SemiAccurate Forums  
#11
12-26-2016, 11:06 AM
rarson
Join Date: Jan 2012
Posts: 689

Emsisoft has an entire page dedicated to ransomware decrypters. If you or someone you know finds yourself infected with ransomware, the first thing I always tell my customers to do is to shut down the computer immediately. Sometimes the ransomware doesn't get rid of shadow volume copies right away or doesn't securely delete the original files, and the files can therefore be retrieved that way.

The first thing I do is to clone the infected drive so that I have a reliable copy of the exact data they had. Then I try to determine which variant of the many variants they have. ID Ransomware is a good place to help with this, although there are so many variants out there with slight changes to them that it might take some deeper digging to figure it out. (Bleeping Computer is an invaluable resource.) Not only that, but occasionally the same ransomware will be slightly altered once a decrypter is released and you'll have to wait for someone to figure it out and release an updated decrypter.

Some ransomware, like the Locky variants, can't be decrypted yet, and maybe never will be. Even if there is a decrypter available, you'll need both an encrypted and a decrypted version of a file to find the proper key. Sometimes the ransom note will include a link that will allow you to upload and decrypt one file in order to prove that decryption is possible. Otherwise, if you have encrypted copies of the Windows sample pictures, for instance, you can grab decrypted versions off any other Windows computer.

With regards to paying the ransom, sometimes that's the only way to get the data back. But keep in mind that these are criminals, and can't really be trusted. Most of the time they'll probably give you your data back in order to ensure that people keep paying the ransoms. However, I've heard of at least two instances of ransomware where the decrypter wasn't written properly and ended up destroying the data in the process of "decryption." So that is something to strongly consider before paying. Again, you need to know which ransomware you're dealing with when determining the best course of action.

Most of the time, ransomware comes in through email attachments disguised to look like PDFs or other documents, claiming to be shipping invoices or other business documentation. They can be hidden in Word documents that suggest enabling macros in order to make the file readable. If you're ever in doubt as to the legitimacy of an email, always go to the source first to verify it before clicking on any links or opening any attachments. I have found it's usually about a 50% chance that I can recover a person's data once it has been encrypted (it all depends on which variant it is and what the user did with the computer once the files were encrypted).

Side note: I found out recently that OneDrive (not the one for businesses) no longer stores backup copies of files like it used to, so if your OneDrive data gets encrypted, you can expect OneDrive to have nothing but newly-encrypted copies of your files if you try to retrieve them that way. This is absolutely baffling to me. Also note that most newer ransomware variants can jump to other network drives and computers whether they're mapped or not.
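The triage steps in the post above (work from a clone, figure out which variant you have, and look for an encrypted/original file pair before reaching for a decrypter) can be scripted. The following is an added example, not code from the poster, Emsisoft or ID Ransomware: it walks a directory tree (a mounted clone), counts the extensions appended to high-entropy files, flags likely ransom notes with their SHA-256 (the values ID Ransomware and similar services key on), and lists encrypted files whose original name is one of the stock Windows sample pictures, which can be fetched unmodified from another Windows install as the known plaintext. The note-name hints, the sample-picture list and the entropy threshold are assumptions chosen for illustration, and the fixture it builds is constructed test data.

```python
"""Triage of a cloned, ransomware-hit volume (added example, not the post's code)."""
import hashlib
import math
import tempfile
from collections import Counter
from pathlib import Path

# Assumption: substrings commonly seen in ransom-note file names. Tune per case.
NOTE_NAME_HINTS = ("readme", "recover", "decrypt", "how_to", "restore", "help")
NOTE_EXTENSIONS = {".txt", ".html", ".hta", ".bmp", ".png"}
# Assumption: stock Windows sample pictures; clean copies exist on any other Windows PC.
KNOWN_PLAINTEXT_CANDIDATES = {
    "chrysanthemum.jpg", "desert.jpg", "hydrangeas.jpg", "jellyfish.jpg",
    "koala.jpg", "lighthouse.jpg", "penguins.jpg", "tulips.jpg",
}
ENTROPY_THRESHOLD = 7.0   # bits/byte; assumption: ciphertext sits near 8.0
SAMPLE_SIZE = 4096        # bytes read from the head of each file


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of the given sample."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_like_note(path: Path) -> bool:
    name = path.name.lower()
    return path.suffix.lower() in NOTE_EXTENSIONS and any(h in name for h in NOTE_NAME_HINTS)


def triage(root) -> dict:
    """Inventory one mounted clone; never modifies anything under root."""
    appended = Counter()
    notes, pairs, high_entropy = [], [], []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        if looks_like_note(path):
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            notes.append((path.name, digest))
            continue
        with path.open("rb") as fh:
            head = fh.read(SAMPLE_SIZE)
        if shannon_entropy(head) < ENTROPY_THRESHOLD:
            continue                       # plausibly untouched plaintext
        high_entropy.append(path.name)
        if len(path.suffixes) >= 2:        # e.g. Koala.jpg.locked -> ".locked"
            appended[path.suffix] += 1
            original = path.name[: -len(path.suffix)]
            if original.lower() in KNOWN_PLAINTEXT_CANDIDATES:
                pairs.append((path.name, original))
    return {
        "appended_extensions": dict(appended),
        "notes": notes,
        "known_plaintext_candidates": pairs,
        "high_entropy_files": high_entropy,
    }


def build_fixture() -> str:
    """Constructed sample tree standing in for a cloned victim drive."""
    import random
    rng = random.Random(1)
    root = Path(tempfile.mkdtemp(prefix="clone_"))
    pics = root / "Pictures"
    pics.mkdir()
    junk = bytes(rng.getrandbits(8) for _ in range(SAMPLE_SIZE))
    (pics / "Koala.jpg.locked").write_bytes(junk)            # encrypted sample picture
    (pics / "Invoice.docx.locked").write_bytes(junk[::-1])    # encrypted user document
    (pics / "holiday.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"A" * 4000)  # untouched
    (root / "_HELP_instructions.txt").write_text("constructed ransom note text\n")
    return str(root)


if __name__ == "__main__":
    for key, value in triage(build_fixture()).items():
        print(f"{key}: {value}")
```

Run it against the mount point of the clone, not the original disk; the only writes it performs are to its own temporary fixture. The extension histogram and note hash go into ID Ransomware or the Bleeping Computer thread for the variant, and each entry under known_plaintext_candidates names the clean file to copy from another machine for a decrypter that needs a plaintext/ciphertext pair.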

Tags: crypt0l0cker, dr. web, ransomware