Ransomware Recovery and Prevention

As I’m no longer regularly working in the security industry, this page is no longer being maintained. It’s left up here for historical reasons only.

David Harley, 15th April 2020

If you want more generalized information/links, you might want to look at the Ransomware Resources page and sub-pages, too (or instead).

Introduction

Malware authors have not always been associated with efficient encryption, but nowadays there is often no simple way to retrieve encrypted files without paying the extortionist. (Who may or may not, of course, help you decrypt them even after you’ve paid.)

That said, not all ransomware uses unbreakable encryption. If you’re using commercial anti-malware, check with the company’s helpline: they may be able to help, even if they didn’t detect the malware in the first place. Unfortunately, if you’re using free AV, you’ll probably find you’re restricted to a support forum, and the advice may be variable in quality.

[Added 5th March 2018]

For Tripwire, Paul Norris writes about How PCI/DSS Compliance Can Protect Your Systems against New Ransomware Threats. His take on the history of ransomware is a little wobbly, and I’m not sure that PCI/DSS is The Answer, but I certainly wouldn’t want to discourage organizations from considering compliance as a Good Thing.

[Added 1st March 2018]

BitDefender: GandCrab Ransomware decryption tool

[Added 28th February 2018]

John Leyden for The Register: Got that itchy GandCrab feeling? Ransomware decryptor offers relief – Claw back your stuff without paying asshat for pricey cracker

[Added 19th February 2018]

There are plenty of articles offering guidance on preventing or dealing with ransomware, but this one has a good list of decryption tools, so well worth a look. Ana Dascalesu for Heimdal: Ransomware Decryption Tools – Unlock Your Data for Free

[Added 26th February 2018]

An article for HelpNet by Jeff Erramouspe (Spanning Cloud) on How to protect Office 365 data from ransomware attacks. Not a technical article, but not bad advice, and I haven’t publicized a how-to article on ransomware for quite a while.

“Ransomware, in particular, has introduced significant risks for Office 365 users. Cerber ransomware, for example, targeted Office 365 and flooded end users’ inboxes with an Office document that invoked malware via macros, and the now infamous WannaCry attack was engineered to take advantage of a Microsoft vulnerability. And now we have an even more insidious ransomware strain with ShurL0ckr – designed to evade the built in malware protection on OneDrive and Google Drive.”

Identifying the Culprit

So how do you know which ransomware has mangled your data?

No More Ransom

Europol, the European Union’s law enforcement agency, has an online portal called No More Ransom (www.nomoreransom.org) and one of its aims is helping victims to recover their data without having to pay ransom to the cybercriminals…

The site includes a facility called Crypto Sheriff – a form for helping victims try to find out which malware they’re affected by and whether a decrypter is available.

And here’s an interesting and related initiative from McAfee: McAfee Ransomware Recover (Mr2)

ID Ransomware

MalwareHunter has a somewhat similar facility for identifying what malware your system is affected by, called ID Ransomware.

As I understand it, the site works like this:

  • It allows a victim to upload a file displaying ransom/payment information or one of the encrypted files, and attempts to use the uploaded file to identify the malware that implemented the attack. It currently claims (14th August 2016) to detect 152 varieties of ransomware.
  • If there is a known way of decrypting the encrypted files without paying the ransom, it directs the victim towards it. The site doesn’t offer to decrypt files directly itself, and doesn’t want samples of the actual malware.

Decryption tools

Removing ransomware with standard security software doesn’t by any means guarantee the recovery of your data, and may even hamper it. On the other hand, you certainly don’t want to restore your data to a system on which the ransomware is still active.

Remember also that trying to recover files with the wrong tool, an obsolete version, or when the tool has misdiagnosed the problem or malware version, may make things much worse. I haven’t personally tested any decryption tools, and can’t make any guarantee about their effectiveness.

Unfortunately, recovery tools are rarely effective forever: unless the gang behind the malware stops developing it, the scammer often wises up and fixes the holes in his code. So there are many cases where paying up is the only way to get your data back, if you don’t have backups. But before you do pay up, consider David Balaban’s advice in Ransomware Happy Ending: 10 Known Decryption Cases and ‘describe your problem on computer help forums like Bleeping Computer or Malwarebytes.’ Or, of course, contact the company that makes your security software.

No More Ransom has a range of decryption tools currently limited to tools from Kaspersky (mostly) and Intel. Hopefully other tools from other sources will eventually be approved for use there. There are decrypters around from a variety of resources: see Bleeping Computer’s articles for example. [Added 16th December 2016. The ‘No More Ransom’ site has quietly added a number of ‘Associated’ and ‘Supporting’ partners. For SecurityWeek, Kevin Townsend explains the difference/partner hierarchy, and quotes a number of industry figures (including me, at some length): No More Ransom Alliance Gains Momentum. It’s good news, but I think there’s more they could do.]

An article by Charlie Osborne for ZDnet/Zero Day includes an alphabetical list of ransomware families for which decrypters are available, with links. It’s not, of course, a complete list (either of remediable ransomware or of reputable sources of decrypters) but the sources it does list are indeed reputable. As we’re seeing an increasing number of less reputable sources misusing SEO, blog comments and so on, that’s not a small consideration.

Remove ransomware infections from your PC using these free tools – A how-to on finding out what ransomware is squatting in your PC — and how to get rid of it.

The fact that free decryption was available in some cases at the time you find such a tool doesn’t mean that current attacks are still remediable. If you’ve just been hit by ransomware, it may not be the malware you think it is, or you may have been attacked by an ‘improved’ version. But it’s still more than worth checking whether an up-to-date decryption tool is available.

Standalone decryption utilities

I haven’t personally tested these, and they may not work against current versions of the ransomware they’re intended to work against. Other companies and sites will certainly have similar resources: I’m not in a position to list them all.

Ransom Warrior

Decrypter for RansomWarrior [sic] from Checkpoint: Ransom Warrior Decryption Tool

MBRFilter

MBRFilter is an open-source tool from Cisco Talos that may help against some ransomware that targets the Master Boot Record.

LockyDump

Talos: LockyDump config extraction tool – All Your Configs Are Belong To Us

Bleeping Computer malware removal guides

These cover a range of tools and issues, not just ransomware, but this search, at time of writing, filtered out most of the adware and such. Note that some of the hits that search turns up are more generic and may link to other sites, and I certainly haven’t tested them all. In fact, I haven’t looked at all the removal guides either, so, as ever, I can’t make any guarantees.

ESET standalone tools

Included with tools for dealing with other malware. Many of these tools are named according to the product-specific term Filecoder (but this page may dispel some of the murk as far as that’s concerned: Best practices to protect against Filecoder (ransomware) malware). There are also exceptions addressing specific ransomware: for instance How do I clean a TeslaCrypt infection using the ESET TeslaCrypt …

Kaspersky tools

Kaspersky has a wide range of decrypters, some of which are effective against a number of ransomware families rather than just one. For instance its RakhniDecryptor is claimed to be effective against Rakhni, Agent.iih, Aura, Autoit, Pletor, Rotor, Lamer, Lortok, Cryptokluchen, Democry, Bitman (TeslaCrypt) version 3 and 4, and Chimera.

Trend Micro tools

Also see this page.

Emsisoft decryptors

A range of one-shot malware removers.

AVG decryptors

Listed families with decrypters (taken from Charlie Osborne’s ZDnet/Zero Day article referenced above; untested by me):

Al-Namrood, Apocalypse, ApocalypseVM, Autolocky, BadBlock, Bart, Bitcryptor, Cerber v.1, Chimera, CoinVault, CrypBoss, CryptoDefense, CryptInfinite, CryptXXX v.1 & 2, CryptXXX v1, 2, 3, 4, 5, DMALocker, DMALocker2, Fabiansomware, FenixLocker, Gomasom, Globe, Harasom, HydraCrypt, Jigsaw, KeyBTC, Lechiffree, Marsjoke | Polyglot, Nemucod, Nemucod, MirCop, Operation Global III, TeslaCrypt, PClock, Petya, Philadelphia, PowerWare, Rakhni & similar, Rannoh, Shade v1 & 2, SNSLocker, Stampado, TeslaCrypt v1, 2, 3, 4, UmbreCrypt, Vandev, Wildfire, Xorist, 777

Talos (June 2018): Files Cannot Be Decrypted? Challenge Accepted. Talos Releases ThanatosDecryptor – “Additionally, due to issues present within the encryption process leveraged by this ransomware, the malware authors are unable to return the data to the victim, even if he or she pays the ransom. While previous reports seem to indicate this is accidental, specific campaigns appear to demonstrate that in some cases, this is intentional on the part of the distributor.”

An ounce of prevention

…is better than a pound of cure. The same applies to grammes and kilograms respectively. There often isn’t an effective decrypter against a specific ransomware family, and even if there is, taking precautions – even at a price – is usually less of a problem than recovering tens of thousands of files. Which is, I guess, why some organizations apparently pay the ransom even when they have backups – they find it cheaper to pay up. What preventative measures are available?

[23rd October 2017]

Catalin Cimpanu for Bleeping Computer: Microsoft’s Windows 10 Anti-Ransomware Feature Is Now Live

[Added 10th September 2017]

Andra Zaharia, security evangelist at Heimdal, has published a very useful and exhaustive checklist for reducing your exposure to ransomware: The Anti-Ransomware Protection Plan You Need to Follow Today.

I get tired of reading ‘how to defend against ransomware’ articles that miss out vital points like not staying permanently connected to in-the-cloud storage, but this one really does cover most of the angles. Very nice.

Earlier articles/links:

Here’s an article for The Register that, despite reading rather like a plug for Sophos, nevertheless includes one or two nuggets of useful and vendor-free advice:

The evolution of ransomware: How a nuisance turned into a business menace – As ransomware rapidly evolves, defenders look for help keeping up

Exposure checking

I just learned of an interesting and useful free tool called the Ransomware Impact Analyzer. The web site is in Dutch, but the tool itself is in English. It’s a simple way for a company to check how much damage a ransomware attack would be likely to do. It doesn’t actually touch or modify any files: it simply checks to see what files could be modified by ransomware. I’ll try to come back to that when I’ve had a closer look at it, but time is a bit short right now.

Anti-malware

Anti-malware (or anti-virus, if you must) doesn’t, of course, identify all ransomware proactively (much less all malware), though it does use a variety of techniques to identify strains of malware that haven’t yet been seen in the lab. In other words, it doesn’t only detect known malware using static signatures, however many times other security vendors and the media may tell you it does. Some products are now capable of identifying probable ransomware through its behaviour rather than by examination of its code.

Nevertheless, there is no simple or universal answer to a ransomware attack (apart from taking all possible precautions in advance, and there are no absolute guarantees even then).

Anti-ransomware

Quite a few vendors have started to promote ransomware-specific detection programs. In some cases, I’d regard this as a marketing strategy rather than a security breakthrough, but this isn’t a market sector I’ve explored in depth. I would say, though, that if a vendor is promoting a ransomware-specific product but also has a more generalist anti-malware product, I’d hope that the ransomware detection technology would also be present in the anti-malware.

Martin Brinkmann’s Anti-Ransomware Software Overview article at ghacks.net is a review of products promoted strictly as anti-ransomware products, not security products that include ransomware detection, and not products intended for data recovery. It still covers quite a range of functionality, but again I haven’t looked at these products myself.

Bitdefender recently offered ‘a new vaccine tool which can protect against known and possible future versions of the CTB-Locker, Locky and TeslaCrypt crypto ransomware families by exploiting flaws in their spreading methods.’ Combination Crypto-Ransomware Vaccine Released. Bitdefender also offers a Cryptowall vaccine. Bitdefender’s Bogdan Botezatu makes it clear in an article by Lucian Constantin that the vaccine is meant to complement other security measures, not replace them. 

All credit to Bitdefender for adding to the protective options available for end users. I’m just worried that some users of similar tools will place all their faith in them without taking all the other precautions that can help to keep them safe(r) from ransomware. I wrote at some length about the pros and cons of vaccination here: Is Vaccination Long-Term Protection?

According to Jessica Davis, TrapX offers a tool called CryptoTrap which is claimed to use ‘deception technology to trick potential hackers and lure them away from valuable assets.’ It’s claimed to have been found effective in defending network drives against TeslaCrypt, Locky and 7ev3n.

Data Backup

Back up your data to an external device. And to cloud services as well, if you like. Bear in mind, though, that if your data is backed up somewhere that’s ‘always on’ while you’re using your computer, there’s a risk that ransomware (or other malicious software) might be able to encrypt, delete or corrupt your backed-up data too. For the same reason, don’t try to restore backed-up files from an offline resource (at any rate, a write-enabled one) until you’re sure the malware is no longer present and active on your system. Aryeh Goretsky’s paper on Options for backing up your computer is a good starting point if you need more information on backing up your data.

Further thoughts on the same topic from a recent article here: Backup, PR Pressure and Ransomware

I agree that backups are an essential precaution (and not only because of the risk of a ransomware attack), but many people and organizations nowadays don’t think first in terms of physical media like optical disks and flash storage, but rather in terms of some form of cloud storage. Which are very likely to be offsite, of course.

However, where such storage is ‘always on’, its contents may be vulnerable to compromise by ransomware in the same way that local storage is, so it’s important that offsite storage:

  • Is not routinely and permanently online
  • Protects backed-up data from automatic and silent modification or overwriting by malware when the remote facility is online
  • Protects earlier generations of backed-up data from compromise so that even if disaster strikes the very latest backups, you can at least retrieve some data, including earlier versions of current data.

Most articles on backup aimed at home users don’t go deeply into backup strategies, especially as utilized by system administrators, and that’s a gap I’m considering trying to fill.

For the moment it’s worth remembering that backup isn’t a fire-and-forget one-time exercise, but an ongoing task. Furthermore, the last thing you want to do is rely on a single generation of backups on a single site, or using a single provider. Bear in mind also that when cloud providers offer versioning (where a backup of a file is triggered whenever it is modified), that may or may not mean that one or more earlier generations of the same file are preserved. It may be more convenient to keep only the latest version of a document, thus saving both space and the potential hassles of version control. But it makes sense to have a generational strategy in place so that you can, if necessary, roll back to a previous version and build on that. It makes even more sense to have read-only versions in reserve, for obvious reasons.
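As an added example (my own illustration, not code from the original article or from any product mentioned on it), here is a small Python script implementing the generational, read-only strategy described above: every snapshot lands in its own generation directory, an existing generation is never overwritten, snapshot files are frozen read-only, and only the newest `keep` generations are retained. The vault layout (`vault/<label>/...`) and all function names are assumptions for illustration.

```python
"""Generational backup: read-only snapshots, no overwrites, bounded retention.
Added example, not from the original article; layout and names are assumed."""
import os
import shutil
import stat
import tempfile
from pathlib import Path


def _set_tree_writable(root: Path, writable: bool) -> None:
    """Add (True) or strip (False) the write bits on root and everything under it."""
    paths = [Path(d) / n for d, dirs, files in os.walk(root) for n in dirs + files]
    for p in paths + [root]:
        mode = stat.S_IMODE(p.stat().st_mode)
        p.chmod((mode | 0o200) if writable else (mode & ~0o222))


def list_generations(vault: Path) -> list:
    """Generation labels, oldest first (labels must sort chronologically)."""
    return sorted(p.name for p in vault.iterdir() if p.is_dir()) if vault.exists() else []


def snapshot(src: Path, vault: Path, label: str, keep: int) -> Path:
    """Copy src into vault/label, freeze it read-only, keep only the newest `keep`.
    A repeated label is an error: a compromised client must not be able to
    quietly replace an earlier generation with encrypted files."""
    if keep < 1:
        raise ValueError("keep must be at least 1")
    dest = vault / label
    if dest.exists():
        raise FileExistsError(f"generation {label!r} already exists; refusing to overwrite")
    vault.mkdir(parents=True, exist_ok=True)
    shutil.copytree(src, dest)
    _set_tree_writable(dest, False)
    for old in list_generations(vault)[:-keep]:      # prune oldest beyond retention
        _set_tree_writable(vault / old, True)         # write bits needed to delete
        shutil.rmtree(vault / old)
    return dest


def restore(vault: Path, label: str, dest: Path) -> Path:
    """Copy a frozen generation back out as a writable working tree."""
    src = vault / label
    if not src.is_dir():
        raise FileNotFoundError(f"no generation {label!r} in {vault}")
    shutil.copytree(src, dest)
    _set_tree_writable(dest, True)
    return dest


def is_frozen(path: Path) -> bool:
    """True when no write bit is set: the invariant every stored snapshot must hold."""
    return stat.S_IMODE(path.stat().st_mode) & 0o222 == 0


def demo() -> dict:
    """Three daily snapshots with keep=2 on constructed sample data; returns the checks."""
    root = Path(tempfile.mkdtemp())
    work, vault = root / "work", root / "vault"
    work.mkdir()
    for i, label in enumerate(["2020-04-13", "2020-04-14", "2020-04-15"], 1):
        (work / "notes.txt").write_text(f"version {i}\n")   # constructed sample file
        snapshot(work, vault, label, keep=2)
    try:
        snapshot(work, vault, "2020-04-15", keep=2)          # must be refused
        refused = False
    except FileExistsError:
        refused = True
    restored = restore(vault, "2020-04-14", root / "restored")
    result = {"generations": list_generations(vault),
              "oldest_kept": (vault / "2020-04-14" / "notes.txt").read_text(),
              "frozen": is_frozen(vault / "2020-04-15" / "notes.txt"),
              "overwrite_refused": refused,
              "restored": (restored / "notes.txt").read_text(),
              "restored_writable": not is_frozen(restored / "notes.txt")}
    _set_tree_writable(root, True)
    shutil.rmtree(root)
    return result
```

Running `demo()` shows the 13th being pruned once the 15th arrives, the 14th still readable as the previous generation, and a second write to an existing label refused.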

I don’t recommend products I haven’t used, but here’s a backup product from Acronis that might be worth looking into: Backup and Ransomware – a Contender?. There are certainly other products that have pitched anti-ransomware measures, but not all have exhibited a reasonable grasp of the nature of the problem. Unfortunately, I can’t claim to have looked at them all, and I certainly haven’t looked at any of them in sufficient depth to make a definite recommendation, including this one.

Here’s my summary of a recent article from David Bisson. (10th February 2017)

Ransomware isn’t the only reason to implement a good backup strategy – for home users as well as for businesses – but it’s a pretty good one, and these days you can’t afford a backup strategy that doesn’t take ransomware’s evil little ways into account.

In an article for Graham Cluley’s blog, David Bisson offers some pretty good advice, in a form that practically anyone can understand.

How to create a robust data backup plan (and make sure it works) – The backup basics that every end-user should know!

More proactive advice

Here are some ESET sources for advice on proactive measures.

Advice from other security vendors and other organizations is available. 🙂 However, my role at ESET means that I’ve got a pretty good idea of what is on offer there, and I simply don’t have the time to track everything that’s published by other vendors, even such sound companies as Sophos, Kaspersky, Malwarebytes and so on. However, here are a couple of resources for businesses wondering how to set about protecting themselves from ransomware.

  • Writing for Bitdefender, Graham Cluley offers The Simple Way to Stop your Business from Being Extorted by Ransomware, instead of simply waiting till you get hit and have to cave in to the extortionist’s demands. His top tips will go a long way towards protecting companies, but many of them also apply to individuals. They will, of course, also help protect against other kinds of malware (and frankly, people and companies should routinely be taking precautions like these already).
  • Kaspersky offers a Practical Guide: Could your business survive a cryptor? I can’t comment on how good it is, since it’s accessed via a contact form that requires information I’m not prepared to give since I don’t want sales calls. The same applies to Kaspersky’s Anti-Ransomware Tool for Business. However, Kaspersky does good work in the provision of free decrypters, so I certainly wouldn’t want to discourage you from checking it out.
  • Adam Alessandrini’s Ransomware Hostage Rescue Manual is interesting. There’s also a link to the same document (plus a ‘Ransomware Attack Response Checklist and Ransomware Prevention Checklist’) in this (quite useful) article: [ALERT] 2016 Is A Ransomware Horror Show. Here Is The New Roundup! I haven’t checked that link or the additional material since it requires registration, but the manual itself is worth a look.

Paul Ducklin has a good article on Got ransomware? What are your options? He includes sections on:

  • Shortcuts to recovery
  • Longcuts to recovery
  • Cracking the encryption

And those cover most of the recovery options, which is what most people will probably want to know. Unfortunately, those options aren’t always there, hence the downbeat tone of the ‘What to do’ section:

What we are saying is that if you really need your files back, and you haven’t taken any precautions such as backing up, then you don’t really have any choice but to pay.

However, he does follow up with a list of ‘useful ransomware precautions’, and we can never make too many of those recommendations either. This is certainly a case where prevention is a much better option than cure. In brief, his recommendations include, if I can summarize:

  • Good backup strategy
  • Disable macros
  • Consider viewer apps
  • Distrust attachments
  • Don’t routinely run with admin privileges
  • ‘Patch early, patch often’

All good advice. Here are a couple more ‘what you need to know’ articles on ransomware. At some point I might come back to make a few comments about individual points, but in general, if you’re still puzzled as to what it’s all about, you might find some useful thoughts here.

[5th May 2017]

Emsisoft is running a series of ‘Spotlight on Ransomware’ blog articles that look worth reading. The first two are:

  • Spotlight on Ransomware: Common infection methods – the writer says: ‘Malware writers and attackers use a variety of sophisticated techniques to spread their malware. There are three commonly used ransomware infection methods that will be explored in this post; malicious email attachments and links, drive-by downloads and Remote Desktop Protocol attacks. It is our hope that we can help you to focus on protecting the areas most likely to be compromised by cybercriminals and to reduce your risk of infection, starting right now.’
  • Spotlight on Ransomware: How ransomware works – the writer says: ‘In Part Two, we will explore what happens once you’ve made that unfortunate click on a link or document, and what the ransomware does to your system to take control.’

Should I Pay Up?

That’s a delicate question. Here are a few articles that try to address it:

And here’s a study (November 2017) that casts some light on why ransom is paid and indicates that in 1 in 5 cases, the data won’t be returned anyway.

The second part of a two-part report by Intermedia deals specifically with ransomware and includes a link to a video which I’m afraid I haven’t watched. There are also some interesting statistics. When a ransom gets paid, who pays it? According to Intermedia, 59% of employees have paid personally, and only 37% of those surveyed said that their employer had paid. (Which may say something sad about employee attitudes and unpleasant about employer attitudes.) Yet the company has previously reported that 19% of companies didn’t get their data back. (In sharp contrast to claims that ransomware gangs usually recover data because that’s their business model.) I’d guess that with the increase in wiper activity in recent months, the 2017 figures for unrecovered data could be appreciably higher. (Are wipers ransomware? Well, that depends on individual cases, but they do often present themselves as if they are.)

David Harley
ESET Senior Research Fellow