- Identifying how many users’ PCs are infected
- Disinfecting malware from PCs
- File recovery
Prior to any action, it is generally suggested to:
- Disable the affected users' AD user and computer accounts.
- Unplug the users’ infected PCs from network.
- Power them off as well to stop the ransomware process from encrypting more files, unless investigating or collecting evidence.
- Back up the whole disk (block level is preferred over image/file level), including the OS and the infected files (recommended if the files are very important to the users, as there may be ways to restore them in the future).
- Prevent unnecessary writing to the file system, in case you want to recover deleted files.
1. Identifying Ransomware Infection
How many users and PCs are affected? Different scopes may require different approaches.
Locating Infections
Below are ransomware identification methods with Locky as a specific example, but the pattern is generally similar. The key is to find the pattern and then (programmatically) search systems for that pattern.
- Files encrypted by ransomware are usually renamed with a specific word in the filename; for example, Locky puts the word ‘locky’ in the filename, so we can tell whether a user’s PC is infected by searching for files with that name. Below is a programmatic way of doing so for the whole system with a Windows batch script (replace locky with the pattern of the ransomware in question).
@echo off
rem Walk every possible drive letter; drives that do not exist are skipped quietly.
rem Replace locky with the filename marker of the ransomware in question.
for %%i in (A B C D E F G H I J K L M N O P Q R S T U V W X Y Z) do (
  cd /d %%i: 2>nul && dir /a /b /s *locky* 2>nul
)
- Search the registry using reg query for ransomware traces, for example Locky's wallpaper setting:
- HKCU\Control Panel\Desktop\Wallpaper "%UserProfile%\Desktop\_Locky_recover_instructions.bmp"
- Search the file system for ransom payment instructions, usually in txt or image formats:
- In addition, the current wallpaper may be replaced by the ransomware's own image, which describes how to pay the ransom.
- Refer to a reputable security website such as Bleeping Computer for ransomware news and disinfection recommendations. For the Locky example:
- Besides checking the local computer, check any publicly writable network shared folders the current user account has access to; they may be affected as well.
- Open the properties of the decryption instruction files created by the ransomware. The owner field indicates the infected user or machine.
- If that is not helpful (e.g. because the owner is a group), run compmgmt.msc (the Computer Management MMC snap-in) on the file server where the encrypted files are located, then go to Shares > Open Files. The user holding an enormous number of open files is the likely culprit.
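The file-server checks above (ransom-note owner, Shares > Open Files) can be scripted. This is an added PowerShell example, not from the original article; it assumes an elevated session on a Windows Server 2012+ file server with the SmbShare module, and $SharePaths is an assumed share root that must be adjusted.

```powershell
# Added example (not from the original article): scope a Locky-style infection on a
# file server. Assumes PowerShell 3+, the SmbShare module (Server 2012+) and an
# administrator session. The "*locky*" / "_Locky_recover_instructions*" patterns are
# the article's Locky example; change them for another family.
param(
    [string[]]$SharePaths = @('D:\Shares'),            # assumption: roots of the shares to scan
    [string]$EncryptedPattern = '*locky*',
    [string]$NotePattern = '_Locky_recover_instructions*'
)

# 1. Encrypted files and ransom notes. The NTFS owner of a note is the account the
#    ransomware ran as, i.e. the infected user (unless ownership defaults to a group).
$encrypted = Get-ChildItem -Path $SharePaths -Recurse -Force -File -Filter $EncryptedPattern -ErrorAction SilentlyContinue
$notes     = Get-ChildItem -Path $SharePaths -Recurse -Force -File -Filter $NotePattern -ErrorAction SilentlyContinue
"Encrypted files found under shares: $($encrypted.Count)"
$notes |
    Select-Object FullName, @{n='Owner'; e={ (Get-Acl -LiteralPath $_.FullName).Owner }} |
    Group-Object Owner |
    Sort-Object Count -Descending |
    Select-Object @{n='Owner'; e={ $_.Name }}, @{n='RansomNotes'; e={ $_.Count }}

# 2. Same data as Computer Management > Shares > Open Files: an account and client
#    holding an abnormal number of open handles is the likely source of the encryption.
Get-SmbOpenFile |
    Group-Object ClientUserName, ClientComputerName |
    Sort-Object Count -Descending |
    Select-Object -First 10 Name, Count

# 3. The registry trace quoted in the article, for the profile this script runs under
#    (run it in the infected user's session on the PC itself to check that profile).
$wallpaper = (Get-ItemProperty 'HKCU:\Control Panel\Desktop').Wallpaper
if ($wallpaper -like '*_Locky_recover_instructions*') { "Wallpaper points at a ransom note: $wallpaper" }
```

Disable the offending account and disconnect its PC before the open-files listing changes; Get-SmbOpenFile only reflects handles that are still open.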
2. Malware Disinfection Process (any one of the below)
Depending on the security requirements and urgency of a case, there are different approaches.
- If the data on the computer is not important and can be given up, delete everything using the diskpart clean command (which ensures the boot record, MBR or GPT, is wiped) and reinstall Windows.
- Otherwise, if continuing to use the OS without reinstallation is desired (not recommended, but in some cases it is the only option), disinfect it using multiple updated anti-virus scanners. (It is recommended to scan the file system offline from another OS. Even so, the ransomware may be too new or too heavily modified to be detected, so scan it once again at a later time.)
- Or, disinfect with more sophisticated methods (e.g. Sysinternals Process Explorer, Autoruns, VirusTotal). Recommended for experienced system administrators only.
3. File Recovery Process (an alternative technique besides restoring from backup)
If you have a backup, simply restore from the latest backup. However, if that is not the case and you need another way to restore files, read on.
Concept
Volume Shadow Copies may contain previous versions of files, accessible through the Previous Versions tab in Windows 7. Therefore, ransomware often deletes the shadow copies by emptying the System Volume Information folder before encrypting the file system. If it has not, good for you: you may just restore the files using the Previous Versions tab. Otherwise, the technique introduced below undeletes the Volume Shadow Copy folder emptied by the ransomware, where the deleted documents may be found and then restored.
Prerequisite
System Restore needs to be ALREADY enabled on the user’s Windows PC before the infection. (Or Shadow Copies on the file server, if the affected files are on a network location.) This is the default on Windows 7. Unfortunately, on Windows 8 or later you would need to turn it on manually.
Required third-party software
- Recuva (to undelete the System Volume Information folder)
- ShadowExplorer (to browse and restore previous versions from the recovered shadow copies)
- Copy the above utilities to a USB thumb drive.
- Use Recuva to restore the deleted "X:\System Volume Information" folder to its original location (where X: is the partition on which the lost/encrypted file is located, usually C)
- Use ShadowExplorer to browse and restore previous versions of the lost/encrypted files.
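Before reaching for Recuva, it helps to check which of the two situations described above applies to the volume: shadow copies still present (use Previous Versions directly) or shadow storage configured but emptied (try the undelete technique). This is an added PowerShell check, not from the original article; it assumes an administrator session on the machine holding the volume and $Volume is an assumed parameter to set to the affected drive.

```powershell
# Added example (not from the original article): decide which recovery path applies.
# Assumes an elevated PowerShell session on the PC or file server holding the volume.
param([string]$Volume = 'C:')   # assumption: drive letter of the affected volume
$Volume = $Volume.TrimEnd('\')

# Win32_ShadowCopy names volumes as \\?\Volume{GUID}\; map those to drive letters.
$letterByDevice = @{}
Get-CimInstance Win32_Volume | ForEach-Object {
    if ($_.DriveLetter) { $letterByDevice[$_.DeviceID] = $_.DriveLetter }
}
$shadows = @(Get-CimInstance Win32_ShadowCopy | Where-Object { $letterByDevice[$_.VolumeName] -eq $Volume })

if ($shadows.Count -gt 0) {
    # Copies survived: the Previous Versions tab (or ShadowExplorer) can be used as-is.
    $oldest = ($shadows | Sort-Object InstallDate | Select-Object -First 1).InstallDate
    "$($shadows.Count) shadow copies of $Volume still exist (oldest: $oldest); try the Previous Versions tab first."
} else {
    # No copies listed. If storage was allocated before the infection, the copies were
    # probably deleted and the undelete technique above is worth attempting.
    $storage = vssadmin list shadowstorage /for=$Volume 2>&1 | Out-String
    if ($storage -match 'Used Shadow Copy Storage space') {
        "No shadow copies listed for $Volume, but shadow storage exists: undelete $Volume\System Volume Information with Recuva, then browse it with ShadowExplorer."
    } else {
        "No shadow storage was configured for $Volume; System Restore/Shadow Copies were not enabled before the infection, so this technique cannot apply."
    }
}
```

Run it from a live or offline-mounted state without writing to the volume, since every write reduces the chance that the deleted folder can be undeleted.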
Conclusion
While a few users reported that this technique successfully recovered files encrypted by ransomware, it may not work in all cases, and the malware writers may be aware of such a technique and block it in future. Be prepared for it not to work in some cases.
- Avoid the trap of promising users that their documents can be restored with ease. Normally, without a backup, files encrypted or destroyed by this kind of ransomware cannot be restored. (Paying the ransom should not be an option.)