How to Rescue Your PC From Ransomware


  • 8/22/2019 How to Rescue Your PC From Ransomware


    How to rescue your PC from ransomware

    Eric Geier @eric_geier Jan 13, 2014 3:30 AM

    With the nasty CryptoLocker malware making the rounds, encrypting its victims' files, and then refusing to provide an unlock key unless a payment of $300 is made via Bitcoin or a prepaid cash voucher, ransomware is back in the spotlight.

    You can remove many ransomware viruses without losing your files, but with some variants that isn't the case. In the past I've discussed general steps for removing malware and viruses, but you need to apply some specific tips and tricks for ransomware. The process varies and depends on the type of invader. Some procedures involve a simple virus scan, while others require offline scans and advanced recovery of your files. I categorize ransomware into three varieties: scareware, lock-screen viruses, and the really nasty stuff.

    Scareware

    An example of a fake antivirus app.

    The simplest type of ransomware, aka scareware, consists of bogus antivirus or cleanup tools that claim they've detected umpteen issues, and demand that you pay in order to fix them. Some specimens of this variety of ransomware may allow you to use your PC but bombard you with alerts and pop-ups, while others might prevent you from running any programs at all. Typically these invaders are the easiest type of ransomware to remove.

    Lock-screen viruses


    The Kovter ransomware locks down your computer, displaying a fake notice claiming to be from several government authorities.

    Next is the ransomware variety I call lock-screen viruses, which don't allow you to use your PC in any way. They display a full-size window after Windows starts up, usually with an FBI or Department of Justice logo, saying that you violated the law and that you must pay a fine.

    The really nasty stuff


    Malwarebytes

    CryptoLocker encrypts your files and tosses out the key if you don't hand over bitcoins within a short span of time.

    Encrypting malware, such as CryptoLocker, is the worst variant, because it encrypts and locks your personal files until you pay up. But even if you haven't backed up your files, you may have a chance to recover your data.

    Removing ransomware

    Before you can free your hostage PC, you have to eliminate the hostage taker.

    If you have the simplest kind of ransomware, such as a fake antivirus program or a bogus cleanup tool, you can usually remove it by following the steps in my previous malware removal guide. This procedure includes entering Windows Safe Mode and running an on-demand virus scanner such as Malwarebytes.


    You can find the System Restore settings in your PC's System Properties.

    From there, select Repair Your Computer and press Enter. Next you'll likely have to log on as a user; select your Windows account name.


    Avira's antivirus boot disk in action.

    If you still have no luck after trying Safe Mode and an on-demand scanner, performing a System Restore, and running an offline virus scanner, your last resort is likely to perform a factory restore. Most ransomware isn't that tenacious, however.

    Recovering hidden and encrypted files

    With that out of the way, it's time to repair the damage. If you're lucky, your PC was infected by malware that didn't encrypt your data, but merely hid your icons, shortcuts, and files.

    You can easily show hidden files: Open Computer, press the Alt key, select Tools, and click Folder Options. On the View tab, select Show hidden files, folders, and drives, and then click OK.


    If your data reappears after you elect to show hidden files, that's great, it means there's an easy fix for your woes. Open Computer, navigate to C:\Users, and open the folder of your Windows account name. Then right-click each folder that's hidden, open Properties, uncheck the Hidden attribute, and click OK. Boom! Done.
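    To do the Properties step above across a whole profile at once, here is an added PowerShell example (not from the article or PCWorld); it assumes the hidden items live under the logged-on user's profile ($env:USERPROFILE) and that the knownHidden list covers what Windows hides there on its own.

```powershell
# Added example, not from the article: report every file or folder under a user
# profile that carries the Hidden attribute (what the article has you clear by
# hand in Properties), and optionally clear it. Report-only unless -Fix is given.
param(
    [string]$Root = $env:USERPROFILE,   # assumption: the affected user's own profile
    [switch]$Fix
)

# Items Windows itself keeps hidden in every profile; leave these alone.
$knownHidden = @('ntuser.dat', 'ntuser.dat.log1', 'ntuser.dat.log2', 'ntuser.ini',
                 'desktop.ini', 'thumbs.db', 'AppData')

function Find-HiddenItems {
    param([string]$Path)
    foreach ($item in Get-ChildItem -LiteralPath $Path -Force -ErrorAction SilentlyContinue) {
        # Skip the junctions Windows plants in profiles (My Documents, Application Data ...)
        # so the walk does not loop; AppData is skipped via $knownHidden.
        if (($item.Attributes -band [IO.FileAttributes]::ReparsePoint) -ne 0) { continue }
        if ($knownHidden -contains $item.Name) { continue }
        if (($item.Attributes -band [IO.FileAttributes]::Hidden) -ne 0) { $item }
        if ($item.PSIsContainer) { Find-HiddenItems -Path $item.FullName }
    }
}

$suspect = @(Find-HiddenItems -Path $Root)
"{0} hidden item(s) under {1}" -f $suspect.Count, $Root
$suspect | Format-Table FullName, Attributes -AutoSize

if ($Fix) {
    # File-hiding malware may set System alongside Hidden, which greys out the
    # checkbox in Properties; clear both so the item reappears in Explorer.
    $keep = -bnot ([int][IO.FileAttributes]::Hidden -bor [int][IO.FileAttributes]::System)
    foreach ($item in $suspect) {
        $item.Attributes = [IO.FileAttributes]([int]$item.Attributes -band $keep)
    }
    "Cleared Hidden/System on {0} item(s); scan them before trusting them" -f $suspect.Count
}
```

    Run it once without -Fix to review the list, then with -Fix only once every listed item is one you recognise as your own.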

    If you still can't find your data, and your files really have been malware-encrypted, you're in trouble: Usually it isn't possible to just decrypt or unlock your hostage files, because the decryption key is typically stored on the cybercriminal's server. Some victimized users have reported that some pieces of malware will keep their promise, decrypting and returning your files once you pay


    I am not as positive as you are about not being able to encrypt over an encryption.

    Have you tested this hypothesis? Against cryptolocker?

    Data is data encrypted or not. All those ones and zeros look the same to an encryption engine. I guess it depends on the engine, what it can see and how it does its deed. It's certainly possible what you say is true based on the cryptolocker engine, but keep in mind data is often doubly, even triply encrypted over some network paths.


    I have seen this come up several times over the past year or so. There is a very simple way to get right back to what you are doing. 1. Hit ctrl-alt-del 2. Then tell it to close internet explorer 3. Your virus program can be run by you if you want 4. I have always been able to go right back to the internet without even doing a virus scan. But it is safer to run the virus scan anyway.

    This is useless for those who have ransomware. CTRL ALT DEL will do nothing when ransomware is in effect.

    Yeah, IE is not a virus, that's just your browser, the only way this works is if you actually know the process controlling the virus, and end it, in which case it'll most likely restart itself right away. Killing processes is the least effective way to stop a virus.

    amianvincent

    1/16/2014 08:41 PM

    I've cleaned viruses out that actually deleted the registry entry for the radio button, or checkbox, depending on how you get to showing your hidden files. Had to find, and fix the registry entry controlling the display of the button, then could clean out the infected files that were hidden.

    onin7752

    1/16/2014 07:21 PM

    The absolute best ransomware article PCW has published!

    0What

    1/16/2014 02:09 PM

    Move your documents to a different folder and partition than the default. Keep your OS on a different partition/hard drive, than your programs and documents.

    You can also run and work in a virtual computer.

    The criminals are going for low hanging fruit. They may encrypt C:\My Documents but who cares if that isn't where your documents are.

    321

    1/16/2014 11:07 AM

    Best way to protect data is to partition the HD and use the newly created drive to store all your files. Go to your programs setup, direct it to save files in your new partitioned


    A lot of good info, but there is more you can do. System Restore - Good idea, BUT, you never know when or where you got your virus, so I never recommend this. If you can, SLAVE your hard drive to another PC using a hard drive dock. They are approx $30 - $100 on newegg, depending on connection and how many hard drives you can have docked. Slaving the hard drive and then running a scan through another PC, helps to get rid of the boot viruses that still linger after running a scan from the infected hard drive. Slaving has a higher degree of cleaning.

    I fix PCs for a living, and there is nothing better than a good ol' ... said

    I use to do the same thing, but more as a side job, because I had a full time job and I was going to school full time too. Yes, I was very busy. The best piece of advice I can give is stay away from the free porn. I can't tell you how many systems I've cleaned, because someone picked up Malware and other types of viruses from just watching "FREE" porn from the so called free sites.

    rossyro

    1/16/2014 09:17 AM

    And just where the is our FBI during all these fraudulent transfers?

    salaar

    1/16/2014 09:09 AM

    HowardBillson said: NEVER, NEVER open a ".zip" or ".exe" from an unknown source! That's just an open invitation for disaster.

    The biggest problem with this train of thought is how do you know everyone you know is as diligent about maintaining the PC and security as you are. I cannot tell you how many times I've run into people who should have known better because they worked in the IT field, but they made bad decisions and got their systems infected and it very easily could have affected others.

    So, I don't automatically trust anybody when it comes to computers!

    Woodward

    1/16/2014 07:11 AM

    Keeping your OS and programs updated is essential. I am shocked that there are still computer "gurus" out there telling users not to install updates and patches unless they have looked them over and decided they are useful. Casual users get the idea updates aren't a big deal and forget to check back with the guru who advised them to "hold off" on an update, and their systems go unpatched.

    erx

    1/16/2014 06:59 AM

    Great article. Had to use some of the info once


    atagious said: The only truly safe PC is one that is never turned on.

    A PC can be kept virus free if not allowed access to the internet. You shouldn't have to worry except for any software that may get loaded but if it never sees a network??

    iscoKydd

    1/16/2014 05:24 AM

    How about NOT using an Administrator account


    ayBusuttilePta

    1/13/2014 04:18 PM

    mhambric said: I have seen this come up several times over the past year or so. There is a very simple way to get right back to what you are doing. 1. Hit ctrl-alt-del 2. Then tell it to close internet explorer 3. Your virus program can be run by you if you want 4. I have always been able to go right back to the internet without even doing a virus scan. But it is safer to run the virus scan anyway.

    This is useless for those who have ransomware. CTRL ALT DEL will do nothing when ransomware is in effect.

    nonandon

    1/13/2014 02:20 PM

    Seems overly simplistic but some of the "Lock-screen viruses" identified by the author do not simultaneously affect all user accounts. Therefore if you HAVE another account, simply log into that account after reboot and run your virus software from there.

    I find system restore seldom cures this ailment ...

    atagious

    1/13/2014 12:41 PM

    The only truly safe PC is one that is never turned on.

    reFArmy

    1/13/2014 10:46 AM

    mroel58 said: Linux is your friend

    Up to a point. Apple use to scream, We Don't Get Viruses, but then they got sued and cannot say that. With Steam pushing Linux now, I see more gamers moving over, I maybe one, but with any OS, the more people that move to it, the more the virus/malware makers move to it as well.

    Nothing is truly safe, even offline PCs are not safe.

    memegan81

    1/13/2014 08:37 AM

    Rather than going for Windows System Restore I would like to recommend here the Deep Freeze Restore software & Executable.

    Sometimes ransomware may corrupt your system restore point. So rather than taking a risk you can just try this software, which will be able to solve most of your malware related problems. I'm using this software for the last 3 years. Great tools. And thanks for the information.


    HowardBillson

    1/13/2014 08:05 AM

    NEVER, NEVER open a ".zip" or ".exe" from an unknown source! That's just an open invitation for disaster.

    mroel58

    1/13/2014 07:56 AM

    Linux is your friend

    mhambric

    1/13/2014 05:53 AM

    I have seen this come up several times over the past year or so. There is a very simple way to get right back to what you are doing.

    Hit ctrl-alt-del

    Then tell it to close internet explorer

    Your virus program can be run by you if you want

    I have always been able to go right back to the internet without even doing a virus scan. But it is safer to run the virus scan anyway.

    reFArmy

    1/13/2014 05:51 AM

    A lot of good info, but there is more you can do.

    System Restore - Good idea, BUT, you never know when or where you got your virus, so I never recommend this.

    If you can, SLAVE your hard drive to another PC using a hard drive dock. They are approx. $30 - $100 on newegg, depending on connection and how many hard drives you can have docked.

    Slaving the hard drive and then running a scan through another PC, helps to get rid of the boot viruses that still linger after running a scan from the infected hard drive. Slaving has a higher degree of cleaning.

    Encrypt your hard drive. If you have Win7 PRO, Win7 Ultimate, or Win8 PRO, you get BitLocker for FREE. Now, you will need to enter a PIN everytime you log into your PC and you will NEED to setup a recovery key, BUT encrypting ... viruses cannot encrypt over an encryption.

    When in doubt, ALWAYS see IT professionals that you TRUST. You can go to Crossloop.com and find professionals that will do as much as they can remotely for you and are normally cheaper than Geek Squad. BUT, you may need someone, so always build a relationship with someone that deals in IT all the time. Hobbyists may not be on top of the latest info and software. I should know, I was a hobbyist turned professional.

    oimo2

    1/13/2014 05:04 AM
