While there were several headline-grabbing ransomware attacks during 2017, another big threat started appearing at the same time that didn’t get the same coverage – illicit cryptomining.
The owner of a plumbing and heating company opened what he thought was a safe email about a FedEx tracking number. The email turned out to be a ransomware scam. Within a nanosecond, all of the data files were encrypted, and the attached external backup drive was encrypted as well.
The thieves left a message stating that the owner had to pay a ransom in bitcoin to get access to an encryption key. So, after I calmed the owner down, I did the following:
A) Removed the ransomware using the program Malwarebytes.
B) Recovered hidden copies of the encrypted files using ShadowExplorer.
The free version of Malwarebytes successfully removed the ransomware infection after scanning the hard drive. The recovery program, ShadowExplorer, allows you to browse the Windows Shadow Volume Copies created by the Volume Shadow Copy Service on Windows Vista, Windows 7, Windows 8, and Windows 10. When these Shadow Volume Copies are created, they include copies of the data files that have changed on your computer. ShadowExplorer lets you use those Shadow Volume Copies to restore files to previous versions or even to restore a deleted file. The features of ShadowExplorer include:
1. Revealing the currently available copies of files.
2. Letting the user browse through the available Shadow copies.
3. Allowing the user to recover files and folders.
Make sure that Volume Shadow Copy is enabled under Services. Note that some ransomware deletes existing shadow copies before encrypting, so confirm that shadow copies are actually present before relying on this method. Here is a YouTube video, https://www.youtube.com/watch?v=VlcKJ-2mEg0, created by MalwareLess, that visually explains the use and the various recovery screens of ShadowExplorer.
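As an added example (not from the original post), here is a PowerShell check that verifies the Volume Shadow Copy service is available and lists the shadow copies that ShadowExplorer would browse, so you know whether a recovery like the one above is even possible. It assumes an elevated PowerShell session on the affected Windows machine.

```powershell
# Added example (not from the original post): verify the VSS service and
# enumerate existing shadow copies before attempting a ShadowExplorer recovery.
# Assumes an elevated PowerShell session on the affected machine.

# 1. The service name for "Volume Shadow Copy" is VSS. Make sure it is not
#    disabled and that it is running (it normally starts on demand).
$vss = Get-Service -Name VSS
if ($vss.StartType -eq 'Disabled') {
    Write-Host "VSS service is disabled; setting it to Manual start."
    Set-Service -Name VSS -StartupType Manual
}
if ($vss.Status -ne 'Running') {
    Write-Host "VSS service is $($vss.Status); starting it..."
    Start-Service -Name VSS
}

# 2. Build a lookup from volume GUID path to drive letter so each shadow copy
#    can be reported against a familiar drive (C:, D:, ...).
$volumes = @{}
Get-CimInstance -ClassName Win32_Volume | ForEach-Object {
    $volumes[$_.DeviceID] = $_.DriveLetter
}

# 3. List every shadow copy on the system with its volume and creation time.
#    If the list is empty, the ransomware may have deleted the copies and
#    shadow-copy recovery will not work; fall back to offline backups.
$copies = Get-CimInstance -ClassName Win32_ShadowCopy
if (-not $copies) {
    Write-Warning "No shadow copies found; ShadowExplorer will have nothing to restore."
    return
}
$copies |
    Sort-Object InstallDate |
    ForEach-Object {
        [pscustomobject]@{
            Id      = $_.ID
            Volume  = $volumes[$_.VolumeName]
            Created = $_.InstallDate
            # DeviceObject is the \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN
            # path that tools such as ShadowExplorer read files from.
            Device  = $_.DeviceObject
        }
    } | Format-Table -AutoSize
```

Pick the newest copy created before the encryption time; older copies restore older versions of the files.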
So, the files were restored and the owner didn't have to pay a ransom.
For those who wish to avoid the trap of ransomware, there are anti-ransomware utilities such as RansomFree by Cybereason, the Anti-Ransomware Tools by Trend Micro, and the Kaspersky Anti-Ransomware Tool, to name a few.