Your options may be few, unless you’re lucky or prepared
That was a question I received in my morning email from a friend.
While there are a few straws to grasp at, the news is really not good. The whole point of ransomware is that there’s no easy, simple way to undo the damage. If there were, ransomware wouldn’t be a thing.
I’ll look at the few options you have, and then at how preparing before ransomware strikes can give you peace of mind.
Ransomware is malware that encrypts your files, making them unusable. They promise to decrypt the files if you pay a fee (or ransom). You may get lucky and find decryption keys for the ransomware you face in a public collection, but it’s unlikely. Backing up properly is the only sure-fire way to be able to recover from ransomware, next to avoiding it in the first place.
Encrypted by ransomware
Ransomware is a specific type of malware. It encrypts your files so you’re unable to access or use them, and then offers to decrypt them if you pay the ransom.
Unfortunately, the technology used — “public key encryption” — is generally good. It’s the same encryption technology you and I use to keep our data secure and our internet conversations private.
When done right, a file encrypted using public-key cryptography is essentially unrecoverable, unless you have the matching private key.
And needless to say, the hackers do it right. It’s essentially impossible to decrypt files encrypted by ransomware without their private key.
Ransomware private key collections
As the threat and impact of ransomware have grown, security pros and authorities have been working to track down the hackers and take down their operations. On occasion, they succeed, and that specific ransomware threat is stopped.
When this happens, the private keys the hackers had are sometimes, though not always, discovered, and made available to the public.
The No More Ransom Project maintains a database of known ransomware keys. Quoting their site:
… it is sometimes possible to help infected users to regain access to their encrypted files or locked systems without having to pay. We have created a repository of keys and applications that can decrypt data locked by different types of ransomware.
I’ve emphasized the word “sometimes” on purpose. There are no guarantees. In fact, in my experience, “sometimes” should really be “on rare occasions”.
If your files are encrypted by ransomware, that’s a straw worth grasping. In fact, if you haven’t prepared ahead of time, it’s really your only option.
Cures for ransomware
The best possible cure is to avoid having your files encrypted by ransomware in the first place. That means using the internet safely and all that entails. Avoid malware, phishing schemes, and all the other ways that hackers get ransomware onto your machine.
The second best cure is to have a backup. If you find your computer afflicted with ransomware and your files encrypted, restoring them from a backup is the only 100% reliable recovery method.
And since ransomware can, in some (fortunately infrequent) cases, even encrypt your backups, you need to understand and plan for a robust solution that allows you to recover. Normally this means automated daily backups and periodically making an offline copy, out of ransomware’s reach.
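As an added example (not from the original article), here is a small Python check for the case just described, where ransomware reaches the backups themselves: it records a hash manifest of a trusted backup copy, then flags files that have since changed to high-entropy (encrypted-looking) content, gone missing, or appeared out of nowhere. The file names, the sample contents and the entropy threshold are my own assumptions.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter

ENTROPY_THRESHOLD = 7.5  # bits per byte; ordinary documents rarely come close to this


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the data; encrypted or compressed content approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_manifest(root: str) -> dict:
    """Map each relative path under root to its SHA-256 (taken while the copy is trusted)."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as f:
                manifest[os.path.relpath(full, root)] = hashlib.sha256(f.read()).hexdigest()
    return manifest


def audit_backup(root: str, manifest: dict) -> dict:
    """Compare the backup tree against the manifest; report what a ransomware hit would leave."""
    findings = {"changed_high_entropy": [], "missing": [], "added": []}
    current = build_manifest(root)
    for rel, digest in manifest.items():
        if rel not in current:
            findings["missing"].append(rel)
        elif current[rel] != digest:
            with open(os.path.join(root, rel), "rb") as f:
                if shannon_entropy(f.read()) > ENTROPY_THRESHOLD:
                    findings["changed_high_entropy"].append(rel)
    findings["added"] = sorted(set(current) - set(manifest))
    return findings


def demo() -> dict:
    """Constructed scenario: a one-file backup, later overwritten with random bytes plus a new note."""
    with tempfile.TemporaryDirectory() as root:
        doc = os.path.join(root, "notes.txt")
        with open(doc, "w") as f:
            f.write("quarterly report draft\n" * 200)
        manifest = build_manifest(root)           # snapshot taken while the copy is known good
        with open(doc, "wb") as f:
            f.write(os.urandom(4096))             # stands in for ciphertext written over the original
        with open(os.path.join(root, "README.locked"), "wb") as f:
            f.write(b"constructed stand-in for a ransom note")
        return audit_backup(root, manifest)
```

Run the manifest step against an offline copy you trust, and the audit step before you ever rotate or overwrite that copy; an empty set of findings is the result you want.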
Recovering from ransomware
By far, the simplest, fastest, most reliable solution to recovering files encrypted by ransomware is to restore them from a backup taken before the ransomware took hold. You restore the backup image of your entire machine to its state prior to the infection, and it’s as if the ransomware never happened.
Hopefully, once restored, you’ll know not to do whatever it was that caused the infection in the first place.
If you don’t have a complete image backup of your machine, but you do have a backup of your data, recovery is possible, albeit somewhat more work. I recommend that you:
- Take an image backup of the infected machine. This is to preserve a copy of the machine in its current state, in case it becomes necessary to recover something from it in the future.
- Wipe the machine and install Windows from scratch.
- Install your applications from scratch.
- Restore your data.
If you have no backup of your data, things are significantly more dire.
Decrypting ransomware-encrypted files
Which leaves the ultimate question: should you pay?
First, let’s be clear: these are criminals you’re thinking of dealing with. There’s no guarantee they’ll follow through, should you elect to make payment. It could be the equivalent of simply throwing your money away.
Or … it could recover your files.
Only you can decide whether or not to pay criminals the ransom.
My position is: don’t. Doing so only encourages their criminal enterprise, and puts even more people at risk of finding their files encrypted by ransomware.
Instead, learn from the experience. Most importantly, start backing up so this never has to happen to you again.
Footnotes & References
1: Of course, you may believe that the NSA or other government agencies might feel otherwise. I don’t, but it doesn’t matter: they’re not going to help you here anyway.