Over the past four years, a multitude of ransomware families have come into existence.

As discussed in a previous blog post, ransomware authors have become increasingly creative, and the variety of malware has grown with them. In the early days, crafty as the schemes were, many families implemented their encryption poorly (for example, leaving the key recoverable from the infected machine), so files could often be restored without paying. More recent families have grown progressively tougher, and for certain versions there is no decryption solution at all.
If you happen to become a victim of anything resembling ransomware (for example, a demand to pay money to get your files back), the most important thing to do is to immediately disconnect the machine from the internet, disconnect any local or network drives attached to it, and power off the computer. The encryption only runs while the machine is on and connected; every additional minute gives the malware more files and more shares to reach.

The next step is to NOT panic. It is tempting to power the computer back on to "see what happens, does it still work?", but the best thing to do is to take a breath and assess whether a proper, current backup exists outside the affected computer that could be used to restore the data. Check that the backup itself was not reachable from the infected machine (a backup sitting on a mapped network share can be encrypted along with everything else). If a clean, current backup exists, consider yourself lucky and give yourself (or the backup team) a pat on the back for doing a great job creating timely backups.
If a backup is not available and no experienced ransomware responders are available in-house, the most beneficial course of action is to seek professional help. Experienced ransomware professionals will remove the drive from the affected computer and connect it to a secondary, clean machine in order to sample files and identify the ransomware version in question. This should be done in a read-only environment: a hardware write-blocker or a read-only mount, so that nothing on the drive is altered and no malware on it gets executed.

One very useful resource for identifying the ransomware (at the time of writing the tool recognises 52 different families) is ID Ransomware, made available by MalwareHunterTeam. It works from exactly the material gathered during file sampling: the ransom note and/or one of the encrypted files.

Why is this important? Because file sampling gives the professional a quick sense of whether a decryption solution exists for the ransomware at hand. As mentioned before, for some versions there is none. From there, the professional should know, or at least be able to search for, a suitable decryption tool, or, if highly advanced, potentially reverse engineer the malware and build a new file recovery solution.
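To make the file-sampling step concrete, here is an added example (not code from the original post) of a small Python triage script for a drive that has already been attached to a clean machine and mounted read-only (for example with `mount -o ro` on Linux, or behind a hardware write-blocker). It walks the mount without writing to it, works out which extension the ransomware appended, picks out the ransom note by its tell-tale repetition in every touched directory, and checks the entropy of a few affected files to confirm they really are encrypted rather than merely renamed. The note and an encrypted sample are what ID Ransomware asks for. The directory layout, file names and contents are constructed for the demo, and random bytes stand in for ciphertext; none of it comes from a real infection.

```python
"""Triage of a ransomware-hit volume mounted read-only (added example, not from the post)."""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

NOTE_SUFFIXES = {".txt", ".html", ".hta"}   # typical ransom-note formats
MAX_NOTE_SIZE = 64 * 1024                   # notes are small; this skips real documents


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for encrypted or random data, roughly 4-5 for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage(root, sample_bytes=4096, min_note_dirs=3, max_samples=3):
    """Read-only survey of a mounted volume. Opens files for reading only, never writes."""
    root = Path(root)
    ext_counts = Counter()
    note_dirs = {}  # candidate note filename -> set of directories it appears in
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            suffix = p.suffix.lower()
            ext_counts[suffix] += 1
            if suffix in NOTE_SUFFIXES and p.stat().st_size <= MAX_NOTE_SIZE:
                note_dirs.setdefault(name, set()).add(dirpath)
    # A ransom note is dropped into every directory the malware touched; a user's file is not.
    notes = sorted(n for n, d in note_dirs.items() if len(d) >= min_note_dirs)
    # The most common extension that is not a note format is the one the ransomware appended.
    candidates = [e for e, _ in ext_counts.most_common() if e and e not in NOTE_SUFFIXES]
    ransom_ext = candidates[0] if candidates else None
    samples = []  # (filename, entropy of the first sample_bytes)
    if ransom_ext:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if len(samples) >= max_samples:
                    break
                if name.lower().endswith(ransom_ext):
                    with open(Path(dirpath) / name, "rb") as f:
                        head = f.read(sample_bytes)
                    samples.append((name, round(shannon_entropy(head), 2)))
    return {
        "root_writable": os.access(root, os.W_OK),  # should be False on a proper read-only mount
        "extension": ransom_ext,
        "notes": notes,
        "samples": samples,
    }


def build_sample_tree(base):
    """Constructed stand-in for the affected drive (assumed names; random bytes as ciphertext)."""
    base = Path(base)
    note = b"Your files have been encrypted. (constructed ransom note for the demo)\n"
    for sub in ("Documents", "Pictures", "Work/2016"):
        d = base / sub
        d.mkdir(parents=True, exist_ok=True)
        for i in range(3):
            (d / f"file{i}.docx.locked").write_bytes(os.urandom(8192))
        (d / "HOW_TO_DECRYPT.txt").write_bytes(note)
    # One ordinary text file that appears only once, so it must not be flagged as a note.
    (base / "Documents" / "untouched.txt").write_bytes(b"plain text " * 200)
    return base


def demo():
    """Build the constructed tree in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage(build_sample_tree(tmp))


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On a real case, point `triage()` at the read-only mount point instead of the constructed tree. If `root_writable` comes back True, stop and fix the mount before going further; the whole point of the page's advice is that the original evidence is never altered. Entropy near 8.0 on the sampled files confirms genuine encryption; values around 4 to 5 would suggest the files were only renamed, which changes the recovery picture entirely.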
Failure to follow the steps above will more than likely cause further damage to the files themselves; even worse, it may let the malware spread to other storage devices and cause additional havoc.

Ask questions first and act second, based on professional advice. That is the way to go.