfaction of getting all worked up. Instead, take a deep breath and commit yourself to responding to the attack in a calm and controlled manner.

Check to see if you have a secure backup of your encrypted data that you can recover from. It's important to ensure, of course, that the backup itself hasn't been corrupted by the ransomware infection.

Having a proper backup infrastructure is the most effective way to recover from a ransomware attack - as past victims like the San Francisco metro system have discovered - but if that's not an option for you, there are still recovery steps you can explore.

  2. Remove the ransomware from your computer.

First things first: clean your computer of the active ransomware infection. You can do so by installing an anti-ransomware tool onto your computer. The solution will hopefully be able to detect the malicious program and remove it from your machine.

Unfortunately, that's not always easy to do. Some ransomware samples are configured to prevent users from installing anti-virus solutions and similar products on their computers. To get around such behavior, try booting your computer into Safe Mode and installing the solution. If that doesn't work, download the tool onto a clean USB stick from another, uninfected computer and plug the stick into your infected machine.

  3. Try to find a free decryptor for your affected files.

Once you've removed the ransomware from your computer, it's time you turned your attention to recovering your files. You should begin by looking for a free decryptor online.

Chances are you aren't the first victim to be affected by a particular ransomware strain, which means security researchers might have already developed a utility for the ransomware that allows victims to regain access to their files for free. Users should start at nomoreransom.org, an initiative where security firms and organizations are working together in an effort to develop free decryption tools.


Some of No More Ransom's casualties. (Source: No More Ransom)

  4. Recover your files using your data backup strategy.

If there's no free decryption tool available for the ransomware that infected your computer, try recovering your files using your data backup strategy. Assuming you followed our data backup guide, you should have at least three working copies of data. Simply choose one of the unaffected copies, restore all your data, and delete the encrypted versions once you've verified you've successfully restored your information.
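As an added example (this is not code from the original article or from Graham Cluley Security News), the following PowerShell functions cover two of the checks mentioned above: making sure a backup copy hasn't itself been touched by the ransomware, and verifying that a restore actually reproduced the backup. The first check samples plain-text files in the backup and flags any whose bytes look like ciphertext; the second records a SHA-256 manifest of the trusted copy and compares the restored files against it. The paths, the extension list and the entropy threshold are assumptions to adapt to your own data.

```powershell
# Added example, not from the original article: two checks to run before trusting a backup
# copy and after restoring from it. Every path below is a placeholder for this example.

# Shannon entropy in bits per byte: plain text sits around 4-5, ciphertext close to 8.
function Get-ShannonEntropy {
    param([byte[]]$Bytes)
    if ($Bytes.Length -eq 0) { return 0.0 }
    $counts = New-Object 'int[]' 256
    foreach ($b in $Bytes) { $counts[$b]++ }
    $entropy = 0.0
    foreach ($c in $counts) {
        if ($c -gt 0) {
            $p = $c / $Bytes.Length
            $entropy -= $p * [Math]::Log($p, 2)
        }
    }
    return $entropy
}

# Extensions that should hold plain text (assumed list). A near-random body in one of these is a
# strong sign the file was overwritten with ciphertext while keeping its name.
$PlainTextExtensions = @('.txt', '.csv', '.log', '.xml', '.html', '.htm', '.json', '.ini', '.ps1', '.md')

function Find-SuspectBackupFiles {
    param(
        [Parameter(Mandatory)][string]$BackupRoot,
        [double]$Threshold = 7.0,     # bits per byte; tune for your own data
        [int]$SampleBytes = 65536     # only the first 64 KiB of each file is sampled
    )
    Get-ChildItem -LiteralPath $BackupRoot -File -Recurse | ForEach-Object {
        $file = $_
        if ($file.Length -gt 0 -and $PlainTextExtensions -contains $file.Extension.ToLowerInvariant()) {
            $buffer = New-Object byte[] ([int][Math]::Min($SampleBytes, $file.Length))
            $stream = [System.IO.File]::OpenRead($file.FullName)
            try { $read = $stream.Read($buffer, 0, $buffer.Length) } finally { $stream.Dispose() }
            if ($read -lt $buffer.Length) { $buffer = $buffer[0..($read - 1)] }
            $entropy = Get-ShannonEntropy -Bytes $buffer
            if ($entropy -ge $Threshold) {
                [pscustomobject]@{ Path = $file.FullName; Entropy = [Math]::Round($entropy, 2) }
            }
        }
    }
}

# Hash manifest of a copy you trust, for comparison after the restore. Files the ransomware
# renamed show up as Missing; files it rewrote in place show up as Modified.
function New-HashManifest {
    param([Parameter(Mandatory)][string]$Root, [Parameter(Mandatory)][string]$ManifestPath)
    $base = (Resolve-Path -LiteralPath $Root).Path.TrimEnd('\')
    Get-ChildItem -LiteralPath $base -File -Recurse | ForEach-Object {
        [pscustomobject]@{
            RelativePath = $_.FullName.Substring($base.Length + 1)
            Sha256       = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    } | Export-Csv -LiteralPath $ManifestPath -NoTypeInformation
}

function Compare-ToManifest {
    param([Parameter(Mandatory)][string]$Root, [Parameter(Mandatory)][string]$ManifestPath)
    foreach ($entry in (Import-Csv -LiteralPath $ManifestPath)) {
        $target = Join-Path $Root $entry.RelativePath
        if (-not (Test-Path -LiteralPath $target -PathType Leaf)) {
            [pscustomobject]@{ RelativePath = $entry.RelativePath; Status = 'Missing' }
        } elseif ((Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash -ne $entry.Sha256) {
            [pscustomobject]@{ RelativePath = $entry.RelativePath; Status = 'Modified' }
        }
    }
}

# Usage (placeholder paths): scan the backup copy first, record its manifest, restore, then compare.
# Find-SuspectBackupFiles -BackupRoot 'E:\Backup' | Format-Table
# New-HashManifest -Root 'E:\Backup' -ManifestPath 'E:\backup-manifest.csv'
# Compare-ToManifest -Root 'C:\Users\alice\Documents' -ManifestPath 'E:\backup-manifest.csv'
```

The entropy scan is a heuristic: it only looks at file types that are normally low-entropy, so a backup that contains mostly compressed formats (images, archives, Office documents) will tell you little, and a file the ransomware renamed with a new extension will not be sampled at all. That second case is exactly why the manifest comparison is there: a renamed or rewritten file comes back as Missing or Modified, so an empty result from Compare-ToManifest is the signal that the restore is complete and the encrypted versions can be deleted.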

  5. Recover your files using their Shadow Volume Copies.

Shadow copies (Source: Computer Performance)

Perhaps something happened to your data backups. Maybe the ransomware got to your external hard drive as well as your computer, and perhaps your cloud-based backup isn't working for one reason or another. If that's the case, you can try recovering your files by using the Volume Shadow Copy Service (VSS).

Most machines running Windows XP and up come with VSS. It's a feature that automatically takes point-in-time snapshots of a whole drive, including files that are open at the time. Those snapshots are known as shadow copies (often called Shadow Volume Copies in ransomware write-ups). If those shadow copies are still available, you can look for the earlier versions of your encrypted files inside them and restore those using Windows or other utilities.

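As an added example (not code from the original article), the PowerShell functions below use the Win32_Volume and Win32_ShadowCopy CIM classes to list the shadow copies Windows still holds for a drive and to copy a single file out of a chosen snapshot. Run them from an elevated prompt; the drive letter, the file path inside the snapshot and the destination are placeholders. If the first function returns nothing, the snapshots are gone, which is the situation the next step describes.

```powershell
# Added example, not from the original article: enumerate shadow copies for a drive and copy one
# file out of a snapshot. Requires an elevated PowerShell. All paths are placeholders.

function Get-ShadowCopySnapshots {
    param([string]$Volume = 'C:\')
    # Win32_ShadowCopy.VolumeName holds the volume GUID path (\\?\Volume{...}\), not the drive
    # letter, so map the letter through Win32_Volume first.
    $volumeGuid = (Get-CimInstance -ClassName Win32_Volume |
        Where-Object { $_.DriveLetter -eq $Volume.TrimEnd('\') }).DeviceID
    Get-CimInstance -ClassName Win32_ShadowCopy |
        Where-Object { $_.VolumeName -eq $volumeGuid } |
        Sort-Object InstallDate -Descending |          # InstallDate is when the snapshot was taken
        Select-Object ID, InstallDate, DeviceObject
}

function Restore-FileFromShadowCopy {
    param(
        [Parameter(Mandatory)][string]$DeviceObject,   # e.g. \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3
        [Parameter(Mandatory)][string]$RelativePath,   # path inside the volume, e.g. Users\alice\Documents\report.docx
        [Parameter(Mandatory)][string]$Destination     # where the recovered copy is written; never the encrypted original
    )
    # The \\?\GLOBALROOT device path is not a normal file path, so expose the snapshot through a
    # directory symbolic link and copy through that. The trailing backslash on the target is required.
    $link = Join-Path $env:TEMP ('vss-' + [guid]::NewGuid().ToString('N'))
    cmd /c mklink /d "$link" $DeviceObject\ | Out-Null
    try {
        Copy-Item -LiteralPath (Join-Path $link $RelativePath) -Destination $Destination
    } finally {
        # rmdir removes only the link itself, not the snapshot contents it points at.
        cmd /c rmdir "$link" | Out-Null
    }
}

# Usage (placeholders): pick the newest snapshot that predates the infection, then recover a file.
# $snapshots = Get-ShadowCopySnapshots -Volume 'C:\'
# $snapshots | Format-Table
# Restore-FileFromShadowCopy -DeviceObject $snapshots[0].DeviceObject `
#     -RelativePath 'Users\alice\Documents\report.docx' -Destination 'D:\recovered\report.docx'
```

Check the InstallDate column before choosing a snapshot: a shadow copy taken after the encryption finished contains the encrypted versions, not the originals. Writing the recovered files to a separate drive keeps the infected volume unchanged, so the same snapshots remain available if a first attempt goes wrong.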

  6. Try to negotiate the ransom demand down.

Ransomware developers know that users can restore their files using Shadow Volume Copies. As a result, some actors have programmed their malware to delete those snapshots. If that's the case, and in the absence of any other data backups, you might decide you have no choice but to pay the ransom.

That doesn't mean you should pay the entire amount, however.

Many ransomware strains come with a live chat feature or other means by which you can contact the developers. You should take advantage of any of those methods if left with no other option and try to negotiate a lower ransom amount with the criminals.

If you can make them understand your plight, perhaps the attackers will agree to lower the price or even let you off the hook entirely.

  7. Pay the full ransom amount.

If all else fails, pay the full ransom amount and hope the computer criminals stay true to their word. It wouldn't be the first time ransomware devs stole money and didn't live up to their side of the bargain.

Conclusion

We hope this guide will help you if you ever suffer a ransomware infection. In the meantime, please make sure you focus on preventing a ransomware attack in the first place by avoiding suspicious links and email attachments, updating your system, and regularly backing up your critical data.



10 Responses

  1. George

    January 8, 2017 at 9:09 pm

    An important step, if you have the means to take it, is making a full image copy of your drive. If no decryptor is available for that malware, one might become available later and you will have the copy to work with. This succeeded for a friend of mine.

    Even if you decide to pay, making a copy gives you a second chance if something goes wrong or the malware decryption is faulty.

    • Graham Cluley in reply to George.

      January 8, 2017 at 9:19 pm

      Great advice George. Of course, making that backup image also means that if anything else you do with the drive goes badly wrong you can always get back to your original starting point.

  2. Rhys Davies

    January 8, 2017 at 9:39 pm

    Or use a corporate anti-ransomware solution such as Intercept X from Sophos – you don't have to do anything then!!

    • Graham Cluley in reply to Rhys Davies.

      January 8, 2017 at 10:04 pm

      Thanks Rhys. It's been some years since I've run a Sophos product, but doesn't Intercept X require you to be already running it *before* you get the ransomware infection?

    • Thierry Lange in reply to Rhys Davies.

      January 9, 2017 at 12:35 pm

      Hi, Rhys
      Even if your company uses Intercept X from Sophos, there is always a human risk.

  3. john

    January 8, 2017 at 11:38 pm

    CCleaner worked best for me. The minute it showed up, I hit Ctrl-Alt-Delete. Then once my computer rebooted, I ran CCleaner, both registry and full cleaner. After the second pass with CCleaner, all was fine. The trick is to catch it as it first shows up; do not hesitate.

  4. Bob

    January 9, 2017 at 1:08 am

    I have a nice, simple solution:

    1 – I selectively sync critical folders (you can unsync at any time) with my zero-knowledge encrypted cloud. All of this is done in the background whilst you work. My files and folders are then accessible anywhere in the world and the files are fully versioned should malware/ransomware strike.

    2 – I use the Windows file history feature to backup everything to a VHDX file (BitLocker encrypted naturally). This creates a virtual drive on your system which I have auto-mount at startup. The system then backs up my files every 4 hours in the background. Once a week I drag and drop the single VHDX file onto an external drive. Within that one encrypted file is a complete backup of my files.

    If you're really worried about malware then it can't harm to either use a second cloud service independent of the first, or create a separate physical backup. Obviously with physical copies you should keep them off-site and encrypted.

  5. lee

    January 9, 2017 at 2:57 am

    Uhh… try running LINUX to begin with! And encrypt your /home directory. Also back up your most critical areas while in there, like /home/Downloads, /home/Document. Most of your stuff except for some code you write oughta be in there by default. I store these directories and any code written to a coupla hotshoe SSDs. First I verify that the source is good, then I do the backup, then I PHYSICALLY detach the backup via popping the thing out. I also export bookmarks on a regular basis along with hundreds of Tomboy notes and personal info manager stuff that has been kept through the years.

    The idea here is prevention. If somehow ransomware can find your box, reload the OS after wiping the drive. The best thing ANYBODY can do though is to be running Linux. Also note that Linux gurus are watching their processes… anything that ought not be there, we're gonna notice. Yeah. Why's this thing rendering so damn slow? Stuff like that.

    • Bob in reply to lee.

      January 9, 2017 at 9:56 am

      But as we've seen, ransomware targets Linux users too.

      The problem with Linux is that, despite it being open source, it receives very little security scrutiny. There are hundreds (maybe even thousands) of zero day vulnerabilities lurking in the code and nobody is fixing them. The odd one gets closed 15 years after being first reported; this is simply unacceptable.

      Commercial vendors like Microsoft and Apple have whole security teams paid to actively seek out and fix security problems. Linux tries its best but there are so many distros, so disparate a codebase, nowhere near enough qualified people fixing things and rampant incompatibility with hardware (much better than it used to be though).

      Any security expert will tell you to steer clear of Linux if you value security. It's a hobbyist's OS. If you're running a server you'll be running a minimal install that a competent sysadmin can lock down himself.

      Checking processes is all well and good but there are a number of non-fixed vulnerabilities which allow you to hide a process from TOP or equivalent. The whole thing won't be running slowly if the ransomware authors know what they're doing (which they do) by harnessing the system tools like LUKS or ecryptfs. They may even use the dedicated processor AES-NI instructions to speed things up without you knowing about it!

      The insidious problem with ransomware is that it can take hold by silently encrypting your files, including your detached backup, and then once everything is complete the system is rendered useless. Checking hash sums won't help if they've forged the outcome or (more likely) stored the encrypted file elsewhere until ready.

      Linux has continually been given the option to improve security but has refused on the basis that it'd over-complicate an already labyrinthine codebase. That and the fact Linux users think that an antivirus program is unnecessary: the whole thing is a powder keg.

      Windows interacts directly with the firmware, it uses the TPM for encryption, secure enclaves with the CPU, measured boot processes, early launch anti-malware, ASLR, critical process sandboxing, DMA attack prevention etc. There are many more examples of in-built security features in Windows. You'd be lucky to find your favourite Linux supporting even one of those security measures.

      By all means use Linux as an easily modifiable, free, open source and community OS but don't kid yourself into believing it's secure. It's not. And a false sense of security is better than no sense of security.

  6. Samatva Peace

    January 9, 2017 at 2:58 am

    I am normally peaceful and accepting of others' opinions, but must speak out here.

    There is absolutely no justification for paying a ransom for data, even as option 6 or 7. If you haven't given enough thought to your information operations to do backups or replication, you deserve to face the consequences of your lost data. By paying the ransom you perpetuate a system of criminals that costs all of us $$$, even if we aren't directly affected by ransomware.

    This is not the same as saying if all the soldiers refused to go, there'd be no more war. In this case, everyone can actually stop paying the ransoms. Take responsibility for your stupidity or inattention so they will stop trying to attack the rest of us. Probes of my servers have shot through the roof since so much money has been pumped into that system. I've not yet been breached, but the cost of maintaining secure servers is going up. I did have a recent RAID 10 failure/corruption, an unlikely event, but the same effect as ransomware. The same precautions saved me. Even if you delude yourself into thinking you'll never be hit by hackers, you are truly an idiot to think you'll never have a hardware or software failure.

    Have a good, secure backup plan. Practice restoring that data. Rehearse your recovery plan. Put training and policies in place to prevent idiots from installing ransomware. Fire your IT people if they aren't competent. But never, never, never pay the ransom. It should be illegal to fund such terrorism.

    'Nuff said. Go secure and back up your computers.
