Your computer has been infected by ransomware. All those files -- personal documents, images, videos, and audio files -- are locked up and out of your reach.
There may be a way to get those files back without paying a ransom. But first a couple of basic questions:
- Do you have complete backups? If so, recovery is simply a matter of wiping the machine -- bye bye, ransomware! -- reinstalling your applications, and restoring the data files. It's a little stressful, but doable.
- Are they good backups? Even if you did the right thing, backups aren’t foolproof, as legions of traumatized users have discovered. Unfortunately, this may be hard to determine without a full restore, so be aware that the wipe-and-restore method carries some risk.
If you answered no to either question, don’t throw in the towel and pay the ransom yet. Maybe -- maybe -- there's a decryption tool that can get you out of this jam. But before we examine that option, let's run through what you should do step by step.
1. Isolate the infection
The first step, once you've been infected, is to immediately disconnect the infected computer from the network. Turn off wireless networking and Bluetooth. Disconnect from all peripherals, cloud services, and external hard drives. This ensures the infection can’t spread -- and prevents the malware from communicating with the mothership. It buys some time, and when the ransom note threatens to increase the payment if you take too long, every second is precious.
Remember, the clock is ticking. The bad guys will carry out their threats if you take too long: Jigsaw deletes your files every hour you don't pay, and CryptoLocker used to increase the ransom amount if you didn't pay within the imposed time limit.
2. Learn the malware’s true name
Knowing which ransomware variant you are dealing with can be tricky. There are nearly 70 families of ransomware, and some variants behave differently from earlier versions of the same family. In some cases, as with TeslaCrypt, the message saying your files have been encrypted proudly includes the ransomware name. Reputation matters, because victims are more likely to pay up if they know that other victims successfully got access to their files after paying the ransom.
Nonetheless, some ransomware seems to prefer anonymity. CryptoLocker was a big problem during its heyday because its dialog box simply warned that files had been encrypted. Some families use a specific file extension. An example is Locky, which got its name because encrypted files featured the .locky file extension. If you still can't make a positive ID, try searching the Internet for the bitcoin payment address or the actual ransom message to discover which ransomware family infected the files.
If you can't identify the ransomware at all, there's a chance it could be fake -- a low-rent social engineering attack you can escape from easily (see "How to tell if you've been hit by fake ransomware").
3. Look for a decryption tool
When you know the exact strain of ransomware you're dealing with, you can search for possible ways to treat the infection. A handful of public tools are available, but be warned they may not work on the specific ransomware version that nailed you.
BitDefender offers a Crypto-Ransomware Vaccine to clean up CTB-Locker, Locky, TeslaCrypt, and Petya ransomware infections. Kaspersky Lab recently released a tool to unlock files encrypted by CryptXXX. There's also a RakhniDecryptor utility for restoring files infected by Rakhni and its assorted variants (identifiable by the file extension).
The attackers may have made mistakes in the encryption or a different part of the code, allowing security researchers to reverse-engineer the malware and crack the encryption. For example, Kaspersky Lab’s ScraperDecryptor utility can decrypt files because of flaws in TorLocker’s implementation of the encryption algorithm.
Cisco Talos researchers found that earlier versions of TeslaCrypt claimed to use the asymmetric RSA-2048 standard to encrypt the files, but were actually using the symmetric Advanced Encryption Standard (AES) instead. The source code for the decryptor tool for that particular strain of TeslaCrypt is available on GitHub. Another version of TeslaCrypt has a flaw in the way encryption keys are handled, so files with certain extensions -- .ecc, .ezz, .exx, .xyz, .zzz, .aaa, .abc, .ccc, and .vvv -- can be decrypted with the TeslaDecoder tool.
BitDefender has a script for Linux Encoder, the first Linux ransomware.
EmsiSoft’s Fabian Wosar developed the DecryptInfinite utility to reclaim files encrypted by CryptInfinite. Wosar also released a decryptor for files infected by Radamant, which changes file extensions to .rrk and .rdm, as well as Gomasom and LeChiffre.
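The identification step above (step 2) and the extension-to-decryptor pairings in step 3 can be turned into a small triage script. The following is an added example written for this article, not a tool from any of the vendors or researchers it names: the extension table and the decryptor names are assembled only from the variants this article mentions, so it is an illustrative lead generator, not a signature database, and a match is a lead to verify against the tool's own documentation, not a verdict. Assumed (hypothetical) names: the functions below and the constructed sample directory and ransom note they operate on.

```python
import os
import re
from collections import Counter

# Assumption: this table is built only from the families and extensions the
# article names. It is a triage aid and deliberately incomplete.
EXTENSION_FAMILIES = {
    ".locky": "Locky",
    ".ecc": "TeslaCrypt", ".ezz": "TeslaCrypt", ".exx": "TeslaCrypt",
    ".xyz": "TeslaCrypt", ".zzz": "TeslaCrypt", ".aaa": "TeslaCrypt",
    ".abc": "TeslaCrypt", ".ccc": "TeslaCrypt", ".vvv": "TeslaCrypt",
    ".rrk": "Radamant", ".rdm": "Radamant",
}

# Decryptors the article associates with each family; whether one works
# depends on the exact version, so treat these as starting points.
KNOWN_DECRYPTORS = {
    "Locky": "BitDefender Crypto-Ransomware Vaccine",
    "TeslaCrypt": "TeslaDecoder (for the listed extensions) or the Talos decryptor on GitHub",
    "Radamant": "Fabian Wosar's Radamant decryptor",
}

# Legacy Bitcoin addresses start with 1 or 3, use the Base58 alphabet
# (no 0, O, I, l) and are 26 to 35 characters long.
BITCOIN_ADDRESS = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")


def classify_extensions(filenames):
    """Tally filenames by family; return (family_hits, unmatched_extensions)."""
    hits, unmatched = Counter(), Counter()
    for name in filenames:
        ext = os.path.splitext(name)[1].lower()
        family = EXTENSION_FAMILIES.get(ext)
        if family:
            hits[family] += 1
        elif ext:
            unmatched[ext] += 1
    return hits, unmatched


def infer_family(filenames, min_hits=3, min_share=0.5):
    """Name the dominant family only when the evidence is strong enough.

    Short extensions such as .abc or .xyz also occur on legitimate files, so a
    family is reported only if it accounts for at least min_hits files and at
    least min_share of all files that matched any signature.
    """
    hits, unmatched = classify_extensions(filenames)
    result = {"family": None, "decryptor": None,
              "hits": dict(hits), "unmatched": dict(unmatched)}
    if hits:
        family, count = hits.most_common(1)[0]
        if count >= min_hits and count / sum(hits.values()) >= min_share:
            result["family"] = family
            result["decryptor"] = KNOWN_DECRYPTORS.get(family)
    return result


def extract_payment_addresses(note_text):
    """Pull candidate Bitcoin addresses out of a ransom note to search for."""
    return sorted(set(BITCOIN_ADDRESS.findall(note_text)))


def triage(root, **thresholds):
    """Walk a directory tree and run infer_family over every filename in it."""
    names = [f for _, _, files in os.walk(root) for f in files]
    return infer_family(names, **thresholds)


def build_sample_tree(root):
    """Create a constructed victim directory for a dry run (not real data)."""
    for name in ["budget.xlsx.locky", "thesis.docx.locky", "cat.jpg.locky", "readme.txt"]:
        open(os.path.join(root, name), "w").close()
    with open(os.path.join(root, "HOW_TO_RECOVER.txt"), "w") as fh:
        # Constructed note with a made-up, Base58-valid address.
        fh.write("Your files are encrypted. Pay to 1RansomNoteAddrConstructedForDemo7 now.\n")


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(triage(tmp))
        with open(os.path.join(tmp, "HOW_TO_RECOVER.txt")) as fh:
            print(extract_payment_addresses(fh.read()))
```

Run it against a copy of the affected directory listing rather than the live machine once the box is isolated; the thresholds exist precisely because a single .abc or .xyz file proves nothing, and the address extractor only gives you a string to search for, which is the step the article recommends when the note itself does not name the family.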
“Some ransomware encryption mechanisms are not very sophisticated, so in those cases it makes sense to use a decryptor tool,” says Aviv Raff, co-founder and CTO of Seculert.
Several unsophisticated attack groups have based their ransomware variants on Eda2/Hidden Tear, an open source ransomware proof-of-concept from Turkish programmer Utku Sen. Sen had backdoored the code and has helped victims recover encrypted files. Ransomware families based on this project include Magic, Linux.Encoder, and Cryptear.B, which means all of the encrypted files can be cracked.
In some cases, security companies have successfully recovered decryption keys from the command-and-control servers, as Kaspersky Lab did for CoinVault and Bitcryptor victims.
A little luck goes a long way
Security experts disagree on the efficacy of these decryption tools. “These tools are ineffective,” says Norman Guadagno, chief evangelist at Carbonite. “Variants are being patched at a faster rate than we can defend against, making public decrypt codes obsolete.”
That may be true, but considering the number of tools and utilities security researchers have assembled already, searching for alternatives on the Internet before paying is worth a shot.
But whatever you do, don't click the first decryptor link you find on the Internet. Make sure it comes from a trusted source, such as a reputable security company, a recognized forum (such as BleepingComputer), or a well-known researcher. Also, after the files are recovered, run antimalware software repeatedly to ensure the ransomware has been entirely removed from the system.
Last but not least: Patch your software and operating system to protect against the infection coming back. Unpatched software is probably how that ransomware landed on your computer in the first place.