Decrypt Files Locked By Ransomware

11 Apr 2018

Okay, so you have had a ransomware attack, or you are "just asking for a friend". This article assumes that something has gone seriously wrong with your DR plan to "recover from the most recent backup", or that you may have already paid the ransom but the cyber-criminals did not oblige by sending you the decryption key (unfortunately this is quite common).

  1. You must remove the ransomware first, or else your data will get locked up again.
  2. In most cases you will need to know the name of the ransomware that has infected your files. See the links in the section on Finding the name of your Ransomware infection in this post for help on identification.
  3. In case these tools can't help you, back up the files that are being held hostage, so that if a decryptor is later discovered you will still be able to rescue them.

Ransomware Decryptors.

Over time, security companies have cracked some of the encryption methods used by the cyber criminals. In the interests of helping out the victims, many of these decryption tools have been made publicly available. Quite good instructions are given on the sites listed below. Please make sure you fully read and understand these instructions before charging off to the rescue, or better still get your local Computer Troubleshooter to help you. Here are Computer Troubleshooters' New Zealand Locations.

Kaspersky Lab's Free Ransomware Decryptors
Trend Micro Ransomware File Decryptor
Avast Ransomware Decryption Tools
No More Ransom Project
Emsisoft Decrypter
Bitdefender Ransomware Recognition and Decryption Tools
McAfee Ransomware Recover

Finding the name of your Ransomware infection.

Follow this link to the Malware Hunter team. Here you can submit a copy of the malware's ransom note, a sample encrypted file, or any address or hyperlink that is given, and the tool will identify the strain of ransomware that has infected your files. This service currently detects 570 different flavours of ransomware, and more are added as they become known. Alternatively, Bitdefender also has a similar tool that you may download and run.
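As an added example (not from the original post, and not a Computer Troubleshooters tool), the following Python script does the "back up the hostage files" step from point 3 at the top of this post and, at the same time, keeps the ransom note that the identification services above ask for. It copies, never moves, every file under the affected folder into a separate archive, preserving timestamps, and records a SHA-256 manifest so that a later decryptor attempt can be checked against untouched originals; a second function re-verifies the archive. The `.locked` suffix, the `README_DECRYPT.txt` note name and the file contents in `demo()` are constructed placeholders, not artefacts of any particular ransomware family.

```python
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large encrypted files don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def preserve_hostage_files(source: Path, archive: Path, extensions=None) -> dict:
    """Copy (never move) every file under `source` into `archive`, keeping the
    relative path and timestamps, and return a manifest mapping each relative
    path to its SHA-256 hash and size. If `extensions` is given (a set of
    lower-case suffixes such as {".locked"}), only matching files are copied;
    by default everything is copied so the ransom note is preserved too."""
    manifest = {}
    for root, _dirs, files in os.walk(source):
        for name in files:
            src = Path(root) / name
            if extensions and src.suffix.lower() not in extensions:
                continue
            rel = src.relative_to(source)
            dst = archive / rel
            dst.parent.mkdir(parents=True, exist_ok=True)
            # copy2 preserves the modification time, which is useful evidence
            # of when the encryption happened.
            shutil.copy2(src, dst)
            manifest[rel.as_posix()] = {"sha256": sha256_of(dst), "size": dst.stat().st_size}
    (archive / "MANIFEST.json").write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def verify_archive(archive: Path) -> list:
    """Re-hash every archived file and return the relative paths whose content
    no longer matches the manifest. An empty list means the archive is intact."""
    manifest = json.loads((archive / "MANIFEST.json").read_text())
    return [
        rel for rel, info in manifest.items()
        if not (archive / rel).exists() or sha256_of(archive / rel) != info["sha256"]
    ]


def demo() -> dict:
    """Build a constructed victim folder, preserve it, then tamper with one
    archived copy to show that verification catches the change."""
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp) / "victim"
        archive = Path(tmp) / "preserved"
        (source / "docs").mkdir(parents=True)
        # Constructed sample contents; real encrypted files would be opaque bytes.
        (source / "docs" / "report.docx.locked").write_bytes(b"\x8f\x1a\x07encrypted-placeholder")
        (source / "docs" / "notes.txt.locked").write_bytes(b"\x02\xee\x41encrypted-placeholder")
        (source / "docs" / "README_DECRYPT.txt").write_text("constructed ransom note placeholder\n")

        manifest = preserve_hostage_files(source, archive)
        intact = verify_archive(archive)
        # Simulate a later, failed decryptor run that overwrote an archived copy.
        (archive / "docs" / "notes.txt.locked").write_bytes(b"tampered")
        tampered = verify_archive(archive)
        return {"manifest": manifest, "intact_before_tamper": intact, "after_tamper": tampered}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run this from a clean machine against the affected disk only after the malware has been removed (point 1 above), and point any decryptor at the archive copies rather than at the originals, so a decryptor that turns out to be the wrong one cannot destroy your only remaining copy.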

Computer Troubleshooters recommend:

  1. Don't pay the ransom - This only encourages the cyber criminals to continue profiting from others' misery. Also, there is no guarantee whatsoever that you will get your data back.
  2. Backup often - If you are using a USB removable hard drive, do not leave it plugged into your computer after the backup or the ransomware will encrypt it too. A proper, managed offline backup system as offered by Computer Troubleshooters is a much better business solution.
  3. Be very careful of cloud file storage services for your data. These were not designed for backup. The synchronisation feature could allow the encrypted copies to overwrite the files in the cloud as well. Microsoft have recently added a rollback feature to their 365 OneDrive service which will help. Hopefully other companies will follow suit.
  4. Use proper business-grade security software on your systems. Sophos have a wonderful product called Intercept X that stops unauthorised encryption in its tracks. Computer Troubleshooters are a Sophos Silver Partner.
  5. Make sure you have all your operating system and application patches up to date at all times. For businesses without an in-house IT resource this can be a hassle. Computer Troubleshooters offer managed security and patching as part of their popular BEST and HOST plans.
  6. Train your staff - All of the infections we have seen so far (and that's many) have been detonated by a staff member, and logically this need not have happened. That's not to say it's the only way you will get ransomware, but so far it's proven to be the most popular way.

Update: 11th January 2019.
To further assist you, there is a very good PDF called "Ransomware Hostage Rescue Manual" that you can download from KnowBe4. KnowBe4 is a US-based company that specialises in staff training and ongoing testing around safe cyber awareness.

Image Copyright Credit:
chainat / 123RF Stock Photo