Windows 7 Forums



Windows 7: Ransomware question

26 Sep 2016   #1
martinlest

Windows 7 Home Premium SP1 64-bit
 
 
Ransomware question

I hope I am not tempting fate by saying this, but so far I have had no problem, but as it seems to get ever more widespread I thought I'd do something before the possible event rather than have to do it after! I installed Malwarebytes anti-ransomware beta today on all my PCs and am hoping that's a step in the right direction. I already use MailWasher for my email and so delete all less than 99% legitimate-looking emails on the server before they reach me. My worry is going to a legit website with malicious code embedded - has that happened to anyone?

The question I wanted to ask is this: if you are unlucky enough to get a ransomware attack, but have all your data backed up (say on an external HDD), and maybe a drive image too, how would you go about cleaning the PC of the malware before restoring the backups? Do you delete all the encrypted files and simply replace them with the backup? Is there not a chance that plugging in an external drive with the backup would cause all those files to be encrypted too? Is the ransomware 'vigilant' in that way, or could that only happen if you ran the same file that installed the ransomware in the first place?

Been Googling this with no real answer to these points; maybe someone here knows how this works.

Thanks,

Martin


26 Sep 2016   #2
samuria

win 8 32 bit
 
 

It depends on the ransomware, but if you have anything connected while it's active, it's likely to jump to external drives and any network drives. Deleting all partitions and formatting will remove it. It's not that hard to remove, as once it's done its job there is nothing left for it to do.
26 Sep 2016   #3
UsernameIssues

W7 Pro SP1 64bit
 
 

Ransomware sometimes comes in with other types of infections - the "how to clean up" steps would vary considerably. Just speaking about ransomware: I've cleaned up after ransomware a few times. Various antivirus tools can remove the file or files that did the encryption - if those files are still around. The bad guys don't want their file analyzed, so they often delete them after the damage has been done.

Replacing the encrypted files from a backup might be harder than you think. There are too many of them to efficiently replace by hand. The ransomware is encrypting far more than just user created documents, spreadsheets and photos. It also encrypts files needed by some apps to run (e.g. configuration/settings files).

Re-imaging the entire drive is probably best - but that might not get rid of the additional (non-ransomware) infections.


> My worry is going to a legit website with malicious code embedded - has that happened to anyone?
The term "legit" is subjective. Yahoo.com infected lots of users in late 2014 with ransomware. This continued through most of 2015 and maybe into 2016. https://blog.malwarebytes.com/threat...akes-on-yahoo/


You might look into installing the free version of CryptoPrevent in addition to the security tools that you already use.

26 Sep 2016   #4
UsernameIssues

W7 Pro SP1 64bit
 
 

Forgot to speak to external drives:

Sure, an external drive (or network drive) could have its files encrypted. People often put their backup images on external drives. If those files get encrypted, you probably won't be able to use them to restore your computer to its pre-infected state.

I support some people that keep an external drive connected at all times. Each night, a complete image of the OS and data drives is sent to the external drive. The NTFS permissions on that external drive prevent apps being run by the user from changing the files on the external drive. This is not perfect, but it is the best that I can come up with for these users.
29 Sep 2016   #5
Alejandro85

Windows 7 Ultimate x64
 
 

> Originally Posted by martinlest:
> The question I wanted to ask is this: if you are unlucky enough to get a ransomware attack, but have all your data backed up (say on an external HDD), and maybe a drive image too, how would you go about cleaning the PC of the malware before restoring the backups? Do you delete all the encrypted files and simply replace them with the backup? Is there not a chance that plugging in an external drive with the backup would cause all those files to be encrypted too? Is the ransomware 'vigilant' in that way, or could that only happen if you ran the same file that installed the ransomware in the first place?

When a virus attacks (or ransomware, or a worm, malware, trojan or whatever crap you want to name them; it's all the same for this purpose, so I'll call it a virus for simplicity), there is only one way to truly be sure to remove it. The security people call it "nuke it from orbit", or more commonly: reformat your computer, reinstall the OS from scratch from known-clean installation media, and then restore any backups you may have.
The problem with virus infections of any kind is that, once one has successfully run in your system, you have no idea what it actually did, how it might be hiding, or what other things it introduced into the computer, so you can't trust the computer anymore. Doing so carries a very concrete risk of still being infected without you even noticing; a clean install avoids all of that. Plugging in the backup media could infect it too (or the virus could delete or corrupt the backups); the virus might be "vigilant", or it can really do pretty much anything once it controls your computer. Of course each virus is different, and the definitive answer actually depends on the actual virus you have, but since you can't know for sure what it does, the ONLY safe approach becomes the clean install. Your backups will restore the data and the software (which you must also back up, of course, in installer form).

A more in-depth explanation of the issue is given in these two StackOverflow posts:
How do I deal with a compromised server?
How can I remove malicious spyware, malware, adware, viruses, trojans or rootkits from my PC?
I find this paragraph of particular importance:
"Lots of people will disagree with me on this, but I challenge they are not weighing consequences of failure strongly enough. Are you willing to wager your life savings, your good credit, even your identity, that you're better at this than crooks who make millions doing it every day? If you try to remove malware and then keep running the old system, that's exactly what you're doing."

Bottom line: don't bother with antiviruses, "expert" advice to clean, or crap like that; delete the system and start from scratch, plain and simple.
Discard any images you may have; they can be compromised too. Data backups should often be fine, and you can always verify the integrity of installers (or redownload them if the need arises). An antivirus on the newly built system can also be useful for extra safety.


> Originally Posted by martinlest:
> My worry is going to a legit website with malicious code embedded - has that happened to anyone?

It's an everyday occurrence! Websites get hacked all the time, vulnerabilities such as XSS and SQL injection appear from time to time, online advertising has become a cancer and loves to inject unknown code into many websites, and phishing can lead you into trusting things you should not. That's why taking good backups and following good security practices is of great importance.


> Originally Posted by UsernameIssues:
> the "how to clean up" steps would vary considerably. Just speaking about ransomware: I've cleaned up after ransomware a few times.

The solution to a confirmed infection is ALWAYS a clean install. I'm not sure what you did, but if you didn't reformat those systems in the past, there is no way to know they're really clean.


> Originally Posted by UsernameIssues:
> Re-imaging the entire drive is probably best - but that might not get rid of the additional (non-ransomware) infections.

It's not the best way at all! The system could be compromised at the time of taking the image, in which case restoring from it would only lead to catching the same nasty again shortly afterwards. You can only be sure of when you noticed the symptoms, not when the infection actually entered the system. Ransomware or non-ransomware is totally irrelevant too; any virus should be treated the same, just blow up everything. But people generally get more angry when they see all their data gone.

> Originally Posted by UsernameIssues:
> I support some people that keep an external drive connected at all times. Each night, a complete image of the OS and data drives is sent to the external drive. The NTFS permissions on that external drive prevent apps being run by the user from changing the files on the external drive. This is not perfect, but it is the best that I can come up with for these users.

I don't find that approach too bad. Permissions are a very effective security control (which many people discard because they run as a full-time admin), but once properly configured, they can effectively keep viruses out of the backups, if the rest of the system is clean. It's true that keeping the backup drive disconnected makes it immune, but also useless. At some point, the drive must be connected to put new data on it, even for short periods of time, and that time window becomes THE chance for the virus to spread. Permissions help with that too.
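The NTFS-permissions setup that UsernameIssues describes in post #4 and Alejandro85 endorses above, together with Alejandro85's point about verifying the integrity of the installers you keep with your backups, as an added PowerShell example. This is not code from the thread or from any of the posters. It assumes hypothetical names: a backup root of E:\Backups, a day-to-day local account named Martin, and a dedicated local account BackupSvc under which the nightly imaging task runs. It needs an elevated PowerShell prompt and PowerShell 4.0 or later (for Get-FileHash).

```powershell
# Added example, not from the thread. Hypothetical names: E:\Backups,
# local user 'Martin' (day-to-day account), local user 'BackupSvc' (the
# account the nightly imaging task runs as). Run from an elevated
# PowerShell 4.0+ prompt.
param(
    [string]$BackupRoot    = 'E:\Backups',
    [string]$UserAccount   = "$env:COMPUTERNAME\Martin",
    [string]$BackupAccount = "$env:COMPUTERNAME\BackupSvc"
)

if (-not (Test-Path -Path $BackupRoot)) {
    New-Item -ItemType Directory -Path $BackupRoot | Out-Null
}

$acl = Get-Acl -Path $BackupRoot

# 1. Stop inheriting the drive's default ACL (which normally gives the
#    'Users' group modify rights) and drop every explicit rule so that
#    only the rules added below remain.
$acl.SetAccessRuleProtection($true, $false)
foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    [void]$acl.RemoveAccessRule($rule)
}

# 2. Owner = Administrators. If the day-to-day user owned the folder,
#    code running as that user could rewrite the ACL and undo all of this.
$acl.SetOwner([System.Security.Principal.NTAccount]'BUILTIN\Administrators')

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None

function New-Rule([string]$Principal, [string]$Rights) {
    # Allow rule that propagates to every existing and future file/subfolder
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Principal, $Rights, $inherit, $prop, 'Allow')
}

# 3. Full control for SYSTEM and Administrators (maintenance and restores).
$acl.AddAccessRule((New-Rule 'NT AUTHORITY\SYSTEM'    'FullControl'))
$acl.AddAccessRule((New-Rule 'BUILTIN\Administrators' 'FullControl'))
# 4. The backup account may write new images and rotate old ones.
$acl.AddAccessRule((New-Rule $BackupAccount 'Modify'))
# 5. The day-to-day user can read (and so restore from) the backups, but
#    nothing running as that user can encrypt, overwrite or delete them.
$acl.AddAccessRule((New-Rule $UserAccount 'ReadAndExecute'))

Set-Acl -Path $BackupRoot -AclObject $acl

# 6. Installers kept with the backups: record SHA-256 hashes now, so that
#    after a clean reinstall you can check none were altered before running them.
$installerDir = Join-Path $BackupRoot 'Installers'
$manifest     = Join-Path $BackupRoot 'installers.sha256.csv'
if (Test-Path -Path $installerDir) {
    Get-ChildItem -Path $installerDir -File -Recurse |
        Get-FileHash -Algorithm SHA256 |
        Select-Object Hash, Path |
        Export-Csv -Path $manifest -NoTypeInformation
}

# Re-run this on the rebuilt machine. Returns a list of problems; an empty
# list means every installer is present and matches its recorded hash.
function Test-InstallerManifest([string]$ManifestPath) {
    $problems = @()
    foreach ($entry in Import-Csv -Path $ManifestPath) {
        if (-not (Test-Path -LiteralPath $entry.Path)) {
            $problems += "$($entry.Path): missing"
            continue
        }
        $actual = (Get-FileHash -LiteralPath $entry.Path -Algorithm SHA256).Hash
        if ($actual -ne $entry.Hash) {
            $problems += "$($entry.Path): hash mismatch"
        }
    }
    return $problems
}

if (Test-Path -Path $manifest) {
    Test-InstallerManifest -ManifestPath $manifest
}
```

After running it, `icacls E:\Backups` shows the resulting entries; a quick check is to try creating a file in the folder while logged in as the day-to-day account, which should be refused. The protection only holds under the condition Alejandro85 names: the account used for browsing and email must not be an administrator, because anything running with admin rights can take ownership and rewrite the ACL. The hash manifest lives on the same protected drive, so keep a second copy elsewhere (a printout or another medium) if you want to detect tampering with the manifest itself.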
29 Sep 2016   #6
martinlest

Windows 7 Home Premium SP1 64-bit
 
 

... thanks; will reply properly soon!
30 Sep 2016   #7
martinlest

Windows 7 Home Premium SP1 64-bit
 
 

Thanks for the comments.

Yes, I think that to be sure the PC is clean, a new installation of Windows would be the best route. I have a drive image, so I could perhaps reinstall that, though to be honest I have had problems with Windows 7's own image backup, Norton Ghost and Macrium Reflect in the past, all of which have at some stage thrown up some error/excuse for not being able to restore the image I have made (but that's a whole different issue from the one in this thread..).

I have two PCs and a laptop: one PC is for gaming, the other for photo/video/music editing. Neither has an active email client and I don't browse the internet on them, so I suppose risk of infection is very low. I also back up all the data from them onto an external HDD at regular intervals.

The laptop I use for emails, browsing, internet banking etc., so I suppose it is more at risk. On the other hand, with Mailwasher and my sceptical attitude to unexpected emails with attachments, I think I should be relatively safe (hope this isn't a case of 'famous last words'!). I don't recall the last time I had a virus on any of my PCs... years ago, which I suppose is a good sign.

Even so, I have installed the Malwarebytes anti-Ransomware beta on all my PCs/laptops now, not so much because of the worry of lost data, as for the time and annoyance of having to rebuild everything. And as you say, it's not only user-created files that are encrypted, of course. I see from the Malwarebytes forum that the software has stopped a number of people who get the 'Ransom' pop-up from actually having their files encrypted. But even so, maybe from there a clean reinstall is still the best way to go?

So yes, thanks for the advice. Should I ever get this kind of infection, I'll go down the wipe and reinstall Windows/drive image path, Alejandro.