Remediate A Ransomware Infection: A Concise Guide
Tuesday, January 24, 2017
What is Ransomware? Ransomware is malicious software that silently encrypts data and demands a sum of money (a ransom!) to restore access. Businesses and individuals alike are targeted, with the malicious software often delivered through unusual “Unpaid Invoice” style e-mails or suspicious websites. Some examples of Ransomware include but are not limited to:
· Cryptowall
· Cryptowall 2.0
· Cryptowall 3.0
· Cryptowall 4.0
· Cryptolocker
· Cryptolocker 2.0
· Tescrypt
· Teslacrypt
· Exxroute
· Cerber
· Reveton
· Critroni
· Teerac
· Locky
· Brolo
· Fakebsod
· Crowti
· Crysis
· zCrypt
· Carbon Black
· Petya
· CrypBoss
· Hydracrypt
· Crypto-js
Many times, the Ransomware variant will leave “HOW_TO_DECRYPT” style recovery instructions wherever encrypted (infected) files are present, along with the preferred method of payment, usually Bitcoin. Example instructions can be found below:
What is the best form of defense against Ransomware? The absolute best defense against Ransomware is Backup Redundancy. Period. However, this is not a substitute for an effective AntiVirus solution, awareness training, and auditing.
Here at Concise Computer Consulting, we have a procedure in place to effectively and efficiently remove Ransomware, and restore data and productivity:
1.) Reboot the Server and all computers on the network, and disconnect the networking switch. This will temporarily halt the encryption process and prevent the malware from spreading further throughout the network.
2.) Connect an unaffected computer to an alternate internet source (Wi-Fi or a hotspot) and download the following utilities to a USB flash drive:
· HitmanPro
· Malwarebytes’ Anti-Malware
3.) Connect the USB drive to the Server and all computers on the network, execute the utilities, and remove any malicious files found.
4.) Navigate to an affected Network Share and examine the malicious files and their modified dates. This will tell us the date and time at which encryption occurred:
5.) Recover Backup Files before date of encryption:
Option A.) Shadow Copies / Previous Versions
Navigate to affected Network Shares and examine Shadow Copies / Previous Versions:
Restore from a point before encryption occurred.
Option B.) In some cases, Ransomware will delete the Shadow Copies. If this is the case, we’ll use Windows Server Backup:
Select the most recent date prior to encryption and perform a “Files and Folders” restore to the original location:
Option C.) Cloud Backup Restoration
If a restoration from Shadow Copies or Windows Server Backup is not a viable solution, restore from a Cloud or Online Backup source. Concise recommends Evergreen Backup:
6.) Search the affected volume for the malicious file extension and the “HOW_TO_DECRYPT” files (for this example, we’ll use ‘*.Locky’) and delete the results:
7.) At this point, the files have been recovered, the Ransomware has been removed from all computers, and all networking can safely be restored. It is also a good idea to do a “post-mortem” and speak with the user who may have accidentally downloaded the malware in the first place, to review best practices.
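Steps 4 and 6 above can be scripted so the encryption window is dated from the files themselves and the cleanup is previewed before anything is removed. The following PowerShell is an added example, not part of the Concise procedure; the share path, the ‘.locky’ extension and the note-name pattern are placeholders to adjust for the variant at hand.

```powershell
# Added example (not from the Concise guide): inventory a share for encrypted
# files and ransom notes, date the infection, then preview or perform deletion.
# Assumptions: $SharePath, $Extension and $NotePattern are placeholders.
param(
    [string]$SharePath   = '\\SERVER\Share',    # placeholder: affected network share
    [string]$Extension   = '*.locky',           # extension the variant appends
    [string]$NotePattern = '*HOW_TO_DECRYPT*',  # recovery-instruction files
    [switch]$Delete                             # omit to only report and preview
)

# Find encrypted files and ransom notes recursively. Folders the current account
# cannot read are skipped rather than aborting the whole scan.
$hits = Get-ChildItem -Path $SharePath -Recurse -File -Force `
            -Include $Extension, $NotePattern -ErrorAction SilentlyContinue

if (-not $hits) {
    Write-Host "No encrypted files or ransom notes found under $SharePath"
    return
}

# Step 4: the earliest and latest LastWriteTime bracket when encryption ran,
# which is the cutoff for choosing a Shadow Copy or backup point in step 5.
$sorted = $hits | Sort-Object LastWriteTime
$first  = $sorted[0].LastWriteTime
$last   = $sorted[-1].LastWriteTime
Write-Host ("{0} files found; encryption window {1} to {2}" -f $hits.Count, $first, $last)

# Keep an inventory for the post-mortem before anything is removed.
$inventory = Join-Path $env:TEMP 'ransomware-inventory.csv'
$hits | Select-Object FullName, Length, LastWriteTime |
    Export-Csv -Path $inventory -NoTypeInformation
Write-Host "Inventory written to $inventory"

# Step 6: remove the encrypted copies and ransom notes. Without -Delete the
# -WhatIf switch only lists what would be removed; run with -Delete after the
# clean data has been restored from step 5.
if ($Delete) {
    $hits | Remove-Item -Force -Confirm:$false
} else {
    $hits | Remove-Item -WhatIf
}
```

Run it first without -Delete and compare the reported window against the modified dates seen in step 4 before choosing the restore point.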
by: Michael Schneider, Jr.