How to Recover From a Ransomware Attack

  1. Shut down all PCs on the network.
  2. Disconnect the LAN/Ethernet cable from every PC so that no machine has a LAN or internet connection.
  3. A PC is infected by ransomware if the files on it are encrypted and cannot be opened.
  4. One by one, connect each PC to the internet, update the virus definitions of Windows Defender (or your anti-virus software) and run a full scan.
  5. Take note of the date and time at which the files were encrypted on each PC.
  6. The PC whose encrypted files carry the earliest date and time is the first PC to have been infected.
  7. On another clean PC that is not connected to the LAN, run a full scan of the backup files and the Windows image files created by Windows Backup.
    1. If you have no backup of your files and no recent Windows image from before the attack, then recovering from the ransomware attack is impossible.
  8. Once the backup files have been scanned and confirmed clean, copy all backup files and the Windows image onto a separate external hard disk.
    1. In case the backup files and Windows image files become infected during the restore, you still have a backup copy.
  9. After all PCs have been scanned and cleaned by Windows Defender (or any anti-virus software), one by one:-
    1. restore each PC from a Windows image dated earlier than the ransomware attack;
    2. run Windows Update to install all Windows security updates (KB);
    3. use Windows Defender (or any anti-virus software) to run a full scan to ensure there is no trace of ransomware after Windows has been restored;
    4. then finally restore all files that were encrypted by ransomware from Windows Backup.
  10. DO NOT connect all PCs to the LAN at the same time.
  11. One by one, connect each PC to the LAN and internet and monitor whether any files become encrypted. If none do, connect the next PC to the LAN. Repeat until all PCs are connected to the LAN and internet.
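The following PowerShell script is an added example for the recovery steps above; it is not part of the original guide. It covers step 4 (update Windows Defender and run a full scan), steps 5-6 (find the earliest write time among files that look encrypted, so the timestamps from each PC can be compared) and step 11 (watch a set of canary files while PCs are reconnected one at a time). It assumes the built-in Defender PowerShell module on Windows 10/11; the scan root `C:\Users`, the file-name pattern `*.locked` and the shared-folder paths are placeholders that must be replaced with what was actually observed on the infected PCs.

```powershell
# Added example (not from the original guide). Assumes the Defender module
# (Update-MpSignature, Start-MpScan, Get-MpThreatDetection) is available.

# Step 4: pull the latest definitions, run a full scan, then list detections.
function Invoke-DefenderFullScan {
    Update-MpSignature                      # needs internet for this one PC
    Start-MpScan -ScanType FullScan         # blocks until the scan completes
    Get-MpThreatDetection |
        Select-Object InitialDetectionTime, ProcessName, Resources |
        Format-Table -AutoSize
}

# Steps 5-6: earliest write time among files that match the name pattern the
# ransomware left behind. The pattern is an assumption; use the extension or
# name the encrypted files actually carry on the infected PC.
function Get-EarliestSuspectFile {
    param(
        [string]$Root = 'C:\Users',            # assumed scan root
        [string]$SuspectPattern = '*.locked'   # placeholder, replace with the observed pattern
    )
    $hits = @(Get-ChildItem -Path $Root -Recurse -File -Filter $SuspectPattern -ErrorAction SilentlyContinue)
    if ($hits.Count -eq 0) { return $null }
    $earliest = $hits | Sort-Object LastWriteTime | Select-Object -First 1
    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        SuspectCount  = $hits.Count
        EarliestWrite = $earliest.LastWriteTime   # compare this value across PCs
        EarliestPath  = $earliest.FullName
    }
}

# Step 11: a canary is an ordinary text file placed in each shared folder.
# If its hash changes or it disappears while a PC is being reconnected,
# something on the LAN is still rewriting files.
function New-Canary {
    param([string[]]$Folders)
    foreach ($f in $Folders) {
        $p = Join-Path $f 'canary-do-not-edit.txt'
        Set-Content -Path $p -Value ("canary " + (Get-Date -Format o)) -Encoding ASCII
        [pscustomobject]@{ Path = $p; Hash = (Get-FileHash -Path $p -Algorithm SHA256).Hash }
    }
}

function Watch-Canary {
    param(
        [object[]]$Canaries,           # output of New-Canary
        [int]$Minutes = 30,            # how long to watch after connecting one PC
        [int]$IntervalSeconds = 15
    )
    $deadline = (Get-Date).AddMinutes($Minutes)
    while ((Get-Date) -lt $deadline) {
        foreach ($c in $Canaries) {
            if (-not (Test-Path $c.Path)) {
                Write-Warning "Canary missing: $($c.Path)"; return $false
            }
            $now = (Get-FileHash -Path $c.Path -Algorithm SHA256).Hash
            if ($now -ne $c.Hash) {
                Write-Warning "Canary changed: $($c.Path)"; return $false
            }
        }
        Start-Sleep -Seconds $IntervalSeconds
    }
    return $true   # no canary was touched during the watch window
}

# Usage (paths are assumptions):
# Invoke-DefenderFullScan
# Get-EarliestSuspectFile -SuspectPattern '*.locked'
# $canaries = New-Canary -Folders 'D:\Shared\Finance', 'D:\Shared\Sales'
# if (-not (Watch-Canary -Canaries $canaries)) { 'Disconnect the PC that was just added to the LAN' }
```

Run `Get-EarliestSuspectFile` on every PC and keep the `EarliestWrite` values together; the smallest one identifies the first infected machine (step 6). `Watch-Canary` returning `$false` means the PC that was just connected should be taken off the LAN again and re-scanned before the next one is added.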

 

PREVENTION

  1. Usually, ransomware arrives as an e-mail attachment; if e-mail has been identified as the entry point of the attack, then change the e-mail address.
  2. Enable e-mail redirection of non-spam mail to the new e-mail address.
  3. Delete the old e-mail address that is constantly targeted by spammers once all customers, suppliers, etc. have been notified of the new e-mail address.
  4. Configure the e-mail client, e.g. Thunderbird:-
    1. NOT to download or retrieve the full contents of every e-mail;
    2. to download e-mail without attachments, or only the e-mail headers;
    3. to download the full message with attachments only if the e-mail is from a known sender.

 

BACK-UP

  1. Create a backup policy that backs up files and the Windows image to these locations:-
    1. an external hard disk connected to the LAN;
    2. cloud or web hosting reached via the internet;
    3. a removable external hard disk that is NOT connected to the LAN or internet.
  2. Back up all files using Windows Backup on a daily basis to the external hard disk connected to the LAN.
  3. Save a Windows image using Windows Backup on a weekly or daily basis to the external hard disk connected to the LAN.
  4. Back up all files on the external hard disk to the cloud (Dropbox, OneDrive, etc.) or to a web hosting server via the internet.
  5. Back up all files on the LAN-connected external hard disk to the removable external hard disk that is disconnected from the LAN and internet.
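The script below is an added example of the backup policy in this section, written in PowerShell; it is not part of the original guide. It implements the daily file backup to the LAN disk (item 2), the weekly system image via `wbadmin`, the command-line front end of Windows Backup (item 3), and the copy to the removable disk that is only attached for the copy (item 5); the cloud copy (item 4) is left to the cloud client. All paths (`D:\Data`, `\\nas\backup`, `E:\backup`, `C:\Scripts\backup.ps1`) and the 14-day retention window are assumptions. It goes one step beyond the text in one respect: each daily run lands in a new dated folder rather than overwriting a single mirror, because a plain mirror would replace the good copies with encrypted ones on the first run after an infection.

```powershell
# Added example (not from the original guide). Save as C:\Scripts\backup.ps1
# (assumed path) and run once with -Register as Administrator.
param(
    [switch]$Files,     # daily: source files -> dated folder on the LAN disk
    [switch]$Image,     # weekly: system image -> LAN disk
    [switch]$Offline,   # manual: latest LAN copy -> removable disk, when plugged in
    [switch]$Register   # one-off: create the scheduled tasks
)

$Source      = 'D:\Data'               # assumed data folder
$LanFiles    = '\\nas\backup\files'    # location 1: external disk on the LAN
$LanImage    = '\\nas\backup\image'
$OfflineDisk = 'E:\backup'             # location 3: removable disk, normally unplugged
$KeepDays    = 14                      # dated copies to retain on the LAN disk

# Item 2: copy into a new dated folder each day and prune old ones.
function Backup-FilesToLan {
    $dest = Join-Path $LanFiles (Get-Date -Format 'yyyy-MM-dd')
    $log  = "$dest.log"
    robocopy $Source $dest /E /FFT /R:2 /W:5 /NP /LOG:$log | Out-Null
    $ok = $LASTEXITCODE -lt 8            # robocopy: 0-7 success, 8 and above failure
    Get-ChildItem -Path $LanFiles -Directory |
        Where-Object { $_.Name -match '^\d{4}-\d{2}-\d{2}$' -and
                       [datetime]$_.Name -lt (Get-Date).AddDays(-$KeepDays) } |
        Remove-Item -Recurse -Force
    return $ok
}

# Item 3: weekly system image of all critical volumes.
function Backup-SystemImage {
    wbadmin start backup "-backupTarget:$LanImage" -allCritical -quiet | Out-Null
    return ($LASTEXITCODE -eq 0)
}

# Item 5: copy the newest dated folder to the removable disk. Runs only when the
# disk is present, so it can stay unplugged (and unreachable from the LAN) otherwise.
function Backup-ToOfflineDisk {
    if (-not (Test-Path $OfflineDisk)) { Write-Warning 'Removable disk not attached'; return $false }
    $latest = Get-ChildItem -Path $LanFiles -Directory | Sort-Object Name | Select-Object -Last 1
    robocopy $latest.FullName (Join-Path $OfflineDisk $latest.Name) /E /FFT /R:2 /W:5 /NP | Out-Null
    return ($LASTEXITCODE -lt 8)
}

# Verify a random sample of today's copy against the source, so a backup that
# silently failed (or was itself encrypted) is noticed before it is needed.
function Test-BackupSample {
    param([int]$SampleSize = 20)
    $dest  = Join-Path $LanFiles (Get-Date -Format 'yyyy-MM-dd')
    $files = Get-ChildItem -Path $Source -Recurse -File | Get-Random -Count $SampleSize
    foreach ($f in $files) {
        $copy = Join-Path $dest $f.FullName.Substring($Source.Length)
        if (-not (Test-Path $copy)) { return $false }
        if ((Get-FileHash $f.FullName).Hash -ne (Get-FileHash $copy).Hash) { return $false }
    }
    return $true
}

# One-off registration of the daily and weekly tasks.
function Register-BackupTasks {
    $script = 'C:\Scripts\backup.ps1'   # assumed location of this script
    $daily  = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument "-NoProfile -File $script -Files"
    $weekly = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument "-NoProfile -File $script -Image"
    Register-ScheduledTask -TaskName 'Backup-Files-Daily' -Action $daily -RunLevel Highest -Force `
        -Trigger (New-ScheduledTaskTrigger -Daily -At '22:00')
    Register-ScheduledTask -TaskName 'Backup-Image-Weekly' -Action $weekly -RunLevel Highest -Force `
        -Trigger (New-ScheduledTaskTrigger -Weekly -DaysOfWeek Sunday -At '23:00')
}

if ($Files)    { $ok = Backup-FilesToLan; if ($ok) { $ok = Test-BackupSample }; "files backup ok: $ok" }
if ($Image)    { "image backup ok: $(Backup-SystemImage)" }
if ($Offline)  { "offline copy ok: $(Backup-ToOfflineDisk)" }
if ($Register) { Register-BackupTasks }
```

The removable-disk copy is deliberately not scheduled: plug the disk in, run the script with `-Offline`, then unplug it, so that there is always one copy no machine on the LAN can reach. The scheduled tasks run with highest privileges because `wbadmin` and writes to the dated folders require them.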