Recently Protus3 was asked to assist someone who had fallen prey to ransomware. The person had clicked on an attachment in an email. It wasn’t long before a message, shown here, popped up on their screen saying that the ransomware had encrypted all of the files in their My Documents folder.
Remembering a recent news article about the identification of ransomware encryption algorithms, we decided to do some research. The victim sent us one of the encrypted files. We uploaded the encrypted file to: id-ransomware.malwarehunterteam.com
We identified the ransomware as the Nemucod variant. With some research we found a site that would assist with decrypting the files. We went to the site below and followed the instructions: www.bleepingcomputer.com/news/security/decryptor-released-for-the-nemucod-trojans-crypted-ransomware
We started the computer and downloaded the EMSISOFT Decrypter software from the Bleeping Computer website. Once downloaded, we had to drag and drop both an original file and an encrypted file into the EMSISOFT application. We could not find an original file on the computer since the ransomware had encrypted all files on the computer. Instead, we searched the Outlook sent box and found a file sent before the ransomware activated. We copied and pasted the original file from Outlook to the computer’s desktop. Once on the desktop, we selected the two files and dragged them over to the EMSISOFT Decrypter icon.
The EMSISOFT application generated a message box which contained the encryption key. We confirmed the encryption key, which then opened the EMSISOFT Decrypter application. Once opened, the application showed the drives attached to the computer, and we selected the decrypt icon. The files started to decrypt, a process that lasted a little over an hour. When finished, we saved a log of the decrypted file that.
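Why the decrypter needs the same file in both its original and encrypted form can be shown with a known-plaintext key recovery. The following is an added example, not code from Protus3 or Emsisoft; it assumes a repeating-key XOR cipher purely for illustration (the post does not say what cipher Nemucod uses), and the key and file contents are constructed.

```python
"""Added illustration: known-plaintext key recovery against an ASSUMED
repeating-key XOR cipher. Not Nemucod's documented scheme, not Emsisoft's code."""
from itertools import cycle


def xor_stream(data: bytes, key: bytes) -> bytes:
    """XOR data with the key repeated to length (encrypt and decrypt are the same)."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key(original: bytes, encrypted: bytes, max_len: int = 64) -> bytes:
    """Return the shortest repeating key that maps original to encrypted."""
    if len(original) != len(encrypted) or not original:
        raise ValueError("pair must be the same non-empty file, before and after")
    # With XOR, plaintext ^ ciphertext exposes the keystream directly.
    keystream = bytes(p ^ c for p, c in zip(original, encrypted))
    for n in range(1, min(max_len, len(keystream)) + 1):
        if all(keystream[i] == keystream[i % n] for i in range(len(keystream))):
            # A period is only trustworthy if it was seen repeating at least once.
            if 2 * n > len(keystream):
                raise ValueError("known file too short to confirm the key period")
            return keystream[:n]
    raise ValueError("no repeating key found; pair mismatched or cipher differs")


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed sample key
    # Constructed stand-ins for the Outlook sent attachment and another victim file.
    sent_copy = b"Quarterly report attached, as sent from Outlook last week.\n" * 2
    other_doc = b"Another document in My Documents.\n"
    locked_sent = xor_stream(sent_copy, key)
    locked_other = xor_stream(other_doc, key)

    found = recover_key(sent_copy, locked_sent)
    print("recovered key:", found)
    print("second file decrypted:", xor_stream(locked_other, found))
```

A pair that is not byte-for-byte the same file (an edited copy, a different version) produces a keystream with no consistent period, so the function raises instead of returning a wrong key.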
After that, we downloaded the RKill software and ran a scan on the computer. When the scan finished, RKill said that no infections were left on the computer. We then downloaded the free version of AVG and ran a virus scan. This also came back as clean. When this finished, we downloaded MalwareBytes and ran a scan. This came back with 15 infections, which we successfully quarantined and removed.
Once we completed these steps, we deleted all of the encrypted files.
There are many variations of ransomware, and they are constantly changing. To prevent ransomware attacks on your computer or network, be cautious about clicking on any attachment in any email. Cyber criminals are getting better at crafting what appear to be legitimate emails. If you are not expecting to receive an email with an attachment from someone, don’t click on the attachment. If you know who the email is from, pick up the phone and call them. We have to assume in this age that any attachment could be a virus.
The second step to protecting yourself from ransomware is to back up your computer or at a minimum your My Documents folder. Should you ever get attacked by ransomware, you would not have to worry about paying the ransom or decrypting the files. You would only have to clean the virus off your computer and restore the backup.