
Encrypted data - how to proceed with ransomware infection


Ransomware is currently the most popular technique for hackers to make decent money quite easily. It is a type of malware that, when launched, blocks the user from accessing all data (most often by encrypting the data), and then demands money to decrypt it.

Payment: the vast majority of ransomware demands anonymous payment in bitcoin (BTC). Prices for decryption range from 0.1 BTC to ~ BTC.

Ransomware most often gets into the OS through human error: an e-mail attachment, a seemingly safe application, clicking through a security warning, etc. However, it can also get in through a vulnerability in unpatched network-facing software such as Flash or Java.

For these reasons, ransomware poses a huge risk to individuals and companies. Ransomware infection is not uncommon and nothing to be ashamed of; it can happen to anyone (I have also lost a lot of my data through my own mistake, but I immediately restored everything from backup).

It is strongly recommended not to pay anything, as this encourages the authors to continue their activities. Unfortunately, sometimes it is the only way to get your valuable data back. The public often thinks that ransomware is no problem, that you only need to search the Internet for a while to find a decrypter (an application that decrypts the files for free) for the given type of ransomware. This is not entirely true.

At present, we record approx. 450 different ransomware families (I count only those that are properly documented). Decrypters are currently available for approx. a quarter of the families. This gives a theoretical 3:1 probability that you will not recover the encrypted data. In practice the number is different, of course, but it will certainly not be much better: the most common ransomware families are often not decryptable.

Below we will discuss how to correctly identify the ransomware family, find out whether a decrypter exists for it and, if so, how to recover the data. Then we will talk about how to get rid of the ransomware.

Before we begin, one more thing. Some ransomware families show a countdown in their window and threaten to gradually delete data (here is an example ). In that case, turn the PC off quickly and do not turn it on again!


Step #1: Identify the ransomware

First, we need to identify the ransomware so that we know what to do next. To identify it reliably, we can use a sample of the malware itself, or a sample encrypted file together with the instruction file left behind by the ransomware.

Your task is therefore to provide a sample for reliable identification using one of the two variants. The second variant is simpler and faster, but for interest we also mention the first, which is more accurate but not recommended for ordinary users. In most cases the second option will suffice.

Identification using a ransomware sample (not recommended):


You can usually find the ransomware sample in %appdata%, %localappdata% and %temp%. If you do not know how to get to these locations, press the keyboard shortcut Win + R, enter the desired path in the text box (e.g. %appdata%) and press Enter.

You can also look through the running processes in Task Manager, identify the running ransomware, right-click it and open the file location. In both cases, copy the application to the Desktop.

After securing the ransomware sample, analyze it with the VirusTotal web service.

  • Visit VirusTotal.
  • Click the Upload and check file button and select the ransomware sample.
  • If more than 24 hours have elapsed since the last scan, click the three dots in the upper right corner to expand the menu and select Analyze again.
  • When the analysis is complete, you will see the results.
  • Here you can see how the individual AVs detect the ransomware (their detection names). You can also find important information in the comments.

So now we know what it is. That makes it easy to track down the decrypter, if one exists. If not, we are out of luck for the moment.


Identification using an encrypted file and decryption instructions (recommended):

As mentioned above, thanks to analyst Michael Gillespie and the MalwareHunterTeam group this method is very easy, because they created and maintain an online service that can determine which type of ransomware you have been infected with. However, you need to provide a sample encrypted file and the TXT file with the instructions.

If you can use the OS normally and the ransomware is not showing a countdown, you can simply connect a USB disk to the PC (an empty one, of course, otherwise you risk having its contents encrypted) and drag the required files from the Desktop to the disk. The risk of carrying the infection over on the flash drive and infecting another OS is negligible.

If the OS cannot be used, or the ransomware shows a countdown and there is a risk of gradual data deletion, or if you just want to be sure, shut down the OS quickly first. Then download a live Linux ISO (e.g. Fedora), create a bootable USB drive and boot the infected PC from it.

If you can, copy all your encrypted data to other storage; you will most likely need it later. If you do not have enough media with you, copy only any two encrypted files and the instruction file (usually something like HELP_DECRYPT.TXT, typically on the Desktop or in Documents). Then move the files to a PC with Internet access and we can find out which ransomware encrypted the data.

  • Open two copies (in two panels) of the ID Ransomware page.
  • In the first panel, upload one of the encrypted files and wait for the result.
  • In the second panel, upload the decryption instruction file and wait for the result.
  • Compare the results in both panels; you should get a clear answer. ID Ransomware will also tell you whether the ransomware can be decrypted for free.
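A small triage helper for the recommended route above, added here as an example and not part of the original post: run against a copied or mounted directory (such as the disk mounted under live Linux), it picks out candidate instruction files by name and candidate encrypted files by byte entropy, with a SHA-256 for each so the same sample is not uploaded twice. The name list, the entropy threshold and the sample files are assumptions constructed for the example, not values from the post.

```python
import hashlib
import math
import os
import re
import tempfile
from collections import Counter

# Constructed heuristics (not from the post): notes are small .txt files with telling names
# (the post names HELP_DECRYPT.TXT); ciphertext has near-maximal byte entropy.
NOTE_NAME = re.compile(r"(help|how|decrypt|restore|recover|readme|ransom)", re.IGNORECASE)
ENTROPY_THRESHOLD = 7.5  # bits per byte; 8.0 is uniformly random

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage(root: str, head_bytes: int = 4096) -> dict:
    """Walk `root`; return candidate ransom notes and encrypted files with their SHA-256."""
    found = {"notes": [], "encrypted": []}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                data = f.read()
            entry = {"path": path, "sha256": hashlib.sha256(data).hexdigest()}
            if name.lower().endswith(".txt") and NOTE_NAME.search(name):
                found["notes"].append(entry)
            elif shannon_entropy(data[:head_bytes]) >= ENTROPY_THRESHOLD:
                # Compressed formats (zip, jpg, ...) also score high: a hint, not proof.
                found["encrypted"].append(entry)
    return found

# Constructed sample tree: a note, random bytes standing in for ciphertext, and a plain file.
SAMPLE_FILES = {
    "HELP_DECRYPT.TXT": b"Your files have been encrypted. (constructed sample note)\n",
    "report.docx.locked": os.urandom(8192),
    "minutes.txt": b"plain text meeting notes " * 200,
}

def demo() -> dict:
    """Write SAMPLE_FILES into a temp dir, triage it, return only the basenames per kind."""
    root = tempfile.mkdtemp(prefix="ransom_triage_")
    for name, content in SAMPLE_FILES.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(content)
    return {kind: sorted(os.path.basename(e["path"]) for e in entries)
            for kind, entries in triage(root).items()}
```

Point `triage()` at the copied data instead of the sample tree to get the two candidate files and the note to upload.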



Step #2: Data Recovery

In the previous step, you learned what type of ransomware you were infected with and whether it was decryptable.

If it is not decryptable, you have the following options:

  • restore the data from backup
  • set the encrypted data aside and hope that a decrypter appears in the future (not very likely)
  • pay the ransom to the ransomware authors (please don't do this if at all possible: it supports the ransomware authors and devalues the work of all malware fighters)

If it is decryptable, just move the data to another PC and decrypt it there using the decrypter. You will usually find detailed instructions on the decrypter's website. Usually you need both an encrypted and an unencrypted version of the same file. Emsisoft and Demonslay335 are responsible for most of the decrypters, as well as Kaspersky, Trend Micro, AVG, Avast...

The ID Ransomware service can point you to the decrypter. If that fails, you can use Google or ask here.





Step #3: Remove the ransomware

Since some ransomware families can make arbitrary changes to the OS, I do not recommend cleaning it. Instead, I recommend transferring all important data from the entire physical disk holding the infected OS to external media, then wiping the entire disk and doing a clean installation of Windows.

Instructions for a clean installation plus disk wiping (the DISKPART part of the instructions) can be found here:





Step #4: Prevention

Backup, backup, backup.

If you want to know how to defend against ransomware effectively, take a moment to read the entire Security Guide.

