June 9, 2020 By David Whipple
Google the phrase “How do I remove ransomware” and you’ll be greeted by hundreds of ads with promises that, for only a few hundred dollars, the ransomware attack you’re currently experiencing will be nothing more than a sad memory in only a few short hours. The truth about ransomware removal can be a little more dire. In this post we’ll cover the typical ransomware removal options and offer some tips on how to prevent a ransomware attack.
If you’re just catching up on our ransomware series, be sure to check out our previous posts:
- The Definitive Guide to Ransomware
- What is Ransomware?
- How Does Ransomware Spread?
- How to Report Ransomware
- Recent Ransomware Attacks and Examples
- How to Prevent and Prepare for Ransomware Attacks
- Should You Pay the Ransomware Demand
Ransomware is a class of malicious software (or malware) that works on the admittedly clever idea that data doesn’t need to be stolen in order for the bad guys to profit. In fact, after an attack, your data is in exactly the same place you left it--either inaccessible to you, locked away, or in the worst-case scenario, scrambled. In each possible outcome, the ransomware attack is identified by a notice from some leech attempting to extort payment from you in return for access to your data.
Your ability to recover from these attacks has varying chances of success, each predicated on the type of ransomware attack you’re experiencing. Let's look at each type and see what can be done:
Scareware Attacks
At the lower level of sophistication, scareware attacks compel the user to spend money or grant third-party access by doing nothing more than presenting the user with a screen containing an alarming message. Untrained users can fall for this--more times than you might believe--and blindly follow the instructions, believing their sensitive data has been breached and their business endangered.
While it might seem that society should be aware of these techniques and modern computing evolved enough to make them a dim memory, the truth is that these attacks can still be found in the wild. Luckily, they are generally curable, since they rarely damage underlying data files. Most modern anti-malware solutions have the ability to detect, quarantine, and remove scareware-based ransomware quickly and easily.
Lockware Attacks
Rather than working at the individual file level, lockware simply denies a user access to their computer. These attacks generally work by hijacking the user interface to lock the user out of their system. Since they generally don’t harm filesystem resources, the same solutions used to remediate scareware attacks (proper anti-malware solutions) can be used.
Crypto Attacks
These are the attacks to worry about, and they are unfortunately on the rise due to their efficacy. Crypto attacks use strong, standard encryption algorithms to encrypt your data files in place, and the result cannot feasibly be decrypted without the key. Every little one and zero is in a different order now and completely unusable without a special decryption key that will cost you money. Sometimes that means big money.
If you’re unfortunate enough to fall victim to an encryption based attack, you only have a few solutions:
First, the threat itself has to be removed. The software that performed the encryption is likely still present on your systems and must be removed in order to prevent further damage. The method to do this is highly dependent on the family of ransomware involved, and you will need to consult with experts quickly in order to begin remediation.
Once the threat has been removed, you’re still left with inaccessible data. What you do next depends on several factors:
- Decide whether or not to pay the ransom. Consulting experts, specialists, and your legal team is critical to making the right decision. The ransom will likely be demanded in bitcoin, and instructions will be provided.
- Restore data from your backups. This is the best approach. It’s important to regularly test that your backups can actually be restored--in a ransomware event, you don’t want to find out that your data isn’t fully backed up and safe.
- Try to find a decryption tool online. This rarely works; it is only possible if the attacker reused keys and a matching decryptor has been published on the web.
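To make the "scrambled" state concrete, and to show what the backup check in the second bullet protects against, here is an added Python example that is not part of the original post or any vendor tool. It scores each file's byte entropy to separate intact files from ones that look encrypted, then compares the encrypted ones against a backup manifest of SHA-256 hashes so the responder can see what can be restored and what was never backed up. The directory tree, the 7.5-bit threshold, and the manifest format are all constructed for this example.

```python
import hashlib
import math
import tempfile
from pathlib import Path

# Constructed triage helper (added example; not code from the original post or
# any vendor tool). Crypto-ransomware overwrites files with ciphertext, which is
# statistically close to random: every byte value is about equally likely, so
# Shannon entropy approaches 8 bits per byte. Text, source code and most office
# documents score well below that. Entropy is only a triage hint: compressed or
# already-encrypted formats (zip, jpeg, pdf streams) score high too, so confirm
# before acting on a single file's score.

ENTROPY_THRESHOLD = 7.5  # bits per byte; assumed cut-off for this example


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def sha256_file(path: Path) -> str:
    """Streaming SHA-256 of a file, as a backup job would record it."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def triage(root: Path, manifest: dict) -> dict:
    """Sort every file under root by its apparent state after an attack.

    manifest maps a path relative to root to the SHA-256 the backup job
    recorded for the last known-good copy. Files that look encrypted and have
    a manifest entry can be restored; encrypted files with no entry are the
    ones the post warns about: data that was never fully backed up.
    """
    result = {"intact": [], "encrypted": [], "restore_needed": [], "no_backup": []}
    files = sorted((p for p in root.rglob("*") if p.is_file()),
                   key=lambda p: p.relative_to(root).as_posix())
    for path in files:
        rel = path.relative_to(root).as_posix()
        if shannon_entropy(path.read_bytes()) >= ENTROPY_THRESHOLD:
            result["encrypted"].append(rel)
            result["restore_needed" if rel in manifest else "no_backup"].append(rel)
        else:
            result["intact"].append(rel)
    return result


def build_sample_incident() -> tuple:
    """Constructed sample tree: a small share after an attack, plus the manifest
    the backup job recorded beforehand. Not real ransomware output; the
    ciphertext stand-in is simply every byte value repeated evenly."""
    root = Path(tempfile.mkdtemp(prefix="triage_demo_"))
    (root / "docs").mkdir()
    (root / "scratch").mkdir()
    report = root / "docs" / "report.txt"
    budget = root / "docs" / "budget.csv"
    todo = root / "scratch" / "todo.md"
    report.write_bytes(b"quarterly report: revenue up 4 percent\n" * 50)
    budget.write_bytes(b"month,spend\njan,1200\nfeb,980\n" * 40)
    todo.write_bytes(b"- renew certificates\n- rotate backup media\n" * 20)
    # The backup job only ever covered docs/, so scratch/ has no manifest entry.
    manifest = {"docs/report.txt": sha256_file(report),
                "docs/budget.csv": sha256_file(budget)}
    # Simulate the attack: two files are overwritten in place with ciphertext-like
    # bytes (entropy exactly 8.0); report.txt is left untouched; a ransom note is
    # dropped at the top of the share.
    budget.write_bytes(bytes(range(256)) * 16)
    todo.write_bytes(bytes(range(255, -1, -1)) * 8)
    (root / "README_DECRYPT.txt").write_text(
        "your files are encrypted, pay to recover them\n")
    return root, manifest


if __name__ == "__main__":
    root, manifest = build_sample_incident()
    for state, paths in triage(root, manifest).items():
        print(f"{state:15s} {paths}")
```

Run against the constructed tree, `docs/budget.csv` lands in `restore_needed` because the manifest has a known-good hash for it, while `scratch/todo.md` lands in `no_backup`: it was never covered by the backup job, which is exactly the gap a routine restore test would have surfaced before the incident.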
In all ransomware scenarios, the best defense is...a good defense. A good first step is to invest in information security tools that have proven efficacy. Endpoint security solutions are now both easy to deploy and affordable. The best solutions are updated regularly and go beyond simple signature-based detection: they look at the behavior of applications that run on your laptops, desktops, and server infrastructure. And don’t forget to protect your frontline--your employees. Regular training on current social engineering techniques and how to spot a phishing email is a best practice, as is teaching employees the next steps in the case of a ransomware attack--who to tell, what to do, and so on.
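As an added example of what "looking at the behavior of applications" means in practice (illustrative code written for this post, not the post's own or any product's detection logic), the following Python detector replays constructed file-activity events and flags a process that overwrites and renames many distinct files to a new extension within a short window. A backup agent that writes many files without renaming them does not trigger it. The event schema, the 10-second window, and the thresholds are assumptions for the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from pathlib import PurePosixPath
from typing import List, Optional

# Added example of behavior-based detection (not from the original post or any
# product). Instead of matching a known file hash, we watch what each process
# does to the filesystem. Crypto-ransomware has to touch many user files in a
# short time, typically overwriting each one and giving it a new extension;
# that pattern is visible even for a strain no signature has seen yet.


@dataclass(frozen=True)
class FileEvent:
    ts: float                   # seconds since start of capture
    pid: int
    process: str
    action: str                 # "write" or "rename"
    path: str                   # path after the action
    old_path: Optional[str] = None  # only for renames


@dataclass
class Alert:
    pid: int
    process: str
    first_ts: float
    last_ts: float
    files_touched: int
    files_renamed: int


WINDOW_SECONDS = 10.0     # sliding window per process (assumed)
MIN_FILES_TOUCHED = 20    # distinct files modified inside the window (assumed)
MIN_RENAME_SHARE = 0.5    # share of those files that also changed extension (assumed)


def _suffix(path: str) -> str:
    return PurePosixPath(path).suffix.lower()


def detect_mass_encryption(events: List[FileEvent]) -> List[Alert]:
    """Raise one alert per process whose recent activity looks like bulk
    encryption: many distinct files written and most of them renamed to a
    different extension, all within WINDOW_SECONDS."""
    windows = defaultdict(deque)   # pid -> deque of (ts, file_key, ext_changed)
    alerted = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.action == "write":
            entry = (ev.ts, ev.path, False)
        elif ev.action == "rename" and ev.old_path:
            # Key the rename by the original name so write+rename of the same
            # file counts as one touched file, not two.
            entry = (ev.ts, ev.old_path, _suffix(ev.old_path) != _suffix(ev.path))
        else:
            continue
        q = windows[ev.pid]
        q.append(entry)
        while q and ev.ts - q[0][0] > WINDOW_SECONDS:
            q.popleft()
        touched = {key for _, key, _ in q}
        renamed = {key for _, key, changed in q if changed}
        if (ev.pid not in alerted and len(touched) >= MIN_FILES_TOUCHED
                and len(renamed) >= MIN_RENAME_SHARE * len(touched)):
            alerted.add(ev.pid)
            alerts.append(Alert(ev.pid, ev.process, q[0][0], ev.ts,
                                len(touched), len(renamed)))
    return alerts


def sample_events() -> List[FileEvent]:
    """Constructed telemetry: a legitimate backup job, a user saving a
    document, and one process behaving like crypto-ransomware. Not captured
    from a real host; process names are placeholders."""
    events = []
    # pid 1001: backup agent copies 30 files in about 9 s, writes only, no renames
    for i in range(30):
        events.append(FileEvent(0.3 * i, 1001, "backup-agent", "write",
                                f"/backup/docs/file{i}.docx"))
    # pid 1002: a user saving the same document twice
    for ts in (2.0, 7.0):
        events.append(FileEvent(ts, 1002, "winword", "write", "/home/ann/report.docx"))
    # pid 4242: 25 files overwritten in place and renamed to a new extension in 5 s
    for i in range(25):
        src = f"/home/ann/docs/file{i}.xlsx"
        events.append(FileEvent(10.0 + 0.2 * i, 4242, "updater.exe", "write", src))
        events.append(FileEvent(10.1 + 0.2 * i, 4242, "updater.exe", "rename",
                                src + ".locked", old_path=src))
    return events


if __name__ == "__main__":
    for alert in detect_mass_encryption(sample_events()):
        print(alert)
```

The two-part condition is the point: a raw count of files modified would flag the backup agent, so the detector also requires that most of the touched files changed extension. A real deployment would tune the window and thresholds to the host's normal activity and would alert on the process early enough to suspend it, not just log it.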
A ransomware event can be complex and expensive. Insurance can help you prepare for the financial consequences, but a true cyber partner can help you get back to business sooner if you’re attacked with ransomware. Use the Measured risk calculator to learn more about your risk.