For those of you not familiar with exactly what Ransomware is/does, here’s the current Wikipedia definition:

“Ransomware comprises a class of malware which restricts access to the computer system that it infects, and demands a ransom paid to the creator of the malware in order for the restriction to be removed. Some forms of Ransomware encrypt files on the system’s hard drive, while some may simply lock the system and display messages intended to coax the user into paying.”

Over the past 6 months, New River Computing has been getting more and more phone calls from businesses who’ve been attacked by some form of Ransomware Virus. While desperately trying to find a solution, most of these businesses (many in other states, North Carolina, Atlanta Georgia, and even one business from Kalamazoo Michigan who called in yesterday) searched the web for answers and stumbled across an old blog post that we released on the subject back in April 2012: http://newrivercomputing.com/blog/computer-virus-outbreak-alerts/latest-ransomware-anti-child-porn-spam-protection/.

How would you react if you were attacked by Ransomware? Do you have a backup plan? Do you have a backup machine or server in place? What would you do if someone gained access to your computer or server, encrypted all your photos, business files, financial documents and other hard (if not impossible) to replace files and then demand a ransom for their return?

In a perfect world, all you would have to do is restore your machine from a recent backup. But, since this isn’t a perfect world, and a lot of people don’t keep recent backups. Some people don’t even back up at all. If you fall in to the “not in a perfect world” category, don’t panic just yet if you’ve been a victim of Ransomware. If you have recent backups, you can stop reading here and just go restore your machine using your most recent image. If not, well then, roll up your sleeves, keep reading and get ready for some work! This might not be easy…

Here’s a detailed list of steps and tools that I’ve put together based on the most up-to-date research from industry leading security companies on the subject of remediating Ransomware:

***Be warned: there’s no guarantee that any/all these methods will work. Every Ransomware attack situation is different and there are many different variants. These steps are meant to be used as a last resort before giving up and reformatting a machine. ***

Remove Ransomware with HitmanPro Kickstart

You can use HitmanPro Kickstart to bypass the Ransomware infection and access your computer to scan it for malware.

1. We will need to create a HitmanPro Kickstart USB flash drive,so while you are using a “clean” (non-infected) computer, download HitmanPro.
2. Insert your USB flash drive into your computer and follow the instructions from the below video:

3. After you create the HitmanPro Kickstart USB flash drive, insert this USB drive into the infected machine and start your computer.
4. Once the computer starts, repeatedly tap the F11 key (on some machines its F10 or F2), which should bring up the Boot Menu, from there you can select to boot from your USB. If your machine doesn’t support booting from USB, you can download the HMP ISO files here and burn a CD that you can boot from.
   Next, you’ll need to perform a system scan with HitmanPro as see in the below video:

Kaspersky WindowsUnlocker to fight ransom malware

Kaspersky WindowsUnlocker utility is designed to disinfect registries of all Operating systems on your Computer.

Start Computer from Kaspersky Rescue Disk with Kaspersky WindowsUnlocker

1. First download the Kaspersky Rescue Disk with WindowsUnlocker ISO image from Kaspersky Lab Server to your Computer and burn it to CD/DVD.

2. After successful creation of Kaspersky Rescue disk 10, insert the disk into CD/DVD Rom drive and boot your machine from it.

3. A message appears on press any key to enter the menu, press any key – start up wizard loads with graphical user interface select English or other language.

4. Select graphic mode and press Enter, End User license agreement appears on screen agree it to by pressing C key on your keyboard.

Linux OS now starts and detects the devices and OS installed on your system.

Launching Kaspersky WindowsUnlocker

Once you’ve booted Rescue disk in graphic mode, click on Start button located at the left bottom corner and select Kaspersky WindowsUnlocker item.

More steps and information can be found here if needed.

Use the Dr.WEB search tool for unlock codes found here.

Using the Sophos Ransomware Decrypter Tool

Before You Begin:

• You will need at least one original file and an encrypted counterpart, they must be identical in file size and known to have been originally the exact same file.
• The tool should be ran as a user with Administrative rights.
• The requested un-encrypted file must be larger than 4KB.

When the tool has checked the provided encrypted and unencrypted file, the scan that follows should then be able to restore the discovered encrypted files in the specified scan location and below.

What To Do:

1. Download the Sophos Ransomware Decrypter Tool:
   http://downloads.sophos.com/misc/RansomDecrypter.zip
2. Extract the contents of the Zip file into a folder of your choice.
   A file called RansomDecrypter.exe will be extracted.
3. Launch the application RansomDecrypter.exe, read and accept the End-User License Agreement.
4. Click Start Scan, this will prompt you to locate a copy of an un-encrypted file that is larger than 4KB. Once the file has been located and selected click Open.
   Note: The file you choose must also have an encrypted counterpart for the scan to be able to run.
5. The next prompt will ask for a copy of the same file selected previously but in an encrypted state, this file will normally follow the format of locked-<original filename>.<random 4 character extension>. Once located, click Open once again.
6. If successful, another prompt will appear, click OK.
7. Select a location where you would like the tool to scan for encrypted files, if you are unsure where the files are, you should start with the C: drive under My Computer.
   Note: The tool will intentionally skip locations where the malware does not encrypt files.
8. On completion a summary will appear stating how many files were scanned and how many were unlocked. A log file with the results is also created in the same location as the tool as RansomDecrypter-1.0.0.3-YYYY-MM-DD_HH_MM.txt.

How did I get this Ransomware?

The Ransomware virus gets into systems through various security holes and vulnerabilities found when users visit infected websites or download infected files and emails. If you ignore Windows updates and 3^rd party software updates for software such as Adobe, Flash and Java then you will be much more vulnerable to attack.

Ransomware appears to be a strong moneymaker for online criminals. So don’t expect it to go away any time soon. Be careful, keep your software patched and your Anti-Virus definitions up to date.

Have fun, be safe, and stay informed. Happy surfing!