If computer files become encrypted due to a ransomware attack, couldn’t a person just wipe the hard drive clean and reinstall the operating system? Does ransomware encryption prevent access to wipe the hard drive? Of course you would lose data but it would be compromised anyway if the hijackers get it.
I would rather pay a computer guy to do that than pay a hijacker.
Sure, you could wipe & re-install. I’m no computer genius, or any other kind, FTM, but you can wipe & re-install.
BTW–you are also right about not paying the cyber-crook.
Who can say if he’d actually remove the 'ware, or just use your info to rip you off for even more dough?
Sure, but this isn’t the point. The point is the “of course you would lose data”. Ransomware isn’t targeting your computer. It is targeting your data. It is targeting people who don’t have adequate backups, and are about to lose all their data. Which can mean anything from all their archived email, documents and pictures, right through to losing their entire business data. The ransom is carefully chosen: faced with losing their entire photo collection, many people will pay the few hundred dollars.
The ransomware is insidious - it doesn’t simply encrypt your data overnight. It does so over time, and inserts an active decrypt in the way of accessing the data, to allow continued operation of your system - so that you don’t notice that the actual files are encrypted. This means that your backups can end up filled with encrypted files before you know about the problem. So even reasonable backup practices may not be enough to protect you.
ETA - the ransomware extortionists are remarkably smart. They even have a helpdesk. They view this as a business. Once you pay them, they apparently actually actively help to ensure you get your data back. Which is good business practice. It isn’t a small time operation.
Interesting… never thought of it as a slow moving process. I thought it was an “instant encryption” sort of thing. Clever, I must admit. Can anti-virus or anti-malware programs find and stop the encryption process?
Oh, sure I could just wipe the hard drive and reinstall the operating system, but that’s not going to bring back my 70 GB of music, or decades of family photos, or my bank statements/tax returns, or all of that other irreplaceable data I have.
I don’t give a crap about the operating system. I give a crap about my data, and it’s my data ransomware is after.
Even with backups you can’t guard against the encryption getting to a new file before the next backup cycle. Or worse, the malware inserting itself into the file-system code itself, and only letting the system write encrypted files to disk.
But multiple, versioned, offline, backups are not just for big companies.
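The two posts above raise the same worry: encrypted files can quietly replace real ones in a backup set before anyone notices. One cheap check a backup script can run is to compare each file's byte entropy against the previous snapshot, since encrypted output looks like random data while documents and photos do not. This is an added example, not code from anyone in the thread; the snapshots, thresholds and file contents are constructed for illustration.

```python
import math
import hashlib
from collections import Counter

ENTROPY_THRESHOLD = 7.2   # bits/byte; encrypted or compressed data sits near 8.0
MIN_JUMP = 2.0            # how much entropy must rise between snapshots to flag

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def flag_encrypted_changes(previous: dict, current: dict) -> list:
    """Compare two backup snapshots (path -> file bytes) and return the paths whose
    content went from low entropy to near-random between the two runs.
    New, deleted and unchanged files are not reported; a legitimately edited
    document keeps roughly the same entropy and is not reported either."""
    flagged = []
    for path, new_bytes in current.items():
        old_bytes = previous.get(path)
        if old_bytes is None or old_bytes == new_bytes:
            continue
        old_e, new_e = shannon_entropy(old_bytes), shannon_entropy(new_bytes)
        if new_e >= ENTROPY_THRESHOLD and new_e - old_e >= MIN_JUMP:
            flagged.append(path)
    return sorted(flagged)

def _pseudo_ciphertext(seed: bytes, length: int) -> bytes:
    """Constructed stand-in for an encrypted file: a deterministic SHA-256 chain."""
    out, block = b"", seed
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:length]

# Constructed sample snapshots: in the second run one document has been silently
# replaced by ciphertext, one was legitimately edited, and one is unchanged.
LETTER = b"Dear Aunt May, the photos from the lake are attached. " * 40
SNAPSHOT_1 = {
    "docs/letter.txt": LETTER,
    "docs/notes.txt": b"Buy milk. Call the plumber. " * 50,
    "photos/lake.jpg": b"\xff\xd8\xff\xe0" + b"\x00\x10JFIF" * 200,
}
SNAPSHOT_2 = dict(SNAPSHOT_1)
SNAPSHOT_2["docs/letter.txt"] = _pseudo_ciphertext(b"constructed", len(LETTER))
SNAPSHOT_2["docs/notes.txt"] = SNAPSHOT_1["docs/notes.txt"] + b"Fix the gutter. "

if __name__ == "__main__":
    print(flag_encrypted_changes(SNAPSHOT_1, SNAPSHOT_2))  # ['docs/letter.txt']
```

A real backup job would feed it the file contents (or a sampled prefix of large files) from the last two runs and refuse to rotate out the older copy when anything is flagged.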
I have 2 external hard drives that I back up everything on. They are not connected to any computer except during the backup process. I do this about twice a month or so. I have no business concerns, just pictures, music, text or PDF docs. So I really have nothing on my computer that I cannot live without.
The reason for my initial question is that while I was on a website I had not previously been on, I suddenly got flashing banners, with bells and whistles going off, saying a virus had been installed and to call a certain number for instructions as to how to get rid of it. I just shut down the computer, rebooted and, so far, everything seems fine. I did a virus/malware scan and no issues were detected.
I don’t believe that current anti-malware technology adequately protects against ransomware. If you get it, your only real option is to wipe and restore. As multiple people on the thread have mentioned, you need to have multiple versions of backup going and, ideally, versions of truly critical data that are stored offsite (cloud-based, for example).
There is normally an element of “social engineering” to ransomware attacks - the phone call from Microsoft, the pop-up window from a known (or unknown) security vendor that says you’ve got a virus and you must act now. My mother-in-law fell for it. Obviously a lot of people do. Being educated offers more protection with this type of situation than a software solution can currently provide. Backup and restore is a remediation for after the fact.
I saw a business once which got hit by ransomware (one of many). The one workstation had its local files encrypted, then it was working its way through the shared drive. It got to folders starting with “C” when it was stopped. (Presumably, the workstation downloaded an updated version of the antivirus signatures?) The program hits once and hard, because once detected, it is removed as the first step. However, rewriting several gig of photos and documents can take an appreciable time. (How long do your backups take?)
Most such programs are not that clever. They exploit a known hole to get onto the system, they enumerate and encrypt any writeable shares they find on the network.
I had this exact same thing happen to me a few weeks ago. I absolutely freaked out. Because I was on a company computer but was not going through the company network, which meant that some of the protections I would have ordinarily had were not in place - specifically the company network would have blocked that site (a music file-sharing site). And one thing I do not want to be doing is explaining to the company’s tech people that I let their computer get taken over by ransomware because I was using it for personal use without their protections.
But I was afraid to shut the computer off, because I was afraid that it wouldn’t let me log back on without paying or something. What I did was I relogged onto the company network, made sure I had downloaded the most recent version of their approved anti-virus software, and then ran it repeatedly on the entire C: drive. So far so good.
They’re crooks, but ethical crooks, at least. And they know if word gets out that they don’t release files after people pay the ransom, soon nobody’s going to pay them. So they have helpdesk staff, and some will even release a couple of files as a show of good faith when you call them.
So, pick your pain… Pay up and probably get your files back, or nuke and pave the computer and hope your backups are good.
If you do a wipe and reinstall, be sure you also wipe the boot sector. Viruses can be saved in the special area of the hard drive used for the initial boot. If you don’t also wipe that, the virus can reinfect your reinstalled computer the next time it starts up.
If you don’t understand what is meant by the boot sector or how to figure out how to wipe it, it’s probably worth paying someone to do the wipe to make sure it’s done correctly. Or just get a new hard drive.
You got lucky - there have been some versions that only make it look like your files are trashed, or are relatively child’s play to circumvent, such as early versions of Cryptolocker, where universal keys are available on the web, but most of the versions in play now aren’t messing around and encrypt with uniquely-keyed AES, RSA, or similar high-grade methods.
Disks are so cheap now, I’d just trash the drive and replace it. My employer trashes drives as a matter of standard procedure if a server or workstation is compromised as it’s cheap insurance that there are absolutely no “leftovers” of an infection.
Amusingly enough, if you’re able to read it, changing your keyboard layout in Windows to Russian will prevent a lot of ransomware from activating. It’s hypothesized that most of the ransomware operators are in Russia, so they avoid domestic criminal charges by not bothering fellow citizens. For the most part, no countries have extradition treaties with Russia, so attacking people in other countries is fair game.