Ransomware Removal

Posted by Greg Edwards on Oct 10, 2017 1:44:09 PM

Removing ransomware is a multi-step process.  

1. ISOLATE THE INFECTED STATION ASAP!

You have to find the infected machine first! It is critical that you immediately disconnect the infected workstation from the network. Unplug the network cable, disconnect Wi-Fi and Bluetooth, and unplug all external storage devices such as USB or external hard drives. Remove the workstation and secure it in a locked location if necessary. It is important that you get the workstation off the network, but this isn’t the time to reimage the machine or attempt a “clean up” using antivirus software.

Download the full Ransomware Rapid Response Kit here. 


2. DETERMINE THE SCOPE OF THE INFECTION

There are a lot of things to consider when trying to determine the scope of the infection. To find out how much of your network infrastructure was infected, you need to examine a number of storage areas including the following:

  • All folders on the infected workstation
  • Shared folders
  • Network attached storage
  • Cloud storage (Box, Dropbox, OneDrive, iCloud, Google Drive, etc…)
  • USB drives
  • External Hard Drives

It may be possible to revert your files in cloud storage to previous, unencrypted versions, so check this option before restoring from backups. Take an inventory of which files and directories were encrypted so you are prepared when it is time to restore. If you are forced to pay the ransom, you will need to have the cloud storage drives connected in order to decrypt those files. One way to find encrypted files is to search for the ransom notes. Since at least two ransom notes accompany every encrypted file, you can search for the title of the ransom note to find them easily. Search from the root of the drive and sort the results by file path to see how far into your directory structure you need to restore.
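The search-and-sort step above can be scripted so the inventory is repeatable across shared folders, NAS mounts and external drives. The following is an added example written for this page, not WatchPoint's code: it walks a tree from its root, flags every directory that holds a ransom note, sorts the hits by path, collapses them to the shallowest directories you would have to restore, and tallies the file suffixes found next to the notes (which usually exposes the extension the strain appends). The note-name patterns and the sample directory layout are constructed for the demonstration; replace `NOTE_NAME_PATTERNS` with the real note title you find on the infected station.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

# Constructed placeholders for the ransom-note title(s). Assumption: you have
# already looked at one note on the infected workstation and know its name.
NOTE_NAME_PATTERNS = ("readme_to_decrypt", "how_to_restore", "decrypt_instructions")


def is_ransom_note(name: str) -> bool:
    """True if a file name matches one of the known note titles (case-insensitive)."""
    lowered = name.lower()
    return any(pattern in lowered for pattern in NOTE_NAME_PATTERNS)


def find_affected_dirs(root):
    """Walk `root` and return every directory holding at least one ransom note, sorted by path."""
    affected = set()
    for dirpath, _dirnames, filenames in os.walk(root):
        if any(is_ransom_note(f) for f in filenames):
            affected.add(Path(dirpath))
    return sorted(affected)


def restore_scope(root, affected_dirs):
    """Collapse the sorted hit list to the shallowest directories that cover every hit.

    Because the list is sorted by path, an affected parent always precedes its
    affected children, so a child is dropped when an ancestor is already in scope.
    """
    root = Path(root)
    scope = []
    for d in affected_dirs:
        if not any(d == s or s in d.parents for s in scope):
            scope.append(d)
    return [p.relative_to(root).as_posix() for p in scope]


def suffix_inventory(affected_dirs):
    """Count the suffixes of the non-note files sitting beside the ransom notes."""
    counts = Counter()
    for d in affected_dirs:
        for entry in d.iterdir():
            if entry.is_file() and not is_ransom_note(entry.name):
                counts[entry.suffix] += 1
    return counts


def build_sample_tree():
    """Create a constructed directory layout that mimics a partially encrypted share."""
    root = Path(tempfile.mkdtemp(prefix="ransom_scope_"))
    layout = {
        "Finance/readme_to_decrypt.txt": "note",
        "Finance/budget.xlsx.locked": "ciphertext",
        "Finance/2017/readme_to_decrypt.txt": "note",
        "Finance/2017/q1.docx.locked": "ciphertext",
        "HR/clean.docx": "untouched",            # no note here: not in scope
        "Projects/alpha/HOW_TO_RESTORE.html": "note",
        "Projects/alpha/plan.pdf.locked": "ciphertext",
    }
    for rel, content in layout.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content)
    return root


def demo():
    """Run the scan over the constructed tree and return the inventory as plain data."""
    root = build_sample_tree()
    affected = find_affected_dirs(root)
    return {
        "affected": [p.relative_to(root).as_posix() for p in affected],
        "scope": restore_scope(root, affected),
        "suffixes": dict(suffix_inventory(affected)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Point `find_affected_dirs` at a drive root or a mounted share (with the station still isolated, ideally from a copy of the disk); the `scope` list is the set of directories you need to restore, and the `suffixes` tally tells you which extension to search for when taking the file-level inventory.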

There is no shortcut to testing your defenses against a ransomware attack.  WatchPoint has created a PowerShell script to allow you to simulate an attack.  Click HERE for details.

3. WHAT RANSOMWARE VARIANT DO I HAVE?

There are a number of different variants of ransomware, with some being much more sophisticated than others. All versions of ransomware to date share some common traits. To start with, all variants of ransomware encrypt files, but not all versions use the same level of encryption. Most ransomware today demands a bitcoin payment within a certain deadline; however, some variants of crypto-ransomware like TrueCrypter accept Amazon gift cards as payment. The payment amount demanded can vary wildly by strain. There is ransomware that uses audio to speak its ransom demand to victims, and even better, there is a version called CryptoJoker that allows you to negotiate the ransom with the attacker. Keep in mind there are versions of ransomware that can be decrypted with free tools developed by IT security experts, so you certainly want to check into this before paying a ransom. WatchPoint has documented many of these ransomware strains in our blog and ransomware decryptors collection. If you are facing a new strain of ransomware, you may need to consult with security experts and provide certain system files to determine which strain of ransomware you are infected with.


4. RESPOND: RESTORE, DECRYPT, IGNORE, PAY UP

After you have isolated the infected workstation, determined the scope of the attack and the ransomware variant, you are ready to craft your response. Unfortunately, the options are few, and all are painful.

Following is your short list of options to carefully consider:
1. Restore files from backup.
2. Decrypt your files using a third party ransomware decryptor.
3. Ignore the ransom and do nothing.
4. Negotiate and pay the ransom.

5. RANSOMWARE VARIANT REMOVAL

Once you have identified, stopped and recovered from the attack, the final step is removing the malware from the infected endpoint. Ransomware removal is the same as removing any other form of malware. Once any forensic information has been collected and file recovery has been completed, the best way to ensure the infected machine is clean is to reimage it. If reimaging isn't an option, then look to Bleeping Computer or other removal sites for the best way to clear the infected machine.

To download the complete Ransomware Rapid Response Kit click here.

The best way to ensure your network doesn't get infected again is to have the proper defenses in place. Use our free ransomware simulator to test your network defenses.
