Crypto-ransomware is a large threat today and is only expected to get worse. The key to its success is the business model employed by many strains and the method of deployment used.
I am infected! Please help!
- Remove your infected machine from the network to prevent spread of the virus.
- Do not panic. You are already infected and your files are already encrypted, so take a breath and decide how you want to settle this issue. Hold off on removing the virus: if you decide to pay the ransom, removing the virus may remove your ability to decrypt the files. Remove it only after deciding on one of the below solutions.
You have several options:
- If you have backups you can just nuke your install and start fresh, but if you are here it can be assumed you do not have backups.
- Try a decrypter, several exist and can be found below:
  - A list of cryptoransomware with known decrypters can be found here
- Pay a company to attempt recovery of your data or pay the ransomer. You need to assess the worth of your data and decide if this option is viable.
- If no decrypter currently exists for your strain you can either set the drive aside or make an image of it to hopefully have a chance at recovering the data at a later date.
- These are the only options, there is no magic way to solve this and there is no way to crack the encryption yourself.
What do I do after?
- Backup your stuff
- Disable macros in Microsoft Office. Much like the previous point, ransomware can also exploit macros in Office to run their malicious payloads.
- Do not open attachments in emails that you are not expecting, see the above two points for why.
- Stay up to date on all OS and application updates, an unpatched system is a vulnerable system.