Removing ransomware is a multi-step process.
1. ISOLATE THE INFECTED STATION ASAP!
You have to find the infected machine first! It is critical that you immediately disconnect the infected workstation from the network. Unplug the network cable, disconnect Wi-Fi and Bluetooth, and unplug all external storage devices such as USB or external hard drives. Remove the workstation and secure it in a locked location if necessary. Getting the workstation off the network is what matters at this point; this isn't the time to reimage the machine or attempt a "clean up" using antivirus software, because doing so destroys the ransom notes, dropped binaries and other evidence you will need in the next steps to scope the infection and identify the variant.
Download the full Ransomware Rapid Response Kit here.
2. DETERMINE THE SCOPE OF THE INFECTION
There are a lot of things to consider when trying to determine the scope of the infection. To find out how much of your network infrastructure was infected, you need to examine a number of storage areas including the following:
It may be possible to revert your files in cloud storage to previous unencrypted versions, so check this option before restoring from backups. Take an inventory of which files and directories were encrypted so you are prepared when it is time to restore. If you are forced to pay the ransom, you will need to have cloud storage drives connected in order to decrypt those files. One way to find encrypted files is to search for the ransom notes: most ransomware drops its note (commonly two or more copies per directory, in different formats such as .txt and .html) alongside the files it encrypts, so searching for the note's file name finds the affected directories. Search from the root of the drive and sort the results by file path to see how far into your directory structure you need to restore.
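The search-and-sort step above, as an added worked example in Python that is not part of WatchPoint's Rapid Response Kit: it walks a drive or share, locates directories containing a ransom note, lists the encrypted files, and reports the shallowest affected directories (the "restore roots") so you know how far up the tree the restore has to start. The note file names, the ".locked" extension and the sample directory layout are assumptions constructed for the demo, not indicators of any real variant; point `scope_infection()` at the real root and adjust the patterns to the note name you actually found.

```python
import os
import re
import tempfile
from pathlib import Path

# Assumed ransom-note name patterns for illustration only (not from the page).
# Replace these with the exact note name you found on the infected station.
NOTE_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"^readme.*\.(txt|html?)$",
    r"^how.*(decrypt|recover).*\.(txt|html?)$",
)]
# Assumed extension the sample variant appends to encrypted files.
ENCRYPTED_EXT = ".locked"


def is_ransom_note(name: str) -> bool:
    """True if a file name looks like one of the configured ransom notes."""
    return any(p.match(name) for p in NOTE_PATTERNS)


def scope_infection(root: Path) -> dict:
    """Walk `root` and build the inventory needed before restoring.

    Returns affected directories sorted by path (shallowest first), the
    distinct note names seen, every file carrying ENCRYPTED_EXT, and the
    'restore roots': affected directories with no affected ancestor.
    """
    root = Path(root)
    affected = {}          # directory -> list of note names found in it
    encrypted = []
    for dirpath, _dirnames, filenames in os.walk(root):
        d = Path(dirpath)
        notes = [f for f in filenames if is_ransom_note(f)]
        if notes:
            affected[d] = notes
        encrypted.extend(d / f for f in filenames
                         if f.lower().endswith(ENCRYPTED_EXT))

    rel = lambda p: p.relative_to(root).as_posix()
    ordered = sorted(affected, key=rel)
    # A directory is a restore root when none of the other affected
    # directories is one of its parents.
    restore_roots = [p for p in ordered
                     if not any(a in p.parents for a in affected if a != p)]
    return {
        "affected_dirs": [rel(p) for p in ordered],
        "note_names": sorted({n for ns in affected.values() for n in ns}),
        "encrypted_files": sorted(rel(p) for p in encrypted),
        "restore_roots": [rel(p) for p in restore_roots],
    }


def build_sample_tree(base: Path) -> None:
    """Constructed sample share: two encrypted subtrees, one clean one."""
    layout = {
        "Finance/2023/budget.xlsx.locked": b"",
        "Finance/2023/README_TO_DECRYPT.txt": b"your files are encrypted",
        "Finance/2023/README_TO_DECRYPT.html": b"<p>your files are encrypted</p>",
        "Finance/2023/Q4/forecast.docx.locked": b"",
        "Finance/2023/Q4/README_TO_DECRYPT.txt": b"",
        "Finance/2023/Q4/README_TO_DECRYPT.html": b"",
        "HR/policies.pdf": b"clean",
        "Shared/Photos/team.jpg.locked": b"",
        "Shared/Photos/README_TO_DECRYPT.txt": b"",
        "Shared/Photos/README_TO_DECRYPT.html": b"",
    }
    for relpath, data in layout.items():
        p = base / relpath
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)


def demo() -> dict:
    """Build the constructed sample tree in a temp dir and scope it."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        build_sample_tree(base)
        return scope_infection(base)


if __name__ == "__main__":
    inventory = demo()
    for key, value in inventory.items():
        print(f"{key}: {value}")
```

On the constructed tree the restore roots come out as `Finance/2023` and `Shared/Photos`, which is the answer to "how far into the directory structure do I need to restore"; `HR` never appears because it contains no note and no encrypted file. Run it read-only from a clean analysis host against a mounted copy or the share, never from the infected station itself.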
There is no shortcut to testing your defenses against a ransomware attack. WatchPoint has created a PowerShell script to allow you to simulate an attack. Click HERE for details.
3. WHAT RANSOMWARE VARIANT DO I HAVE?
4. RESPOND: RESTORE, DECRYPT, IGNORE, PAY UP
After you have isolated the infected workstation, determined the scope of the attack and the ransomware variant, you are ready to craft your response. Unfortunately, the options are few, and all are painful.
Following is your short list of options to carefully consider:
1. Restore files from backup.
2. Decrypt your files using a third party ransomware decryptor.
3. Ignore the ransom and do nothing.
4. Negotiate and pay the ransom.
5. RANSOMWARE VARIANT REMOVAL
Once you have identified, stopped and recovered from the attack, the final step is removing the malware from the infected endpoint. Ransomware removal is the same as removing any other form of malware. Once all forensic information has been collected and file recovery has been completed, the best way to ensure the infected machine is clean is to reimage it. If reimaging isn't an option, then look to Bleeping Computer or other removal sites for the best way to clean the infected machine.
The best way to ensure your network doesn't get infected again is to ensure you have the proper defenses in place. Use our free ransomware simulator to test your network defenses.