Ransomware has become a nasty problem lately. It quickly encrypts all document, PDF, and picture files on your hard drive (some of the more aggressive ones have a wider range of affected filetypes - we'll address that later, in the IT professionals section below, where we talk about viable recovery options.)

For now, you should be aware of three things:
                         
1. If you're not backing up your files, YOU SHOULD BE.

Also, be sure your secondary backup is not connected directly to your computer at all times, or it could be encrypted as well. This goes for shared network resources and mapped network drives.

Ideally your secondary backup should either be an offsite backup service, a drive you ONLY connect to the computer during the backup cycle (or you could cycle out your permanently connected USB backup weekly), or a mapped network drive on a secure computer whose link/access is TERMINATED at the end of any backup script.
                         
2. There (under most circumstances) IS NO WAY to decrypt the files. They're encrypted with a 1024-bit RSA key. If that means nothing to you, fine, but you should know that it equates to, in human terms, "uncrackable."
                         
3. Even if you do pay the ransom, you MAY NOT get your files back. If your antivirus has halfway removed the virus, it may have removed the part containing your key response, which is needed to access the unlock code in the attacker's database. Also, the attacker may have packed up shop and moved on.
                         
How does this happen?

So we know this is VERY DANGEROUS and destructive. The best way to prevent hardship is to not catch the virus in the first place. Keep your antivirus up to date, don't click on ads or strange links, and DO NOT open zip files in E-mails stating such things as "you have a late invoice" or "you missed your FedEx package."

These mails look very convincing, but that is the intent.

Also, ads on the internet with taglines like "you won't BELIEVE what happens next!" or "The AMAZING thing a Wisconsin mom did!" are almost always a trap. We call these "click-bait."
                         
RANSOMWARE GUIDELINES:

Okay, so we know how to AVOID it, but nothing's 100% proof against everything, so let's start with what you should do as an end-user if you suspect ransomware on your computer.

Your first clue is that some of your files aren't opening properly. Pictures will say something like it isn't in "the right format," your documents will come up as gibberish, and some programs will ask you what "format" or "encoding" they're in. This is a sign that the virus has encrypted these files.
                         
STEP 1: TURN OFF THE COMPUTER.

Actually, I'm going to repeat that.

STEP 1: TURN OFF THE COMPUTER.
STEP 1: TURN OFF THE COMPUTER.
STEP 1: TURN OFF THE COMPUTER.
STEP 1: TURN OFF THE COMPUTER.
STEP 1: TURN OFF THE COMPUTER.
                         
These things eat through files AMAZINGLY quickly. The faster you turn off your computer, the less damage.

DO NOT turn your computer back on because you "just need one E-mail." The moments it takes to recover that E-mail could mean hundreds to thousands of files lost.

STEP 2: LEAVE THE COMPUTER OFF

I will repeat from Step 1: Under NO circumstances should you turn the computer back on. The virus destroys files at an alarming rate, and a few moments = hundreds of files.

STEP 3: INFORM YOUR IT SUPPORT

Let them know not to boot to the operating system. Tell them there's an encryption locker virus on it. Competent IT people can recover some of your data if you're VERY VERY lucky. However, the probability is usually low.
                         
FOR IT PROFESSIONALS:

Through trial and error, we've come up with the best way (relatively speaking) to deal with a ransomware-locked computer. Luckily, most of them are sort of a code-by-numbers kit, and a lot of people releasing these are lazy in their programming, targeting only the most common, highly esteemed files (.jpg/jpeg, .gif, .doc/docx, .xls/xlsx, .bmp, .png, .tif... you get the idea.) and they leave things like .QBW/.DBF/.PST/.MBX alone.

That makes recovery a little simpler, and hopefully a little more successful.

You'll need a Live Linux USB, an external USB hard drive with PLENTY of space, an active internet connection to get to the Linux repos (not necessary if the USB Linux is preloaded with all the proper tools), and a recent copy of TestDisk/PhotoRec.
STEP 1: Boot the computer into live Linux with a USB drive.

A CD here will be too slow and clunky, and you'll want to install a few extra tools from the repos (or just grab our premade ones. Links at top where it says "Attention Geeks!") A CD works, sort of, but... not well.

Make sure that the computer's internal hard drive shows up, and that Linux is reading the files. You won't have to worry about the virus spreading any further, as it won't run under Linux, and you can assess the damage more thoroughly.

Back up all the salvageable files and directories into a FOLDER on a USB hard drive.

Use this opportunity to grab files in the AppData and Program Files directories that your client will want, such as QuickBooks and other database files, PST files and folders, and any specialized data folders, files, and directories from proprietary software.
                          
CLONE THE HARD DRIVE TO A .RAW FILE USING dd

This is a good idea in case you missed something. You'll be formatting their hard drive anyway, after you're done, so cloning it thoroughly at a raw-data level is advisable.

This will ensure maximum recoverability. If you haven't been messing with dd lately, the command is:

    sudo dd if=/infected_dev of=/backupdrive/partition/image.RAW conv=sync,noerror bs=4M
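The same dd invocation wrapped in a small script, added here as an example rather than taken from the post: it refuses to write the image onto the drive being imaged and records a SHA-256 of the finished image so the copy can be re-verified later. Device and output paths are placeholders supplied by the caller, and it assumes GNU coreutils (dd, sha256sum).

```shell
#!/bin/sh
# Added example, not the post's own code: run the post's dd command from a
# function that refuses to write the image onto its own source path and
# records the image's SHA-256 afterwards. Assumes GNU coreutils (dd,
# sha256sum). Device and output paths are placeholders from the caller.
set -eu

# image_device SOURCE DEST
# Copies SOURCE (a block device or a file) to DEST, writes DEST.sha256 beside
# it, and prints the hash on stdout. Returns 1 without writing anything if
# DEST's path equals or lies under SOURCE's path, or SOURCE is unreadable.
image_device() {
    src="$1"
    dest="$2"

    case "$dest" in
        "$src"|"$src"/*)
            echo "refusing to write the image onto its own source: $dest" >&2
            return 1 ;;
    esac
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }

    # conv=noerror keeps reading past unreadable sectors; conv=sync pads each
    # short read with zeros so offsets in the image still line up with the
    # original disk. bs=4M keeps the copy fast on a spinning drive.
    dd if="$src" of="$dest" conv=sync,noerror bs=4M

    # "HASH  FILE" line; later, `sha256sum -c DEST.sha256` proves the image
    # has not changed since it was taken.
    sha256sum "$dest" > "$dest.sha256"
    cut -d' ' -f1 "$dest.sha256"
}
```

Note that conv=sync pads the final partial block out to the full 4M, so the image can come out slightly larger than the disk; the recorded hash still verifies the image file itself.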
                          
PHOTOREC

Now that you have a backup, you can start trying to pull files off the damaged drive.

Interestingly enough, this virus USUALLY seems to generate the encrypted version of the file, delete the old file, and THEN copy the new file into its place. This is good news. It means that the original file still exists on the hard drive somewhere, albeit without its filename OR file info.

This is another good reason to turn the computer off immediately. The "blank" space doesn't get overwritten.

Install testdisk, and use the photorec option, telling it to scan the whole disk, regardless of partitions.

For partition type, always select "Other: ntfs/Fat32/etc." because I guarantee that your partition is almost always NTFS in this case, unless they had a flash drive plugged in that fell victim to the virus.

Point the restore directory to a FOLDER on your good, external USB hard drive and wait. (You may have to try several times and you don't want everything mixed in together).

(Be sure to put Linux's desktop into presentation mode, or, failing that, turn off the sleep/hibernate feature.)
                          
LOOK FOR FILES OVER 1MB

You are going to have a LOT of files recovered from PhotoRec.

Almost all of them are going to be the result of every banner ad, web image, Facebook game, software installer, news site logo, and internet image that the end user has ever looked at. That's okay; it means we're actually getting somewhere.

HOWEVER! If you're looking for quick results to tell you that you are actually recovering files, do a search on all the PhotoRec results (usually lots and lots and lots and LOTS of directories) for JPG files between 1 and 16MB.

Windows has this feature built into the Explorer file search bar, and it shouldn't be difficult. If you're using Linux the command is a tidge more complex, but then again, you're using Linux, so you'll be fine. ; )
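The Linux version of that search, as an added example that is not part of the original post: it walks a PhotoRec output tree for .jpg files between 1 and 16 MB and checks each one's first three bytes for the JPEG start-of-image marker, so a carve that is a JPEG by name only is dropped. The directory argument is a placeholder for wherever PhotoRec wrote its recup_dir.* folders, and it assumes a POSIX shell with find, od, wc and sort.

```shell
#!/bin/sh
# Added example, not the post's own code: the Linux equivalent of the "JPG
# files between 1 and 16MB" search over a PhotoRec output tree. Assumes a
# POSIX shell with find, od, wc and sort; the directory argument is a
# placeholder for wherever PhotoRec wrote its recup_dir.* folders.
set -eu

# is_jpeg FILE -> 0 when the file starts with the JPEG start-of-image marker
# (bytes ff d8 ff), so a carve that is only a .jpg by name is rejected.
is_jpeg() {
    [ "$(od -An -tx1 -N3 "$1" | tr -d ' \n')" = "ffd8ff" ]
}

# find_candidate_jpegs DIR [MIN_BYTES] [MAX_BYTES]
# Prints "SIZE PATH" lines, largest first, for .jpg/.JPG files whose size
# lies strictly between the bounds (default 1 MiB and 16 MiB). Byte-exact
# bounds ("c" suffix) are used because find's "M" suffix rounds sizes up to
# whole mebibytes, which would silently shift both edges of the range.
find_candidate_jpegs() {
    dir="$1"
    min="${2:-1048576}"
    max="${3:-16777216}"
    find "$dir" -type f -iname '*.jpg' -size +"${min}c" -size -"${max}c" |
    while IFS= read -r f; do
        if is_jpeg "$f"; then
            printf '%s %s\n' "$(wc -c < "$f" | tr -d ' ')" "$f"
        fi
    done | sort -rn
}

# count_candidate_jpegs DIR -> how many files the default search returns
count_candidate_jpegs() {
    find_candidate_jpegs "$1" | wc -l | tr -d ' '
}
```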
                          
AFTERMATH/CLEANUP

Format the hard drive completely before reinstalling Windows. Your clients haven't been backing up until now, and there's no reason to kid yourself that they're probably going to start now. The LAST thing you want is for them to re-infect themselves with a pre-loaded copy of the virus.

INSTALL ANTIVIRUS AND UPDATE IT COMPLETELY before dumping the salvaged files back onto their computer. If you can't figure out why, then you don't need to be in the I.T. industry.

When restoring PST/MBX/mailbox files of any sort, make sure the antivirus has the mailbox scan tool present. Most likely your client got the virus from a fake E-mail with a .zip attachment. Don't let them re-infect themselves from the get-go.

Keep the .RAW file from their pre-formatted hard drive around for a while, just in case.

Give them ALL the files PhotoRec recovers. I've had clients that save little piddly ad images for reference, and I'd rather THEY make the call on what to DELETE than ME make the call on what to salvage or not.
                         
NONSTANDARD FILE FORMATS

Okay, so if you're here, you've got hold of one of the nastier variants that doesn't limit itself to just personal document and image files. Now, PhotoRec has a LOT of filetypes it recovers, but some fall through the gaps. I've tried to add custom file info to it with varying degrees of success, but if you're REALLY in a pinch, you'll need to get a good hex editor and look up info on the file type you're after (headers, identifiers, etc. - I LOOOVE file types that store the actual filename in the file header. It's absolutely MARVELOUS.)

Once you've found any identifying quirks, just run a search (either on the damaged hard drive OR its RAW file) for any identifying bits or bobs of the file. With any luck, it's deleted but not overwritten, and corruption will be at a minimum.

I like HxD as a good, free, Windows-based hex editor, but any one will do, provided it has an ASCII text raw search feature. Good luck!
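A scripted version of that hex-editor search, added as an example rather than taken from the post, using PDF's ASCII "%PDF-" header and "%%EOF" trailer as the identifying quirks: it prints the byte offsets where a header occurs in a raw image and carves each header through its next trailer, skipping a header that has no trailer after it. It assumes GNU grep for the -b byte-offset output, and the image path is a placeholder for the .RAW file made with dd.

```shell
#!/bin/sh
# Added example, not the post's own code: scripted version of the hex-editor
# search, using the ASCII "%PDF-" header and "%%EOF" trailer as the
# identifying quirks. Assumes GNU grep (for -b/-o/-a) plus POSIX tail, head
# and awk; the image path is a placeholder for the .RAW file made with dd.
set -eu

# find_signature IMAGE STRING -> one 0-based byte offset per line where STRING
# occurs. -a reads the image as text, -F matches a literal string, -o prints
# only the match and -b prefixes it with the match's byte offset. Prints
# nothing (and still returns 0) when there is no match.
find_signature() {
    grep -obaF -- "$2" "$1" | cut -d: -f1
}

# carve IMAGE OFFSET LENGTH OUT -> copies LENGTH bytes starting at OFFSET.
# tail -c +N counts from 1, so the 0-based offset is shifted by one.
carve() {
    tail -c +"$(( $2 + 1 ))" "$1" | head -c "$3" > "$4"
}

# carve_pdfs IMAGE OUTDIR -> writes OUTDIR/pdf_<offset>.pdf for every header
# that has a trailer after it and prints how many were written. A header with
# no following "%%EOF" (the rest was overwritten) is skipped rather than
# carved out to the end of the image.
carve_pdfs() {
    img="$1"; out="$2"; n=0
    mkdir -p "$out"
    trailers=$(find_signature "$img" '%%EOF')
    for start in $(find_signature "$img" '%PDF-'); do
        # First trailer past this header ends the candidate file.
        end=$(printf '%s\n' "$trailers" | awk -v s="$start" '$1 > s' | head -n 1)
        [ -n "$end" ] || continue
        # Include the 5 bytes of "%%EOF" itself in the carved file.
        carve "$img" "$start" "$(( end - start + 5 ))" "$out/pdf_$start.pdf"
        n=$(( n + 1 ))
    done
    echo "$n"
}
```

On a multi-gigabyte image grep will hold the longest newline-free run in memory, so expect this to be slower and hungrier than a purpose-built carver; it is the hand search made repeatable, nothing more.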