Ransomware clean up
Hi,
I have a friend who was hit with Ramsonware malware and all his folders are locked, every time he tries to open a file will get a pop up window that he has to pay 400 bitcoins and that his computer has been encrypted.
He tried to download from the internet ransomware removal tools and He can not install them.
Does he need to reinstall the whole OS or it will need just to clean up the computer?
How can he go about not been able to install Ransomware removel tools?
Please advise
Hopefully he has a good backup of all the data that was hit from the ransomware. Law Enforcement should be notified that a computer crime has occurred. Even if they cannot help you do the work of recovery.
Remove the computer from Internet connection. He should begin to backup all data on every other machine he manages and cannot afford to lose the data. Make sure they're safely stored. Begin monitoring, patching for the signs of the ransomware.
If he does data backups , the key here is to reformat the machines and reinstall OS, applications. It is then, he can restore the backup data back to the machine. He should put back into production ONLY AFTER he understands the ransomware's point of entry and what it attacked and how to fully patch his machine before doing so. If not the risk of that same ransomware is just as likely to reoccur. Remove the machine from the internet while recovering try to find patched solutions and sneaker net them to the machine
This only works with a good backup. If he doesn't happen to have that and needs that data. He will pay some or all of the ransom to get the data restored that is your only choice with the value of the data and the time you have if you do not have backups.. The double edged sword of ransomware is based on how well you've prepared for Disaster Recovery. If you've prepared for it, the ransomware helps you since they are the only ones who have the key and they encrypt with like a 4096 bit encryption. It means they have the key to a lockbox they'll no longer have access too and at the same time, anyone who tries to steal the data will have to deal with the 4096 bit encryption. But, if you don't have the backups, you must depend on the attacker's sense of doing business with his targets.
Thanks for your advice. It was very helpful. He has some of his data but the problem was he had expired antivirus for a year and no malwarebytes updated.
I will advice him to reinstall everything.
Thanks
Thanks for the very comprehensive response on this. I was wondering if you could point out to where I could get stats on how often people get affected by ransomware. Also your point below on paying the attacker suggests that sometimes conversations take place with the attackers to negotiate a release rate. I did not realise that this happens hence why I was keen to look at some stats but thanks for the detailed reply.
@Ronnie-Wong said in Ransomware clean up:
- This only works with a good backup. If he doesn't happen to have that and needs that data. He will pay some or all of the ransom to get the data restored that is your only choice with the value of the data and the time you have if you do not have backups.. The double edged sword of ransomware is based on how well you've prepared for Disaster Recovery. If you've prepared for it, the ransomware helps you since they are the only ones who have the key and they encrypt with like a 4096 bit encryption. It means they have the key to a lockbox they'll no longer have access too and at the same time, anyone who tries to steal the data will have to deal with the 4096 bit encryption. But, if you don't have the backups, you must depend on the attacker's sense of doing business with his targets.
You can find some stats here: https://blog.malwarebytes.com/cybercrime/2016/06/ransomware-dominates-the-threat-landscape/
I think my wording then misled in a unintended way. When I said pay all or some of the ransom. You may find out that after paying they may tell you it's not enough and demand more. So in a sense you have paid some of the ransom, when the real amount they wanted wasn't revealed until you paid the first portion. The attacker has to weigh carefully here. If he keeps doing this and word gets out. People will stop even trying to pay and fight. Now income is lost. But if he does what he says, he's likely to get a higher return rather than a fight from his targets.
I really don't encourage the pay of the ransom but it's also not my data that is at risk. Paying them encourages them to continue after you but that is why you must understand the how it got in and how to fix your security hole. You can afford not to pay if you have good backup and can restore the backup after you fix your security vulnerability. But not so much if you don't have a good backup of your data and it's your only extant data and you need the data back. Payment is not a great option but it maybe your only option. I would notify law enforcement of the computer crime though.
With no additional posts, I'm marking this topic as solved. ~RW
