Ransomware attacks have ramped up over the past few years, making ongoing headlines in the media. Just recently, in March 2019, a massive ransomware attack took down several plants of aluminum giant Norsk Hydro, costing them more than $40 million in the first week following the incident. Ransomware has been around for years. But a recent surge in popularity has made businesses and consumers more vulnerable than ever. With almost twenty thousand detections every single day, ransomware is on the rise and doesn’t show any signs of slowing down.
Ransomware attacks can hit anyone, at any time, and it’s not always clear what to do if you are targeted. This guide offers practical tools and steps that individuals and enterprises can take to remove and even block ransomware attacks before they strike.
What is Ransomware?
Ransomware is a type of malware designed to take over a user’s data, systems or entire devices and make them inaccessible until the victim pays a ransom to regain control.
Cybercriminals typically trick unsuspecting victims into installing ransomware by clicking an attachment or link in a phishing email that looks legitimate, or when a victim visits a hacked website.
The rising popularity of Ransomware-as-a-service (RaaS) allows evenless-skilled criminals to employ this tactic on a massive scale - with high reward for little effort and less technical knowledge.
Ransomware attacks on organizations are generally more disruptive than traditional cyberattacks focused on stealing information. They can prevent access to critical data causing a shutdown of part, if not all, of a business operation until the data is restored or replaced.
Types of Ransomware
There are several general categories of ransomware that have varying threat levels and removal methods.
These fake antivirus or PC Cleanup tools pretend to be ransomware and try to scare you into paying for fake removal programs. Scareware is highly uncommon these days, but some of these viruses still exist and many of them are now targeting mobile phones.
If you think you are seeing scareware on your computer or phone, there’s a simple way to investigate. See whether you can access your files or folders, such as the items on the desktop or in the My Documents folder. If you can navigate the system and open most files, then you're probably seeing something fake that's just trying to scam you.
How to remove: Scareware is the easiest to get rid of - in most cases, you can remove scareware using standard anti-virus removal tools, such as Bitdefender Antivirus, Malwarebytes Anti-Malware or others.
This version of ransomware locks the device and displays fake messages from law enforcement agencies like the FBI or police or tax authorities, informing the victim that they've detected illegal activity on the computer for which a fine must be immediately paid. While the screen locker won’t encrypt or delete your files, you may find yourself forced to perform a system restore.
How to remove: Screen-lockers can be easily removed at little to no cost. At first restart your computer in Safe Mode by following the relevant instructions below:
- Windows tablet/laptop: Power button + S at startup
- Windows desktop PC: Click restart + hold down Shift on login screen
- Mac: Restart + hold down Shift
From there, you should be able to clean up the ransomware using a free malware removal tool like the ones mentioned above.
If that doesn’t work, you can perform a system restore to a point before the scareware or screen locker began popping up messages. After you've done this, we recommend running your antivirus software one more time to make sure your system is clean.
To learn more about how ransomware attacks work, read our real-time report on BadRabbit, one of the most popular strains ofransomware.
This is the most damaging and therefore alarming type of ransomware. It encrypts user’s files with a strong algorithm and presents a ransom note informing victims how to pay (typically in bitcoin or other digital currency) in order to restore access to their assets.
Encrypting ransomware is one of the most significant cyberthreats facing businesses and individuals today. By 2021, global ransomware damage costs are predicted to reach $20 billion. These attacks are becoming increasingly sophisticated, more challenging to prevent, and more damaging to their victims. For example, advanced ransomware will also attempt to encrypt on-line backup copies of local files to increase the likelihood of getting paid.
How to remove: Since this type is much more complicated to deal with, on the next page we'll provide an in-depth guide.
How to Remove Encrypting Ransomware
Ransomware infection can be scary, but don’t panic. If you receive a ransom note and you can’t access your files, try these steps before you consider paying.
1. Disconnect Your Computer
from the network and any external drives, printers, webcams and anything else. You don't want the ransomware to spread to other devices on your local network or to file-syncing services such as Dropbox.
2. Take a photo of the ransom note
on your screen. After you’re done with removing ransomware we recommend reporting the attack to authorities and using the photo as evidence.
3. Remove the ransomware
using a reliable antivirus (e.g. Kaspersky Internet Security) or anti-malware solution before you attempt to recover your data. Otherwise, the ransomware will repeatedly lock your system or encrypt files. There are also removal tools available for specific ransomware families. Once you’ve removed the malicious software, you’ve won half the battle; getting your data back is the second, sometimes trickier, half.
4. Find out if you can recover deleted files
Ransomware typically copies your files, encrypts the copies and then deletes the originals. However, your server may contain shadow copies that can be used to restore data. See if you can rebuild deleted files with data recovery tools such as ShadowExplorer, a free-to-use option. Unfortunately, most of the modern versions of ransomware delete the Windows shadow copies, making restoring from shadow copy impossible.
5. Restore your files from a backup
If you regularly back up the affected computer or device, you should be able to restore the files from the backup. However, you'll want to make sure the backup files weren't encrypted too. Plug a backup drive into another computer, or log in to an online backup service, to check on the status of the files. If all is good, fully wipe the drive of the infected device, do a clean installation of the OS and then restore the files from the backup. If you can’t restore your files from a backup, don’t lose hope just yet; the following will guide your next steps. If you are lucky, you will be able to find a utility to decrypt your files.
6. Identify the ransomware affecting your PC
If the ransomware doesn't show its name, try Crypto Sheriff or ID Ransomware - online tools that can help you find out exactly which ransomware family you're dealing with. You just need to upload either: a ransom note, one of your encrypted files, an email or a web address. If the sites can identify your ransomware, you will be provided with a solution in the next steps.
7. See if there are decryption tools available
Many security firms and industry researchers have been studying ransomware encryption techniques and have developed special decryption tools. These programs, when matched with the correct type of ransomware, can decrypt and rescue your files for free. If you already know the name of the ransomware, head over to the list of decryption tools at No More Ransom to see if there's a matching decryptor (the top two entries on the list, Rakhni and Rannoh, can decrypt multiple strains). The list is not alphabetical, and new decryptors are added to the bottom of the list. Before running the tool, remember that you need to remove the ransomware from the computer (Step 3), otherwise it will encrypt the decrypted files again. Head over to the Useful Resources to find more links and sites with available decryption tools, as well as the list with ransomware examples that have decryptors.
Not all ransomware families have decryptors. In many cases, security professionals are unable to create them because the ransomware utilizes advanced and sophisticated encryption algorithms. We recommend duplicating your encrypted files and keeping a copy safe. That way, if a ransomware decryption tool becomes available in the future, you may be able to recover your files.
8. To pay or not to pay
If you are unable to restore your files you’ll need to decide whether you are going to pay the ransom. Many security companies don’t recommend paying a ransom and the FBI officially does not support it either. There’s no guarantee you will get your files back once hackers receive the payment – they can simply scam you. Moreover, with every dollar transferred you are actually funding cybercriminals activity.
9. Report the attack
to the relevant authorities in your country. It's a necessary step if you want to file an insurance claim or a lawsuit based on your infection, and you will also help keep track of ransomware infection rates. Reporting mechanisms vary from one country to another. Victims of ransomware in the US are requested to report it immediately to CISA (Cybersecurity and Infrastructure SecurityAgency) at www.us-cert.gov/report, or a local FBI Field Office, or Secret Service Field Office, or file a complaint through the Internet Crime Complaint Center at www.IC3.gov. Victims in the European Union can find the links to the local websites of specific countries to report cybercrime on this Europol site.
Security Tips to Avoid Ransomware
There are simple security practices you can follow to limit damage by preventing ransomware infections before they strike
1. The first line of defense is to subscribe to a security service provided by your ISP or mobile operator, in addition to installing a reputable security agent on your PC or smartphone.
2. Do not open suspicious email attachments and click on links, even if you know and trust the sender - most ransomware is distributed via phishing emails.
3. Make regular offline backups. Since some variants of ransomware can delete backup copies on your computer and network drives, save your files on an external drive or in the cloud. This ensures you don’t lose files if you are targeted by a ransomware attack.
4. Keep your OS and all your software updated and patched.
5. Beware of pirated content and software, which are usually distributed via P2P and torrent sites and can include malware.
6. Use strong and unique passwords for every site.
7. Enable the ‘Show file extensions’ option in the Windows settings on your computer. This will make it much easier to spot potentially malicious files. Stay away from file extensions like ‘.exe’, ‘.vbs’ and ‘.scr’. Hackers can use several extensions to disguise a malicious file as a video, photo, or document (like hot-chics.avi.exe or doc.scr).
8. If you notice any suspicious activity on your computer, disconnect it immediately from the internet or other network connections (such as home Wi-Fi) to prevent the infection from spreading.
Websites that aggregate ransomware decryptors:
Free decryption tools provided by security vendors:
Ransomware with decryptors:
Be sure to match the family and version of the ransomware with its decryptor tool, as described in this guide.
GandCrab (versions 1, 4 and up through 5.1)
Dharma (Rakhni decryptor)
Ransomware is not a new cyberthreat, but it has evolved to become a ubiquitous and serious one, targeting anyone and everyone to bring big profits to its authors. By adopting healthy internet practices, you can minimize your chances of falling victim and spare yourself all the hassle. If you DO see a ransom note on your screen one day, we hope this guide will help you handle it. Disclaimer: We have made every reasonable effort to present accurate information in this guide; however, we are not responsible for any of the results you experience while using it. We cannot assure you that all of the information provided will always be accurate or up to date, nor can we take responsibility for your use of this information.
If you are a communications service provider interested in offering security services to your customers, learn more about how Allot can help.
Allot Ltd. (NASDAQ, TASE: ALLT) is a provider of leading innovative network intelligence and security solutions for service providers worldwide, enhancing value to their customers. Our solutions are deployed globally for network and application analytics, traffic control and shaping, network-based security services, and more. Allot’s multi-service platforms are deployed by over 500 mobile, fixed and cloud service providers and over 1000 enterprises. Our industry leading network-based security as a service solution has achieved over 50% penetration with some service providers and is already used by over 21 million subscribers in Europe. For more information, visit www.allot.com