Ransomware Removal and Recovery – What’s Your Plan?

It’s inevitable that ransomware like NotPetya and WannaCry will infect your corporate endpoints. Sure, there are precautions you can take to prevent infection, but it’s often a result of a mistake or errant click by a trusted user. And developers of ransomware and malware are always finding new ways to trick people into allowing entry. It’s hard to predict how they’ll seize and hold for ransom your sensitive data, and it’s hard to keep up with their technology.

Training staff and IT to identify likely entry points for malware is important, it’s more important to prepare for your recovery after an endpoint is hijacked. Do you know what to do if you or others at your company see the infamous “pay to recover your data” screen?

What is Ransomware? 

It’s malicious software that carries out a crypto-viral extortion attack. In other words, it takes the data stored in a computer hostage and demands a ransom to unlock it. Ransomware usually makes it way onto a computer via unsecured email attachments or other shared files – a user receives an attachment, downloads it without knowing what it is, and the ransomware is secretly installed on the machine. Then, the controller of the Ransomware can trigger it to carry out its malicious purpose.

How can you prevent a ransomware virus from seizing your data?

Easy ways to help prevent a ransomware attack:

• Patch your computers to stop Server Message Block (SMB) exploits.
• Disable SMBv1 on every endpoint for good measure
• If you’re not using a network overlay platform like Vaultize, block outside access to SMB

-associated ports 137, 138, 139 and 445 to prevent unwanted traffic through your firewall.

• Ensure Windows 10's Credentials Guard is working properly on all endpoints, as it thwarts password extractors in NotPetya and other malware.
• Create a read-only file C:\Windows\perfc.dat, which can thwart the file-scrambling of NotPetya and other ransomware versions. This won’t stop them from spreading across your network, though.
• Unless it’s critical, don’t immediately download and install updates to widely-used programs on your network that might have domain admin access or on endpoints with domain admin access. Wait to see if others report issues.
• Carefully examine your network structure. Is it “flat”? Do network administrators have carte blanche, and can they access and control other endpoints from theirs? If so, change your structure so that, if their machine is infected, ransomware can’t sniff out credentials and take control of other endpoints in order to spread.

What should you do after ransomware?

Your first reaction shouldn’t be to pay the hacker’s ransom. You could wait for a decryption key if you have access to a service that can provide one, but there’s no guarantee that you’ll get one that works. Your best course is to reset infected endpoints back to safe versions, but what about all the important data stored on their hard drives? Just rewinding a computer to a point before infection will also permanently delete tons of your important documents and files

That’s why endpoint backup is a critical, if not the most important, facet of a recovery strategy. By continuously backing up versions of your endpoint devices, you’ll maintain a complete library of restore points you can roll back to if your data is hijacked or compromised.

If you do have endpoint backup:

1. If you suspect a sketchy attachment or link has been clicked, or an endpoint has been infected by some other means, do not reboot the system. Some ransomware versions go to work on reboot, so restarting can help spread the virus and allow it to encrypt your data.
2. If you’re sure ransomware has encrypted your system, immediately remove the endpoint from the network.
3. Instruct users to never pay the ransom – they probably won’t get a decryption key. And sometimes – as was the case with NotPetya –there’s no way to receive a decryption key.
4. If you want, copy the infected disk to a quarantined device or location for later analysis.
5. Restore the endpoint to a point before ransomware got on using Vaultize’s endpoint backup utilities - If you’re unsure when the computer was infected, question the user about their behaviors to see if there are any red flags. Access their email inbox via another device that’s not linked to the corporate network and examine opened messages – see if you can spot attachments or links they opened or clicked. Also research any recent program updates, and try to find out if any were compromised by hackers.
6. After you’ve restored the endpoint to a previous point, boot in safe mode and then run your antivirus program. This may or may not catch ransomware (it probably won’t), so beware. Be sure the antivirus software is fully updated and try again. But because you restored the endpoint to a point before infection, you will be safe.

If you don’t have endpoint backup:

If you don’t haven’t backed up the endpoint’s C: drive but you’re still able to access your data:

• Try to ID the ransomware version that’s infected the endpoint. Try using a free online service like ID Ransomware.
• If you can identify the ransomware, check if a ransomware decryption tool for it is available.
• If you haven’t backed up the device and can’t access your data: You can try to unlock it with Kaspersky WindowsUnlocker. This probably won’t work, especially if the ransomware is well built, but it’s your second to last option.
• If all else fails, your only other option may be to pay the ransom and pray that you get a legitimate decryption key.

Odds are very slim that you’ll be able to recover your data without endpoint backup.

Meanwhile, identify other endpoints that could be infected by running a full virus scan on all machines (if they’re not already showing the “pay up or lose your data” screen). It’s prudent to roll back all endpoints to versions that predate the introduction of ransomware to the known infected system.