I've been hit by Ransomware - now what?

Thomas Zucker-Scharff, Senior Data Analyst
Veteran in computer systems, malware removal and ransomware topics.  I have been working in the field since 1985.
If you are looking at this article, you have most likely been hit by some version of ransomware and are trying to find out whether there is anything you can do, or how you should react. READ ON!
Let's start off with the assumption that you are in the midst of deciding what to do because you have contracted a dreaded ransomware variant.  If you would like to investigate the various variants, there are plenty of places to go; check out my variants webpage and the nomoreransom.org webpage for a start.

There are lists of decryptors throughout the web; one of the best lists is located here (again, the No More Ransom Project page).  There is also a shorter list on my website here.

What should you do first? 
First Response
In order to protect the rest of your network and any connected backup or shared drives, you should immediately disconnect from both wireless and wired networks.  Once you have done that, do NOT attempt to remove the ransomware (once the removal process has begun, it may be more difficult, if it is possible at all, to recover your files).  Next, completely shut down your computer.

Scenario 1 - Recovery
The easiest way to recover from such an attack is to restore from an unaffected backup.  You will need to determine if you have either an unaffected local backup (one that was NOT connected to your computer or the internet when you became infected) or a versioning backup in the cloud.  If you have a tested recent backup:
  1. Clone the infected hard drive (use your favorite cloning software, Casper - video - or Paragon) or make a complete backup of it (not as good) using something like DriveImageXML.  Here are a few videos I made which illustrate the installation and use of various backup utilities.  Some videos may be a little out of date, but they depict the basic procedures.
    1. Native Backup on Windows 7
    2. Backup with DriveImageXML
    3. CrashPlan
    4. SpiderOak
  2. Either:
    • Use a third drive to restore your system (Depending on how many drives you have available to you)
    • Completely erase the clone of the hard drive that was infected.  
      But, you may ask, "Why am I making a clone and then erasing it?"  The answer is that you want to perform this AS IF this were your original drive.  It is, IMHO, the only way to be completely sure that you are performing the exact same tasks.  If it was attached to your computer in ANY way when it became infected with ransomware, the SSD will need to be "nuked" using the tools indicated below.  I suggest using a utility like Darik's Boot 'N Nuke (DBAN) (use the autonuke command to start a DOD [Department of Defense] wipe of your disk drive).
  3. Restore from your uncompromised backup.
That is the procedure if, and only if, you have a recent tested backup.  Pretty much the same procedure as above holds true if you use versioning backups, like CrashPlan.

If you are using versioning backup software, go back to a point in time when you are sure that you were not infected and do a restore.  If this is not a bare-metal restore, make sure to wipe the drive with a tool like DBAN (above) and then reinstall the system BEFORE doing the restore.

NOTE: Code42's CrashPlan is FREE for local backup (to an external drive or another computer); the only cost is if you purchase cloud space.  Check out this page for pricing.  The unlimited storage is relatively inexpensive, and certainly less than you would pay if you needed to ransom back your data/files.

What if you have a recent untested backup, an older backup, or no backup?  There is still hope, although much less, and you need to learn about backups.  So let's start with the scenario where you have a recent untested backup.

An untested backup is similar to not having a backup, although not the same.  If you haven't tested your backups by trying to restore them at least partially, then you do not really have a backup strategy.  Part of every backup strategy should be testing of the backups in some way.  So in order to ascertain the validity of your untested backup, we first need to do a test restore.  Restore a directory to a new drive and make sure you can use the restored files.  If this works, you now have a tested backup.  You can now use this backup to restore files or the whole operating system to your infected system.

Scenario 2 - an older backup
You realize now that your backup routine was not as robust as you thought it was.  The most recent backup you can find is more than a week old.  You know that if you use this backup (assuming it is usable; see the paragraph above on testing untested backups), you will lose precious work.  You have 2 choices in this case: use the backup and lose the week's worth of work, or don't use the backup and lose everything.  Your call.

Scenario 3 - no backup
If this is the case, you may feel like you have no choice but to pay the extortionist criminals who are holding your files/computer/mobile device hostage.  Some organizations and individuals have paid.  The results have been mixed.

I cannot stress enough that you are dealing with criminals, so don't trust anything.  If you feel the need to pay, look back to my previous sentence: remember they are criminals and are likely to act that way.  But you may say, "I need my data back.  What else can I do?"  Again, if you feel comfortable dealing with criminals, you may feel this is the only option.  If you pay, you are encouraging the ransomware industry to grow and encouraging the specific criminal element you are dealing with to strike again.  Morally this is at best unsound.  Even if you do pay (DON'T), it is unlikely that you will receive a working decryption key.

Then there is always the possibility that your documents were copied, and the criminals you so nicely paid off will come back for more money or threaten to put your sensitive documents on the internet (doxware).

You can probably tell I am against paying the perpetrators of these scams.  As a matter of fact, although ransomware is always a criminal activity, some states, like Wyoming and California, name ransomware as a specific crime in their penal code.

So what can you do?  Sometimes it is as simple as using an established decryptor; check nomoreransom.org for the best list.  If a decryptor for your variant of ransomware is NOT listed, your only real choice, other than taking your chances and paying the criminals who did this to you in the first place, is to completely wipe your computer and reinstall.  This route is the only way you can trust your computer again.

What Next? (or how can I protect myself in the future)
I always have to mention tools that you would probably consider "closing the barn door after the cow is gone" tools, but they may save you from having to deal with this ever again.  So what is really effective?  There are few if any tools that will prevent a targeted attack, but there are a few that will discourage anyone from trying and give you the feeling that you are actually doing something to prevent a future occurrence.

First and foremost, initiate a good backup strategy.  Remember that your backup strategy should include a testing phase, where you attempt to restore at least one directory to make sure your backup is a good one.  Use one of the tools mentioned above to do continuous cloning of your disk drive.  If you have more than 50k points on Experts Exchange or qualify in another way, you can get the Paragon software for free (see this page).
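The test restore described earlier (restore one directory, then confirm the files are usable) can be made repeatable. The following is an added example, not code from the article: a SHA-256 manifest is recorded from the original directory at backup time, and after a test restore every file is checked against it. A file whose hash does not match and whose content is near-random is flagged separately, because a backup drive that was attached to the infected machine may already hold encrypted copies. The function names and the 7.5 bits-per-byte entropy threshold are my own assumptions.

```python
import hashlib
import math
import os
from collections import Counter

# Added example, not from the article: check a test restore against a SHA-256
# manifest recorded from the original directory at backup time.

def sha256_of(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large restores are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(root):
    """Relative path -> SHA-256 for every file under root; record this when backing up."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_of(full)
    return manifest

def shannon_entropy(path, sample=4096):
    """Bits per byte over the first `sample` bytes; ciphertext sits close to 8.0."""
    with open(path, "rb") as f:
        data = f.read(sample)
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def verify_restore(manifest, restored_dir, entropy_threshold=7.5):
    """Check every manifest entry in the restored tree; a mismatch with near-random
    content is flagged suspect_encrypted (the backup may already hold ciphertext)."""
    report = {"ok": [], "missing": [], "mismatch": [], "suspect_encrypted": []}
    for rel, expected in sorted(manifest.items()):
        path = os.path.join(restored_dir, rel)
        if not os.path.isfile(path):
            report["missing"].append(rel)
        elif sha256_of(path) == expected:
            report["ok"].append(rel)
        elif shannon_entropy(path) >= entropy_threshold:
            report["suspect_encrypted"].append(rel)
        else:
            report["mismatch"].append(rel)
    report["passed"] = not any(report[k] for k in ("missing", "mismatch", "suspect_encrypted"))
    return report
```

Run build_manifest against the live directory before the backup job, store the result with the backup set, and run verify_restore against the directory you restore to a scratch drive; only a report with passed set to True counts as a tested backup.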

IMPORTANT: There are two ways you can protect yourself.  By far the best way, in my opinion, is to never have your clone or backup drive continually connected to your computer.  The second way is to use a standard account for all work and an administrative account for backups only (thanks to user McKnife for this suggestion).  With the first option, the best way to achieve this is to have 2 drives which you switch out often.  One drive is connected and backing up or cloning, while the other drive is NOT connected in any way.  This goes for Mac or PC.  In this way your backup or clone drive will NOT get encrypted as well, or only one of the two will.  If you choose the second option, using a different account, know that some ransomware can elevate its privileges, giving a standard account administrative privileges, but this is the less expensive route to go.  Be sure you have established a separate administrative account, use it only for backup, and do not use an administrative account for daily use.  There are several sources you should investigate before using this method, like this article by McKnife and these pages about the Principle of Least Privilege (POLP) 1, 2, 3, if you are going to use the method of establishing alternative accounts.

Some preventative measures:
I am not going to cover the full preventative landscape here, but feel free to read my other article on preventative measures, which is part of my course on ransomware (free for members with 50k points or more).

If you would like to learn more about ransomware, feel free to browse my articles on the topic, take my course, or read this FAQ by user btan.

If you found this article useful, please vote it helpful below.

Comments (1)

Thomas Zucker-Scharff, Senior Data Analyst


@McKnife - Thanks I'll include it.  Is it okay if I give attribution to you?
