How to recover your system from a Ransomware attack

CSO Online | Jan 9, 2017

After infecting a system with Locky Ransomware, CSO attempted to recover it using basic tools and backups

Similar
Steve Ragan: Hey, how you doing? My name's Steve Ragan with CSO Online. Yesterday, I infected this computer with ransomware. Today, I'm going to try and fix it, and I'm going to show you how.
The first thing I'm going to do here is reboot Windows 10 into Safe mode. It's not as simple as rebooting your computer and pressing F8, there's actually things you have to do.
You can see my screen. What I'm going to do is come down here to the Start button, and I'm going to press Power. Before I hit Restart, I'm going to hold the Shift key.
Now there are times while the system's rebooting that you're not going to be able to see my screen from the live feed, so we've got a camera over my shoulder, as you can probably tell, and we're going to record this.
After I reboot the computer into Safe mode, once I set the options, you're no longer going to see the live feed. I'm going to describe to you what I'm doing and what I'm seeing. That way, you'll still have a basis of what's going on.
I'm going to hold down the Shift button, and I'm going to click Restart. Now that the computer's back up, you'll see that you have three options to pick from. The first thing I'm going to do is click Troubleshoot.
Now once that screen comes up, you're going to click Advanced Options and then Startup settings.
From this point on, you're probably not going to see the live stream, but once you're in the Startup settings, you're going to see a list of things it could do for you, and a little button that says Restart. Just click Restart.
This will put your computer into a selective boot mode. What's going to happen is once it boots out of BIOS and comes right back into the operating system, you're going to be shown a list of things.
This list requires your function keys, F1, F2, etc. The one you want to press for Safe mode is F4. Once that Startup settings screen comes up, press F4 on your keyboard, and it's going to boot your computer into Safe mode.
Safe mode is a very basic loading of Windows, only the bare minimums put up. The reason we're booting into Safe mode is because I'm going to try to install some antivirus, scan my computer, and see if I can't remove Locky that way.
Now that's not going to decrypt my files, I'm still going to need backups for that. It makes no sense for me to load backups onto my computer, or load files on my computer if Locky's still there because it's just going to encrypt them. I'm not going to be able to get those back.
We've rebooted into Safe mode. If it looks weird to you, don't worry about it. Once Safe mode is loaded, you need to install some anti malware. What I've done is downloaded and installed Malwarebytes Anti malware and HitManPro, both are free.
I've also updated both software versions. Now I'm going to run scans on the system with them. Now my hope is that by doing so, I'm able to find and remove Locky. There's no guarantee, but we're going to try it anyway.
The passive scan with Malwarebytes detected Locky and it went to remove it, it required a reboot. The reboot took me back into my normal desktop, so I went through the whole process again of booting back into Safe mode.
Now that all that's done, what I have in front of me is Malwarebytes open again, and I'm in Safe mode.
I'm going to come over here to Scan, and I'm going to select the Custom scan. I'm going to configure that to scan all of drive C and all of drive E. If you remember, drive E is my attached storage that got encrypted by Locky.
The reason I'm doing that is to make sure that if there is anything hanging about, it's going to be found.
On the left side of the screen here for Malwarebytes, check the box that says Rootkits, and then hit Scan. This scan will take some time, so just relax and let it run. Then once it's done, we'll move on.
After about 46 minutes, Malwarebytes is done, it hasn't found anything. The next step is to install HitManPro, update that, and then run it as a scan. Now remember, Malwarebytes already found Locky, which is a good thing.
Now we're going to let HitManPro run because let's just see if there's anything else we need to take care of.
I ran HitMan, it took a few minutes for that to run. It found some cookies and other stuff, but nothing major. We've rebooted out of Safe mode, we're back at our regular desktop.
We've got this hideous looking background here, which if you right click, select Personalize as you can see on the screen on the streaming to your right there you just pick all that from right there.
What I'm going to do now is restore my computer to a previous state. I'm going to right click and go to System, and it's going to bring this up. I'm going to click on System Protection, and you see System Restore.
Lo and behold, right here, I have an automatic restore point from before this computer was infected.
It's going to warn you, once started, you can't stop, and that's fine. I'm just going to say, yes, and it's going to prepare to restore the system. This will take some time, so we're going to let this run, and I will be right back.
We started the System Restore. Just like on a cooking show, how they put it into the oven and suddenly the finished product's waiting for you, well, the finished product is waiting for you.
Yesterday, while we were infecting one laptop with ransomware, we actually infected two laptops with ransomware. Why break one machine when you can break multiples?
As you can see, I have a pretty bleak background because when I did the System Restore, I didn't have anything on this computer at all. If we look in My Documents, everything's gone. So I am going to right click on my Start button.
I'm going to go to Control Panel, and I'm going to select Backup and Restore because what I'm going to do is restore my files from a backup. That was the external backup I'd mentioned earlier.
I'm going to select another backup, come here, pick the top one because that's what I want. I'm going to browse for folders.
When I made the backup, it was on the Administrator account, which means everything I need is in the Documents folder there. Add that folder, select Next, and I'm going to tell it to go to Steve's Document folder now. We're not going to do a direct replacement.
Hit Restore, Finish. When you open Documents here, you obviously have to go to the thing. It's going to tell you don't have permission, I do, and there you go. All the files that were encrypted have been restored.
To give you an idea of the pain, rather than just reimage the machine, like your IT Department would do, we did this the manual way, and it took about four and a half hours.
That is not including the time I'm going to spend now to download and install Microsoft Office again and things like that. The big win here is that I was able to recover my files with a backup, and I'm going to get all that stuff back, and I didn't have to pay $2,000.
For more information about ransomware and, of course, all the other updated news about ransomware and things like that, you can look that up on CSO Online.
Again, my name is Steve Ragan, and this is "Recovering from Ransomware." See you soon.



Transcription by CastingWords
Top