Locked Out? Try These Ransomware Removal Tips

This post was originally published at https://invenioit.com/security/ransomware-removal-tips/

If you’ve been locked out of your data and you’re looking for information on ransomware removal, we have some good news and some bad news for you:

• First, the bad news: You probably won’t be able to remove the ransomware itself by breaking the encryption or otherwise uninstalling the malware. Sorry, but these methods are generally impossible in a more serious ransomware attack. But we’ll go over some of your options below.
• Now, the good news: If you’ve been diligently backing up your data, then ransomware removal is easy: simply restore the backup to an earlier, clean recovery point. And poof! The ransomware is gone.

If you don’t have backups, then unfortunately you have few remaining options. You could theoretically pay the ransom, but that doesn’t guarantee anything. The hackers could decide to boost the ransom price, requiring you to shell out even more. Or, they could decide not to give you the decryption keys at all, which means you’d lose your money and your data.

Another option is to reformat your infected machines, essentially wipe everything and start from scratch. That won’t recover your data, but at least the ransomware will be gone.

On a network, if the infection has been isolated to just a few machines, then wiping those machines isn’t a terrible outcome. As long as you’re not losing any business-critical data that was saved directly on those computers, then a factory restore should be a relatively harmless outcome.

Here’s the problem …

Many businesses are unprepared for a ransomware attack.

Over the last year, ransomware incidents have been skyrocketing. Widespread attacks on businesses were projected to claim $1 billion in ransom payouts in 2016, plus an additional $75 million in operational losses, according to figures in The Atlantic.

What’s more, many businesses are using outdated data backup technologies, if they’re using them at all. Traditional backups, stored onsite, are at risk of being infected along with the machines that were infiltrated. In that case, the backups themselves also get encrypted. In other cases, the backups fail during the recovery process.

Below, we’ll go over some crucial steps for better data protection, as well as for preventing the attack in the first place. But first, let’s see if we can help you get rid of your ransomware.

8 steps to ransomware removal & response

Your systems have been infected. Now what? Here are some steps you should follow immediately, along with a few methods that might help you to remove the ransomware, depending on what kind it is.

1. Isolate the infected computer(s). Remove those machines from the network immediately. Don’t assume the infection won’t spread – most strains of ransomware are designed to access every connected server, drive or device. By isolating the infected machine early, you could stop the malware before it reaches your business-critical data.
2. Isolate the non-infected devices. Go ahead and turn them off, if necessary. This will prevent the infection from worsening and will allow more time to clean and/or recover your data on the infected computers.
3. Contact your local FBI field office—now. The FBI advises all ransomware victims (businesses and individuals) to contact them immediately. Law enforcement agencies may be able to use removal methods or other tools to get your data back that are unavailable to most organizations. Also, the FBI is actively focused on apprehending the criminals behind such attacks, which (theoretically) helps to prevent future losses for everyone.
4. Take your backup systems “offline,” if they’re not already. Ideally, they should not be permanently connected to the computers and networks they’re backing up anyway.
5. Try running your anti-malware and anti-virus systems in Safe Mode. Some forms of ransomware are actually relatively harmless and sometimes referred to as “scareware.” In essence, these make you think your computer has been bricked, when in reality it hasn’t. But it scares you into thinking you need to pay up to “fix” it. If you can still access your files and other programs, that’s a good sign it’s scareware. Your anti-malware software may be able to remove this ransomware, especially in Windows Safe Mode.
6. Try a System Restore. If you can’t run programs or do much else with Windows, try using Windows System Restore, if enabled. This will return system files and settings to an earlier state. Restart the PC and repeatedly press the F8 key, which should bring up your advance boot options.
7. Try running your virus scanner from a USB drive (or bootable disk). Sometimes called an “offline scan,” this is another method to try if System Restore doesn’t work. Shut off the PC, restart and hit the F8 key, as above, to access the boot menu and run your scanner from the USB device. But again, these methods will only work for the less harmful types of ransomware, not the latest file-encrypting CryptoLocker and Locky variants.
8. Delete registry values and files to stop executable ransomware files from loading. This applies to cases in which you know you have the malware on your machine, but it hasn’t fully completed the encryption process.

What about ransomware decryption? Is it possible?

Maybe—but don’t get your hopes up.

Some anti-malware companies, like Avast and Trend Micro, now offer ransomware decryption tools (usually for free). These tools are downloadable software designed to help decrypt files that have been encrypted by ransomware, without paying hackers for your decryption key.

Sounds good, right?

The problem is these tools only work with certain, generally older forms of ransomware. As of right now, they won’t work on the newer, more tenacious forms, like Locky. However, they are worth trying before you consider your machine a goner.

Still no luck? Here are your options

At this point, the only remaining options are to restore a backup (if you have one) or perform a factory restore to start from scratch.

The latter option would be crippling for most businesses, because it would likely apply to entire servers of data, rather than a single machine. This is why it’s so important to address your data backup and recovery preparedness within your business continuity planning.

Organizations must be sure they have a dependable backup system that will safeguard data and ensure a rapid recovery after a ransomware attack. Otherwise, operations will grind to a halt.

Restoring a backup

With a good backup system in place, removing the ransomware attack is as simple as rolling systems back to a point in time before the attack hit.

The sooner you can restore that backup, the better. And the more recent the backup is, the less data you’ll lose.

This is why data-protection companies have started adding ransomware protection directly into their backup technologies. Datto, for example, had already positioned its backup solutions as a failsafe for ransomware. Its technologies automatically take snapshots of a company’s data and systems at regular intervals, and stores them in a secure location (in the cloud, on site or both).

But in late 2016, the company went a step further. It added built-in ransomware detection, so that its systems could automatically detect an infection and notify administrators to rollback to healthy data. This effectively curbs the spread of infection and also shortens downtime.

Prevention is key

With the right preventative measures, you may never even have to think about ransomware removal. By taking the appropriate steps, you can prevent an infection from occurring in the first place.

Your organization should absolutely use anti-malware and anti-virus solutions. But that’s only part of the picture. The vast majority of infections still occur as a result of a user action, such as opening an infected email attachment. Training your staff and implementing file-access controls can significantly reduce the risk of a ransomware attack.

Consider these questions:

• Do your personnel know how to differentiate a phishing email from a legitimate one?
• Are there policies in place about opening suspicious email attachments or clicking links from unknown senders?
• Have personnel been trained on how to identify a potentially malicious email?
• Are staff aware of the consequences of a ransomware infection (or other cyberattack)? Have they been educated on the risk assessment as identified in your BCP?
• Do all users have write-access to every folder on the network? Or, are accounts configured to limit write-access to only those who absolutely need it, and only in the folders that pertain to their job functions?
• Are there any policies or controls in place to stop the installation of unwanted software?

Remember, users are the victims of a ransomware attack, not the reason for it. In an infection, you can only blame the attackers and the lack of having adequate controls that could have prevented it.

Additionally, don’t assume that “low-level employees” are the most likely to fall victim to an attack. Not even the CEO is immune from a well-designed phishing scheme. Your cybersecurity training should apply to every person in your organization.