How to respond to a ransomware infection

Paying the ransom should be the LAST thing you do…

David Bisson (@DMBisson)

Ransomware

We at Graham Cluley Security News have talked a lot about how ransomware strains target users and pressure victims into paying the ransom. As part of that ongoing effort, we’ve discussed a number of techniques users can employ to defend against a ransomware attack.

But we haven’t addressed the concerns of users dealing with an active crypto-malware infection.

It’s time we remedied that.


We hope that you never experience a ransomware infection. In the event that you do, and you didn’t take the essential precaution of having a secure backup to hand, here is how you should respond.

  1. Take a deep breath.

Ransomware developers would love nothing more than for you to panic. That’s why they spend so much time outfitting their creations with features that are specifically designed to scare you into paying the ransom.

For instance, the first variants of Jigsaw came equipped with a counter that spelled out when the ransomware would flat-out delete some of a victim’s files.

Meanwhile, Cyber.Police has built a reputation around convincing victims they’ve run afoul of the US intelligence community.


Don’t give the perpetrators of such attacks the satisfaction of getting all worked up. Instead, take a deep breath and commit yourself to responding to the attack in a calm and controlled manner.

Check to see if you have a secure backup of your encrypted data that you can recover from. It’s important to ensure, of course, that the backup itself hasn’t been corrupted by the ransomware infection.

Having a proper backup infrastructure is the most effective way to recover from a ransomware attack – as past victims like the San Francisco metro system have discovered – but if that’s not an option for you, there are still recovery steps you can explore.

  2. Remove the ransomware from your computer.

First things first: clean your computer of the active ransomware infection. You can do so by installing an anti-ransomware tool onto your computer. The solution will hopefully be able to detect the malicious program and remove it from your machine.

Unfortunately, that’s not always easy to do. Some ransomware samples are configured to prevent users from installing anti-virus solutions and similar products on their computers. To circumvent such behavior, try booting your computer into Safe Mode and installing the solution. If that doesn’t work, download the tool onto a clean USB stick and plug it into your infected computer.

  3. Try to find a free decryptor for your affected files.

Once you’ve removed the ransomware from your computer, it’s time you turned your attention to recovering your files. You should begin by looking for a free decryptor online.

Chances are you aren’t the first victim to be affected by a particular ransomware strain, which means security researchers might have already developed a utility for the ransomware that allows victims to regain access to their files for free. Users should start at nomoreransom.org, an initiative where security firms and organizations are working together in an effort to develop free decryption tools.

Some of No More Ransom’s casualties. (Source: No More Ransom)

  4. Recover your files using your data backup strategy.

If there’s no free decryption tool available for the ransomware that infected your computer, try recovering your files using your data backup strategy. Assuming you followed our data backup guide, you should have at least three working copies of data. Simply choose one of the unaffected copies, restore all your data, and delete the encrypted versions once you’ve verified you’ve successfully restored your information.

  5. Recover your files using their Shadow Volume Copies.

Shadow copies (Source: Computer Performance)

Perhaps something happened to your data backups. Maybe the ransomware got to your external hard drive as well as your computer, and perhaps your cloud-based backup isn’t working for one reason or another. If that’s the case, you can try recovering your files by using the Volume Shadow Copy Service (VSS).

Most machines running Windows XP and up come with VSS. It’s a feature that automatically takes a snapshot of every file, including those that are open, on a particular drive. Those snapshots are saved in a container known as the Shadow Volume Copy. In the event those Shadow Volume Copies are still available, you can look for the snapshots of your encrypted files and restore them using Windows or other utilities.
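The snapshot restore described above, written out as an added PowerShell example (it is not code from the original article). It looks up the shadow copies of one drive, picks the newest snapshot taken before the infection, exposes it as a folder and copies a single file out of it; an empty snapshot list is reported as its own finding, since that is what ransomware that deletes snapshots leaves behind. The drive letter, file path and infection time are constructed placeholders.

```powershell
# Added example: recover one pre-infection file from a Volume Shadow Copy.
# Assumptions (constructed for this example): drive C:, the file to recover at
# C:\Users\Alice\Documents\report.docx, and an infection time of 2017-01-02 09:00.
# Run from an elevated PowerShell session on a machine that has already been cleaned.

$DriveLetter   = 'C:'
$InfectedSince = Get-Date '2017-01-02 09:00'
$FileToRecover = 'Users\Alice\Documents\report.docx'   # path relative to the drive root
$RestoreDir    = 'C:\Recovered'
$LinkPath      = 'C:\ShadowView'

# Map the drive letter to its volume GUID path; that is how Win32_ShadowCopy names volumes.
$volume = Get-CimInstance -ClassName Win32_Volume | Where-Object { $_.DriveLetter -eq $DriveLetter }
if (-not $volume) { throw "No volume found for $DriveLetter" }

# Enumerate the shadow copies of that volume, newest first. An empty list is itself a
# finding: many ransomware families delete snapshots, so check this before relying on VSS.
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy |
           Where-Object { $_.VolumeName -eq $volume.DeviceID } |
           Sort-Object InstallDate -Descending
if (-not $shadows) { throw "No shadow copies exist for $DriveLetter; VSS recovery is not possible." }

# Use the newest snapshot taken before the infection; a later one may already hold encrypted files.
$candidate = $shadows | Where-Object { $_.InstallDate -lt $InfectedSince } | Select-Object -First 1
if (-not $candidate) { throw "Every shadow copy post-dates the infection and may contain encrypted data." }
Write-Host "Using shadow copy $($candidate.ID) taken $($candidate.InstallDate)"

# Expose the snapshot as a directory link. The trailing backslash on the device path is required.
if (Test-Path $LinkPath) { cmd /c rmdir $LinkPath }
cmd /c mklink /d $LinkPath "$($candidate.DeviceObject)\" | Out-Null

# Copy the pre-infection version out of the snapshot. Copy out only; never write into the snapshot.
New-Item -ItemType Directory -Path $RestoreDir -Force | Out-Null
$source = Join-Path $LinkPath $FileToRecover
if (Test-Path $source) {
    Copy-Item -Path $source -Destination $RestoreDir
    Write-Host "Recovered $FileToRecover to $RestoreDir"
} else {
    Write-Warning "$FileToRecover is not present in that snapshot"
}

# Remove the directory link; the snapshot itself is untouched.
cmd /c rmdir $LinkPath
```

Verify the recovered file opens correctly before deleting the encrypted copy, and keep the snapshot around until you have done so.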


  6. Try to negotiate the ransom demand down.

Ransomware developers know that users can restore their files using Shadow Volume Copies. As a result, some actors have programmed their malware to delete those snapshots. If that’s the case, and in the absence of any other data backups, you might decide you have no choice but to pay the ransom.

That doesn’t mean you should pay the entire amount, however.

Many ransomware strains come with a live chat feature or other means by which you can contact the developers. You should take advantage of any of those methods if left with no other option and try to negotiate a lower ransom amount with the criminals.

If you can make them understand your plight, perhaps the attackers will agree to lower the price or even let you off the hook entirely.

  7. Pay the full ransom amount.

If all else fails, pay the full ransom amount and hope the computer criminals stay true to their word. It wouldn’t be the first time ransomware devs stole money and didn’t live up to their side of the bargain.

Conclusion

We hope this guide will help you if you ever suffer a ransomware infection. In the meantime, please make sure you focus on preventing a ransomware attack in the first place by avoiding suspicious links and email attachments, updating your system, and regularly backing up your critical data.

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

13 comments on “How to respond to a ransomware infection”

  1. George

    An important step, if you have the means to take it, is making a full image copy of your drive. If no decryptor is available for that mal-ware, one might become available later and you will have the copy to work with. This succeeded for a friend of mine.

    Even if you decide to pay, making a copy gives you a second chance if something goes wrong or the mal-ware decryption is faulty.

    1. Graham Cluley · in reply to George

      Great advice George. Of course, making that backup image also means that if anything else you do with the drive goes badly wrong you can always get back to your original starting point.

  2. Rhys Davies

    Or use a corporate anti ransomware solution such as Intercept X from Sophos – you don't have to do anything then!!

    1. Graham Cluley · in reply to Rhys Davies

      Thanks Rhys. It's been some years since I've run a Sophos product, but doesn't Intercept X require you to be already running it *before* you get the ransomware infection?

    2. Thierry Lange · in reply to Rhys Davies

      Hi, Rhys.
      Even if your company uses Interceptor X from Sophos, there is always a human risk.

  3. john

    CCleaner worked best for me. The minute it showed up, I hit Ctrl-Alt-Delete. Then once my computer rebooted, I ran CCleaner, both registry and full cleaner. After the second pass with CCleaner, all was fine. The trick is to catch it as it first shows up; do not hesitate.

  4. Bob

    I have a nice, simple solution:

    1 – I selectively sync critical folders (you can unsync at any time) with my zero-knowledge encrypted cloud. All of this is done in the background whilst you work. My files and folders are then accessible anywhere in the world and the files are fully versioned should malware/ransomware strike.

    2 – I use the Windows file history feature to backup everything to a VHDX file (BitLocker encrypted naturally). This creates a virtual drive on your system which I have auto-mount at startup. The system then backs up my files every 4 hours in the background. Once a week I drag and drop the single VHDX file onto an external drive. Within that one encrypted file is a complete backup of my files.

    If you're really worried about malware then it can't harm to either use a second cloud service independent of the first, or create a separate physical backup. Obviously with physical copies you should keep them off-site and encrypted.

  5. lee

    Uhh… try running LINUX to begin with! And encrypt your /home directory. Also back up your most critical areas while in there, like /home/Downloads and /home/Document. Most of your stuff, except for some code you write, ought to be in there by default. I store these directories and any code written to a couple of hotshoe SSDs. First I verify that the source is good, then I do the backup, then I PHYSICALLY detach the backup by popping the thing out. I also export bookmarks on a regular basis along with hundreds of Tomboy notes and personal info manager stuff that has been kept through the years.

    The idea here is prevention. If somehow ransomware can find your box, reload the OS after wiping the drive. The best thing ANYBODY can do though is to be running Linux. Also note that Linux gurus are watching their processes… anything that ought not be there, we're gonna notice. Yeah. Why's this thing rendering so damn slow? Stuff like that.

    1. Bob · in reply to lee

      But as we've seen, ransomware targets Linux users too.

      The problem with Linux is that, despite it being open source, it receives very little security scrutiny. There are hundreds (maybe even thousands) of zero day vulnerabilities lurking in the code and nobody is fixing them. The odd one gets closed 15 years after being first reported; this is simply unacceptable.

      Commercial vendors like Microsoft and Apple have whole security teams paid to actively seek out and fix security problems. Linux try their best but there are so many distros, so disparate a codebase, nowhere near enough qualified people fixing things and rampant incompatibility with hardware (much better than it used to be though).

      Any security expert will tell you to steer clear of Linux if you value security. It's a hobbyist's OS. If you're running a server you'll be running a minimal install that a competent sysadmin can lock down himself.

      Checking processes is all well and good but there are a number of non-fixed vulnerabilities which allow you to hide a process from TOP or equivalent. The whole thing won't be running slowly if the ransomware authors know what they're doing (which they do) by harnessing the system tools like LUKS or ecryptfs. They may even use the dedicated processor AES-NI instructions to speed things up without you knowing about it!

      The insidious problem with ransomware is that it can take hold by silently encrypting your files, including your detached backup, and then once everything is complete the system is rendered useless. Checking hash sums won't help if they've forged the outcome or (more likely) stored the encrypted file elsewhere until ready.

      Linux have continually been given the option to improve security but have refused on the basis that it'd over-complicate an already labyrinthine codebase. That and the fact Linux users think that an antivirus program is unnecessary: the whole thing is a powder keg.

      Windows interacts directly with the firmware, it uses the TPM for encryption, secure enclaves with the CPU, measured boot processes, early launch anti-malware, ASLR, critical process sandboxing, DMA attack prevention etc. There are many more examples of in-built security features in Windows. You'd be lucky to find your favourite Linux supporting even one of those security measures.

      By all means use Linux as an easily modifiable, free, open source and community OS but don't kid yourself into believing it's secure. It's not. And a false sense of security is better than no sense of security.

      1. Adrian Midgley · in reply to Bob

        Hmm. I am not convinced all you say is true.
        BSD you think?

  6. Samatva Peace

    I am normally peaceful and accepting of other's opinions, but must speak out here.

    There is absolutely no justification for paying a ransom for data, even as option 6 or 7. If you haven't given enough thought to your information operations to do backups or replication, you deserve to face the consequences of your lost data. By paying the ransom you perpetuate a system of criminals that costs all of us $$$, even if we aren't directly affected by ransomware.

    This is not the same as saying if all the soldiers refused to go, there'd be no more war. In this case, everyone can actually stop paying the ransoms. Take responsibility for your stupidity or inattention so they will stop trying to attack the rest of us. Probes of my servers have shot through the roof since so much money has been pumped into that system. I've not yet been breached, but the cost of maintaining secure servers is going up. I did have a recent RAID 10 failure/corruption, an unlikely event, but the same effect as ransomware. The same precautions saved me. Even if you delude yourself into thinking you'll never be hit by hackers, you are truly an idiot to think you'll never have a hardware or software failure.

    Have a good, secure backup plan. Practice restoring that data. Rehearse your recovery plan. Put training and policies in place to prevent idiots from installing ransomware. Fire your IT people if they aren't competent. But never, never, never pay the ransom. It should be illegal to fund such terrorism.

    'Nuff said. Go secure and back up your computers.

    1. Adrian Midgley · in reply to Samatva Peace

      You confuse your desires and interests – even those of the wider community – with justification or interest for someone (whose data is) held to ransom by criminals.

      The two are not the same so your first assertion is false, so your argument is unlikely to stand.

      And this is criminal action, not terrorism. Keep the language useful please.

  7. Rajas

    Can anybody tell me if I can copy unaffected/non-encrypted files from a ransomware-affected system?
