Has Malware and Ransomware Encrypted Your Files? – Here’s What to Do

In the past few years, ransomware has popped up on the radar of business owners worldwide. News reports that indicated the infection of thousands of businesses worldwide had people very concerned about their own cybersecurity and the security posture of their business.

But what happened to that concern?

Like many things, when the news stories began to die down, the panic abated – and so did the worry that many business owners felt at the time.

The problem?

Even though the news stories – and business owner’s worries – died down, the cybercriminals have not stopped.

Crypto-Locker, Locky, Crypto Defense, CryptoWall, TeslaCrypt, Petra, Hades Locker, Cerber 3, Torrent Locker, and more are still very much active around the web.

Ransomware has been developed by criminals for nearly every operating system (Windows, OS X, Linux, Android) and device type (server, computer, tablet, laptop, smartphone).

For example, a Calgary business leader called CTECH Consulting Group just the other day. His organization had suffered a ransomware attack. Their eighteen computers and two servers were affected, and his staff could not use the files they needed because all the files were encrypted.

What to do?

First, let’s make sure that everyone reading this article knows what ransomware is.

Ransomware is malware that is often allowed entry into your computer by clicking on a spurious link in an email or going to a website that has been set up to spread the ransomware. Once infected one of two things will happen. Either you will be locked out of your PC completely (this type of ransomware is called a PC-Locker), or you will discover that your files (documents, photos, spreadsheets, databases) have been encrypted (this is called a Data-Locker type of ransomware). Your first indication that you have been infected will be a notice on your screen from the cyber-criminals telling you what has happened and demanding payment.

Now that we have described what ransomware is and what it does to your systems…

Let’s begin to examine the possible ransomware fixes.

Cybersecurity professionals are agreed that there are four basic options available to you if your systems become infected with ransomware and your files are encrypted. We will look at these options – or steps – one at a time.

In each of these recovery options, it is recommended that you run your operating system in “safe mode” with networking. In addition, you should not make any changes to the affected drive. You should be using at least two external hard drives. Download and run any tools on the external drives and attempt any decryption after copy/pasting files from the affected drive to one of the external drives.

Option #1 – Decrypt the Encrypted Files

In order to decrypt files affected by ransomware, you must first discover what ransomware has taken over your files. To do so, an online tool such as ID Ransomware by MalwareHunterTeam is utilized. The way ID Ransomware works is an encrypted file is uploaded from your affected computer and ID Ransomware determines from that sample which strain of ransomware is causing the trouble. Identifying the type of ransomware is also often possible by looking at the extension placed on the encrypted files and the .exe files of the ransomware. When uploading the encrypted file, it’s more efficient to pick a small file to upload and for ID Ransomware to examine, because the result will be the same as if you had uploaded a large file.

Once you know what ransomware has encrypted your files, you can begin looking for a decryption tool that will decrypt your files. Often, ID Ransomware has a decryption tool that it suggests for a particular strain of ransomware.

If there is no suggestion, the next step would be to google “ransomware – (family) – (name) decryption tool.” Fill in “family” and “name” with the information you have discovered about your ransomware.

It’s important to note here that you should not attempt decryption of files until after you have first removed the ransomware’s executable files. If you do not remove the .exe files first, whatever you decrypt, will be automatically be encrypted again by the ransomware.

Kaspersky has been helpful in supplying some decrypters as well at www.noransom.kaspersky.com

Option #2 – Restoring From Shadow Files

Beginning with Windows XP, the developers of windows have included an OS function allowing “shadow copies” of files. These “shadow copies” are routinely used for system restores. By using a tool called Shadow Explorer, you can restore files from the “shadow files.”

It’s important to note here that you must remove the ransomware’s executable files BEFORE attempting a shadow file restore.

Note: Some ransomware delete shadow copies. As a preventative step, disable or rename the VSSAdmin.exe service to keep ransomware from deleting the shadow copies before you are infected by ransomware.

Download the portable version of Shadow Explorer to one of the external drives you have set up for this process.

With Shadow Explorer, you will be able to choose the drive that the infected and encrypted files are in, choose a restore point from the drop-down menu, and export those files to the external drive that you are using.

Option #3 – Use a Data Recovery Tool

There are a number of things about your computer system that may affect how well data recovery tool will work – such as drive space handling, file overwriting priorities, and OS partitioning.

Decryption tools for this step can be found at EMSisoft’s decrypter.

You will want to install the decrypter on an external hard drive and copy any files you want to decrypt to an external hard drive before attempting decryption.

Follow the steps in your decrypter’s wizard. Select eh files you want to recover and restore those files to the external drive – not the affected internal drive.

Option #4 – Recover From Backups

By now, business leaders know that there are times when options #1-3 just don’t work – especially when dealing with an entirely new strain of ransomware.

While everyone else is scrambling at a frantic pace to catch up and find a fix to a new ransomware strain, the business owner that has an IT support company managing its backups can rest much more comfortably.

Why?

Because backups and IT security protocols are a company’s best defense against ransomware.

If you have backups that are properly managed, verifiable, and recoverable, then you’re a hundred miles ahead of the business owner that is crossing his fingers hoping that the files that are stored only on his computer can be decrypted.

An IT support professional can help you set up security-conscious backups BEFORE ransomware hits.

The ability to restore from backup copies of your files is the gold-standard in ransomware recovery. However, having this option does take some forethought and planning.

Do you want a professional to handle your recovery from ransomware? The CTECH Consulting Group’s cybersecurity professionals are happy to have that conversation with you.

Want to read more helpful articles? We’ve got them for you HERE!