3 Thoughts on Ransomware Removal

Recently, the Locky ransomware has been getting local media attention. A friend who is a junior in the field asked me for advice, so I wrote down these 3 things for dealing with a reported ransomware infection in an enterprise. Step #3, File recovery, covers an approach for the case where no backup is available: undelete the shadow-copy files the malware removed using Recuva, then recover the documents from those shadow copies.
  1. Identifying how many users’ PCs are infected
  2. Disinfecting malware from PCs
  3. File recovery
Read on for the details in each of the steps.

General Suggestions

Prior to any action, it is generally suggested to:
  • Disable the affected users' AD user and computer accounts, so the account cannot keep writing to network shares from any session.
  • Unplug the infected PCs from the network (cable and Wi-Fi).
  • Power them off as well to stop the ransomware process from encrypting more files, unless you are investigating or collecting evidence. Keep in mind that powering off discards memory: if a forensic investigation or a memory capture is wanted, take it first.
  • Back up the whole disk (a block-level image is preferred over a file-level copy), including the OS and the encrypted files. This is recommended if the files are very important to the users, as a decryptor may become available in the future.
  • Avoid unnecessary writes to the file system, in case you want to recover deleted files: every write may overwrite the sectors a deleted file occupied.

1. Identifying Ransomware Infection

How many users and PCs are affected? Different scopes may require different approaches.

Locating Infections

Below are ransomware identification methods with Locky as the specific example, but the pattern is generally similar for other families. The key is to find the indicators (renamed files, ransom notes, registry keys) and then search systems for them, preferably programmatically.
  • Files encrypted by ransomware are usually renamed with a family-specific marker; Locky, for example, renames encrypted files to a hex name with the extension .locky, so the word 'locky' in a filename tells you the PC is infected. (A family that does not rename files needs a different indicator, such as its ransom note.) Below is a batch script that searches every existing drive letter from its root for the marker (replace locky with the pattern of the ransomware at hand). Save it as a .cmd file; at an interactive prompt use a single % for the loop variable.
    rem Search every drive that exists for filenames containing "locky".
    rem "if exist X:\" skips absent drive letters, so "dir" never falls back to the
    rem current drive and lists it twice; starting at X:\ searches the whole drive
    rem rather than the last directory used on it. /a includes hidden and system
    rem files, /b /s prints full paths recursively.
    for %%i in (A B C D E F G H I J K L M N O P Q R S T U V W X Y Z) do (
      if exist %%i:\ dir /a /b /s %%i:\*locky* 2>nul
    )

  • Search the registry with reg query for ransomware traces. Locky writes under HKCU, so run the query in the affected user's session, or query that user's hive under HKU\<SID> when logged on as an administrator; the administrator's own HKCU will be clean:
    • HKCU\Software\Locky
    • HKCU\Software\Locky\id
    • HKCU\Software\Locky\pubkey
    • HKCU\Software\Locky\paytext
    • HKCU\Software\Locky\completed
    • HKCU\Control Panel\Desktop\Wallpaper "%UserProfile%\Desktop\_Locky_recover_instructions.bmp"
  • Search the file system for ransom-paying instructions, usually dropped as txt or image files on the desktop:
    • %UserProfile%\Desktop\_Locky_recover_instructions.bmp
    • %UserProfile%\Desktop\_Locky_recover_instructions.txt
  • The dropper itself usually sits in the temp folder under a random name:
    • %Temp%\[random].exe
  • In addition, the desktop wallpaper may be replaced by the ransomware's own image carrying the payment instructions (the Wallpaper registry value above).
  • Refer to reputable security websites such as Bleeping Computer for ransomware news and disinfection recommendations. For the Locky example, see Bleeping Computer's Locky write-up.
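The indicators above can be checked programmatically on one PC, and on a whole fleet over WinRM, which is what answers the scoping question of step 1. The following PowerShell function is an added example, not code from the original post: it checks the .locky filename marker on every fixed disk, the ransom notes on every profile's desktop, and the Software\Locky and Wallpaper values in every loaded user hive. The function and parameter names and the workstations.txt host list are this example's own assumptions.

```powershell
# Added example, not from the original post: check one Windows PC for the
# Locky indicators listed above and return a summary object. Run as an
# administrator. The function and parameter names are this example's own.
function Test-LockyIndicators {
    [CmdletBinding()]
    param(
        # Filename marker; change it for another ransomware family.
        [string]$FilePattern = '*locky*',
        # Stop after this many file hits: one hit already proves infection and
        # a full walk of a large disk is slow.
        [int]$MaxFiles = 20
    )

    $result = [ordered]@{
        ComputerName   = $env:COMPUTERNAME
        EncryptedFiles = @()
        RansomNotes    = @()
        RegistryTraces = @()
        Infected       = $false
    }

    # 1. Renamed files on every fixed local disk (DriveType 3). Network shares
    #    are handled on the file server, see the next section.
    $drives = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 3' |
              Select-Object -ExpandProperty DeviceID                  # "C:", "D:", ...
    foreach ($d in $drives) {
        $hits = Get-ChildItem -Path "$d\" -Filter $FilePattern -Recurse -Force -File `
                    -ErrorAction SilentlyContinue |
                Select-Object -First $MaxFiles -ExpandProperty FullName
        if ($hits) { $result.EncryptedFiles += @($hits) }
    }

    # 2. Ransom notes on the desktop of every profile, not only the account
    #    running the scan.
    $notes = Get-ChildItem -Path "$env:SystemDrive\Users\*\Desktop\_Locky_recover_instructions.*" `
                 -Force -ErrorAction SilentlyContinue
    $result.RansomNotes = @($notes | Select-Object -ExpandProperty FullName)

    # 3. Registry traces. Locky writes under HKCU, i.e. the infected user's
    #    hive, so look in HKEY_USERS\<SID> for every loaded profile rather than
    #    in the HKCU of the administrator running this function.
    $profiles = Get-ChildItem Registry::HKEY_USERS -ErrorAction SilentlyContinue |
                Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' }
    foreach ($p in $profiles) {
        $base = "Registry::HKEY_USERS\$($p.PSChildName)"
        if (Test-Path "$base\Software\Locky") {
            $locky = Get-ItemProperty -Path "$base\Software\Locky"
            $result.RegistryTraces += [pscustomobject]@{
                Sid = $p.PSChildName; Trace = 'Software\Locky'
                Id = $locky.id; Completed = $locky.completed
            }
        }
        $wp = Get-ItemProperty -Path "$base\Control Panel\Desktop" -Name Wallpaper `
                  -ErrorAction SilentlyContinue
        if ($wp -and $wp.Wallpaper -like '*_Locky_recover_instructions.bmp') {
            $result.RegistryTraces += [pscustomobject]@{
                Sid = $p.PSChildName; Trace = 'Wallpaper'; Id = $null; Completed = $wp.Wallpaper
            }
        }
    }

    $result.Infected = ($result.EncryptedFiles.Count + $result.RansomNotes.Count +
                        $result.RegistryTraces.Count) -gt 0
    [pscustomobject]$result
}

# One PC:
Test-LockyIndicators | Format-List

# Whole fleet from a management host with WinRM enabled. workstations.txt (one
# computer name per line) is an assumed input; only infected hosts are listed,
# which answers "how many PCs are affected".
# $hosts = Get-Content .\workstations.txt
# Invoke-Command -ComputerName $hosts -ScriptBlock ${function:Test-LockyIndicators} |
#     Where-Object Infected |
#     Select-Object ComputerName, @{n='Files';e={$_.EncryptedFiles.Count}},
#                   @{n='Notes';e={$_.RansomNotes.Count}}
```

The fleet variant sends the function body to each host, so nothing has to be installed on the workstations; the host list can equally come from Get-ADComputer. Mapped or unmapped network shares are deliberately not walked here (DriveType 3 is local disks only), because the share is checked once on the file server rather than once per client.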

File Servers

  • Besides the local computer, check any network shares the infected user's account can write to; they are likely affected as well, since the ransomware encrypts every reachable share it can write to.
    • Open the properties of a ransom-note file created on the share. The Owner field (Security tab > Advanced) shows the account that created it, i.e. the infected user.
    • If that is not helpful (e.g. because ownership was assigned to a group such as Administrators), run compmgmt.msc (Computer Management) on the file server holding the encrypted files and go to Shared Folders > Open Files. The session with an enormous number of open files is the culprit; closing that session there also stops further encryption of the share while the PC is being isolated.
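The same two checks, done from a PowerShell prompt on the file server so they can be repeated across shares and the offending session can be cut at once. This is an added example, not code from the original post; it needs the SmbShare module (Windows Server 2012 or later) and administrator rights, and the share root, the note name and the open-file threshold are assumptions of this example.

```powershell
# Added example, not from the original post: on the file server, identify the
# infected account from the ransom notes it created on a share and from its
# SMB session, then close that session. Share root, note name and threshold
# are this example's assumptions.
param(
    [string]$SharePath = 'D:\Shares\Public',                 # assumed share root on the server
    [string]$NoteName  = '_Locky_recover_instructions.txt',
    [int]   $OpenFileThreshold = 200                         # tune to the environment
)

# 1. Owner of every ransom note on the share: the account that created the file
#    is the infected user, unless ownership went to a group (e.g. the user is
#    an administrator on the server, so Windows assigned ownership to the
#    Administrators group), in which case the session view below is what counts.
Get-ChildItem -Path $SharePath -Filter $NoteName -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Created = $_.CreationTime
            Owner   = (Get-Acl -LiteralPath $_.FullName).Owner
            Note    = $_.FullName
        }
    } | Sort-Object Created | Format-Table -AutoSize

# 2. Open-file count per SMB session, the same data as Computer Management >
#    Shared Folders > Open Files, sorted so the culprit is on top. A session
#    that is encrypting a share holds hundreds of files open while everyone
#    else holds a handful.
$sessions = Get-SmbSession | Sort-Object NumOpens -Descending
$sessions | Select-Object ClientUserName, ClientComputerName, NumOpens, SessionId |
    Format-Table -AutoSize

# 3. For the top session, show what it has open: paths carrying the
#    ransomware's extension (.locky here) confirm the diagnosis before
#    anything is closed.
$top = $sessions | Select-Object -First 1
Get-SmbOpenFile -SessionId $top.SessionId |
    Select-Object -First 20 -ExpandProperty Path

# 4. Close every session above the threshold. This stops further encryption of
#    the share immediately; the PC itself still has to be isolated and the
#    account disabled as described under General Suggestions.
foreach ($s in $sessions | Where-Object NumOpens -ge $OpenFileThreshold) {
    Write-Warning ("Closing session {0} of {1} from {2} ({3} open files)" -f
        $s.SessionId, $s.ClientUserName, $s.ClientComputerName, $s.NumOpens)
    Close-SmbSession -SessionId $s.SessionId -Force
}
```

Closing the session is a stopgap, not a fix: the ransomware on the workstation reconnects as soon as it can, so the account must be disabled and the PC unplugged right after. Lower the threshold if the share is small; the point of step 3 is to look at the open paths before deciding.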

2. Malware Disinfection Process (any one of the below)

Depending on requirements of security and urgency of a case, there could be different approaches.

Security First

  • If the data on the computer are not important and can be given up, wipe the disk with the diskpart clean command and reinstall Windows. clean removes the partition table (MBR or GPT) and the boot record, so a boot-sector infection does not survive the reinstall; it does not overwrite the data sectors themselves (clean all zeroes the entire disk, which takes much longer but is the choice if the drive will leave your custody). Do this only after the disk image from the General Suggestions has been taken, if one is wanted.

Speed First

3. File Recovery Process (an alternative technique besides restoring from backup)

If you have a backup, restore from the latest backup taken before the infection, but only onto a disinfected or rebuilt machine, otherwise the restored files are simply encrypted again. If no backup is available and you need another way to get the files back, read on.

Concept

Volume Shadow Copies may contain previous versions of files, accessible through the Previous Versions tab in Windows 7. Ransomware authors know this, so the malware often deletes the shadow copies (the contents of the System Volume Information folder) before or while encrypting the file system. If it did not, good for you: just restore the files from the Previous Versions tab. Otherwise, the technique below undeletes the shadow-copy files that the ransomware removed from that folder, after which earlier versions of the documents can be browsed and restored.

Prerequisite

System Restore needs to be ALREADY enabled on the user's Windows PC before the infection (or Shadow Copies on the file server, if the affected files are on a network location). This is the default on Windows 7. On Windows 8 or later, System Protection may be off by default and has to be switched on manually (System Properties > System Protection, or Enable-ComputerRestore -Drive 'C:\' in PowerShell) before an incident; if it was off, there are no shadow copies to undelete afterwards.

Required third-party software

  • Recuva (file undelete utility)
  • ShadowExplorer (browses and restores files from Volume Shadow Copies)

Steps

  1. Copy the above utilities to a USB thumb drive and run them from there; do not install anything on the infected volume, as every write may overwrite the deleted data you are trying to recover.
  2. Use Recuva to undelete the "X:\System Volume Information" folder and restore it to its original location (where X: is the partition on which the lost/encrypted files were stored, usually C).
  3. Use ShadowExplorer to browse the shadow copies and restore the previous versions of the lost/encrypted files, saving them to the USB drive rather than to the infected volume.
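Before reaching for Recuva, it is worth checking whether any shadow copy survived at all, and if one did, earlier versions of a file can be pulled out of it without ShadowExplorer. The following PowerShell script is an added example, not code from the original post: it lists the remaining snapshots of the volume, exposes each one through a directory symlink, and copies every surviving version of one file to a USB drive. The encrypted-file path and the restore folder on the USB drive are assumptions of this example; run it as an administrator on the PC (or on the file server that holds the share).

```powershell
# Added example, not part of the original post: check whether shadow copies
# survived the infection and, if they did, copy earlier versions of an
# encrypted file out of them. Run as administrator. The file path and the
# USB restore folder are this example's assumptions.
param(
    [string]$Path       = 'C:\Users\alice\Documents\budget.xlsx',   # assumed encrypted file
    [string]$RestoreDir = 'E:\restored'                             # assumed USB drive: do not write to the infected volume
)

$drive    = [System.IO.Path]::GetPathRoot($Path)                    # "C:\"
$relative = $Path.Substring($drive.Length)                          # "Users\alice\Documents\budget.xlsx"

# 1. Which snapshots still exist for the volume? Win32_ShadowCopy lists the same
#    snapshots the Previous Versions tab reads. Ransomware that ran
#    'vssadmin delete shadows /all /quiet' leaves the list empty, and the
#    Recuva/ShadowExplorer procedure above is then the only option.
$volumeId = (Get-CimInstance Win32_Volume -Filter "DriveLetter = '$($drive.TrimEnd('\'))'").DeviceID
$shadows  = Get-CimInstance Win32_ShadowCopy |
            Where-Object VolumeName -eq $volumeId |
            Sort-Object InstallDate -Descending
if (-not $shadows) {
    Write-Warning "No shadow copies left for $drive. Either System Protection was off or the snapshots were deleted."
    return
}
$shadows | Format-Table ID, InstallDate, DeviceObject -AutoSize

# 2. Expose each snapshot as a folder and copy the file out. A snapshot is
#    addressed by its device path (\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN);
#    a directory symlink made with mklink is the reliable way to read it from
#    Windows PowerShell 5.1. The link is a few bytes of metadata on %TEMP%;
#    only the link is removed afterwards, the snapshot itself is untouched.
New-Item -ItemType Directory -Path $RestoreDir -Force | Out-Null
$link = Join-Path $env:TEMP 'vss_view'
foreach ($s in $shadows) {
    cmd /c mklink /d "$link" "$($s.DeviceObject)\" | Out-Null      # trailing backslash is required
    if ($LASTEXITCODE -ne 0) { throw "mklink failed; run this as an administrator" }
    try {
        $src = Join-Path $link $relative
        if (Test-Path -LiteralPath $src) {
            $stamp = $s.InstallDate.ToString('yyyyMMdd-HHmmss')
            $dest  = Join-Path $RestoreDir ("{0}_{1}" -f $stamp, (Split-Path $Path -Leaf))
            Copy-Item -LiteralPath $src -Destination $dest
            Write-Host "Recovered version from $($s.InstallDate): $dest"
        } else {
            Write-Host "Snapshot $($s.InstallDate) does not contain $relative"
        }
    } finally {
        cmd /c rmdir "$link" | Out-Null
    }
}
```

Every snapshot version is saved with its snapshot timestamp in the name, so the newest pre-infection copy is easy to pick; the version from a snapshot taken after the encryption started will itself be the encrypted file, which is why more than the latest snapshot is copied. If the script reports no shadow copies, that is the point at which the Recuva step above comes in.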

Conclusion

While a few users have reported that this technique successfully recovered their encrypted files, it may not work in all cases, and malware writers could become aware of it and block it in future versions. Be prepared for it not to work in some cases.
  • Avoid the trap of promising users that their documents can be restored with ease. Normally, without a backup, the files encrypted or destroyed by this kind of ransomware cannot be restored. (Paying the ransom should not be an option.)
I hope this has been informative for you. Good luck in restoring your files!
