How to remove ransomware: Use this battle plan to fight back
A combination of common sense, backup, proactive protection, and automated removal tools is a solid defense against the growing scourge of ransomware, even the recent Petya attacks.
By Mark Hachman
PCWorldJun 28, 2017 9:43 am PDT
Ransomware doesn’t sneak into your PC like ordinary malware. It bursts in, points a gun at your data, and screams for cash—or else. And if you don’t learn to defend yourself, it could happen again and again, as the Petya (or NotPetya) outbreak is demonstrating.
A form of ransomware similar to a piece of malware called Petya has attacked the Ukraine and other sites around the globe, encrypting files until a ransom has been paid. Researchers, though, have moved quickly to block the spread of the ransomware, also known as Petrwrap, exPetr, Petna, and SortaPetya. There’s no real way to remove the Petya ransomware, but researchers have come up with a way to “immunize” your PC, and malware companies are already working to block it.
Petya is the second major ransomware outbreak in the last two months, following WannaCry, which appeared to leverage software the National Security Agency developed, and was then turned into malware. It struck the U.K. National Health Service and several other banks and organizations.
Armed gangs of digital thieves roaming the information superhighway sounds like an overwrought action movie, but the numbers say it’s true: Ransomware attacks rose from 3.8 million in 2015 to 638 million in 2016, an increase of 167 times year over year, according to Sonicwall—even as the number of malware attacks declined. Why steal data when you can simply demand cash?
For the first time ever, the reent RSA security conference in San Francisco held a comprehensive one-day seminar on ransomware, detailing who’s being attacked, how much they’re taking—and, more importantly, how to block, remove and even negotiate with the crooks holding your data hostage. We came away with a trove of information that you can use to formulate an anti-ransomware strategy.
Preparing for Petya
According to BleepingComputer.com, the Petya / NotPetya / KindaPetya ransomware won’t actually encrypt your PC’s files if it discovers the presence of a particular local file, known as “perfc”. Fortunately, if you create that file, Petya won’t run.
BleepingComputer goes into exactly how to create the perfc file (basically, making a copy of notepad.exe, renaming it perfc, and then making it read-only) and also includes a link to a batch file that will do it for you. Fortunately, manually creating the perfc file should take you all of a minute, though the batch file does create an associated .dat and .dll file to provide some added assurances that Petya won’t infect your PC.
Ransomware hits you where it hurts—so prepare
Three years ago, my wife’s computer was invaded by ransomware, imperiling baby photos, tax documents, and other personal data. My heart sank: Would we have to pay out hundreds of dollars to avoid losing our entire digital lives? Thank goodness, no—because we had already taken most of the steps that the experts recommend.
The first step: Understand your enemy. According to Raj Samani, the chief technology officer of Intel Security’s EMEA business, there are over 400 families of ransomware in the wild—even some for Mac OS and Linux. A survey by Datto found that CryptoLocker, which hunts down and imprisons your personal documents via time-locked encryption, was by far the most prevalent. But they vary. One took over a victim’s webcam and caught embarrassing footage, threatening to post it online, according to Jeremiah Grossman, chief of security strategy at SentinelOne.
A few common-sense habits can help mitigate your exposure to malware and ransomware, experts say:
Keep your PC up to date via Windows Update. WannaCry doesn’t even try to attack Windows 10, choosing instead Windows XP and other older Windows operating systems.
Ensure you have an active firewall and antimalware solution in place. Windows Firewall and Windows Defender are barely adequate, and a good third-party antimalware solution is far better. WannaCry patches are already available, however, even for Windows 8 and Windows XP.
Don’t rely on antimalware to save you, however. Experts speaking at the RSA session reminded attendees that antivirus companies were only just getting around to addressing ransomware, and their protection isn’t guaranteed.
Ensure that Adobe Flash is turned off, or surf with a browser, like Google Chrome, that turns it off by default.
Turn off Office macros, if they’re enabled. (In Office 2016, you can ensure they’re off from the Trust Center > Macro Settings, or just type “macros” in the search box at the top, then open the “Security” box.)
Don’t open questionable links, either on a webpage or especially in an email. The most common way you’ll encounter ransomware is by clicking on a bad link. Worse still, about two-thirds of the infections that Datto tracked were on more than one machine, implying that infected users forwarded the link and exposed more people.
Likewise, stay out of the bad corners of the Internet. A bad ad on a legitimate site can still inject malware if you’re not careful, but the risks increase if you’re surfing where you shouldn’t.
For dedicated antimalware protection, consider Malwarebytes 3.0, which is advertised as being capable of fighting ransomware. RansomFree has also developed what it calls anti-ransomware protection. Typically, however, antimalware programs reserve anti-ransomware for their paid commercial suites. You can download free anti-ransomware protection like Bitdefender’s Anti-Ransomware Tool, but you’re protected from only four common variants of ransomware. Kaspersky also claims that it can block Petya or Petrwrap (or whatever it ends up being called) by simply rolling back changes via its System Watcher component.
A good, but not perfect, defense: Backup
Ransomware encrypts and locks up the files that are most precious to you—so there’s no reason to leave them vulnerable. Backing them up is a good strategy.
Take advantage of the free storage provided by Box, OneDrive, Google Drive, and others, and back up your data frequently. (But beware—your cloud service may back up infected files if you don’t act quickly enough.) Better yet, invest in an external hard drive—a Seagate 1TB external hard drive is only $55 or so—to add some less-frequently accessed “cold storage.” Perform an incremental backup every so often, then detach the drive to isolate that copy of your data. (CIO.com has some additional backup advice to help defeat ransomware, as does our earlier story.)
If you are infected, ransomware may allow you to see exactly which files it’s holding hostage via File Explorer. One clue may be ordinary .DOC or .DOCX files with strange extensions attached. Ondrej Vlcek, the chief technical officer of Avast, offered an unintuitive piece of advice: If the ransomware isn’t time-locked, and you don’t need the files right away, consider leaving them alone. (Work on another PC, though.) It’s possible that your antivirus solution may be able to unlock them later as it develops countermeasures.
Backup isn’t foolproof, however. For one thing, you may need to research how to back up saved games and other files that don’t fit neatly into “Documents” or “Photos.” Ditto for utilities and other custom apps.
What to do if you’re infected by ransomware
How do you know you have ransomware? Trust us, you’ll know. Ransomware like the busted Citadel ring “warned” that your PC was associated with child pornography, and the imagery associated with most ransomware is designed to invoke stress and fear.
Don’t panic. Your first move should be to contact the authorities, including the police and the FBI’s Internet Crime Complaint Center. Then ascertain the scope of the problem, by going through your directories and determining which of your user files is infected. (If you do find your documents now have odd extension names, try changing them back—some ransomware uses “fake” encryption, merely changing the file names without actually encrypting them.)
The next step? Identification and removal. If you have a paid antimalware solution, scan your hard drive and try contacting your vendor’s tech support and help forums. Another excellent resource is NoMoreRansom.com’s Crypto-Sheriff, a collection of resources and ransomware uninstallers from Intel, Interpol, and Kaspersky Lab that can help you identify and begin eradicating the ransomware from your system with free removal tools.
If all else fails
Unfortunately, experts say that the key question—should we pay up, or risk losing everything?—is often answered by pulling out one’s wallet. If you can’t remove the ransomware, you’ll be forced to consider how much your data is worth, and how quickly you need it. Datto’s 2016 survey showed that 42 percent of those small businesses hit by ransomware paid up.
Keep in mind that there’s a person on the other end of that piece of malware that’s ruining your life. If there’s a way to message the ransomware authors, experts recommend that you try it. Don’t expect to be able to persuade them to unencrypt your files for free. But as crooked as they are, ransomware writers are businessmen, and you can always try asking for more time or negotiating a lower ransom. If nothing else, Grossman said there’s no harm in asking for a so-called “proof of life”—what guarantee can the criminal offer that you’ll actually get your data back? (Of the companies that Datto surveyed, about a quarter didn’t get their data back.)
Remember, though, that the point of the prevention, duplication, and backup steps are to give you options. If you have pristine copies of your data saved elsewhere, all you may need to do is reset your PC, reinstall your apps, and restore your data from the backup.
Don’t let this happen to you
In my situation, my wife and I discovered that we had already backed up everything important to both a cloud service and an external drive. All we lost was a few hours of our evening, including resetting her PC.
Ransomware can infect your PC in any number of ways: a new app, a Flash-based gaming site, an accidental click on a bad ad. In our case, it was a sharp reminder not to go clicking willy-nilly because a “friend” had recommended some bargain shopping site. We’re teaching those same lessons to our kids, too.
Ransomware is an unsettling reminder that people mean you harm, and that misfortune may strike at any time. If you treat your PC as part of your home, however—cleaning, maintaining, and securing it from outside threats—you’ll rest easier knowing you’ve prepared for the worst.
This story was updated on June 28 to add new details about the Petya / NotPetya / Petrwrap / exPetr ransomware.