Ransomware Removal: Recovering Your Files and Cleaning Up Infected Systems
What is Ransomware
Ransomware is malware that encrypts user data and makes it inaccessible to the victim. The attacker demands a ransom in exchange for decrypting the data. Payment is typically demanded in cryptocurrency and the costs can range between hundreds and thousands of dollars. Even if the ransom is paid, there is no guarantee that the data will be restored.
Ransomware has become more sophisticated over time, requiring more sophisticated ransomware protection methods. While the original ransomware was limited to encrypting a single endpoint, current variants have advanced distribution mechanisms. Modern ransomware encrypts its own code to make reverse engineering difficult and can use offline encryption methods, eliminating the need for communication with a command and control (C&C) center.
This is part of an extensive series of guides about data security.
Want to dive deep into EDR? Here are some resources
If there is no ransom notice, here a few quick ways to detect if your system is affected by ransomware:
Scan the system with antivirus – antivirus can detect known types of ransomware, unless ransomware has bypassed antivirus, or the attack is unknown (zero day).
Check file extensions – your operating system may hide file extensions by default. Show them, and look at your files. If common file extensions like “.docx” or “.png” have changed to random letter combinations, this indicates a ransomware infection.
Renamed files – if you find files with a different name from the original name you gave them, this can indicate ransomware has encrypted the data.
Heightened CPU/disk activity – ransomware can cause increased use of system resources. Shut down normal applications and processes and see if utilization is higher than normal.
Abnormal network communications – most types of ransomware interact with a C&C server, and you can detect this abnormal network traffic using tools like WireShark.
Encrypted files – finally, if you attempt to open a file and discover that it is encrypted, this is a clear sign of ransomware.
This is part of an extensive series of guides about data security.
Ransomware Removal: Immediate Steps
If you’ve been infected by malware, here are some quick steps you can take to remove the malware and prevent further damage:
Isolate affected systems — immediately disconnect any machines showing signs of infection from wifi and wired networks, to prevent malware from spreading on the network or communicating with command and control systems.
Identify the infection — you can use a free tool like Cyber Sheriff, provided by Europol and McAfee, to identify the type of malware you are infected with.
Report to the authorities — it is important to report your ransomware attack to the authorities to provide law enforcement agencies with more information about attacks and to help them act against attackers. In the USA you can file a report via the FBI Internet Crime Complaint Center.
Should You Pay the Ransom?
Most security experts and law enforcement authorities, including the FBI, advise not to pay the ransom in case of a ransomware attack. There are three primary reasons:
Even if you pay the ransom, there is no guarantee that cybercriminals will decrypt your data
Some types of ransomware are actually unable to decrypt the data, even if the ransom is paid
Paying the ransom encourages future ransomware attacks against your organization and others
What are the Options for Recovering from a Ransomware Attack?
First, identify what type of Ransomware has infected your systems.
This type of malware locks users out of a computer, sometimes claiming that the computer was locked by the authorities. Another variant is doxware, which threatens to share a user’s public information publicly if a ransom is not paid.
These types of Ransomware are less severe, and you can typically clean them using antivirus software.
Filecoders / encrypting ransomware
This is the more severe type of ransomware that irreversibly encrypts files on a computer. Whether you can remove this type of ransomware depends on the specific malware strain that infected your system.
You typically have three options to recover from an encrypting ransomware attack:
Decrypt your data — if a decryption tool is available for the ransomware that infected your systems, this is the best option. The No More Ransom Project offers a range of decryption tools that can help you restore access to your files. Unfortunately, not all ransomware encryption algorithms can be decrypted with available tools. These tools also don’t prevent ransomware from activating secondary malware or from deleting data.
Wipe and restore — with this option, you will lose your encrypted data. Hopefully, you have a backup available from which you can restore your files. If so, you can remove ransomware from your system by simply resetting your device to factory defaults, formatting your hard drives, or deleting your storage instances if in the cloud. Once you have ensured that all data and traces of ransomware are gone, you can restore your systems from backup.
Negotiate — negotiation is typically a last option for businesses who have no other way of restoring lost access, and is not recommended. However, if you do decide to pay the ransomware, you should know that the ransom fee is typically negotiable. You can negotiate with the attackers using the contact details on the ransomware message. The ransom is typically charged in Bitcoin. Hopefully – although there is no guarantee – after paying the ransom, attackers will allow you to decrypt your files.
Cleaning Ransomware from Your Systems
The steps required to remove filecoders/encrypting ransomware depend on whether you have backed up your files before encryption.
Cleaning Ransomware if You Have Backed Up Your Data
Follow these steps to clean a ransomware infection if you have a safe backup from which you can restore your files.
Before proceeding, verify that your backup is secure and was not also infected by ransomware.
Verify that the ransomware malware has been removed – otherwise, it will continue encrypting files after you restore from backup.
You can use one of these free tools to scan your computer and remove malware: Kaspersky, McAfee, or AVG.
Recover files from backup.
Cleaning Ransomware if You Do Not Have a Backup
Follow these steps to clean a ransomware infection if you do not have a safe backup of your files, or if backups were corrupted by the ransomware:
Identify the type of ransomware using Crypto Sheriff from the No More Ransomware project. You will need to provide the email address, Bitcoin account or web address shown in the ransomware message.
Remove the malware from your system, as explained above.
If you found a decryptor, obtain the key and use it to decrypt the files. This can take some time depending on the type of ransomware, the volume of data and the available system resources.
If there is no decryptor, contact a security professional and let them try to restore the data.
All-in-One Ransomware Protection with Cynet
Cynet 360 AutoXDR™ is an Advanced Threat Detection and Response platform that provides protection against threats, including ransomware, zero-day attacks, advanced persistent threats (APT), and trojans that can evade signature-based security measures.
Cynet provides a multi-layered approach to stop ransomware from executing and encrypting your data:
Pre-download—applies multiple mechanisms against exploits and fileless malware, which typically serves as a delivery method for the ransomware payload, preventing it from getting to the endpoint in the first place.
Pre-execution prevention—applies machine-learning-based static analysis to identify ransomware patterns in binary files before they are executed.
In runtime—employs behavioral analysis to identify ransomware-like behavior, and kill a process if it exhibits such behavior.
Threat intelligence—uses a live feed comprising over 30 threat intelligence feeds to identify known ransomware.
Fuzzy detection—employs a fuzzy hashing detection mechanism to detect automated variants of known ransomware.
Sandbox—runs any loaded file in a sandbox and blocks execution upon identification of ransomware-like behavior.
Decoy files—plants decoy data files on the hosts and applies a mechanism to ensure these are the first to be encrypted in a case of ransomware. Once Cynet detects that these files are going through encryption it kills the ransomware process.
Propagation blocking—identifies the networking activity signature generated by hosts when ransomware is auto-propagating, and isolates the hosts from the network.
Learn more about how Cynet 360 AutoXDR™ can protect your organization against ransomware and other advanced threats.
See Our Additional Guides on Key Data Security Topics
Together with our content partners, we have authored in-depth guides on several other topics that can also be useful as you explore the world of data security