Aaron Greene asked:
Clear ransomware and reset PC

My PC recently got infected with ransomware.  All of my files were encrypted.  Fortunately, I had been planning on wiping the computer and starting over, so there is nothing on the PC that I can't easily replicate.  My plan is to run a scan with Malwarebytes, quarantine and delete any infected files, and then reset the computer to factory settings and clean the drives.  Is this sufficient, or are there other steps that I need to take to make sure that everything is wiped clean on the PC?
ASKER CERTIFIED SOLUTION
Andrew Leniart

This solution is only available to members.
BTW, kudos to you for having your data backed up!
btan

Good that you have the backup off this machine.

Since there is intent to wipe it out, I suggest you go for it, as it will be the cleanest approach to eliminate the traces of the ransomware. I also suggest that you check the network file shares mapped and the thumb drives used on this machine to make sure they are not affected as well.

If you would still like to check on the ransomware, try out ID Ransomware to get insight and even a decryptor, if any exists.
https://id-ransomware.malwarehunterteam.com/
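An added example (my own, not posted by btan or anyone else in this thread) of how to act on the advice above: a PowerShell script that enumerates the mapped network drives and removable drives on the infected machine and flags files that look like they were touched by the ransomware. The ransom-note name pattern, the entropy threshold and the seven-day window are my own assumptions and should be adjusted to the strain and to when the symptoms first appeared; compressed formats (zip, docx, jpg, ...) are skipped because their content is high-entropy by nature and would otherwise produce false positives.

```powershell
# Added example, not from the thread. Heuristics below are assumptions, not a vendor list.

function Get-ShannonEntropy {
    # Shannon entropy in bits per byte; encrypted data sits close to 8.0.
    param([byte[]]$Bytes)
    if ($Bytes.Length -eq 0) { return 0 }
    $counts = @{}
    foreach ($b in $Bytes) { $counts[$b] = $counts[$b] + 1 }
    $entropy = 0.0
    foreach ($c in $counts.Values) {
        $p = $c / $Bytes.Length
        $entropy -= $p * [Math]::Log($p, 2)
    }
    return $entropy
}

# Formats that are already compressed look random even when untouched; skip them.
$compressedExt = '.zip','.7z','.rar','.gz','.docx','.xlsx','.pptx','.pdf','.jpg','.png','.mp4','.mp3'

function Test-SuspiciousFile {
    param([System.IO.FileInfo]$File, [datetime]$Since)
    # Ransom notes are small text/HTML files dropped into many folders; the name pattern is an assumption.
    $notePattern = '(decrypt|readme|restore|recover|how.?to).*\.(txt|html|hta)$'
    if ($File.Name -imatch $notePattern -and $File.Length -lt 64KB) { return 'ransom-note-like name' }
    if ($File.LastWriteTime -lt $Since) { return $null }
    if ($compressedExt -contains $File.Extension.ToLower()) { return $null }
    # Read only the first 4 KB; that is enough to tell ciphertext from a normal document header.
    $stream = $File.OpenRead()
    try {
        $buf = New-Object byte[] 4096
        $n = $stream.Read($buf, 0, $buf.Length)
    } finally { $stream.Close() }
    if ($n -lt 512) { return $null }
    $sample = $buf[0..($n - 1)]
    if ((Get-ShannonEntropy $sample) -gt 7.9) { return 'recently modified, high-entropy content' }
    return $null
}

# DriveType 2 = removable (thumb drives), 4 = network (mapped shares); local disks are left out.
$targets = Get-CimInstance Win32_LogicalDisk | Where-Object { $_.DriveType -in 2,4 }
$since = (Get-Date).AddDays(-7)   # assumption: how far back the infection could have started

foreach ($d in $targets) {
    Write-Host "Checking $($d.DeviceID) ($($d.ProviderName))"
    Get-ChildItem -Path "$($d.DeviceID)\" -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $why = Test-SuspiciousFile -File $_ -Since $since
            if ($why) { [pscustomobject]@{ Path = $_.FullName; Reason = $why } }
        }
}
```

Run it from the infected machine before wiping (the mapped drives are only visible there), pipe the output to `Export-Csv` if the share is large, and treat any hit on a share as a reason to also restore that share from backup rather than trusting it.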
Andrew is correct, you also must beware of the type of ransomware.  Was this fileless ransomware?  Some ugly stuff may hide in NVRAM or the CMOS.  The only truly safe computer is one that never connects to the internet and is filled with cement.  That said, do a low level format on the hard drive and then a regular format, then reinstall the system.  Unless you are buying a new computer, I wouldn't use this one for banking or other financial transactions.
User @masq was good enough to point out to me that there really hasn't been a proof of concept (PoC) even for ransomware hiding on the motherboard somewhere.  Although I do recall something like this (there have been plenty of instances of viruses in the BIOS), I couldn't find the citation, so other than that you should be good.  Do use MFA (multi-factor authentication), not text-based, which is dangerous, for any financials.  If your bank does not have decent MFA, it's time to change banks (and yes, it is that important).
The question is lacking key details about what the PC is (hardware-wise) and how old the factory recovery may be.  In many ways we are really up to Windows 20, as there has been a major version upgrade every 6 months (or so) since 8/2015, and the latest version is 1903, which was released in late May.
Luckily, one of the nice things that M$ did with Windows 10 is, if you use their media creation tool, you get the latest version, which eliminates the need for a lot of updates ( https://www.microsoft.com/en-us/software-download/windows10 ).  I prefer to create ISO images, which I can then keep and burn onto blank DVDs as needed, and I have started renaming the Windows 10 ISO files to include the version number.  The other nicety is that an ISO image burned to a DVD-R disc cannot be corrupted or infected.
If you want to be completely thorough, create the DVD as above, boot it, choose Advanced setup, delete every partition on the existing drive, then shut the PC down so it turns off.  Boot it back up and continue the installation by hitting Next.  (Windows will automatically create what it needs AND will automatically activate itself when you connect to the internet, so no, you don't need a new license.)
It has been a while, but some of the "bootkits" would become memory resident and reinfect the PC if you did not do the power down after deleting all of the partitions.
Since you have a backup, why still run a scan? Seems to be lost time to me.
Knowing the PC model is always good for precise answers.
If you want to be thorough, you can run DBAN on the drive to wipe it completely, but it will take several hours:
http://www.dban.org/
Then restart from 0, as suggested by Davis above. I would NOT use the manufacturer's recovery software, unless it's needed for some reason.
Suggesting DBAN for wiping a drive after a ransomware infection is overkill to the max. Besides that:

While DBAN is free to use, there’s no guarantee your data is completely sanitized across the entire drive. It cannot detect or erase SSDs and does not provide a certificate of data removal for auditing purposes or regulatory compliance. Hardware support (e.g. no RAID dismantling), customer support and software updates are not available using DBAN.

In fact, until the strain of ransomware is identified, the paranoia being shown here is a bit over the top too, hence why I said "depending on the type and strain of ransomware you were hit with" in my first comment. Most times, a simple ransomware infection only needs the deletion of the encrypted files and a backup restore. Resetting the computer to factory defaults, as the OP himself suggested, is likely more than is needed; it depends on "what" the infection was, before getting too paranoid IMO.

If worried, a simple format and reinstall of Windows or a restore from backup is more than sufficient. Again, the determination of what's appropriate can only be made once the infection (ransomware strain) is identified.

To identify, try looking here as per btan's comment: https://id-ransomware.malwarehunterteam.com/

Very, (VERY) few ransomware strains have a payload that will survive a simple drive format.
Aaron Greene (asker):

Thanks for the help.  nobus, you were correct that performing a scan was redundant.  It was a suggestion from my supervisor.