I’ve got Ransomware… what now?

Unfortunately for many people, their first exposure to bitcoin comes in the form of a shocking ransom note informing them that they must pay a fee to regain access to their files. These cyber-crooks request bitcoin because it makes it incredibly easy for them to receive payment fairly anonymously.

With hundreds of new variants hitting organizations and individuals in 2016, thousands of victims all over the world have had their files encrypted and held at digital gunpoint. For many unfortunate users, this means paying a ransom in bitcoin to decrypt their files.

If you’ve been unlucky enough to become infected with this kind of virus, a few simple steps will help you regain control of your files and get back to life/work as quickly and painlessly as possible.

First you need to answer the question: What are these files worth to me?

Most people find the choice of enriching someone who has invaded their systems and victimized them very distasteful. This is especially true on a personal computer, where it feels like a major invasion of your privacy. As Alina Simone wrote in March of 2015:

Computers are no longer just machines to rely on. They are second brains, extensions of our innermost selves, clandestine caves in which to stash our memories, secrets, dreams, and hidden vices.

Rather than grappling with the morality of paying these bandits, I find it's best to approach the situation dispassionately with the end-user's best interests firmly in mind. If the encrypted files are worth more than the ransom, then it's worth paying to recover them.

For a business that's been infected, this should be very easy to work out. You need to calculate the work that would be lost between when your files were locked and when they were last backed up. Unless your company is very small or the infection is limited to a single system, the work done during this time will likely be worth more than the ransom would cost to pay. Consider the following example:

A small business with 10 employees earning an average of $60,000 per year averages about $290/hour in employment costs. This means that by noon on a regular day, these employees should have done about $1160 worth of work. Since this is already higher than the cost of an average ransomware unlocking, it may be worth their while to pay the ransom unless they have backups that are only a few hours old.

I've seen several businesses waste days of productivity attempting to remove the virus and debating whether to pay the ransom. Unless you have an extremely recent backup or you happen to have a variation of the virus that can be easily unlocked (more on that below), you are better off biting the bullet and paying the ransom as soon as possible so you can get back to work.

For a home user, the choice can be more complicated. If you use your computer occasionally for some Netflix, Facebook and email, then it's very unlikely that it will be worth your while to pay this ransom. Spend some time and think about what kind of files might be on this computer. For some people, a dozen treasured images that aren't saved anywhere else could easily be worth hundreds of dollars. If nothing comes to mind, then you are better off moving on.

For this kind of user it's very important to note: just because your files are locked does not mean your computer is broken or ruined. In this case, all you need to do is restore your computer to a previously uninfected state. At worst, this may require that your computer be wiped and your operating system be reinstalled. Call your local IT professional.

However, if you are a more serious user with a significant collection of media or other important things on your computer, you are going to want to recover those files. Most media and software purchased from services like iTunes or Steam can be restored after a reinstall, so take that into account when counting your potential losses.

Whether you are a business looking to get back to work or a hardcore Phish fan with a massive, irreplaceable collection of live jam sessions, the first step to recovering your files is to identify which variant of the virus you have. In many cases it will tell you right on the ransom screen. If this doesn't work, a virus scanner like Kaspersky or Windows Defender might shed some light on the situation. It's possible that the virus may block your access to virus scanners. It's important that you don't allow your virus scanner to attempt to remove the virus at this stage, as it could potentially make recovery impossible at a later point.

If you are able to determine which variant has infected your system, your first stop should be to check the Kaspersky Labs Ransomware Decryptor page: https://noransom.kaspersky.com/

However, if you aren't able to find which variant you have, or it's not on the Kaspersky list, then it's time to bite the bullet and pay the ransom. Bitcoin Brains has completed or assisted with the unlocking of hundreds of systems, and I can tell you that the odds of successfully unlocking your system after a ransom payment are very high. Some variants will store the key to unlock your system locally. In these cases it's possible for your virus scanner to damage the recovery file if it's allowed to attempt to remove the virus. Other variants store this key on a remote server; in this scenario it's possible that the remote server could be taken down or compromised. While it's unlikely, the possibility does exist that you could be left without your files or your bitcoins.

The final step once your files have been recovered is to attempt to identify where this virus came from. On a personal computer, check your inbox and browser history. When you find the file in question DON’T OPEN IT AGAIN. This might seem obvious but I’ve seen it happen more than once. The most common cause of infection is opening unknown attachments. If you aren’t expecting something, don’t open it.

In a small business setting, which may not have the tightest of user controls, pinpointing the source can be more difficult. Because many businesses necessarily hire at least a few staff who are less than tech-savvy, educating everyone in a workplace about the dangers of email attachments can be a major challenge. One smaller oil company came to us five times within a three-month span to unlock ransomware, all of which had been downloaded by employees in their sales department. They've since instituted a more rigorous backup schedule and tighter user controls.

This article makes some assumptions about your ability to acquire and send bitcoins. If you are having trouble with this step then contact a bitcoin or IT professional. If you are in Canada, you can check out the options that Bitcoin Brains has available.