My laptop got infected with ransomware, files got encrypted and it tells me to pay to them.

As I know I have a few options:

  • Pay the ransom and hope the cybercriminals keep their word and decrypt the data.
  • Try to remove the malware using available tools.
  • Reset the computer to factory settings.

I'm not going to pay and wonder, what is the proper way to start getting my data back?

  1. Should I first try to use a ransomware decryption tool? Does it even work? I guess it will take much time, right?
  2. If I try to remove the ransomware, can I still use a ransomware decryption tool afterwards, or will I make the data unusable? Does that mean that if I want to get my data back I mustn't remove the virus?
  3. What free tool do you recommend, or any paid software?

Thanks

George G.
  • Generally call the police first, then you can try to decompile the virus and check how it encrypts your data in order to decrypt it - there is no software that will do it for you – Flash Thunder Jan 04 '22 at 11:40
  • *Never pay the ransom.* If they can't make money out of it they'll stop doing it eventually. First: stop using that machine. For a few ransomwares the keys have escaped into the public domain; the majority haven't. Google the specific ransomware or file extension. Otherwise, nuke & pave, then restore from your last good backup. Nothing on that machine is recoverable or re-usable. – Tetsujin Jan 04 '22 at 11:45
  • @FlashThunder Do you actually think a random person on the internet who asks a question such as this has the skills to reverse engineer ransomware before the ransom timer runs out? – gronostaj Jan 04 '22 at 11:45
  • Option #4 is to haggle. Oftentimes criminals will accept a lower ransom if you can convince them that you can't afford the full amount. It still sucks, but at least it's cheaper (and you get your data back or not, but at least you're burning less money). This is also a good opportunity to figure out your backup strategy. It's cheaper. – gronostaj Jan 04 '22 at 11:51
  • The only way those tools will work is if there was a flaw in the ransomware itself that resulted in the leak of the key required to decrypt your key. The key was either leaked, allowing a white hat hacker to release a tool, or it wasn't, which means you either pay the fee or restore from a cold backup. Those are your only choices in a case like this – Ramhound Jan 04 '22 at 12:14
  • What about question 2 - If I try to remove the ransomware, can I still use a ransomware decryption tool afterwards, or will I make the data unusable? Does that mean that if I want to get my data back I mustn't remove the virus? – George G. Jan 04 '22 at 12:16
  • @GeorgeG. - If you remove the infection, your only choice is a format and restore from backup – Ramhound Jan 04 '22 at 12:17
  • You're still assuming there is a decryption tool. There most probably isn't. Don't pay the attackers. – Tetsujin Jan 04 '22 at 12:50

1 Answer

Pay the ransom and hope the cybercriminals keep their word and decrypt the data.

It is generally considered to be a bad idea to pay the ransom: (a) there is no reason to believe you will get your data back, and (b) payment promotes more ransomware by criminals.

Try to remove the malware using available tools.

"Decent" encryption of files cannot be broken by available tools. Try, but there is little chance of success.

Reset the computer to factory settings.

This is the best approach. Starting fresh removes the virus. Then restore data from a backup that was not corrupted by the virus.

John
  • _"It is generally considered to be a bad idea to pay ransom"_ - by whom? Can you back this up with reputable sources? _"Then restore data from a backup […]"_ - I'm afraid there's a false premise here that makes this approach unavailable. – gronostaj Jan 04 '22 at 11:54
  • Reasonable source: https://www.nbcnews.com/nightly-news/security-experts-you-should-never-pay-ransomware-hackers-n299511 .... I would put "don't pay ransom" in the body of common knowledge at this point. – John Jan 04 '22 at 12:21
  • I know what you mean, but here's a quote from the same article: _"The sheriff's office had no choice but to pay the ransom to get back access to its files, said Detective Jeff McCliss. «It really came down to a choice between losing all of that data and being unable to provide the vital services […]»"_. Unfortunately criminals know very well that oftentimes losing the files is not an option - often enough to make this scheme profitable and worth the risk. Saying "don't pay the ransom" is not helpful if there are no alternatives. – gronostaj Jan 04 '22 at 12:32
  • @gronostaj - I can see where you're coming from - but if an official govt department hasn't figured out yet what backups are for, there's little hope. Whoever runs/ran their IT, I hope, will never work in the industry again. – Tetsujin Jan 04 '22 at 12:53
  • I think that if you pay the ransom they should decrypt your files, as it allows them to redo the same thing again, knowing that the user paid; it is also profitable for them to give your files back. If they don't give the files back then you won't pay again. So saying that you mustn't pay the attackers is only good for preventing the spread of ransomware attacks. If you don't pay, there is no chance (very low, I think) that you get your files. So generally, if the data is important it is worth paying or talking to the attacker, but it isn't good for fighting cyber-crime of course. – George G. Jan 04 '22 at 14:10
  • George - they're not running this as a legitimate business to get customers coming back for more because they were so pleased with the service last time. They don't give a monkey's if you get your data back. They only want your money. If people keep paying, they'll keep doing it. There are 7 billion people on this planet - they don't need a particularly high success rate to make it profitable. – Tetsujin Jan 04 '22 at 14:55