There seems to be a general consensus that if you've been hit with ransomware, especially a newly discovered strain, and don't have a reliable and unaffected backup to restore from, then all hope is lost.

This is not necessarily the case!

While it's true that ransomware is one of the most difficult "destructive infections" to recover from, recovery should never be considered impossible.

Advising those seeking help that they should simply accept defeat and wipe out any chance of recovering their data is bad advice. This point has been proven time and time again: several past ransomware strains that were once considered hopeless have since had decryption tools developed for them, whether because of flaws in the malware's cryptography, because keys were seized or released, or because the criminals behind them shut down.

If you have been hit by ransomware and don't have a backup, don't accept advice to just cut your losses, format the drive and admit defeat. That's just letting the criminals win.

The first thing to do, after disconnecting the machine from the network and stopping the ransomware so it can't keep encrypting or spread to other shares, is to make a full image backup of the affected drive with an imaging tool such as Acronis, Macrium Reflect or similar, so that you have a copy of every encrypted file exactly as it was left. Keep the ransom note(s) as well: decryption tools usually need the note, plus a few encrypted files (ideally alongside unencrypted originals of the same files, if any survive elsewhere), to identify the strain. Verify the image after it is written and store it safely offline for future recovery attempts, or to fall back on if a recovery attempt goes belly up.

Once backed up, wipe and start fresh if desired to get back to a working system again; at least you will always have the image to go back to in order to try decryption recovery tools that may be made available in the future. When that day comes, work from a copy of the image (restored into a virtual machine, for example) rather than the stored original, and label the image clearly as encrypted data so it is never mistaken for a clean backup.
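As an added example, not code from the original post or from any of the imaging tools it names, the following Python script inventories a copy of the encrypted data before it goes into cold storage: it hashes every file so the copy can be verified before a later recovery attempt, flags high-entropy files that are probably ciphertext, picks out likely ransom notes, and writes a clearly labelled manifest. The ransom-note name patterns, the 7.0 bits-per-byte threshold and the sample files built by make_sample_tree() are assumptions constructed for the example; the script assumes the encrypted files were already copied, or the image mounted read-only, under one directory.

```python
"""Added example (not from the original post): inventory a copy of
ransomware-encrypted data so it can be verified later and so the ransom
notes and sample encrypted files a decryptor needs are easy to find.
Assumed, not from the post: note name patterns, the entropy threshold,
and the constructed sample tree in make_sample_tree()."""
import hashlib
import json
import math
import tempfile
from pathlib import Path

NOTE_NAME_HINTS = ("readme", "decrypt", "recover", "restore", "how_to")  # assumed
NOTE_SUFFIXES = (".txt", ".html", ".hta")                                # assumed
ENTROPY_THRESHOLD = 7.0   # assumed; properly encrypted data measures close to 8.0
SAMPLE_BYTES = 65536      # only the head of each file is measured for entropy


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data`; 8.0 is the maximum (uniform bytes)."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def sha256_file(path: Path) -> str:
    """Streaming SHA-256, so large files never have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def looks_like_ransom_note(path: Path) -> bool:
    name = path.name.lower()
    return path.suffix.lower() in NOTE_SUFFIXES and any(h in name for h in NOTE_NAME_HINTS)


def build_manifest(root: Path) -> dict:
    """Hash every file under `root`; flag probable ciphertext and ransom notes."""
    entries = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        with path.open("rb") as f:
            head_entropy = shannon_entropy(f.read(SAMPLE_BYTES))
        entries.append({
            "path": path.relative_to(root).as_posix(),
            "size": path.stat().st_size,
            "sha256": sha256_file(path),
            "entropy": round(head_entropy, 3),
            "probably_encrypted": head_entropy >= ENTROPY_THRESHOLD,
            "ransom_note": looks_like_ransom_note(path),
        })
    # The label travels with the data so the copy is never mistaken for a clean backup.
    return {"label": "RANSOMWARE_ENCRYPTED_DATA_DO_NOT_RESTORE_AS_CLEAN", "files": entries}


def verify_manifest(root: Path, manifest: dict) -> list:
    """Paths that are missing or whose SHA-256 no longer matches the manifest."""
    changed = []
    for entry in manifest["files"]:
        p = root / entry["path"]
        if not p.is_file() or sha256_file(p) != entry["sha256"]:
            changed.append(entry["path"])
    return changed


def pseudo_random_bytes(n: int, seed: bytes = b"constructed sample") -> bytes:
    """Deterministic stand-in for ciphertext: a SHA-256 chain, ~8 bits/byte."""
    out, cur = bytearray(), seed
    while len(out) < n:
        cur = hashlib.sha256(cur).digest()
        out += cur
    return bytes(out[:n])


def make_sample_tree(root: Path) -> None:
    """Constructed sample: one 'encrypted' file, one plain file, one ransom note."""
    (root / "docs").mkdir(parents=True, exist_ok=True)
    (root / "docs" / "invoice.docx.locked").write_bytes(pseudo_random_bytes(SAMPLE_BYTES))
    (root / "docs" / "notes.txt").write_text("Quarterly sales figures, plain text, unaffected.\n")
    (root / "README_DECRYPT.txt").write_text("Your files are encrypted. (constructed note)\n")


def run_demo() -> dict:
    """Build the sample, take a manifest, then show verify_manifest catching a change."""
    work = Path(tempfile.mkdtemp(prefix="ransom_copy_"))
    root = work / "copy"
    make_sample_tree(root)
    manifest = build_manifest(root)
    (work / "manifest.json").write_text(json.dumps(manifest, indent=2))
    untouched = verify_manifest(root, manifest)
    (root / "docs" / "notes.txt").write_text("modified after the manifest was taken\n")
    tampered = verify_manifest(root, manifest)
    return {"entries": {e["path"]: e for e in manifest["files"]},
            "changed_before": untouched, "changed_after": tampered}


if __name__ == "__main__":
    result = run_demo()
    for path, e in result["entries"].items():
        print(path, e["entropy"], e["probably_encrypted"], e["ransom_note"])
    print("changed after tampering:", result["changed_after"])
```

Run build_manifest() once against the mounted copy and keep manifest.json next to the image; before any future decryption attempt, run verify_manifest() first, and if it reports changed paths, go back to the stored image rather than trusting the working copy. The entropy check is a heuristic: already-compressed files (archives, JPEGs, Office documents) also score near 8.0, so treat the flag as a hint for picking sample files, not as proof of encryption.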

Expert Comment

by:Thomas Zucker-Scharff
Andrew,

That is basically the same advice that has been given.  It comes down to a very simple piece of logic.  If your system has been hit by almost any malware, unless you are highly proficient at spotting what is going on and can monitor your system's traffic easily, there is absolutely no way of truly knowing that the previously affected system has not been compromised in some other way.  Detecting that a keylogger has been put on the machine is no easy task!  The only truly safe way to know that such a computer is as safe as it was prior to the infection is by doing a complete reinstall.  

Having a backup of the encrypted files is all well and good, but is it really useful?  By the time a decryptor is found, you have gone on and made changes, installed new software, etc., and don't wish to go back.  There is also a good chance you could accidentally get reinfected when you forget that the particular backup you just tried to recover is the one that was encrypted with ransomware, not some other backup or blank disk.

Author Comment

by:Andrew Leniart
Hi Thomas,
That is basically the same advice that has been given.

I must disagree with that. I've recently been involved in a couple of questions where askers, whose clients were hit by a ransomware encryption, were being advised by experts to just accept the fact that their data is lost and to start over because they didn't have a good backup to fall back on. This without even pointing the asker to well-known resources on the web which could possibly get them out of trouble. I can't object to that sort of advice strongly enough and it is what motivated me to make this post in the first place.

The only truly safe way to know that such a computer is as safe as it was prior to the infection is by doing a complete reinstall

I take your point about being careful to ensure all malware is off a machine and agree with the idea of exercising caution. But that can apply for any sort of infection, not just a ransomware hit.

Any known keylogger would be hard-pressed to get past the antivirus and anti-malware protection available today though. If one is to question the competency of research labs like Kaspersky and others, who release detailed information about how a discovered and recognizable virus will affect an infected system, then why not advise doing a complete reinstall whenever "any" malware has been detected on a computer?

What is the point of virus removal at all?  Can anyone really be sure a keylogger hasn't also sneaked its way in if a scan reveals a known Trojan of some type? I try to stay up to date with the latest research and developments and act / advise people accordingly. There are never any certainties, but there must be a certain level of trust in the protective tools one is using, or the only answer to be truly safe may as well be to just power down our computers and go back to sending letters with postage stamps.. and even that's not without its own dangers :)

Having a backup of the encrypted files is all well and good, but is it really useful?  By the time a decryptor is found, you have gone on and made changes, installed new software, etc., and don't wish to go back.

How would you argue that point with a business that places importance on their historical data like past sales / trends and so on? Lost forever? Or perhaps still useful in a few months' time? Historical data by its very nature doesn't change. Neither do purchased songs, graphics that might be lost to an encryption. Such things are always worth retrieving. I'm not saying that one should revert an entire operating system back just because a decryption tool is released in a few months' time, but the ability to restore data is never a bad thing. A backup can be quite easily restored to a virtual machine for recovery attempts, or simply a spare computer lying around.  Storage these days is cheap - a 2TB external USB 3.0 drive to store an image on can be had for less than $100.

There is also a good chance you could accidentally get reinfected when you forget that the particular backup you just tried to recover is the one that was encrypted with ransomware

A good chance?  If stored "safely" then the chances are minimal unless zero care was taken when restoring.

If I were to name an image something like "RANSOMWARE_VIRUS_INFECTED_IMAGE_BACKUP" for example, and then store that backup in a password-protected folder on an external drive that was also appropriately named, then I'd have to be pretty irresponsible to accidentally get reinfected from it.

If I was to ignore a name like that, then I'd probably be the sort of person that might go to crack sites or use pirated software and get myself reinfected anyway.

I take your points on board Thomas, but I can't agree with them.  I am always against admitting defeat to a criminal's actions and will always do my best to beat them at their own games. If criminals think they can make people lose data just because they won't pay them a ransom, then I'll go out of my way to prove them wrong, using the resources of the Security community who are fighting the good fight against such greedy terrorists every day.

My thanks for your comments on this topic however Thomas. It's one I'm sure you can tell I feel quite passionate about :)

Expert Comment

by:Thomas Zucker-Scharff
We'll have to agree to disagree.  I do feel that ANY infection, ransomware or not, renders a system untrustable. Yes, the system can be cleaned, but it can never be trusted again.

Security companies do have excellent heuristics and definitions, but they will never catch everything. I have several antimalware solutions running as well as some antiransomware software and general security software. Still I make continual clones of my drives.

The only real way to protect yourself,  while still running a working computer, is to run a virtual machine.

Author Comment

by:Andrew Leniart
Security companies do have excellent heuristics and definitions,  but they will never catch everything.

No argument.  But doesn't it then naturally follow that they can never "block" or "prevent" everything either?

Using that train of thought, even with all of the security software that you have protecting your machine(s), how can you be certain that you don't have a key logger recording your key strokes right now? Or a yet unknown time bomb trojan just waiting to jump up and deliver its payload? How could any system ever be trustable?

I'm honestly not trying to be argumentative here, it's just that the logic behind your conclusion is escaping me.

If you can't trust your security software to clean up an infection that has been researched and that it knows about, then how is it that you can trust the same software to prevent a yet unrealized one from occurring?

I'll agree we probably need to disagree.  

Life would be too boring if everyone agreed on everything anyway. :)

My thanks again for your input.

Expert Comment

by:Thomas Zucker-Scharff
I guess what I meant was that no one security software is likely to catch everything.  That is why I have a multilayered approach on my machines.  But you are correct, I do not feel safe even with that.  I guess I am on the paranoid side, which begs the question, "Is one paranoid, if the fear is true?"  That is a paraphrase of the original question.

The biggest problem, IMHO, is that to secure one's computer (and still have a computer that actually works, instead of one filled with cement), one needs to put enough security software on there that it slows down even the best of computers.

I would like a product that doesn't hog resources and assures me that I will never get malware of any kind (like that is happening).