ransomware removal

Ransomware essentially involves digital extortion where malware holds files or computer systems hostage until the victim pays a fee. Ransomware is popular with an increasing number of cybercriminals, likely due to its ease of implementation and high return on investment. Add to this the advent of cryptocurrency, which has made it easier for attackers to get away with their crimes. According to Daniel Tobok, CEO of Cytelligence Inc., a cybersecurity and ransomware removal company, “Ransomware is really the weapon of choice for a criminal. They can see us but we can’t see them.”

Ransomware can be costly for individuals, but can be especially harmful to businesses. It’s estimated that total damages to businesses in the United States due to ransomware totalled $5 billion in 2017 alone. Damages may include costs involved in paying ransoms, losing data, paying professional services to try to recover data, downtime during attacks, loss of customers after attacks, and more.

The best way to reduce the threat of ransomware is to prevent it being installed in the first place. But if you do fall victim, you have options. In this guide, we explain what ransomware is and how to prevent and remove it. We focus on practical methods that you can employ that emphasize removal over paying the ransom, which we strongly discourage.

What is ransomware and how does it work?

Part of taking the fear out of ransomware involves understanding how it actually works. As former UN Secretary-General Kofi Annan once said, “Knowledge is power. Information is liberating.”

Ransomware is similar to some other forms of malware, with an added bit of extortion. Ransomware is a category of malware, but there are also different types of ransomware. It penetrates computer systems in the same manner as other forms of malware. For example, you might:

  • Download it from a malicious email attachment or link
  • Load it onto your machine from a USB flash drive or DVD
  • Download it while visiting a corrupted website

Once it’s on your system, the ransomware shuts down select system functions or denies access to files. In the case of Windows machines, it usually disables your ability to access the start menu (that way you can’t access antivirus programs or try to revert to Safe Mode).

A staple of many types of ransomware is encryption. The ransomware encrypts files on your device so they cannot be opened without a password. To get the password, you must pay a ransom to the attacker.

Any file can be encrypted with ransomware, although most ransomware won’t attempt to encrypt all types of files. Common targets include image files, PDFs, and any type of file created by Microsoft Office (such as Excel and Word files). The common method ransomware will use is to search for files on common drives and encrypt any or most files it finds there. Some newer forms of encrypting ransomware have even taken to encrypting network shared files as well, a dangerous development for businesses in particular.

Until you clear the virus from your machine (or pay the demanded ransom and hope the criminal clears it for you), you won’t have access to those files. Some ransomware will even demand that you pay up within a certain amount of time, or else the files will stay locked forever or the virus will completely wipe your hard drive.

Related: How to start Windows 7/8/10 in safe mode

Why is ransomware so effective?

Whichever method the program uses to penetrate your system, ransomware is designed to hide itself by pretending to be something it’s not, even changing file names or paths to make your computer and antivirus software overlook suspicious files. The key difference between ransomware and other forms of malware is that the purpose of ransomware extends beyond just mischief or stealthily stealing personal information.

If anything, ransomware acts more like a bull in a china shop once it has effectively found its way onto your system. Unlike many other viruses, which are often designed around stealth both before and after invading your system, ransomware designers want you to know the program is there.

After the program is installed, it completely takes over your system in such a way that you’ll be forced to pay attention to it. It’s a very different modus operandi than virus designers have traditionally followed, and it appears to be the most effective money-making virus design to date.

Ransomware works through fear, intimidation, shame, and guilt. Once the program is there, it begins a negative campaign of emotional manipulation to get you to pay the ransom. Far too often those fear tactics work, especially on individuals who don’t realize that there are alternatives to paying up.

According to a 2016 Malwarebytes survey of large businesses affected by ransomware, 40 percent of victims paid the ransom, while an IBM survey of small- to medium- sized businesses in the same year reported a much higher rate of 70 percent.

Types of ransomware

Ransomware has been around since the 1980s, but many attacks today use ransomware based on the more modern Cryptolocker trojan. File-encrypting ransomware is increasingly the most common type. However, according to Malwarebytes, there are several categories of ransomware that you may still encounter:

Encrypting ransomware

Cryptolocker
If ransomware finds its way onto your machine, it’s likely going to be of the encrypting variety. Encrypting ransomware is quickly becoming the most common type due to a high return on investment for the cybercriminals using it, and how difficult it is to crack the encryption or remove the malware.

Encrypting ransomware will completely encrypt the files on your system and disallow you access until you’ve paid a ransom, typically in the form of Bitcoin. Some of these programs are also time-sensitive and will start deleting files until the ransom is paid, increasing the sense of urgency to pay up.

On this type of ransomware, Adam Kujawa, Head of Intelligence at Malwarebytes, had this to say: “It’s too late once you get infected. Game over.”

Online backup can be a great help in recovering encrypted files. Most online backup services include versioning so you can access previous versions of files and not the encrypted ones

Scareware

Scareware
Source: College of St. Scholastica

Scareware is malware that attempts to persuade you that you have a computer virus that needs removal right away. It will then try to get you to clear the virus by buying a suspicious and typically fake malware or virus removal program. Scareware is highly uncommon these days, but some of these viruses do still exist out in the wild. Many target mobile phones.

Scareware doesn’t encrypt files, although it may attempt to block your access to some programs (such as virus scanners and removers). Nevertheless, scareware is the easiest to get rid of. In fact, in most cases, you can remove scareware using standard virus removal programs or other methods without even entering Safe Mode (although this may still be necessary or recommended).

Screen locker (or lock-screen viruses)

screen locker

Screen lockers will put up a warning screen that limits your ability to access computer functions and files. These can be installed onto your machine or exist within a web browser. They’ll typically come with a message claiming to represent a law enforcement organization and carry a message saying you’ll face severe legal consequences if you do not pay a fine immediately.

You might end up downloading a lock-screen virus via a number of different ways, including visiting compromised websites or by clicking on and downloading an infected file contained in an email. When installed directly onto a computer, you may have to perform a hard reboot, although you may also find that you’re still greeted with the screen lock message even when the operating system loads up again.

Screen lockers tend to lock you out of your menu and other system settings, but don’t completely remove access to your files. This means some of the malware’s primary attack methods prevent you from easily accessing your virus removal software, and at times may even prevent you from restarting your computer from the user interface.

Screen lockers are another good reason why having online backup is extremely important. While the screen locker won’t encrypt or delete your files, you may find yourself forced to perform a system restore. The system restore may not delete your important files, but it will return them to an earlier state. Depending on the restored states, that may still result in a lot of lost data or progress. Regular online backups will help prevent data loss that performing a system restore does not guarantee, especially if the virus has been hiding on your system for much longer than you realized.

How to prevent ransomware

Decrypting files encrypted with ransomware is incredibly difficult. Most ransomware these days will use AES or RSA encryption methods, both of which can be incredibly difficult to crack. To put it in perspective, the US government also uses AES encryption standards for classified documents. Information on how to create this kind of encryption is widely known, as is the difficulty in cracking it. Until someone realizes the dream of quantum computing, brute-force cracking for AES is effectively impossible.

This being the case, the best method to fight ransomware is never allowing it to get onto your system in the first place. Protection can be accomplished by shoring up weak areas and changing behaviors that typically allow ransomware to get onto your system. Here are some best practices to follow to prevent ransomware:

  • Invest in solid data backup. This is hard to understate. Data backup is the single best thing you can do. Even if you do get hit by ransomware, having effective and consistent data backup means your data will be safe, regardless of which type of ransomware you’re attacked with.
  • Invest in effective antivirus software. In this case, you don’t just want malware or virus cleaners, but software that will actively monitor and alert you to threats, including inside web browsers. That way, you’ll get notifications for suspicious links, or get redirected away from malicious websites where ransomware may be housed.
  • Never click on suspicious email links. Most ransomware spreads through email. When you make it a habit of never clicking on suspicious links, you significantly lower your risk of downloading ransomware and other viruses.
  • Protect network-connected computers. Some ransomware works by actively scanning networks and accessing any connected computers that allow remote access. Make sure any computers on your network have remote access disabled or utilize strong protection methods to avoid easy access.
  • Keep software up to date. Updates to Windows and other operating systems and applications often patch known security vulnerabilities. Updating in a timely manner can help lower the risk of susceptibility to malware, including ransomware.

What to do if you catch ransomware mid-encryption

Encryption is a resource-intensive process that consumes a lot of computational power. If you’re lucky, you may be able to catch ransomware mid-encryption. This takes a keen eye and knowing what unusually large amounts of activity look and sound like on your computer. Ransomware encryption will happen in the background, so it’s almost impossible to detect this actually occurring unless you’re specifically looking for it.

Additionally, the virus doing the encryption will likely be hiding inside another program, or have an altered file name that is made to look innocuous, so you might not be able to tell which program is performing the action. However, should you discover what you think is a ransomware virus encrypting files, here are a couple of options:

Place your computer into hibernation

This will stop any running processes and create a quick memory image of your computer and files. Do not restart your computer or take it out of hibernation. In this mode, a computer specialist (either from your IT department or a hired security company) can mount the device to another computer in a read-only mode and assess the situation. That includes the recovery of unencrypted files.

Suspend the encryption operation

If you can identify which operation is the culprit, you may want to suspend that operation.

In Windows, this involves opening up the Task Manager and looking for suspicious operations. In particular, look for operations that appear to be doing a lot of writing to the disk.

You can suspend operations from there. It’s better to suspend the operation instead of killing it, as this allows you to investigate the process in more detail to see what it’s actually up to. That way you can better determine whether you have ransomware on your hands.

If you do find that it’s ransomware, check which files the process has been focusing on. You may find it in the process of encrypting certain files. You can copy these files before the encryption process has finished and move them to a secure location.

You can find some other great suggestions by security and computer professionals on Stack Exchange.

Ransomware removal: How to remove scareware and screen lockers (lock-screen viruses)

Screen lockers are more troublesome to remove than scareware, but are not as much of a problem as file-encrypting ransomware. Scareware and lock-screen viruses are not perfect and can often be easily removed at little to no cost. You have two main options:

  1. Perform a full system scan using a reputable on-demand malware cleaner
  2. Perform a system restore to a point before the scareware or screen locker began popping up messages.

Let’s look at both of these in detail:

Option 1: Perform a full system scan

This is a fairly simple process, but before performing a system scan, it’s important to choose a reputable on-demand malware cleaner. One such cleaner is Zemana Anti-Malware, or Windows users could even use the built-in Windows Defender tool.

To perform the full system scan using Zemana Anti-Malware, do the following:

  • Open your Zemana Anti-Malware home screen.

  • Click on the Gear Symbol on the top right to access settings.
  • Click on Scan on the left.

zemana

  • Select Create Restore Point.
  • Return to the home screen and click on the green Scan button on the bottom right.

zemana

Setting the restore point is a good best practice for virus scans in general. Meanwhile, your virus scan might tag some things as problems that aren’t problems (Chrome extensions often come up as problematic, for example), while you could find areas of concern that you weren’t expecting.

In my case, a recent Zemana system scan revealed a potential DNS hijack. Yikes! (It also misclassified a few programs as malware and adware, so be careful make sure to check which files you’re cleaning and quarantining properly.)

zemana

To perform a full system scan using Windows Defender, do the following:

  • Perform a quick system search for “Windows Defender.”
  • Access Windows Defender and select Full on the right side.
  • Click on Scan.

Microsoft continually improves its built-in Windows antivirus software, but it’s not as good a solution as an on-demand option like Zemana or many other high-quality programs. You could choose to run two programs to cover your bases, but note that they can’t be run concurrently.

When dealing with screen-locking ransomware, you may need to enter Safe Mode to get the on-demand virus removers to work or to run your system restore properly. Even some scareware can at times prevent you from opening your virus removal programs, but they usually can’t prevent you from doing so while you’re in Safe Mode. If you’re having trouble getting your computer to restart in Safe Mode (a distinct possibility if you have a screen locker), check out our guide on How to Start Windows in Safe Mode.

Option 2: Perform a system restore

Another option is to perform a system restore to a point before the scareware or screen locker began popping up messages. Note that this option assumes that you have your computer set to create system restore points at preset intervals, or that you’ve performed this action yourself manually. If you’re accessing this guide as a preventative measure against ransomware, creating restore points from this point forward will be a good idea.

Here’s how to find your restore points or set new restore points in Windows:

  • Access your Control Panel (you can do this through a system search for “Control Panel”).

system restore

  • Click on System and Security.
  • Click on System.
  • Go to Advanced system settings.

system restore

  • Click on the System Protection tab and select System Restore.

system restore

  • If you have never run a system backup, click on Set up backup. This will open up the backup operations and get you started. Once there, you’ll need to pick your backup location, the files you want to be backed up (or you can let Windows select those for you), schedule when you want your backups to occur, and then perform the backup.

system restore

  • If it shows that you already have a backup in place, select the backup files from the most recent restore point or from whichever restore point you desire.

system restore

The backup restoration process may take several minutes, especially if the amount of data being restored is significant. However, this should restore your file system to a point before the virus was downloaded and installed.

Note that both a scan and a restore can have delayed reaction times, so it’s a good idea to do both.

Indiana University also provides a helpful knowledge base with a few advanced methods for more troublesome scareware. We also recommend checking out our Complete Guide to Windows Malware and Prevention. It will walk you through the process of malware removal and what that process looks like with several different programs.

Ransomware removal: How to remove file encrypting ransomware

Once encrypted ransomware gets onto your system, you’re in trouble if you want to keep any unsaved data or anything that hasn’t been backed up (at least without paying through the nose for it). Surprisingly, many cyber criminals are fairly honorable when it comes to releasing the encryption after they’ve received payment. After all, if they never did, people wouldn’t pay the ransom. Still, there is a chance that you could pay the ransom and find your files never released, or have the criminals ask for more money.

That being said, if you’re hit with a nasty piece of encrypting ransomware, don’t panic. Alongside that, do not pay the ransom. You have two alternative options for ransomware removal:

  • Hire a professional ransomware removal service: If you have the budget to hire a professional and deem recovering your files worth the money, then this might be the best course of action. Many companies, including Proven Data Recovery and Cytelligence specialize in providing ransomware removal services. Note that some charge even if the removal is unsuccessful, while others don’t.
  • Try to remove the ransomware yourself: This is typically free to do and may be a better option if you don’t have the funds to hire a professional. Recovering your files yourself will typically involve first removing the malware and then using a tool to decrypt your files.

If you’d like to try resolve the issue yourself, here are the steps to take:

Step 1: Run an antivirus or malware remover to get rid of the encryption virus

Refer back to the malware/virus removal instructions provided in the scareware/screen locker removal section above. The removal process in this step will be the same, with one exception: WE STRONGLY ENCOURAGE YOU TO REMOVE THIS VIRUS IN SAFE MODE WITHOUT NETWORKING.

There is a chance that the file-encrypting ransomware you’ve contracted has also compromised your network connection, so it’s best to cut off the hackers’ access to the data feed when removing the virus. Note that this may not be wise if you’re dealing with a few variants of the WannaCry ransomware, which check against a gibberish website to identify a potential killswitch. If those sites are registered (which they are now), the ransomware halts encryption. This situation is highly uncommon, however.

Removing the malware is an important first step to deal with this problem. Many reliable programs will work in this case, but not every antivirus program is designed to remove the type of malware that encrypts files. You can verify the effectiveness of the malware removal program by searching its website or contacting customer support.

The real problem you will find is that your files will stay encrypted even after you remove the virus. However, trying to decrypt files without removing the malware first may result in the files getting re-encrypted.

Step 2: Try to decrypt your files using a free ransomware decryption tool

Again, you should be doing everything you can to avoid paying a ransom. Your next step is going to be to try a ransomware decryption tool. Note, however, that there is no guarantee that there will be a ransomware decryption tool that will work with your specific malware. This is because you may have a variant that has yet to be cracked.

Kaspersky Labs and several other security companies operate a website called No More Ransom! where anyone can download and install ransomware decryptors.

nomoreransom

Kaspersky also offers free ransomware decryptors on its website.

First, we suggest you use the No More Ransom Crypto Sheriff tool to assess what type of ransomware you have and whether a decryptor currently exists to help decrypt your files. It works like this:

  • Select and upload two encrypted files from your PC.
  • Provide a website or email address given in the ransom demand, for example, where the ransomware is directing you to go to pay the ransom.
  • If no email address or website is given, upload the .txt or .html file with the ransom note.

The Crypto Sheriff.

The Crypto Sheriff will process that information against its database to determine if a solution exists. If no suggestion is offered, don’t give up just yet, however. One of the decryptors may still work, although you might have to download each and every one. This will be an admittedly slow and arduous process, but could be worth to see those files decrypted.

The full suite of decryption tools can be found under the Decryption Tools tab on the No More Ransom! website.

Running the file decryptors is actually pretty easy. Most of the decryptors come with a how-to guide from the tool’s developer (most are from EmsiSoft, Kaspersky Labs, Check Point, or Trend Micro). Each process may be slightly different, so you’ll want to read the PDF how-to guide for each one where available.

Here’s an example of the process you’d take to decrypt the Philadelphia ransomware:

  • Choose one encrypted file on your system and a version of that file that’s currently unencrypted (from a backup). Place these two files in their own folder on your computer.
  • Download the Philadelphia decryptor and move the executable to the same folder as your paired files.
  • Select the file pair and then drag and drop the files onto the decryptor executable. The decryptor will then begin to determine the correct keys needed to decrypt the file.
  • This process may take quite a lot of time, depending on the complexity of the program

Philadelphia decryptor

  • Once completed, you will receive the decryption key for all files encrypted by the ransomware.

Philadelphia decryptor

  • The decryptor will then ask you to accept a license agreement and provide you the options for which drives to decrypt files from. You can change the location depending on where the files are currently housed, as well as some other options that may be necessary, depending on the type of ransomware. One of those options usually includes the ability to keep the encrypted files.
  • You will get a message in the decryptor UI once the files have been decrypted.

Again, this process may not work, as you may have ransomware for which no decryptor is available. Many individuals who do get infected simply pay the ransom without looking into removal methods, so many of these ransomware are still used, despite having been cracked.

Backup option: Wipe your system and perform a complete data restoration from a data backup

Steps 1 and 2 only work when used together. If either fails to work for you, you’ll need to follow this step. Hopefully, you have a solid and reliable data backup already in place. If so, don’t give in to the temptation to pay the ransom. Instead, either personally or have an IT professional (preferably this option) wipe your system and restore your files through your online or physical backup system.

This is also a reason why bare-metal backup and restoration is important. There’s a good chance your IT professional may need to perform the complete bare-metal restoration for you. This not only includes your personal files, but your operating system, settings, and programs as well. Windows users may also need to consider a complete system reset to factory settings. Microsoft provides an explanation for multiple system and file restoration methods and options.

The history of ransomware

As mentioned, ransomware is not a new concept and has been around for many years. While the timeline below is not an exhaustive list of ransomware, it gives you a good idea of how this form of attack has evolved over time.

1989 – “Aids” Trojan, aka PC Cyborg, becomes the first known case of ransomware on any computerised system.

2006 – After a decade-busting hiatus, ransomware returns en masse with the emergence of Gpcode, TROJ.RANSOM.A, Archiveus, Krotten, Cryzip, and MayArchive. All are notable for their use of sophisticated RSA encryption algorithms.

2008 – Gpcode.AK arrives on the scene. Utilising 1024-bit RSA keys, it requires a massive effort, beyond the means of most users, to break.

2010 – WinLock hits users in Russia, peppering displays with porn until the user makes a $10 call to a premium rate number.

2011 – An unnamed Trojan locks up Windows machines, directing visitors to a fake set of phone numbers through which they can reactivate their operating systems.

2012 – Reveton informs users their machine has been used to download copyright material or child pornography and demands payment of a ‘fine.’

2013 – The arrival of the now infamous CryptoLocker. Ramping up the encryption level, it is incredibly hard to circumvent.

2013 – Locker turns up, demanding payment of $150 to a virtual credit card.

2013 – Hard to detect, CryptoLocker 2.0 adds the use of Tor for added anonymity for the criminal coder who created it.

2013 – Cryptorbit also adds Tor use to its repertoire and encodes the first 1.024 bits of every file. It also uses installs a Bitcoin miner to milk victims for extra profit.

2014 – CTB-Locker mainly targets Russia-based machines.

2014 – Another significant development, CryptoWall infects machines via infected website advertisements and manages to affect billions of files worldwide.

2014 – A somewhat more friendly piece of ransomware, Cryptoblocker avoids Windows files and targets files under 100 MB in size.

2014 – SynoLocker targets Synology NAS devices, encrypting every file it finds on them.

2014 – TorrentLocker utilizes spam emails to spread, with different geographic regions targeted at a time. It also copies email addresses from the affected users’ address book and spams itself out to those parties as well.

2015 – Another hard-to-detect piece of ransomware, CryptoWall 2.0 uses Tor for anonymity and arrives in a manner of different ways.

2015 – TeslaCrypt and VaultCrypt can be described as niche ransomware in that they target specific games.

2015 – CryptoWall 3.0 improves on its predecessor by coming packaged in exploit kits.

2015 – CryptoWall 4.0 adds another layer to its encryption by scrambling the names of the encrypted files.

2015 – The next level of ransomware sees Chimera not only encrypt files but also publish them online when ransoms are not paid.

2016 – Locky arrives on the scene, named primarily because it renames all your important files so they have a .locky extension.

2016 – Located on BitTorrent, KeRanger is the first known ransomware that is fully functional on Mac OS X.

2016 – Named for the Bond villain in Casino Royale who kidnaps bond’s love interest to extort money, LeChiffre program takes advantage of poorly-secured remote computers on accessible networks. It then logs in and runs manually on those systems.

2016 – Jigsaw will encrypt and then delete files progressively until the ransom is paid. After 72 hours, all files will be deleted.

2016 – SamSam ransomware arrives complete with a live chat feature to help victims with their ransom payment.

2016 – The Petya ransomware utilizes the popularity of cloud file sharing services by distributing itself through Dropbox.

2016 – The first ransomware worm arrives in the form of ZCryptor, which also infects external hard drives and flash drives attached to the machine.

2017 – Crysis targets fixed, removable, and network drives, and uses powerful encryption methods that are difficult to crack with today’s computing capabilities.

2017 – WannaCry is spread through phishing emails and over networked systems. Uniquely, WannaCry uses a stolen NSA backdoor to infect systems, as well as another vulnerability in Windows that was patched over a month before the release of the malware (more details below).

WannaCry ransomware

The WannaCry ransomware is probably the most infamous in recent years, mainly due to the shear number of computers it affected. It quickly became the fastest-spreading ransomware in the history of ransomware, affecting 400,000 machines in its wake. Generally speaking, WannaCry is not particularly unique, so much that it has infected some very big names and important government agencies across the world, and used a stolen National Security Agency (NSA) exploit tool to do it.

The stolen NSA tool is part of the reason WannaCry was so successful in spreading. Compounding the issue is the fact that many agencies and businesses were slow to roll out the proper Windows patch that would have prevented this exploit in the first place. Microsoft pushed that patch in mid-March 2017 but WannaCry didn’t start infecting systems until May.

Interestingly, the first variant of WannaCry was thwarted by a cyber security researcher and blogger who, while reading the code, discovered a kill switch written into the malware. WannaCry’s first variant checks to see if a certain website exists or not, the result determining whether or not it continues.

The security blogger decided to go ahead and register the site for around $10, which significantly slowed the spread of the virus. However, WannaCry’s creators were quick to roll out new variants (one of which had another website kill switch that was soon used to stop that variant).

In total, it’s estimated that WannaCry netted its creators around $140,000 worth of bitcoin. While this is no small sum, it’s nowhere near the estimated $325 million earned by those behind the Cryptowall Version 3 ransomware in 2015. This may be due to better education on ransomware or failings in the virus, but with the number of users affected, it seems things could have been worse.

Cryptolocker ransomware” by Christiaan Colen. CC Share-A-Like 3.0