
I just discovered that my files have been encrypted by ransomware.

  • Can I get my files back? How?
  • Should I pay the ransom?
  • What should I do so that this never happens again?
Anders
    This is a canonical question to use as a duplicate target. See this meta discussion: https://security.meta.stackexchange.com/questions/3349/do-we-need-a-canonical-ransomware-question – Anders Feb 14 '20 at 08:00
  • @R1W This one is set up as a canonical duplicate target. All questions about the same thing should be marked as a duplicate of this one, even if they're older or slightly more specific. – Joseph Sible-Reinstate Monica Feb 16 '20 at 00:35
    @R1W unfortunately, it's not the same question. At the time you asked it, it was off-topic since we are not a malware/ransomware removal site. We've been getting a lot more ransomware questions, so Anders went to meta to ask if we should have a generic, canonical question to point people to. Does your question suit as a canonical question? No. It is phrased with a specific scenario in mind and includes specific constraints that would not be universally applicable. And since you accepted a narrow answer, it's not appropriate as canonical. – schroeder Feb 19 '20 at 11:28

3 Answers


Can I get my files back? How?

Maybe.

If you have backups, you can restore your files from there. Just make sure to completely reinstall your operating system first, i.e. "nuke it from orbit", to remove the malware. If you don't do that, you will just get infected again.

If you don't have backups, things get trickier. Some ransomware has been beaten and its encryption can be reversed. Others have not. To find out if you are lucky, you can use a decryptor (e.g. The No More Ransom Project, Kaspersky's No Ransom). They offer a service that helps you identify what strain of ransomware you have, and let you know if there is a tool to decrypt your files.

If you are unlucky and your ransomware is not on the list, you can backup the encrypted files on an external drive (with nothing else on it, it might get infected, too) in the hope of a future cure. But there is a real risk that your files are just irreversibly gone.

Should I pay the ransom?

I wouldn't.

First of all, there is no guarantee that you will get your files back - there is no honor among thieves. Some forms of ransomware don't even bother to encrypt the files - they just replace them with random junk to make them look encrypted. Obviously, paying in a situation like that does not help.

Second, you will be financing organized crime and creating incentives to create ransomware in the first place.

What should I do so that this never happens again?

Apart from general good computer hygiene (don't download strange stuff, keep things updated, etc.) there is one killer solution to the ransomware problem: Make frequent external backups.

Anders
    Also, why are external backups a solution? Don't they get encrypted as well when you connect to the external drive? If not, why? Are there any good practices to be able to make external backups correctly, and prevent the external data from getting encrypted as well? – reed Feb 14 '20 at 13:38
    @reed https://www.theregister.co.uk/2018/03/09/less_than_half_of_ransomware_marks_get_their_files_back/ References a 2019 CyberEdge report (though I can't find an exact quote from the report). Also it is assumed in Anders' answer that external backups are pre-infection and so are "clean" to be recovered once the system is restored. On a personal note, when I was a victim of such an attack, booting Windows in Safe Mode and rolling back a month or so fixed the issue - presumably because it was "fake" ransomware where the computer was locked up but the underlying file system was intact. – James Feb 14 '20 at 16:24
    @reed That's the importance of offline backups. I also see a common misconception that copying folders, naive `rsync`, etc. counts as a backup; it doesn't. If you make a mistake (change the contents of a file, delete a file, have your files encrypted, etc.), such processes will indiscriminately overwrite your backups with the new (bad) files. – Alexander Feb 14 '20 at 17:28
    @reed A good backup solution will retain old versions for a period of time, so even if a backup ran after encryption you can still restore from the last good one. For example, [Heroku PGBackups](https://devcenter.heroku.com/articles/heroku-postgres-backups). Really good ones will only store the differences to save space. [MacOS's Time Machine](https://en.wikipedia.org/wiki/Time_Machine_(macOS)), for example. – Schwern Feb 15 '20 at 02:28
  • Agree with @reed here, only the second argument you provide for not paying is legitimate. If that is not persuasive then you almost certainly should pay. If you care enough to ask here, then the data is almost certainly worth much, much more to you than the ransom. The risk of losing a few hundred dollars in ransom given the high percentage of successful ransoms would make this a no-brainer. – President James K. Polk Feb 15 '20 at 17:40
  • @Schwern, what I was saying is that if you don't realize that you are infected (or if the cryptolocker tries to stay silent at the beginning), as soon as you connect an external drive (or anything where you can write data to), the malware might encrypt all the backups as well. I don't know if cryptolockers are "smart" enough to encrypt data as silently as possible, but if they are then they might end up corrupting all your backups (including past ones) and you won't notice it until it's too late. – reed Feb 17 '20 at 11:19
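
The advice in this answer ("make frequent external backups") and the comment thread under it (reed's worry that a backup run made while the malware is active overwrites the good copies, Alexander's point that a naive copy or `rsync` is not a backup, Schwern's point that retention of old versions is what saves you) can be shown in working code. The script below is an added example, not code from the answer or from any of the commenters. It keeps numbered snapshots in which unchanged files are hard-linked to the previous snapshot (the `rsync --link-dest` idea), never rewrites an existing snapshot, and refuses to run at all if a canary file in the source tree no longer has its known content, which is what in-place encryption does to it. The canary file name, its content and the `snap-` naming are assumptions of the example; it also assumes the destination is storage the infected machine cannot write to at will (a drive that is plugged in only for the backup run, or a separate host), since the code only shows the versioning and refusal logic, not the transport.

```python
"""Versioned snapshot backups with a ransomware canary (added example).

Assumptions: the canary name/content below are made up for this demo, and the
destination is offline/immutable from the workstation's point of view.
"""
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CANARY_NAME = ".backup-canary"                    # hypothetical name
CANARY_CONTENT = b"backup canary v1, do not edit\n"


class CanaryTripped(RuntimeError):
    """The canary changed: the source tree is probably being encrypted."""


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def plant_canary(src: Path) -> Path:
    """Run once before the first backup."""
    canary = src / CANARY_NAME
    canary.write_bytes(CANARY_CONTENT)
    return canary


def list_snapshots(dest_root: Path):
    """Snapshots oldest to newest; names carry a zero-padded sequence number."""
    if not dest_root.is_dir():
        return []
    return sorted(p for p in dest_root.iterdir()
                  if p.is_dir() and p.name.startswith("snap-"))


def snapshot_backup(src: Path, dest_root: Path, keep: int = 7) -> Path:
    """Write a new snapshot. Unchanged files are hard-linked to the previous
    snapshot, changed files are copied, existing snapshots are never rewritten.
    Only snapshots older than the newest `keep` are pruned, so a run made after
    an infection cannot destroy the last good copy."""
    if keep < 1:
        raise ValueError("keep must be >= 1")
    canary = src / CANARY_NAME
    if not canary.is_file() or canary.read_bytes() != CANARY_CONTENT:
        raise CanaryTripped(f"{canary} missing or modified; refusing to back up")

    older = list_snapshots(dest_root)
    prev = older[-1] if older else None
    seq = 1 + (int(prev.name.split("-")[1]) if prev else 0)
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    new = dest_root / f"snap-{seq:06d}-{stamp}"
    new.mkdir(parents=True)

    for path in sorted(p for p in src.rglob("*") if p.is_file()):
        rel = path.relative_to(src)
        target = new / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        old = prev / rel if prev else None
        if old is not None and old.is_file() and sha256_file(old) == sha256_file(path):
            os.link(old, target)          # unchanged: share the previous copy
        else:
            shutil.copy2(path, target)    # new or changed: fresh copy
    for stale in list_snapshots(dest_root)[:-keep]:
        shutil.rmtree(stale)
    return new


def restore(snapshot: Path, target: Path) -> int:
    """Copy a snapshot onto a freshly reinstalled machine; returns file count.
    Copies rather than links, so the snapshot stays read-only history."""
    count = 0
    for path in snapshot.rglob("*"):
        if path.is_file():
            out = target / path.relative_to(snapshot)
            out.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(path, out)
            count += 1
    return count


def demo() -> dict:
    """Constructed scenario: two good runs, then an in-place 'encryption'."""
    tmp = Path(tempfile.mkdtemp())
    src, dest = tmp / "documents", tmp / "backups"
    (src / "sub").mkdir(parents=True)
    (src / "report.txt").write_text("quarterly numbers v1")
    (src / "sub" / "notes.txt").write_text("meeting notes")
    plant_canary(src)
    s1 = snapshot_backup(src, dest, keep=3)
    (src / "report.txt").write_text("quarterly numbers v2")
    s2 = snapshot_backup(src, dest, keep=3)
    # simulated ransomware: every file, canary included, overwritten in place
    for p in src.rglob("*"):
        if p.is_file():
            p.write_bytes(b"\x00" + hashlib.sha256(p.name.encode()).digest())
    refused = False
    try:
        snapshot_backup(src, dest, keep=3)
    except CanaryTripped:
        refused = True
    restored = restore(s2, tmp / "restored")
    return {
        "s1_report": (s1 / "report.txt").read_text(),
        "s2_report": (s2 / "report.txt").read_text(),
        "notes_shared_inode": os.stat(s1 / "sub" / "notes.txt").st_ino
        == os.stat(s2 / "sub" / "notes.txt").st_ino,
        "refused": refused,
        "snapshots_after_attack": len(list_snapshots(dest)),
        "restored_files": restored,
        "restored_report": (tmp / "restored" / "report.txt").read_text(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two caveats a practitioner would keep in mind. The canary is a heuristic: a strain that skips hidden files or only touches certain extensions will not trip it, so the real control is the combination of retention and a destination the malware cannot reach, and the canary only saves you from wasting a run. And because unchanged files are hard links shared between snapshots, nobody may ever edit a file inside a snapshot in place; restore by copying, as `restore()` does, or the "old" version silently changes too.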

Should I pay the ransom?

The inclination here is to post an emphatic HELL NO, tell them where they can stick their malware, and bid them a good day. No payouts for you, Mr. Ne'er-do-well! The company I work for was hit by the original CryptoLocker (circa 2013) and we were able to do just that thanks to a simple but effective use of Windows Backup.

Odds are, if you're here, you don't have one. Or you thought you did, but... well, stuff happened. I disagree with Anders' answer on this point:

First of all, you probably won't get your files back

Now this can be true (there's always the one-off morons doing this just because they can), but most people doing this stuff want money. If there were a widespread reputation that people didn't get their files back far fewer people would pay up. There is, at least, a decent chance you can get your files back, but like any media failure, you have to ask yourself this question:

Can I afford to lose the files?

If so, don't pay up. Take your painful lesson, back up in the future and move on. Problem solved.

For a decent chunk of the people out there, the answer is probably NO. Like, maybe you work for a city/state/federal government agency and all your digitized records are at stake.

I'd love to tell you there's a magic service that can unencrypt your files, but, alas, even those who sell such services often pay up:

Storfer said he’s been told by the FBI that Proven Data’s staff used to rely on “canned responses” that gave clients two options for data recovery. The first was paying the ransom. The second option was to unlock the files using Proven Data’s technology. Unbeknownst to clients, Storfer said, the second option didn’t exist. If they chose it, Proven Data paid the ransom anyway.

The ransom may be your only way if the files must be restored

The prospects are grim otherwise

[O]rganizations have limited options when it comes to fighting back. The most obvious route, if backups are available for affected systems, is to simply restore the affected files. But with embedded computing devices and some other systems, backups may not be an option. Organizations could also use security gateways to try to block Tor traffic to prevent some crypto-malware from obtaining encryption keys, but Schowenberg notes that Tor-blocking "is not a solution to all ransomware problems"—and it might become less of a solution as attackers choose less-detectable communications methods. In some cases, companies have been able to mount an active defense with the help of law enforcement or security researchers.

But this can be a slow and expensive process, one that is problematic when time-sensitive data is involved. So, for companies and organizations without the wherewithal to reboot and restore their systems, paying up may be the least of the possible evils—especially if they can just sweep it under the rug afterward.

Paying up can work

Three Alabama hospitals have paid a ransomware demand to the criminals who waged a crippling malware attack that's forcing the hospitals to turn away all but the most critical patients, the Tuscaloosa News reported.

But wait! That's supporting crime!

Yes, it is. And it really REALLY stinks. Those are your options. You either have a backup, you walk away from the data, or you pay up and cross your fingers. The reason I even suggest it at all is that the criminals have an incentive to ensure your files are returned. Just remember that Anders was 100% correct when he also said this:

there is no honor among thieves

Good luck. You're going to need it. And if you've never been hit, you'd best check your backups are working and restorable.

Machavity
    The biggest problem I see with paying is that you can't really trust any of those files. They could include exploits or payloads that make you vulnerable to the same attack in the future. – pcalkins Feb 14 '20 at 23:08
    @pcalkins I know it. I just don't want people to think it's not an option either (some chance is better than none). If you're stuck, it might literally be your only option. – Machavity Feb 14 '20 at 23:14
  • If you're going to pay to unencrypt, going forward I would segregate all future backups. Don't keep old decrypted data with new. You simply can't trust the machine that holds that data... so you'd need to quarantine that machine and its data and any backups of it forever. – pcalkins Feb 15 '20 at 00:43

Most of the ransomware attacks directed at US computers originate from countries which used to make up the USSR, to include Russia. I personally got hit with one of these about 3 years ago. It locked all my files, and booted a WordPad note saying I'd been hacked, and auto-took me to several websites saying I'd been hacked and demanding ransom. They wanted several hundred dollars in bitcoin and had a handy "type questions here regarding bitcoin accounts" where someone would actually get on and chat to talk you through getting and sending bitcoin. Knowing that these hackers generally avoid Russian-based computers (because Russia doesn't care if you hack someone else, just don't do crime there) I decided on a desperate gambit. Instead of asking a bitcoin question I sent, "Your attack is interfering with the ongoing operations of the Russian Federal Security Service. You have 48 hours to return access to this machine or actions will be taken against you." Lo and behold, the next day my computer was unlocked! Mind you it wasn't a clean "erasure" of the virus, as whenever I start my computer I still get a popup of the notepad doc saying I've been hacked. Can't figure out how to ditch it. But haven't had another problem apart from that and all my files were unlocked.

So say you don't have a chatbox/don't want to try it. Will paying get your stuff back? Yes. Should you? Depends. You're very likely to get your computer unlocked if you do, but how do you feel morally about being extorted by sleazebags? Every success just makes them more likely to keep on trying.

Eriol
    This is a cute anecdote, but it doesn't answer the question. – Feb 14 '20 at 20:17
    Wait, are you saying you're still using the same computer with the same pop-up instead of reloading everything? Seems very dangerous... – Kat Feb 14 '20 at 21:25
    did ransomware author write this answer – aaaaa says reinstate Monica Feb 14 '20 at 21:34
  • Technically, it is a valid answer: "I wrote them to say that I was Russian police, and it worked". It's highly doubtful that it's true and it is highly situational and highly dependent on a number of factors, but, as far as a Q&A site goes, it hits all the requirements. – schroeder Feb 15 '20 at 17:46
    "Will paying get your your stuff back? Yes." **NO!** There's no certainty, ever. The only honest answer is "Maybe, and there's no way to find it out without actually paying". – Fabio says Reinstate Monica Feb 25 '20 at 10:31