Yeah… Speaking of malware…
With all of the email problems I’ve been having over the past month or so, I’ve had my hands full. I’m nearly certain that I’ve got some kind of malware. Removing it, has been a real chore; but at least I don’t have any ransomware. Yeah. That would really suck.
Ransomware is a type of malware that prevents or limits users from accessing their system. This type of malware forces its victims to pay a ransom through an online payment system in order to regain access to their data or system. Some ransomware encrypts files. Other ransomware blocks communications.
No matter which way you look at it; you don’t have access to your data. Depending on how valuable that data is to you or to your organization, that can be a problem.
One of the most popular pieces of ransomware is CryptoWall or CryptoLocker – same thing. CryptoWall is a Microsoft Windows-based Trojan horse. A computer that is infected with this virus has its hard drive encrypted, with the RSA decryption key held by a third party.
When infected, the virus payload installs itself in the user’s profile folder and then adds a key to the registry that causes it to run on startup. It then attempts to contact one of several designated command servers, where it retrieves a 2048-bit RSA key pair. The command server sends the public key to the infected computer.
The virus then encrypts the user’s files across all local and mapped network drives with the public key and logs each encrypted file in a registry key. The process only affects files with specific extension types – usually those belonging to Microsoft Office, OpenDocument, JPEG, GIF, BMP, etc.
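The startup registry key described above is something you can check for yourself. The following is an added example, not code from the original post: it lists the Run and RunOnce autostart entries and flags any whose program lives under the current user’s profile folder, which is the persistence pattern the post describes. It only reads the registry and changes nothing.

```powershell
# Added example (not from the original post): list Run-key autostart entries
# and flag any whose executable lives under the current user's profile folder.
# Read-only; it changes nothing.
function Get-ProfileRunEntries {
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    $profileRoot = $env:USERPROFILE.TrimEnd('\') + '\'

    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the metadata properties PowerShell adds (PSPath, PSParentPath, ...)
            if ($p.Name -like 'PS*') { continue }
            $cmd = [string]$p.Value
            $exe = Get-ExecutablePath -CommandLine $cmd
            [pscustomobject]@{
                Key        = $key
                Name       = $p.Name
                Command    = $cmd
                Executable = $exe
                InProfile  = $exe.StartsWith($profileRoot, [StringComparison]::OrdinalIgnoreCase)
            }
        }
    }
}

# Pull the program path out of a Run value, which may be quoted and may carry arguments.
function Get-ExecutablePath {
    param([string]$CommandLine)
    $s = $CommandLine.Trim()
    if ($s.StartsWith('"')) {
        $end = $s.IndexOf('"', 1)
        $exe = if ($end -gt 1) { $s.Substring(1, $end - 1) } else { $s.Trim('"') }
    } else {
        $exe = ($s -split '\s+')[0]
    }
    return [Environment]::ExpandEnvironmentVariables($exe)
}

# Show only the entries that start from the profile folder, then review each one.
Get-ProfileRunEntries | Where-Object InProfile | Format-Table Key, Name, Executable -AutoSize
```

Legitimate programs that install per-user (cloud sync clients, for example) also start from the profile folder, so treat the output as a list to review, not a verdict.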
Once encrypted, the virus then displays a ransom message that includes a countdown clock. The message demands a ransom of $400 USD or €400 in the form of a pre-paid cash voucher – like a MoneyPak – or an equivalent amount of BitCoin. If the ransom isn’t paid within the specified timeframe, your decryption key gets deleted, and then there’s no way to decrypt your data. Once paid, the user is able to download a decryption program, preloaded with the decryption key, that unlocks the files.
However, some victims have claimed that even though they have paid the ransom, their files were not decrypted.
Now, there are three ways to get rid of CryptoWall/ CryptoLocker once you get it. Some of them are easy, others are not. Let’s run them down so you know what the options are.
- Pay the Ransom
- Restore from a Non-Infected Backup
- Use an Appropriate Mitigation Method
- Call it Quits and Restart from Scratch
Pay the Ransom
Many security experts have said that with a 2048-bit encryption key, using some kind of brute force attack to get the decryption key was nearly impossible. Previous versions of the Trojan horse used 1024-bit keys and while that may have been crackable – in at least one case, it was – doing so was not easy and took a great deal of time. That method also required the use of tools and skills that most consumers don’t have, can’t afford, and wouldn’t know how to use.
While removing the Trojan from an infected PC is possible, especially in its early encryption stages (depending on the amount of data in question, encryption can take quite a while), the nature of the infection is that it works in the background. Many users don’t know or see that anything bad is happening. In cases like this, many security experts initially agreed that the only way to recover files was to pay the ransom. Users can usually expect to receive their decryption key within 24 hours.
However, given the dishonest nature of the individuals behind the Trojan horse infection, the 24-hour waiting period and the fact that some people don’t always receive their decryption keys without the call for additional payments, this is a risky removal method. It’s certainly not guaranteed. They got your money once. It’s very likely that if you don’t get your decryption keys early in the 24-hour period that you will get asked to make additional payments.
It has been estimated by Symantec that up to 3% of all infected victims pay the ransom. It’s also been estimated that ransomware operators have collected upwards of $3.0M USD. So, while you may get your data back with this, paying the ransom doesn’t always get your life’s memories back; and it could end up costing you more than was originally asked for.
Regardless of how much you may pay, if this is the case, you’re going to want to make a backup of your decrypted data and then wipe your hard drive and reinstall Windows and all your applications from scratch. You’re also going to want to invest in a malware scanner and some kind of backup plan after that.
Whether it’s online or offline, it doesn’t matter. The key is starting from a known clean slate and then making certain you don’t get hit again.
Restore from a Non-Infected Backup
Even if your PC and all of your data becomes completely encrypted, if you have your computer’s restore DVDs AND you have a backup of your data from before it became infected (and that drive isn’t always connected to your PC), then you’re more than halfway home.
In this case, you can just go tell the malware creator to go pound sand.
However, this may take just a bit of work on your part. You’re going to have to do a few things to make certain you can safely get to your data.
If you’re using a backup drive that’s connected to your PC all the time, it’s likely infected and encrypted. Likewise, if you’ve backed data up AFTER you got infected, it’s likely encrypted and should be considered bad. Do NOT use that data.
If it’s not always connected to your PC, do NOT connect it to your infected PC. CryptoWall/ CryptoLocker will encrypt it. Check the status of the backup from ANOTHER, uninfected PC: check the last backup date and perform a malware scan on it. Once verified clean, that’s the state of the data you’re going to get back.
If you’ve got all of your data on a cloud service drive, you’re in even better shape, as it’s likely NOT encrypted. Those services should be set to scan all the data that comes into their data centers and should prevent infections like CryptoWall or CryptoLocker from infecting them. You just need to restore your PC (see below) and then log back into your cloud service and resync your data.
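Checking the last backup date from another, uninfected PC is easier with a script. The following is an added example, not code from the original post: run it on the clean PC against the backup drive, giving it the backup folder and the earliest date you believe the infection started (both are placeholders you supply). It lists files of the types the post names (Office, OpenDocument, JPEG, GIF, BMP) that were written after that date, so you can tell whether the backup predates the infection; the extension list is an assumption based on those families.

```powershell
# Added example (not from the original post): triage a backup drive from a clean PC.
function Get-SuspectBackupFiles {
    param(
        [Parameter(Mandatory)][string]$BackupRoot,      # e.g. 'E:\Backup' (placeholder)
        [Parameter(Mandatory)][datetime]$InfectionDate  # earliest sign of infection
    )
    # Assumed extension list, based on the file families the post names.
    $targetExt = @('.doc', '.docx', '.xls', '.xlsx', '.ppt', '.pptx',
                   '.odt', '.ods', '.odp', '.jpg', '.jpeg', '.gif', '.bmp')

    Get-ChildItem -Path $BackupRoot -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $targetExt -contains $_.Extension.ToLower() } |
        Where-Object { $_.LastWriteTime -gt $InfectionDate } |
        Select-Object FullName, LastWriteTime, Length
}

function Get-BackupSummary {
    param(
        [Parameter(Mandatory)][string]$BackupRoot,
        [Parameter(Mandatory)][datetime]$InfectionDate
    )
    # Newest file on the drive tells you when the last backup actually ran.
    $newest = Get-ChildItem -Path $BackupRoot -Recurse -File -ErrorAction SilentlyContinue |
        Sort-Object LastWriteTime -Descending | Select-Object -First 1
    $suspect = @(Get-SuspectBackupFiles -BackupRoot $BackupRoot -InfectionDate $InfectionDate)

    if ($suspect.Count -eq 0) {
        $verdict = 'Predates infection: malware-scan it, then restore from it'
    } else {
        $verdict = 'Contains files written after infection: treat as bad'
    }
    [pscustomobject]@{
        BackupRoot          = $BackupRoot
        LastBackupWrite     = if ($newest) { $newest.LastWriteTime } else { $null }
        FilesAfterInfection = $suspect.Count
        Verdict             = $verdict
    }
}

# Usage (path and date are placeholders; replace with your own):
Get-BackupSummary -BackupRoot 'E:\Backup' -InfectionDate (Get-Date '2016-03-01')
```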
Restore Your PC
After you have the backup drive for your PC identified and set aside, you’re going to need to restore your PC back to factory fresh status. You’re going to need to do this no matter what you do (pay the ransom, restore from a non-infected backup or use a mitigation tool). Once compromised, it’s not good to continue to use a Windows installation that’s been infected by such a serious piece of malware.
If you have something like a Surface Pro or other tablet/ convertible device do NOT restore from the device’s recovery partition. There’s no way to know that it hasn’t also become infected as well.
In that case, you’re going to need to download the recovery image on a separate computer and then burn that image to a DVD, also from that separate computer. Do that and set it aside.
If you have a PC that has a set of restore DVDs, grab those now. Place the restore DVD (either the one you just made for your Surface or other similar device or the ones that come from your PC manufacturer) into either your PC’s DVD drive, or into a USB DVD drive connected to your computer.
You’ll need to set your UEFI or BIOS to boot from the DVD drive. Use that DVD to restore your computer. Once it finishes, you can reinstall your backup software and a suitable malware scanner. After you’ve updated all of the appropriate malware definitions and performed a malware scan on your newly configured PC, THEN connect your backup drive to your PC.
Perform a second malware scan on your backup drive before the restore. It’s better to be safe than sorry.
Once verified clean again, you can restore your data; and you should be good to go.
Use an Appropriate Mitigation Method
You should know up front that this is by far the riskiest option of all. It’s not easy, and you’re not guaranteed to be successful.
If you don’t have your data on some kind of cloud sync service, backed up to a drive that was connected to your PC BEFORE you got infected with CryptoWall/ CryptoLocker, and you aren’t using an online backup tool and you MUST get all of your data back, then you can try to use an appropriate mitigation method.
Now… this is where things get a bit sticky. If you’re not comfortable working with and modifying the Windows Registry, installing and updating hardware drivers or other low level components, then stop. It might be a good idea to take your infected computer to a trusted, reputable repair shop and let them handle it.
They’ll likely keep it for a few days. They may charge you $150 to $250 to get rid of the virus; but you’ll likely get your computer back, with some to most of your data, without having to pay a huge sum to some crook.
In a nutshell, here are the steps you’ll need to perform:
- Boot to Safe Mode
In Windows 7, XP and Vista, you’ll need to restart or turn on your PC and quickly and continuously press F8 until you see the Advanced Boot Options screen. From here, you’ll have 30 seconds to use the up/down arrows to choose the “Safe Mode with Networking” option from the list and press the Enter Key.
In Windows 8/ 10, it’s best to start with the computer already on and sitting at the Windows Logon Screen.
Press and Hold the Shift key, and then click Restart. On the resulting screen select Troubleshoot – Advanced Options – Startup Settings, and then Restart. When your computer becomes active, select Enable Safe mode with Networking.
Let your PC boot into Safe Mode. Your PC should be up and running in Safe Mode. You should be logged in (do so if you aren’t) and you should have access to the Internet.
- Download a Malware Removal App
Open up a browser window and download SpyHunter or other spyware/ malware removal app. Purchase a licensed copy if you need to. Use it to remove CryptoLocker/ CryptoWall from your PC. Use that app to remove all of the malicious files that belong to the ransomware and complete the CryptoWall/ CryptoLocker removal.
- Salvage your Data
If this works, get your data off your computer and store it on a known clean drive. Then, refer back to the section above where I tell you how to rebuild your PC from scratch. If you don’t get everything – and that’s possible, even with a good malware removal tool – you don’t want to be on a PC that’s had ransomware on it. Rebuild your PC and then put your data back on it.
If that doesn’t work, or if your version of CryptoWall/ CryptoLocker prevents you from booting to Safe Mode with Networking, then you can try something else. However, if this doesn’t work, your options become limited.
- Boot into Safe Mode with Command Prompt
In Windows 7/ XP/ Vista, restart or turn on your PC and tap F8 multiple times until you see the Advanced Boot Options window. Use the up and down arrows to move down to Safe Mode with Command Prompt and press Enter.
In Windows 8/ 10, at the Windows login screen, press and hold the Shift key and then click Restart. On the resulting screen select Troubleshoot – Advanced Options – Startup Settings, and then Restart. When your computer becomes active, select Enable Safe Mode with Command Prompt in the Startup Settings Window.
- Restore your System Files and Settings with System Restore
Once the Command Prompt window is available, you should be logged into your computer and the Command Prompt window should have you logged in to C:\Windows\system32.
Type – cd restore – and press the Enter key.
Type – rstrui.exe – and press the Enter key.
When System Restore comes up, click the Next button and then select a restore point that is PRIOR to you getting infected with CryptoWall/ CryptoLocker. After that, click the Next button again.
A warning dialog will display, notifying you that System Restore can’t be interrupted. Click the Yes button and let System Restore run and complete.
- Remove the Virus Files
After System Restore completes, you can reboot your PC. After that, you can download Spy Hunter or other spyware/ malware removal app. Use it to get rid of the malware files.
- Attempt to Salvage your Data
You need to understand that using a mitigation method does NOT remove any encryption from your data. It just removes the malware. If your data is encrypted, you can try to use Windows’ Previous Versions feature to restore any files that may have been encrypted. To do that, find the file in question and right click it. Choose Properties from the context menu that appears. When the Properties dialog appears, look for the Previous Versions tab and look for a restore point for your file. Choose a date before you got infected, and follow the process.
However, you need to understand that this method is ONLY effective after System Restore completes and the ransomware is removed. Ransomware often deletes Shadow Volume Copies and this method may fail to work.
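Previous Versions depends on Shadow Volume Copies, so it’s worth checking whether any are left before you click through file after file. The following is an added example, not code from the original post: run it from an elevated PowerShell prompt after the malware has been removed, giving it the earliest date you believe the infection started (a placeholder you supply). It lists each remaining shadow copy by drive letter and creation time and marks whether it predates the infection; it only reads, and changes nothing.

```powershell
# Added example (not from the original post): list remaining shadow copies per drive
# and flag the ones created before the infection date. Read-only; run elevated.
function Get-ShadowCopyStatus {
    param([Parameter(Mandatory)][datetime]$InfectionDate)

    # Win32_ShadowCopy reports volumes as \\?\Volume{GUID}\; map those to drive letters.
    $volumes = @{}
    foreach ($v in Get-CimInstance -ClassName Win32_Volume) {
        if ($v.DriveLetter) { $volumes[$v.DeviceID] = $v.DriveLetter }
    }

    $copies = @(Get-CimInstance -ClassName Win32_ShadowCopy | ForEach-Object {
        [pscustomobject]@{
            Drive             = $volumes[$_.VolumeName]
            Created           = $_.InstallDate
            PredatesInfection = ($_.InstallDate -lt $InfectionDate)
            ID                = $_.ID
        }
    })

    if ($copies.Count -eq 0) {
        Write-Warning 'No shadow copies found; Previous Versions will have nothing to offer.'
    }
    $copies | Sort-Object Drive, Created
}

# Usage (date is a placeholder; replace with your own):
Get-ShadowCopyStatus -InfectionDate (Get-Date '2016-03-01') | Format-Table -AutoSize
```

If nothing in the output is marked as predating the infection, the Previous Versions tab can only offer copies taken after the files were already encrypted.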
Call it Quits and Restart from Scratch
Ransomware is a very SERIOUS piece of malware. If you get it and you end up with your data encrypted, depending on how adventurous or wealthy you are, you can try one of the methods that I’ve listed above, or you can cut your losses and call it a day.
In other words, you can simply resign yourself to the fact that your data is gone and you can rebuild your PC, again, using one of the rebuild methods I noted, above.
Depending on how much you trust the drive you’ve got, you may want to just go and buy a new hard drive for your computer, put it in, and then rebuild your PC from scratch, again, using one of the rebuild methods I noted, above.
There are a few advantages to this. While it consigns your files to a permanent rubbish bin, it’s likely a much safer way to go, especially if you catch it early in the encryption process.
Ransomware is a huge problem in many countries around the world, especially in the United States. Malware is EVERYWHERE on the internet, and you can get it from visiting dubious websites and even through ads that display in a browser window. You can get malware from email, from infected files and just about anywhere else on the internet.
While you’re clean, the best thing for you to do is to make a backup of all of your data. You can use a backup program, a cloud data service like Dropbox, Google Drive or OneDrive and the like. You can also use online backup programs like Carbonite or Backblaze. Whatever you do, though, make a backup of your data.
If you do find that you get infected with ransomware, again, you have very limited options. You can:
- Pay the Ransom
- Restore from a Non-Infected Backup
- Use an Appropriate Mitigation Method
- Call it Quits and Restart from Scratch
There’s a price to each of these, either in cold hard cash, or in time. Unfortunately, despite any of these methods, you’re likely going to experience some data loss, unless you have a recent, uninfected backup. So the rule here, as always, should be to back up early and often.
But again, if you do get infected, the best thing to do as quickly as you can, is to get off the internet, remove the malware, rebuild your system and then restore your data. How you pull this together is up to you, but it isn’t easy, and it can often create other problems that you didn’t initially anticipate.