Ransomware question


  1. Posts : 661
    Windows 7 Home Premium SP1 64-bit
       #1

    Ransomware question


    I hope I am not tempting fate by saying this, but so far I have had no problem, but as it seems to get ever more widespread I thought I'd do something before the possible event rather than have to do it after! I installed Malwarebytes anti-ransomware beta today on all my PCs and am hoping that's a step in the right direction. I already use MailWasher for my email and so delete all less than 99% legitimate-looking emails on the server before they reach me. My worry is going to a legit website with malicious code embedded - has that happened to anyone?

    The question I wanted to ask is this: if you are unlucky enough to get a ransomware attack, but have all your data backed up (say on an external HDD), and maybe a drive image too, how would you go about cleaning the PC of the malware before restoring the backups? Do you delete all the encrypted files and simply replace them with the backup? Is there not a chance that plugging in an external drive with the backup would cause all those files to be encrypted too? Is the ransomware 'vigilant' in that way, or could that only happen if you ran the same file that installed the ransomware in the first place?

    Been Googling this with no real answer to these points; maybe someone here knows how this works...

    Thanks,

    Martin


  2. Posts : 3,772
    win 8 32 bit
       #2

    It depends on the ransomware, but if you have anything connected while it's active, it's likely to jump to external drives and any network drives. Deleting all partitions and formatting will remove it. It's not that hard to remove, as once it's done its job there is nothing left for it to do.


  3. Posts : 10,485
    W7 Pro SP1 64bit
       #3

    Ransomware sometimes comes in with other types of infections - the "how to clean up" steps would vary considerably. Just speaking about ransomware: I've cleaned up after ransomware a few times. Various antivirus tools can remove the file or files that did the encryption - if those files are still around. The bad guys don't want their file analyzed, so they often delete them after the damage has been done.

    Replacing the encrypted files from a backup might be harder than you think. There are too many of them to efficiently replace by hand. The ransomware is encrypting far more than just user created documents, spreadsheets and photos. It also encrypts files needed by some apps to run (e.g. configuration/settings files).

    Re-imaging the entire drive is probably best - but that might not get rid of the additional (non-ransomware) infections.


    > My worry is going to a legit website with malicious code embedded - has that happened to anyone?
    The term "legit" is subjective. Yahoo.com infected lots of users in late 2104 with ransomware. This continued thru most of 2015 and maybe into 2016. https://blog.malwarebytes.com/threat...akes-on-yahoo/


    You might look into installing the free version of CryptoPrevent in addition to the security tools that you already use.


  4. Posts : 10,485
    W7 Pro SP1 64bit
       #4

    Forgot to speak to external drives:

    Sure, an external drive (or network drive) could have its files encrypted. People often put their backup images on external drives. If those files get encrypted, you probably won't be able to use them to restore your computer to its pre-infected state.

    I support some people that keep an external drive connected at all times. Each night, a complete image of the OS and data drives is sent to the external drive. The NTFS permissions on that external drive prevent apps being run by the user from changing the files on the external drive. This is not perfect, but it is the best that I can come up with for these users.


  5. Posts : 2,464
    Windows 7 Ultimate x64
       #5

    martinlest said:
    The question I wanted to ask is this: if you are unlucky enough to get a ransomware attack, but have all your data backed up (say on an external HDD), and maybe a drive image too, how would you go about cleaning the PC of the malware before restoring the backups? Do you delete all the encrypted files and simply replace them with the backup? Is there not a chance that plugging in an external drive with the backup would cause all those files to be encrypted too? Is the ransomware 'vigilant' in that way, or could that only happen if you ran the same file that installed the ransomware in the first place?
    When a virus attacks (or ransomware, or a worm, malware, trojan or whatever crap you want to name them; it's all the same for this purpose, so I'll call it a virus for simplicity), there is only one way to truly be sure to remove it. The security people call it "nuke it from orbit", or more commonly: reformat your computer, reinstall the OS from scratch from known-clean installation media, and then restore any backups you may have.
    The problem with virus infections of any kind is that, once one has successfully run in your system, you have no idea what it actually did, how it can be hiding, or what other things it introduced into the computer, so you can't trust the computer anymore. Doing so carries a very concrete risk of still being infected without you even noticing; a clean install avoids all of that. Plugging in the backup media could infect it too (or the virus could delete or corrupt the backups); the virus might be "vigilant", or it can really do pretty much anything once it controls your computer. Of course each virus is different, and the definitive answer actually depends on the actual virus you have, but since you can't know for sure what it does, the ONLY safe approach becomes the clean install. Your backups will restore the data and the software (which you must also back up, of course, in installer form).

    A more in-depth explanation of the issue is given in these two StackOverflow posts:
    How do I deal with a compromised server?
    How can I remove malicious spyware, malware, adware, viruses, trojans or rootkits from my PC?
    I find this paragraph of particular importance:
    "Lots of people will disagree with me on this, but I challenge they are not weighing consequences of failure strongly enough. Are you willing to wager your life savings, your good credit, even your identity, that you're better at this than crooks who make millions doing it every day? If you try to remove malware and then keep running the old system, that's exactly what you're doing."

    Bottom line: don't bother with antiviruses, "expert" advice to clean, or crap like that; delete the system and start from scratch, plain and simple.
    Discard any images you may have; they can be compromised too. Data backups should often be fine, and you can always verify the integrity of installers (or redownload them if the need arises). An antivirus on the newly built system can also be useful for extra safety.


    martinlest said:
    My worry is going to a legit website with malicious code embedded - has that happened to anyone?
    It's an everyday occurrence! Websites get hacked all the time, vulnerabilities such as XSS and SQL injection appear from time to time, online advertising has become a cancer and loves to inject unknown code in many websites, and phishing can lead you into trusting things you should not. That's why taking good backups and following good security practices is of great importance.


    UsernameIssues said:
    the "how to clean up" steps would vary considerably. Just speaking about ransomware: I've cleaned up after ransomware a few times.
    The solution to a confirmed infection is ALWAYS a clean install. I'm not sure what you did, but if you didn't reformat those systems in the past, there is no way to know they're really clean.


    UsernameIssues said:
    Re-imaging the entire drive is probably best - but that might not get rid of the additional (non-ransomware) infections.
    It's not the best way at all! The system could be compromised at the time of taking the image, and in that case restoring from it would only lead to catching the same nasty again shortly afterwards. You can only be sure of when you noticed the symptoms, not when the infection actually entered the system. Ransomware or non-ransomware is totally irrelevant too; any virus should be treated the same, just blow up everything. But people generally get more angry when they see all their data gone.

    UsernameIssues said:
    I support some people that keep an external drive connected at all times. Each night, a complete image of the OS and data drives is sent to the external drive. The NTFS permissions on that external drive prevent apps being run by the user from changing the files on the external drive. This is not perfect, but it is the best that I can come up with for these users.
    I don't find that approach too bad. Permissions are a very effective security control (which many people discard because they run as a full-time admin), but once properly configured, they can effectively keep viruses out of the backups, if the rest of the system is clean. It's true that keeping the backup drive disconnected makes it immune, but also useless. At some point, the drive must be connected to put new data on it, even for short periods of time, and that time window becomes THE chance for the virus to spread. Permissions help with that too.
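The NTFS-permissions arrangement described in post #4 and endorsed in post #5 (backup drive always connected, but the interactive user's processes cannot modify it), as an added example that is not code from any poster in this thread. It assumes the external drive is E:, the backup folder is E:\Backups, and a separate local account named BackupSvc has already been created for the nightly backup task; it must be run from an elevated PowerShell session.

```powershell
# Added example (not from this thread): restrict a backup folder on an
# always-connected external drive so the everyday user can read but not
# modify it, while a dedicated backup account keeps full access.
# Assumptions: drive E:, folder E:\Backups, local account BackupSvc exists.

$BackupRoot    = 'E:\Backups'
$BackupAccount = "$env:COMPUTERNAME\BackupSvc"   # assumed local account

New-Item -ItemType Directory -Path $BackupRoot -Force | Out-Null

# 1. Drop the ACL inherited from the drive root (which normally lets
#    Authenticated Users create files) and replace it with an explicit,
#    minimal ACL. (OI)(CI) makes each entry apply to files and subfolders
#    created later, so nightly images inherit the same protection.
#    Note: the everyday user must NOT be a member of Administrators, or
#    anything running as that user inherits Full Control here as well.
icacls $BackupRoot /inheritance:r `
    /grant:r 'NT AUTHORITY\SYSTEM:(OI)(CI)F' `
    /grant:r 'BUILTIN\Administrators:(OI)(CI)F' `
    /grant:r "${BackupAccount}:(OI)(CI)F" `
    /grant:r 'BUILTIN\Users:(OI)(CI)RX'

# 2. Print the resulting ACL so it can be reviewed.
icacls $BackupRoot

# 3. Verification from the user's side: a write attempt made by a
#    non-admin user must fail with an access-denied error.
function Test-BackupReadOnly {
    param([string]$Path)
    $probe = Join-Path $Path 'write-probe.tmp'
    try {
        [System.IO.File]::WriteAllText($probe, 'probe')
        Remove-Item $probe -Force
        return $false   # write succeeded: this user could alter backups
    } catch [System.UnauthorizedAccessException] {
        return $true    # access denied, as intended
    }
}
```

Run Test-BackupReadOnly 'E:\Backups' from a non-elevated session logged in as the everyday user; it should return True. The backup job itself must be scheduled to run under BackupSvc (the only non-admin identity with write access), otherwise the nightly image cannot be written.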


  6. Posts : 661
    Windows 7 Home Premium SP1 64-bit
    Thread Starter
       #6

    ... thanks; will reply properly soon!


  7. Posts : 661
    Windows 7 Home Premium SP1 64-bit
    Thread Starter
       #7

    Thanks for the comments.

    Yes, I think that to be sure the PC is clean, a new installation of Windows would be the best route. I have a drive image, so I could perhaps reinstall that, though to be honest I have had problems with Windows 7's own image backup, Norton Ghost and Macrium Reflect in the past, all of which have at some stage thrown up some error/excuse for not being able to restore the image I have made (but that's a whole different issue from the one in this thread...).

    I have two PCs and a laptop: one PC is for gaming, the other for photo/video/music editing. Neither has an active email client and I don't browse the internet on them, so I suppose risk of infection is very low. I also back up all the data from them onto an external HDD at regular intervals.

    The laptop I use for emails, browsing, internet banking etc., so I suppose it is more at risk. On the other hand, with Mailwasher and my sceptical attitude to unexpected emails with attachments, I think I should be relatively safe (hope this isn't a case of 'famous last words'!). I don't recall the last time I had a virus on any of my PCs... years ago, which I suppose is a good sign.

    Even so, I have installed the Malwarebytes anti-Ransomware beta on all my PCs/laptops now, not so much because of the worry of lost data, as for the time and annoyance of having to rebuild everything. And as you say, it's not only user-created files that are encrypted, of course. I see from the Malwarebytes forum that the software has stopped a number of people who get the 'Ransom' pop-up from actually having their files encrypted. But even so, maybe from there a clean reinstall is still the best way to go?

    So yes, thanks for the advice. Should I ever get this kind of infection, I'll go down the wipe and reinstall Windows/drive image path, Alejandro.


Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.
