How to recover from ransomware attacks
This article explains what to do when you are attacked by ransomware, depending on how important the affected files are and on your computer skills. Everyone should back up their important files on a regular basis. This ensures that you do not lose everything if your computer is compromised or if ransomware protection fails.
A. If you have a recent backup and can afford to lose the latest files
In this case, it is not worth taking further risks, so simply re-image the machine or reinstall the OS.
- Turn off the computer;
- Re-install the operating system / restore the OS image;
- Restore user files from your latest backup;
B. If you need the most recent data or do not have a backup
To follow the steps below, you need some computer skills: installing applications, tracking processes, killing processes from the command line, searching online and following instructions. If you think you do not have these skills, it is better to turn off the computer and ask for help. Otherwise, follow the steps below:
1. You need to stop the encryption process and contain the infection
At this point you realize your files are being encrypted and you cannot access them. Containment should be the first concern: it prevents the ransomware from attacking other machines or other files it can reach. At the same time, it may save the files on the infected machine if it is performed soon after the encryption process has started. To do this, follow the steps below:
- Disconnect network drives attached to the infected machine;
- Disconnect all file synchronization clients like OneDrive, Dropbox, etc.;
- Attempt to identify the ransomware process in Task Manager based on resource consumption / activity;
- Otherwise, download this tool, which allows monitoring file access. You can find instructions on how to use it here. Any ransomware will show top file activity when monitoring the system with this tool;
- Once the process is identified, kill it using the Task Manager or the command line;
- Alternately, if you have an anti-virus solution that allows quarantining files on demand, use it to quarantine the ransomware process.
At this point you have managed to stop the ransomware from encrypting more files, but the infection itself still exists. You need to clean up the machine to prevent the ransomware from executing again. The easiest approach is to install a malware removal tool and run it. However, such tools may not identify the specific variant that attacked you, so they may not be able to clean it up. To further reduce the risk of the ransomware executing again, perform the following steps:
- Delete the image file (the executable) of the process you identified as ransomware during stage 1;
- Verify that there are no unknown / suspicious entries that execute when the computer starts. This link provides information on where to look.
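The two steps above, identifying the process by its file activity and then reviewing what runs at startup, as an added PowerShell example that is not from the original article: Get-TopWriters ranks processes by their current I/O write rate (an encryptor rewriting files stands out) and records each image path, and Get-AutostartEntries lists the Run keys, Startup folders and non-Microsoft scheduled tasks to review. It assumes an elevated session on the affected machine; the function names are this example's own.

```powershell
# Added example, not from the original article. Ranks running processes by
# their current I/O write rate and lists the usual autostart locations to
# review during clean-up. Requires an elevated PowerShell session.

function Get-TopWriters {
    param([int]$Top = 10)
    # Sample the per-process counters twice, a second apart, so one transient spike misleads less
    $samples = foreach ($i in 1..2) {
        Get-CimInstance -ClassName Win32_PerfFormattedData_PerfProc_Process |
            Where-Object { $_.Name -notin @('_Total', 'Idle') }
        Start-Sleep -Seconds 1
    }
    $samples | Group-Object IDProcess | ForEach-Object {
        $proc = Get-Process -Id ([int]$_.Name) -ErrorAction SilentlyContinue
        [pscustomobject]@{
            PID          = [int]$_.Name
            Name         = $_.Group[0].Name
            WriteBytesPS = [math]::Round(($_.Group | Measure-Object IOWriteBytesPersec -Average).Average)
            WriteOpsPS   = [math]::Round(($_.Group | Measure-Object IOWriteOperationsPersec -Average).Average)
            Path         = $proc.Path   # image file to delete later if this is the ransomware
        }
    } | Sort-Object WriteBytesPS -Descending | Select-Object -First $Top
}

function Get-AutostartEntries {
    # Run keys and Startup folders, as enumerated by Windows itself
    Get-CimInstance -ClassName Win32_StartupCommand | ForEach-Object {
        [pscustomobject]@{ Source = $_.Location; Name = $_.Name; Command = $_.Command }
    }
    # Enabled scheduled tasks outside the Microsoft tree are another startup location
    Get-ScheduledTask |
        Where-Object { $_.State -ne 'Disabled' -and $_.TaskPath -notlike '\Microsoft\*' } |
        ForEach-Object {
            $task = $_
            foreach ($action in $task.Actions) {
                if ($action.Execute) {
                    [pscustomobject]@{
                        Source  = "Task $($task.TaskPath)"
                        Name    = $task.TaskName
                        Command = "$($action.Execute) $($action.Arguments)".Trim()
                    }
                }
            }
        }
}

Get-TopWriters | Format-Table -AutoSize
Get-AutostartEntries | Format-Table -AutoSize -Wrap
# Once a PID is confirmed to be the ransomware: Stop-Process -Id <PID> -Force
```

A high write rate alone is not proof: backup agents and indexers also write heavily, so confirm the image path and signer before killing or deleting anything.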
Once the ransomware is stopped and the PC is cleaned up, you need to find a way to recover the encrypted files. There is no guarantee the files can be recovered, but there are decryption tools for many ransomware variants, so it is worth trying.
- Find out the name of the ransomware that attacked you: if there are ransom notes, search for the exact text of the ransom note; if there are no ransom notes, search for the name of the process you killed;
- Such searches should point towards a ransomware variant. Note that security vendors label ransomware and malware differently, so write down all the names you find associated with the file name of the ransomware, the extension of the encrypted files, or the messages in the ransom notes. You will need these names for the next steps;
- Search online for tools that can decrypt files compromised by the specific variant (use all the names you found connected to it). Here is a good starting point for such tools;
- If you cannot find a tool for the specific variant, try tools that decrypt the broader ransomware family that includes it. If this does not work either, do not delete the encrypted files just yet: if you were attacked by a new ransomware variant, a decryption tool may become available later, so keep the files and check regularly for updates regarding that variant.
Note: some ransomware variants cannot be cleaned up using the methods above; in that case, it is best to shut down the computer and ask for help. Such ransomware includes the Petya family, which modifies the MBR and forces a reboot in order to boot its own code instead of the Windows OS.
How we can help
To prevent further incidents, use anti-ransomware technology that can protect files and stop ransomware automatically. Go through our advice on how to protect against ransomware.
We help users avoid losing their files in the event of a ransomware attack. Our dedicated solution, TEMASOFT Ranstop, is anti-ransomware software that detects present and future ransomware based on file access pattern analysis, with a high degree of accuracy. At the same time, it protects user files so that they can be restored in case of malware attacks or accidental loss.
For more information, follow us on social media and subscribe to our newsletter.
What if there are no tools to decrypt or there is an attack that renders the entire OS unusable (Petya)?
In those cases, the chances to recover anything from the machine are very slim and it is best to re-image the compromised computer. For protection in such cases, you need a solution that protects the Master Boot Record and stops such attacks before they can compromise the system.
Thanks for the info, what about identifying infected machines? We had a case where ransomware was intermittently encrypting files on a shared network drive and we had issues determining the source. In the end, the employee reported the infection, but is there anything we can do to identify it quicker?
Indeed, identifying compromised machines is difficult if there is no anti-ransomware technology able to detect the attack and isolate the machine automatically. In your case, I think the best chance is to look at the logs as soon as you identify suspicious activity as you described. The Windows logs hold information about the network connections: you need to find the 4624 events with logon type 3 (network) where the user is a computername$. Initial connections are carried out via the computer accounts, and in this way you can identify the source.
Hope this helps!
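The log search described in the reply above, as an added PowerShell example that is not part of the original thread: run on the server that hosts the share, it pulls the 4624 events in a time window, keeps logon type 3, and counts them per account and source host, since the IpAddress and WorkstationName fields of each record identify the client that connected. The -ComputerAccountsOnly switch applies the computer-account ($) filter the reply suggests; the function name and the sample time window are this example's own, and it assumes successful-logon auditing is enabled and an elevated session.

```powershell
# Added example, not part of the original comment thread. Lists network logons
# (Event ID 4624, LogonType 3) in a time window on the file server and counts
# them per account and source host. Assumes logon auditing is enabled.

function Get-NetworkLogonSources {
    param(
        [datetime]$Start,
        [datetime]$End,
        # Keep only computer accounts (names ending in '$'), as the reply suggests
        [switch]$ComputerAccountsOnly
    )
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4624; StartTime = $Start; EndTime = $End
    } -ErrorAction SilentlyContinue

    $rows = foreach ($e in $events) {
        # Pull the named EventData fields out of the event XML
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['LogonType'] -ne '3') { continue }
        if ($ComputerAccountsOnly -and $data['TargetUserName'] -notlike '*$') { continue }
        [pscustomobject]@{
            Time        = $e.TimeCreated
            Account     = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            SourceIP    = $data['IpAddress']
            Workstation = $data['WorkstationName']
        }
    }
    # One row per account/source pair, busiest first, with first and last seen times
    $rows | Group-Object Account, SourceIP, Workstation | ForEach-Object {
        $sorted = $_.Group | Sort-Object Time
        [pscustomobject]@{
            Account     = $sorted[0].Account
            SourceIP    = $sorted[0].SourceIP
            Workstation = $sorted[0].Workstation
            Logons      = $_.Count
            FirstSeen   = $sorted[0].Time
            LastSeen    = $sorted[-1].Time
        }
    } | Sort-Object Logons -Descending
}

# Constructed example window: the hour in which the encrypted files appeared
Get-NetworkLogonSources -Start ([datetime]'2017-06-01T14:00:00') -End ([datetime]'2017-06-01T15:00:00') |
    Format-Table -AutoSize
```

Correlate FirstSeen/LastSeen with the modification times of the encrypted files on the share; the source whose logons bracket those times is the machine to isolate first.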