Ransomware Recovery Question

If computer files become encrypted due to a ransomware attack, couldn’t a person just wipe the hard drive clean and reinstall the operating system? Does ransomware encryption prevent access to wipe the hard drive? Of course you would lose data, but it would be compromised anyway if the hijackers get it.

I would rather pay a computer guy to do that than pay a hijacker.

Sure, you could wipe & re-install. I’m no computer genius, or any other kind, FTM, but you can wipe & re-install.
BTW – you are also right about not paying the cyber-crook.
Who can say if he’d actually remove the 'ware, or just use your info to rip you off for even more dough?

Sure, but this isn’t the point. The point is the “of course you would lose data”. Ransomware isn’t targeting your computer. It is targeting your data. It is targeting people who don’t have adequate backups, and are about to lose all their data. Which can mean anything from all their archived email, documents and pictures, right through to losing their entire business data. The ransom is carefully chosen: faced with losing their entire photo collection, many people will pay the few hundred dollars.

The ransomware is insidious - it doesn’t simply encrypt your data overnight. It does so over time, and inserts an active decrypt in the way of accessing the data, to allow continued operation of your system - so that you don’t notice that the actual files are encrypted. This means that your backups can end up filled with encrypted files before you know about the problem. So even reasonable backup practices may not be enough to protect you.

ETA - the ransomware extortionists are remarkably smart. They even have a helpdesk. They view this as a business. Once you pay them, they apparently actually actively help to ensure you get your data back. Which is good business practice. It isn’t a small time operation.

Interesting… never thought of it as a slow moving process. I thought it was an “instant encryption” sort of thing. Clever, I must admit. Can anti-virus or anti-malware programs find and stop the encryption process?

Reading the above, I wonder if a “grey hat” hacker might not one day release a small amount of this virus and screw over the victims, in order to spread the reputation that paying is futile…

Which is why any automatic backup system has to have versioning – the ability to specify a particular version of a file to restore. This lets you restore the good files and not the encrypted ones.
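Here is what that versioning looks like in practice, as an added illustration (my own code, not from anyone in this thread and not any particular backup product). It is a minimal content-addressed backup store: every run records which hash each file had, so a later run that captured ransomware-encrypted copies cannot overwrite the earlier good copy, and a restore can ask for "the newest version of this file that still looks like a PDF". The file names, the `%PDF` header check and the simulated encryption are constructed for the demo.

```python
"""Minimal versioned backup store (added example, not the thread's or any product's code).

Each backup run copies every source file into a content-addressed object store and
records a manifest {relative path: sha256} for that run. Restoring by run number
returns the bytes the file had at that run, so a run whose copies are already
encrypted does not clobber the earlier good copy.
"""
import hashlib
import tempfile
from pathlib import Path


class VersionedBackup:
    def __init__(self, store_dir):
        self.store = Path(store_dir)
        (self.store / "objects").mkdir(parents=True, exist_ok=True)
        self.manifests = []  # index = run number, value = {rel_path: digest}

    def backup(self, source_dir):
        """Snapshot every file under source_dir; return the run number."""
        source = Path(source_dir)
        manifest = {}
        for path in sorted(p for p in source.rglob("*") if p.is_file()):
            data = path.read_bytes()
            digest = hashlib.sha256(data).hexdigest()
            obj = self.store / "objects" / digest
            if not obj.exists():  # unchanged files are deduplicated, not re-copied
                obj.write_bytes(data)
            manifest[str(path.relative_to(source))] = digest
        self.manifests.append(manifest)
        return len(self.manifests) - 1

    def versions(self, rel_path):
        """(run, digest) pairs for every run in which rel_path was present."""
        return [(i, m[rel_path]) for i, m in enumerate(self.manifests) if rel_path in m]

    def restore(self, rel_path, run):
        """Bytes of rel_path as captured in the given run."""
        digest = self.manifests[run][rel_path]
        return (self.store / "objects" / digest).read_bytes()

    def last_clean_run(self, rel_path, is_clean):
        """Newest run whose copy of rel_path passes is_clean(bytes), or None."""
        for run, _ in reversed(self.versions(rel_path)):
            if is_clean(self.restore(rel_path, run)):
                return run
        return None


def demo():
    """Constructed scenario: one good backup, then a backup taken after encryption."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "docs"
        src.mkdir()
        (src / "taxes.pdf").write_bytes(b"%PDF-1.4 constructed sample tax return")
        vb = VersionedBackup(Path(tmp) / "store")
        good_run = vb.backup(src)

        # Simulate ransomware overwriting the file in place with ciphertext
        # (deterministic junk bytes stand in for real ciphertext).
        (src / "taxes.pdf").write_bytes(bytes(range(200, 240)))
        bad_run = vb.backup(src)  # this run faithfully backs up the encrypted copy

        def looks_like_pdf(b):
            return b.startswith(b"%PDF")

        clean = vb.last_clean_run("taxes.pdf", looks_like_pdf)
        return {
            "good_run": good_run,
            "bad_run": bad_run,
            "clean_run": clean,
            "restored": vb.restore("taxes.pdf", clean),
            "latest_is_clean": looks_like_pdf(vb.restore("taxes.pdf", bad_run)),
        }


if __name__ == "__main__":
    print(demo())
```

The point the poster makes is visible in `demo()`: the second backup run is not "wrong", it dutifully captures the encrypted file, and only the fact that run 0 is still retrievable saves the data. A backup scheme that keeps a single mirrored copy has no run 0 to fall back on.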

Oh, sure, I could just wipe the hard drive and reinstall the operating system, but that’s not going to bring back my 70 GB of music, or decades of family photos, or my bank statements/tax returns, or all of that other irreplaceable data I have.

I don’t give a crap about the operating system. I give a crap about my data, and it’s my data ransomware is after.

But even this won’t help you if the ransomware encrypts your entire backup drive. Only an off-line backup done before the infection can save you.

Even with backups you can’t guard against the encryption getting to a new file before the next backup cycle. Or worse, the malware inserting itself into the file-system code itself, and only letting the system write encrypted files to disk.

But multiple, versioned, offline, backups are not just for big companies.

I have 2 external hard drives that I back up everything on. They are not connected to any computer except during the backup process. I do this about twice a month or so. I have no business concerns, just pictures, music, text or PDF docs. So I really have nothing on my computer that I cannot live without.

The reason for my initial question is that while I was on a website I had not previously been on, I suddenly got flashing banners, with bells and whistles going off, saying a virus has been installed and to call a certain number for instructions as to how to get rid of it. I just shut down the computer, rebooted and, so far, everything seems fine. I did a virus/malware scan and no issues were detected.

You simply got hit by the popup equivalent of a scam phone call: “Hi, we are from Windows support and you have a virus”.

Best answer is to always browse with the standard set of addons - typically no-script, ad-block, ghostery. No-script is an absolute necessity. If your browser won’t support it, switch.

I don’t believe that current anti-malware technology adequately protects against ransomware. If you get it, your only real option is to wipe and restore. As multiple people on the thread have mentioned, you need to have multiple versions of backup going and, ideally, versions of truly critical data that are stored offsite (cloud-based, for example).

There is normally an element of “social engineering” to ransomware attacks - the phone call from Microsoft, the pop-up window from a known (or unknown) security vendor that says you’ve got a virus and you must act now. My mother-in-law fell for it. Obviously a lot of people do. Being educated offers more protection with this type of situation than a software solution can currently provide. Backup and restore is a remediation for after the fact.

I saw a business once which got hit by ransomware (one of many). The one workstation had its local files encrypted, then it was working its way through the shared drive. It got to folders starting with “C” when it was stopped. (Presumably, the workstation downloaded an updated version of the antivirus signatures?) The program hits once and hard, because once detected, it is removed as the first step. However, rewriting several gig of photos and documents can take an appreciable time. (How long do your backups take?)

Most such programs are not that clever. They exploit a known hole to get onto the system, they enumerate and encrypt any writeable shares they find on the network.

They typically target “data”: office files, PDF, JPG, TXT, etc. – stuff you need and would pay to recover. Hiding themselves deep in the OS is a waste of time because (a) that’s a different level of tech and expertise, (b) most enterprises (and some homes) will wipe if they get a serious virus, and (c) encrypting OS files could cause the system to crash if not done right. Similarly, there are too many backup programs out there. Yes, they could add some standard backup files (e.g. *.bkp) to the list. But to infiltrate even the top 3 backup programs? And there are too many versions out there… Again, not worth the effort.
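Since the poster above and the earlier remark about backups filling up with encrypted files both come down to "data files that no longer look like data files", here is an added example of a simple check a defender can run over a share or a backup staging folder before trusting it. It is my own illustration, not anyone's product and not from this thread; the magic-byte table is a small constructed subset (real formats have more header variants), the 7.5 bits-per-byte entropy threshold is an assumed cut-off, and the sample files are constructed in `demo()`.

```python
"""Added example (not the thread's code): flag data files whose contents no longer
match what their extension says, which is what a mass-encryption event leaves behind.
Two signals: a known file type whose header bytes are gone, and a plain-text type
whose byte entropy is as high as ciphertext.
"""
import math
from collections import Counter
from pathlib import Path

# Constructed header table for a few of the "data" types mentioned in the thread.
MAGIC = {
    ".pdf": [b"%PDF"],
    ".jpg": [b"\xff\xd8\xff"],
    ".png": [b"\x89PNG"],
    ".docx": [b"PK\x03\x04"],  # OOXML documents are zip containers
    ".zip": [b"PK\x03\x04"],
}
TEXT_TYPES = {".txt", ".csv", ".log"}
ENTROPY_THRESHOLD = 7.5  # bits per byte (assumed); ciphertext approaches 8.0, prose is ~4-5


def shannon_entropy(data):
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def assess(name, data, min_bytes=256):
    """Return a reason string if the file looks encrypted or mismatched, else None."""
    ext = Path(name).suffix.lower()
    if ext in MAGIC and not any(data.startswith(m) for m in MAGIC[ext]):
        return "header does not match extension"
    # Entropy is only meaningful on a reasonable sample, so skip tiny text files.
    if ext in TEXT_TYPES and len(data) >= min_bytes and shannon_entropy(data) > ENTROPY_THRESHOLD:
        return "text file with ciphertext-like entropy"
    return None


def scan(files):
    """files: {relative name: bytes}. Returns {name: reason} for suspicious files."""
    results = {}
    for name, data in files.items():
        reason = assess(name, data)
        if reason:
            results[name] = reason
    return results


def demo():
    """Constructed folder: three healthy files and two overwritten in place."""
    ciphertext = bytes(range(256)) * 4  # exactly 8.0 bits/byte, stands in for ciphertext
    files = {
        "photos/holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 300,
        "docs/taxes.pdf": b"%PDF-1.4\n" + b"sample content " * 20,
        "docs/notes.txt": b"the quick brown fox jumps over the lazy dog. " * 10,
        "docs/invoice.pdf": ciphertext,  # header gone: flagged
        "docs/readme.txt": ciphertext,   # no header to check, but entropy gives it away
    }
    return scan(files)


if __name__ == "__main__":
    for name, reason in demo().items():
        print(f"{name}: {reason}")
```

Running `scan()` over a backup staging area before each run, and refusing to rotate out the older version when the count of flagged files jumps, is one cheap way to avoid the situation described earlier in the thread where the backups themselves end up full of encrypted copies.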

I had this exact same thing happen to me a few weeks ago. I absolutely freaked out. Because I was on a company computer but was not going through the company network, which meant that some of the protections I would have ordinarily had were not in place - specifically the company network would have blocked that site (a music file-sharing site). And one thing I do not want to be doing is explaining to the company’s tech people that I let their computer get taken over by ransomware because I was using it for personal use without their protections.

But I was afraid to shut the computer off, because I was afraid that it wouldn’t let me log back on without paying or something. What I did was I relogged onto the company network, made sure I had downloaded the most recent version of their approved anti-virus software, and then ran it repeatedly on the entire C: drive. So far so good.

They’re crooks, but ethical crooks, at least. And they know if word gets out that they don’t release files after people pay the ransom, soon nobody’s going to pay them. So they have helpdesk staff, and some will even release a couple of files as a show of good faith when you call them.

So, pick your pain… Pay up and probably get your files back, or nuke and pave the computer and hope your backups are good.

Or get a Tech.

I had ransomware, & a local tech was able to free up my computer & 99% of my data.

Don’t give crooks a nickel.

If you do a wipe and reinstall, be sure you also wipe the boot sector. Viruses can be saved in the special area of the hard drive used for the initial boot. If you don’t also wipe that, the virus can reinfect your reinstalled computer the next time it starts up.

If you don’t understand what is meant by the boot sector or how to figure out how to wipe it, it’s probably worth paying someone to do the wipe to make sure it’s done correctly. Or just get a new hard drive.

You got lucky - there have been some versions that only make it look like your files are trashed, or are relatively child’s play to circumvent, such as early versions of CryptoLocker, where universal keys are available on the web, but most of the versions in play now aren’t messing around and encrypt with uniquely-keyed AES, RSA, or similar high-grade methods.

Disks are so cheap now, I’d just trash the drive and replace it. My employer trashes drives as a matter of standard procedure if a server or workstation is compromised as it’s cheap insurance that there are absolutely no “leftovers” of an infection.

Amusingly enough, if you’re able to read it, changing your keyboard layout in Windows to Russian will prevent a lot of ransomware from activating. It’s hypothesized that most of the ransomware operators are in Russia, so they avoid domestic criminal charges by not bothering fellow citizens. For the most part, no countries have extradition treaties with Russia, so attacking people in other countries is fair game.

I partition my drive to C: and D:. The OS goes to the C: drive and my sensitive data on D:.

The C: drive is 1/4 to 1/3 of the capacity of the whole drive. More than enough to hold the OS and installed programs. I use the D: drive for data and archives.

Once you have the drive ready make a back up copy of the C: drive and you’re done. Hackers usually don’t see your D: drive.

When your system gets hijacked the reset button is your best friend, push it or hard power off instead.

Unplug the modem once in a while to clear the cache and unplug your computer data cable off the modem overnight.

Happened to me the other day too. I had that “oh fuck, it’s finally happened to me” moment. A restart fixed it and compelled me to update and run all my bad-thing checkers.

Does backing things up to the cloud help?