Ransomware is one of the biggest scourges we face as Internet citizens today. What happens when you have been struck by it? The most obvious option would be to pay the ransom. You would not be alone if you did – even large companies and non-profits have had to pay, or at least negotiate, a ransom. But should that be your first option? Hardly.
Why Are Ransomware Attacks so Successful?
The core reason ransomware is so “successful” is the way it is delivered. Attackers build convincing campaigns around how people actually behave, and common file formats let them smuggle the downloader, or the encryptor itself, into almost any document, most often as a Word or Excel macro. Imagine getting an email that says: “If the encoding of the attached Word document seems incorrect, please activate macros. This is done as follows…” The reader who follows those instructions runs the attacker’s code with their own privileges.
Another reason lies in weak security practices on the IT network. Inadequate backups, the lack of a disaster recovery plan, slow patching of operating systems and applications, poor control over changes to IT infrastructure and user permissions, and the absence of employee security awareness training all put an organization at serious risk of having its data encrypted.
How to Fix Ransomware: Practical Tips and Free Tools
Have good backups
The best defense is good, tested backups. These come in a couple of forms.
- Shadow copies. If you are a Windows administrator, you may be familiar with the Volume Shadow Copy Service (VSS), first introduced in Windows Server 2003, which takes snapshots of specifically configured volumes at scheduled points in time. This service feeds the Previous Versions feature in Windows clients, which lets users right-click a file and open an earlier version if, for example, they make a mistake in a spreadsheet. If you catch a ransomware infection early, shadow copies are a quick way to restore unencrypted versions of your files. If you are not using shadow copies, configure them today. Unfortunately, many ransomware families have caught on to this: during the silent phase before encryption they delete every shadow copy on the disk (typically with vssadmin delete shadows /all or its WMI equivalent), so treat shadow copies as a convenience, not as your backup.
- Regular backups that you restore from tape or an archive disk. You are making regular backups of your storage, right? And you regularly test them to verify that files can be restored intact? If not, stop reading right now and go configure a backup scheme. Keep at least one copy offline or otherwise unreachable from the machines being backed up: ransomware encrypts any backup it can reach over a mapped drive or a writable share. If you are doing all this, then rest a little easier, as the worst case for a ransomware infection is wiping your machines and restoring their data from backup. Sure, it is an investment of time, but you will not need to pay any ransom, and you might just be seen as a hero.
Good backups are probably the best answer to the question “How do I fix ransomware?”
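The shadow-copy advice above in working form, as an added example that is not part of the original post: the script enumerates the snapshots for a volume, creates one if none exist, pulls a single file back from the newest snapshot, and then goes one step beyond the text by hunting the Security log for the snapshot-deletion commands ransomware runs before it starts encrypting. It assumes an elevated PowerShell session on the affected Windows host, that the file and restore paths are placeholders you will replace, and, for the last step, that process command-line auditing (Event ID 4688 with command line) is enabled.

```powershell
# Added example (not from the original post). Assumptions: run elevated on the
# affected Windows host; the file to recover and the restore location are
# placeholders; step 3 needs command-line auditing (Event 4688) turned on.

$Volume  = 'C:\'
$RelPath = 'Users\Public\Documents\budget.xlsx'   # hypothetical encrypted file
$Restore = 'C:\Restore\budget.xlsx'               # where the clean copy goes

# 1. Win32_ShadowCopy identifies volumes by GUID path, so map the drive letter first.
$letter  = $Volume.TrimEnd('\')
$volGuid = (Get-CimInstance Win32_Volume | Where-Object DriveLetter -eq $letter).DeviceID
$copies  = @(Get-CimInstance Win32_ShadowCopy |
             Where-Object VolumeName -eq $volGuid |
             Sort-Object InstallDate -Descending)

if ($copies.Count -eq 0) {
    # Nothing to roll back to: take a snapshot now. 'ClientAccessible' is the
    # persistent context that Previous Versions reads; schedule this regularly.
    $r = Invoke-CimMethod -ClassName Win32_ShadowCopy -MethodName Create `
             -Arguments @{ Volume = $Volume; Context = 'ClientAccessible' }
    Write-Host "No shadow copies existed; Create returned $($r.ReturnValue) (0 = success)"
    return
}

# 2. Restore from the newest snapshot. The \\?\GLOBALROOT device path cannot be
#    browsed directly, so expose it through a directory symlink, copy, unlink.
$newest = $copies[0]
$link   = 'C:\ShadowMount'
cmd.exe /c mklink /d $link ($newest.DeviceObject + '\') | Out-Null
try {
    New-Item -ItemType Directory -Force -Path (Split-Path $Restore) | Out-Null
    Copy-Item -Path (Join-Path $link $RelPath) -Destination $Restore
    Write-Host "Restored $RelPath from snapshot $($newest.ID) taken $($newest.InstallDate)"
} finally {
    cmd.exe /c rmdir $link | Out-Null      # removes only the link, never the snapshot
}

# 3. Ransomware usually wipes snapshots before encrypting. With command-line
#    auditing on, these are the process launches worth alerting on.
$patterns = @(
    'vssadmin(\.exe)?\s+delete\s+shadows',
    'wmic(\.exe)?\s+shadowcopy\s+delete',
    'Win32_ShadowCopy.*Delete',              # PowerShell/WMI deletion
    'bcdedit(\.exe)?.*recoveryenabled\s+no'  # often run alongside to block recovery
)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddDays(-1) } `
             -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match ($patterns -join '|') } |
    ForEach-Object {
        $cmdLine = ($_.Message -split '\r?\n' | Where-Object { $_ -match 'Process Command Line' }) `
                   -replace '^\s*Process Command Line:\s*', ''
        '{0}  {1}' -f $_.TimeCreated, $cmdLine
    }
```

Two points worth noting. The symlink trick in step 2 is what lets ordinary tools (Copy-Item, robocopy, your backup agent) read a snapshot without the Previous Versions GUI; delete the link with rmdir, not Remove-Item -Recurse, or you will walk into the snapshot. Step 3 only finds what the log recorded, so if the matches come back empty on a box that has lost its shadow copies, check first that 4688 command-line logging was actually enabled before the infection.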
Look for available free anti-ransomware tools
If you do find yourself on the receiving end of a completed ransomware attack, you have a couple of options that don’t involve paying the ransom.
As governments and security researchers continue to make progress against ransomware, they have produced working decryptors for some variants. This is rarely because the cryptography itself was broken; decryptors usually exist because the malware authors made implementation mistakes (a weak or predictable key, a key left on disk or sent in the clear) or because law enforcement seized the servers holding the victims’ keys. Not every variant has been defeated, so you should not rely on the hope that a decryptor will exist for the one that hits you. Do not rest on your laurels when it comes to building defenses against this type of attack.
If you have already been victimized, head over to the No More Ransom Project at https://www.nomoreransom.org and look for the variant you have been hit with; its Crypto Sheriff page can identify the variant from a ransom note or an encrypted file if you are not sure which one it is. The site is sponsored jointly by Europol’s European Cybercrime Centre, the Dutch National Police (Politie), Kaspersky Lab, and Intel Security, and at the time of writing it offered decryption tools for the following variants:
- Crysis (CrySiS)
- Marsjoke/Polyglot
- Wildfire
- Chimera
- Teslacrypt
- Shade
- Coinvault
- Rannoh
- Rakhni
The aforementioned organizations are working on other variants as well, but correctly implemented encryption cannot simply be broken: a decryptor depends on the authors having made a mistake or on their keys being recovered, and malware creators have a strong incentive to fix their mistakes quickly. It is an unfortunate dance, but for now you might be able to save yourself with the decryptors on the site. Beware of ransomware removal tools from other sources: they may themselves be malware disguised as a prevention tool. Before running any decryptor, copy the encrypted files and the ransom note somewhere safe, since a decryptor run against the wrong variant can damage the files beyond recovery.
Check the list of ransomware removal tools from No More Ransom Project and beware of decryption tools from other sources
Use the File Server Resource Manager to catch bad actors
Even if you have been infected by ransomware, it is not too late to prevent further damage. You will likely have some encrypted files, but the sooner you stop the spread, the fewer files are held hostage and the easier the cleanup. As we have covered on this blog before, you can use File Server Resource Manager (FSRM), built into Windows Server, to catch ransomware attacks as they happen. Essentially, you create a honeypot share whose name starts with a dollar sign; because “$” sorts before letters, ransomware that walks the server’s shares in alphabetical order hits this share first. Give the group Authenticated Users full control of the share so that any process that wants to write to it can do so. This is not a drop box for other files, so do not publicize the share to actual users; its only legitimate use is to catch things that should not be on your systems. When the FSRM file screen on that share sees a file being written, it treats the writing account as infected and immediately denies that account access to every share on the server, stopping the encryption of server data in its tracks. A simple PowerShell one-liner, run as the file screen’s command action, accomplishes this:
```powershell
# Run by the FSRM file screen; FSRM substitutes [Source Io Owner] with the DOMAIN\user whose write tripped the screen
Get-SmbShare -Special $false | ForEach-Object { Block-SmbShareAccess -Name $_.Name -AccountName '[Source Io Owner]' -Force }
```
Once these deny entries are in place, the infected account can no longer reach files on this server and its encryption run simply stalls. Note what the script does not do: the ransomware is still running on the user’s workstation, encrypting local drives and any other servers it can reach, and the deny entries only cover SMB shares on the server where FSRM fired. So treat the block as the alarm, not the cure: isolate the workstation, remove the malware, restore the encrypted files, lift the share blocks with Unblock-SmbShareAccess, and move on with your life.
For much more detail on this method of stopping a pending attack or an attack that has just begun, check out Ransomware Protection Using FSRM and PowerShell on our blog.
You can prevent the spread of ransomware infection by using the File Server Resource Manager and a simple PowerShell script
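The whole FSRM setup described above, end to end, as an added example that is not the script from the original post or from the linked article: it creates the bait share with write access for Authenticated Users, writes the blocking script to disk, and wires an FSRM file group, command action and file screen together so that a write into the honeypot runs the script with the offending account as its argument. It assumes Windows Server with the FSRM role installed, an elevated session, and that the share name, directory, script path and log file are placeholders; the choice of a one-minute command notification limit is an assumption about the acceptable minimum.

```powershell
# Added example, not the original post's script or the linked article's.
# Assumptions: Windows Server with the FSRM role, run elevated; the share
# name, paths and log file below are placeholders you can rename.
Import-Module FileServerResourceManager
Import-Module SmbShare

$HoneyDir  = 'D:\Shares\$honeypot'   # leading $ sorts before letters for share walkers
$ShareName = '$honeypot'
$Script    = 'C:\Scripts\Block-RansomwareUser.ps1'

# 1. The bait share: Authenticated Users get write access at both the share and
#    the NTFS level, so whatever account the ransomware runs as can trip it.
New-Item -ItemType Directory -Force -Path $HoneyDir, (Split-Path $Script) | Out-Null
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
            -ArgumentList @('Authenticated Users', 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl = Get-Acl -Path $HoneyDir
$acl.AddAccessRule($rule)
Set-Acl -Path $HoneyDir -AclObject $acl
New-SmbShare -Name $ShareName -Path $HoneyDir -FullAccess 'Authenticated Users' | Out-Null

# 2. The response script. FSRM replaces [Source Io Owner] in the command
#    parameters with DOMAIN\user of the account whose write matched the screen.
@'
param([Parameter(Mandatory = $true)][string]$User)
# Deny the offending account on every ordinary share on this server;
# -Special $false skips C$, ADMIN$ and IPC$ so administrators keep a way in.
Get-SmbShare -Special $false | ForEach-Object {
    Block-SmbShareAccess -Name $_.Name -AccountName $User -Force
}
"$(Get-Date -Format s) blocked $User" | Add-Content -Path 'C:\Scripts\honeypot-hits.log'
'@ | Set-Content -Path $Script -Encoding ASCII

# 3. A file group matching everything, a command action that runs the script as
#    LocalSystem, and an active screen on the bait directory tying them together.
$group  = New-FsrmFileGroup -Name 'Honeypot - any file' -IncludePattern '*'
$action = New-FsrmAction -Type Command -SecurityLevel LocalSystem `
              -Command "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe" `
              -CommandParameters "-NoProfile -ExecutionPolicy Bypass -File `"$Script`" `"[Source Io Owner]`""
New-FsrmFileScreen -Path $HoneyDir -IncludeGroup $group.Name -Notification $action -Active | Out-Null

# FSRM rate-limits command actions (60 minutes by default). Lower the limit so a
# second infected account within the hour is caught too (1 minute assumed valid).
Set-FsrmSetting -CommandNotificationLimit 1
```

To test it, log on as an ordinary user from a workstation, save any file into \\server\$honeypot, and then run Get-SmbShareAccess -Name <one of your data shares> on the server: a Deny entry for that account should appear within seconds, and Unblock-SmbShareAccess removes it once you have finished. Because the screen is active, the bait write itself is refused, which is fine: the action still fires. Two caveats. A real user who stumbles into the share and saves a file gets locked out of everything, which is the intended trade-off and the reason the page says not to publicize the share. And the “$” prefix only helps against ransomware that walks shares in sort order; a family that starts elsewhere will have encrypted part of a data share before it reaches the bait, so keep the backups from the earlier section regardless.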
Feeling stressed because of never-ending ransomware drama? See how Netwrix Auditor can help you reduce the damage from ransomware attack.
What are your ways to fight ransomware? Please share in the comments below.