How to recover a system from a Ransomware attack

Having a system infected with ransomware can be a painful and frightening experience for some. All of your personal files, including pictures, documents, music, and programs are encrypted and left completely useless.

However, if you’ve got backups and some time on your hands, it is possible to recover from a Ransomware attack. The video below explains the entire recovery process, but it’s important to note that the full recovery took us several hours.

Windows 10 system restore seemed to take forever, which accounted for a majority of the process. We’re not sure why it was so slow, so your results might be different. In addition, the anti-Virus scan also took a considerable amount of time, once the advanced options were enabled.

At the end of the day, we were able to recover the system without paying the ransom and restore our files from backup.

If you’re wondering why we ran anti-Virus instead of wiping the system and just starting over, we wanted to remove any trace of the ransomware – just in case it stuck around and reinfected the system. Our logic was better safe, than sorry.

Recovery:

Just before the Thanksgiving holiday in the U.S., CSO (the parent and host of XSS) infected a laptop with Locky, one of the most common variants of Ransomware on the internet.

We did this to demonstrate the speed and impact of a Ransomware attack. This experiment also gave us the chance to recover the system using free anti-Virus tools and basic system backups. While the video goes into a lot of detail, the process used to recover the laptop is also written out below.

The key points that helped us recover this system were (a) working backups that were stored offline; and (b) making sure system restore is enabled and working on Windows. In our experiment, we used Windows 10.

It’s important to stress that system restore is not a replacement for proper backups. It’s handy sure, but it isn’t a silver bullet. Microsoft provides support for system restore functions and configuring system backups.

Finally, if this is a corporate system, alert your IT department and DO NOT attempt any of this on your own, your company might have policies or procedures for malware, and you’ll need to comply with them.

1.) Reboot the system into safe mode by clicking the start button, selecting power, and holding the SHIFT key while clicking restart.

• Once the system reboots, click Troubleshoot, and then Advanced Options, and finally Startup Settings. Click Restart.
• To boot into safe mode directly, just press F4. However, if you need internet access in order to update anti-Virus software, you’ll need to press F5 instead, which is safe mode with networking.

2.) Install anti-Virus.

• For this experiment, CSO used Malwarebytes Anti-Malware and Hitman Pro, as they are free and well-known tools. Malwarebytes detected Locky and removed it with a quick scan.
• Both programs were updated prior to scanning, which required networking access (obtained by selecting F5 during selective boot). On a second test system, Locky was detected and removed by Malwarebytes without an update to the software. The best method however is to update the AV software before it is used.
• Malwarebytes was used for a second “custom scan” which took 46 minutes to complete. This second scan didn’t detect anything. When Hitman Pro was used, it didn’t detect anything other than cookies from Internet Explorer.

3.) Reboot the system, and once the system is back up and running outside of safe mode, use the system restore function.

• System Restore can be found by right clicking on Start, and selecting System. From there, click on System Protection, and System Restore. Choose the restore point that makes sense, provided it is prior to infection. During our tests, this process took a long time to complete, your results might be different.

4.) Finally, restore from backup.

• Backup settings can be located by right clicking on the Start button and selecting Control Panel. Chose Backup and Restore under System and Security. From there, click “Select another backup…” under Recovery and follow the prompts. You can choose to restore files or folders, and opt to have them go to the same destination or a new location of your choosing.

At this stage, our system was restored and recovered. We had our files back, the Ransomware was gone, and we didn’t need to pay to make this happen. However, our programs and software will need to be reinstalled.

It’s possible to avoid this by creating an image of the system with all of your programs installed. Doing so means that you’ll only need to restore some files form backup, as you’ll just re-image the device instead of using system restore.

There are free system image programs available, such as AOMEI Backupper, as well as paid options, including Acronis True Image.

If all else fails, you could also try a factory restore after running anti-Virus. Microsoft has a number of recovery options for Windows 10, including a system reset. A support document for those options is available here.

If you’re unsure about following these steps, or if you don’t understand, the best bet is to take your system to a local PC repair shop and let an IT professional do the work for you. There is a cost associated with this, but it will be far less than the ransom being demanded by the criminals.