Cryptors: emergency measures to save business data

Theoretically, every business should have already learned how to protect itself against ransomware. Actually it’s not the case.

We have all been talking about ransomware for some time now. Theoretically, every business should have already learned how to protect itself against this type of threat. However, we continue to see new threads appearing on specialized sites where people request help with decoding the files affected by some cryptor. And the number of people and companies hit by these malicious programs keeps growing, too.

Moreover, it is mostly small and medium-size businesses at risk. Criminals are well aware that cybersecurity issues are seldom a priority for small business managers. At the same time, small and midsize companies may have enough money to draw cybercriminals’ interest.

So, let us suppose your company has had the misfortune of contractingransomware. What urgent measures should you take to minimize the damage to your business without missing a step?

1. Diagnose the state of emergency

Ransomware has several obvious symptoms. Upon system infection, most popular files fail to open — documents, images, and so forth. All or almost all folders teem with txt/html/hta/bmp/png files carrying such eloquent names as help_decrypt, recover, and the like. Those files contain the demands of the criminals — the ransom note.

Some cryptors change file extensions (VVV, XXX, ABC, etc.), but others do not.

Sometimes the Windows desktop wallpaper is changed and replaced with an image containing the criminals’ demands. Sometimes the malware blocks access to the system completely, and the preboot screen displays the ransom note.

If you are very lucky, you may see the malware “working,” and that is when you may be able to stop the encryption before it’s complete. In that case you’re going to need…

2. Quarantine and anesthesia

Immediately isolate the attacked system: Disconnect it from the local network and unplug the computer. There is a chance that the malware has not yet spread to other machines. However, you may have to unplug and disconnect all workstations and servers from the network at once.

Why unplug? Well, it’s the only surefire way to prevent the cryptor from working and ruining all of the files on your computer.

It is worth noting that the new version of Kaspersky Security for Windows Server includes a component called “Protection from encryption.” It employs heuristic detection to stop network-based attempts to encrypt data on the server. As soon as such an attempt is detected, the infected computer is instantly blocked from accessing shared folders on the server.

3. Surgery

OK, so you’ve unplugged the affected system. Now comes the task of getting access to its disk without compromising other machines.

The procedure is simple: Remove the drive and prepare to connect it to another machine — but first, disable autorun on the computer that you are about to connect the drive to. Also, you will need a file manager other than the standard Windows Explorer to see the drive’s contents.

You should certainly not run anything on the infected system. Using a virtual machine might be a good idea, too, as an additional safety measure.

Copy all of the files you need from the infected drive. Do not rush to uninstall the operating system and format the drive. There have been some cases when artifacts helped to decode files.

Another option is to start up an infected system with the help of a Kaspersky Rescue Disk.

In any case, your next step is contacting experts, who will find out what, exactly, you are dealing with.


4. Diagnosis

Eventually, experts should analyze the malware. Kaspersky Lab’s support team has already defined the most common varieties of ransomware. Anything more exotic will go to our virus analysts for investigation.

5. Medication

The likelihood of regaining access to the encrypted data greatly depends on getting an exact diagnosis. Many pieces of malware today use strong cryptosystems, so decoding them is improbable without the key from the cybercriminals.

However, some ransomware uses less-powerful algorithms or contain errors that allow the recovery of encrypted files without having to pay the ransom. If it’s at all possible to restore the original data, Kaspersky Lab deploys data recovery utilities such as ScatterDecryptor and RannohDecryptor.

Even when decryption is  not possible, there’s still a chance you can get your data back. For example, files processed by the third and fourth versions of TeslaCrypt did not yield to decoding at all — but then, for some reason, the creators of the malware suddenly ceased their operations and published a master key that can be used to decrypt all files encrypted by TeslaCrypt. That was a unique case, though. You shouldn’t count on criminals suddenly growing a conscience.

If the “medicine” already exists that enables you to restore the data, that’s very good news. If not, then you’re down to two options:

  1. The “blood transfusion” — aka recovering the data from backup storage. That’s assuming you have a backup.
  1. “Cryonics,” or putting the encrypted data away for an indefinitely long time. There is always a tiny, but real, chance that we will discover technical means to crack the encryption — or that the attackers will be found and jailed, and their master keys made public.

In the latter case, we aren’t talking about promptly restoring access to the data, unfortunately.

6. Preventive measures

The best modus vivendi, of course, is implementing security solutions that protect your company’s workstations and servers from all kinds of cyberthreats, including ransomware. And we cannot stress enough the importance of regular data backup.

We’ll talk about this in more depth next time.