You’re a home or small business user and a dialogue box has just appeared telling you that your Windows PC's files are now encrypted and you have 48 hours to pay £350 ($500) in Bitcoins to get them back. Fail to meet that deadline and the price will rise.
When crypto ransomware targeting Windows turned into a mass phenomenon three years ago, not a lot. By the time you saw the ransom demand, it was too late to pull the plug on the PC to stop further compromise. Your only option was to haul out backups, assuming you had them.
Today, the situation has improved a bit, although the right kind of backups (see below) is still the number one defence. Today’s an anti-virus programmes are now better tuned to block ransomware, usually by watching for the actions of specific variants while a few even claim they can clean up the mess after the fact. This the second priority – making sure that the system is free of infection before reinstating data.
Beyond that, it’s about preparing better defences for future attacks which might be easier than some assume. Although ransom malware almost always uses unbreakable public key encryption to lock files, the number of variants is relatively small at any one time. It is possible that a security programme can be tuned to spot the most active ransomware by watching for known behaviour such as interacting with the filesystem
This article lists the small but slowly growing list of dedicated tools that can be used to achieve clean-up, detection and even – in a very small number of specific cases – decryption. We also recently published more general advice on the topic from a Kaspersky Lab expert.
Best ransomware removal tools: Backup and the cloud
It is axiomatic that backup is a good idea, but which type? Any backup drive connected to the infected system will be vulnerable to having the files on it encrypted too, which also includes archives in a proprietary backup format. Storing files offline is the obvious solution, be that a hard drive, USB stick or DVD, but that can be hard to schedule.
Many consumers and even some small businesses assume that cloud backup services such as Google Drive, Dropbox or OneDrive will rescue them – wrong. These services look like backup but they are really a form of synchronisation that will quickly copy encrypted files created by the ransomware to the cloud store (Google says it scans files for malware but there’s no evidence it will pick up that files have been nefariously encrypted). All have versioning that allows users to go back to a date before the last sync, usually up to 30 days, but restoring files often has to be done one file at a time. How long would it take to retrieve thousands of files? Hours at least but possibly days.
Best ransomware removal tools: Google Drive disaster
An interesting example of how one firm struggled with a large shared Google Drive repository that had been encypted by CryptoLocker can be found here if you doubt the inconvenience of retrieving data. That's another point larger organisations need to ponder - one machine infected by ransomware can affect shared documents, potentially disrupting the work of many staff and not only the source machine. The solution in this case involved building a custom application to automate pulling the files back from Google Drive's inner sanctum and (importantly) reinstating them in the right place so that sharing wouldn't break. This incident is well worth a read - our thanks to Social Faucet for brining this example to our attention.
Beyond making offline copies, one solution is to use a full cloud backup service such as Carbonite or CrashPlan that allow convenient file restoration. This class of cloud backup costs around £4 ($6) per month or £40 ($60) per annum for reliable archiving and backup, arguably money very well spent with more advanced plans for small businesses also available.
It needs to be underlined in bold that competent backup is still the single most important defence against ransomware. Without that on hand, simply removing the infection is just a way of getting back the system, not the data that was on it.
Next: Anti-ransomware tools