Ransomware

This Article Applies to:

  • All Operating Systems and Antivirus versions

Ransomware refers to malicious software that encrypts important files on a device and then threatens to publish the victim's data or perpetually block access to it unless a ransom is paid. Even after paying the ransom, there is no guarantee that you can recover your files. The best protection against this type of malware is to keep separate backups in a location not on your main network.

First Steps

Immediately disconnect ransomware-infected devices physically from the network to prevent other devices in your network from getting infected!

Our virus lab is unable to decrypt files affected by ransomware, nor do these encrypted files contain any data useful for our virus definitions. Removing the ransomware itself is usually not required because most ransomware deletes itself after executing (running). However, secondary malware is sometimes installed to attack the system again, or even to allow further breaches. For this reason, the best start when cleaning infected devices is to identify the ransomware variant that attacked your devices:

Once identified, you may know what common locations any remaining infection may occupy, the scope of the attack, and whether or not a decryption tool exists that would allow you to recover your files. As a general practice in the security community, any decryption tools that have been developed are usually shared by the developer for free. Here is a link to Avast's decryption tools:

Identify Sources for the Attack

Identifying the infection may also allow you to identify potential sources for the attack. Identifying the source will be important because as you move forward, your primary concern should be a second attack rather than the same infection persisting. Here is some information about areas you can check in order to harden against/investigate the attack:

RDP Ports

Many hackers are successful at abusing open RDP ports. Even when the Administrator password is not known, it may be brute-forced if the RDP port is open to the public and your current security policy allows this. When the Administrator password appears to have been used, you should assume that it has either been guessed or stolen. In either case, it is highly recommended that administrator passwords are reset.

Passwords are commonly stolen through phishing, and reviewing company email policy may be a good step towards hardening against attacks. Lastly, reviewing user activity in the Windows logs can help you determine what user account was used to initiate the attack.
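The log review described above, as an added example that is not part of this article: it pulls successful (4624) and failed (4625) logon events from the Windows Security log, shows which source addresses generated bursts of failures, and lists the successful RDP logons (logon type 10) so the account and time of the initial access can be identified. It assumes it is run as Administrator on the affected host, or against an exported .evtx copy, with logon auditing enabled.

```powershell
# Added example, not the article's own script. Summarises logon events so the
# account and source address used to start the attack can be identified.
# Assumes: run as Administrator, or pass -EvtxPath for a log exported before reimaging.
param(
    [datetime]$Start = (Get-Date).AddDays(-7),
    [string]$EvtxPath = $null   # optional exported Security log (.evtx)
)

$filter = @{ Id = 4624, 4625; StartTime = $Start }
if ($EvtxPath) { $filter['Path'] = $EvtxPath } else { $filter['LogName'] = 'Security' }

$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $x = [xml]$_.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time      = $_.TimeCreated
        EventId   = $_.Id                  # 4624 = successful logon, 4625 = failed logon
        Account   = "$($d.TargetDomainName)\$($d.TargetUserName)"
        LogonType = $d.LogonType           # 10 = RemoteInteractive (RDP), 3 = network (SMB etc.)
        Source    = $d.IpAddress
    }
}

# Failed logons per source address: many failures from one address are the
# signature of RDP password guessing.
$events | Where-Object { $_.EventId -eq 4625 } |
    Group-Object Source | Sort-Object Count -Descending |
    Select-Object Count, Name -First 10

# Successful RDP logons in time order: the first one from an unfamiliar address,
# especially after a burst of failures, marks the account and time of entry.
$events | Where-Object { $_.EventId -eq 4624 -and $_.LogonType -eq '10' } |
    Sort-Object Time | Format-Table Time, Account, Source -AutoSize
```

Run it on every device that was reachable over RDP, not only the one that showed the ransom note, since the first logon is often on a different host.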

Operating System Vulnerabilities

If your site is secured with a firewall, it may be advisable to close your site to SMB connections unless strictly required for operation.

Lastly, many ransomware attacks leverage vulnerabilities in the Windows operating system itself. Microsoft patches known vulnerabilities as quickly as they are found, so it is always advisable to keep Windows as up to date as your site security policy will allow.

Avast and AVG Business Patch Management can help keep your operating system and applications up-to-date to close vulnerabilities.

Recovering from Ransomware

Unless you have a secure, preferably off-site backup solution for your devices and their important files, you may not be able to recover any encrypted files after a ransomware attack. We always recommend using secure backups to ensure your company can quickly recover.

Restoring Files

  1. Immediately disconnect infected devices physically from the network to prevent other devices on your network from getting infected
  2. Format and reinstall the operating system(s) on all infected devices
    • We do NOT recommend manually removing the virus
  3. Restore files from unaffected offsite/online data backups

Once your site has been cleaned and secured, we can try to ensure the same infection will not succeed again. Though definition-based scanning is notoriously difficult to rely on against ransomware, we can always use samples of the malware to create new definitions for the attack. If you find any remnants of the malware, please submit the file to VirusTotal and send us the URL of the results page. Our virus team will use the file hash to update our virus definitions. We will also use any gathered information to improve our ransomware defenses where possible.