How To: Remove ransomware from a PC

A combination of common sense, backups and protection, plus automated removal tools, is a solid defence, says MARK HACHMAN

Tech Advisor, How To

Ransomware doesn’t sneak into your PC like ordinary malware. It bursts in, points a gun at your data, and screams for cash. And if you don’t learn to defend yourself, it could happen again and again, as the Petya (or NotPetya) outbreak is demonstrating.

A form of ransomware similar to a piece of malware called Petya has attacked Ukraine and other sites around the globe, encrypting files until a ransom has been paid. Researchers, though, have moved quickly to block the spread of the ransomware, also known as Petrwrap, exPetr, Petna and SortaPetya. There’s no real way to remove the Petya ransomware, but researchers have come up with a way to ‘immunize’ your PC, and antimalware companies are already working to block it.

Petya is the second major ransomware outbreak in the last few months, following WannaCry, which appeared to leverage software developed by the National Security Agency (NSA) that was then turned into malware. It struck the NHS as well as banks and other organizations.

Armed gangs of digital thieves roaming the information superhighway sounds like an overwrought action movie, but the numbers say it’s true: ransomware attacks rose from 3.8 million in 2015 to 638 million in 2016, an increase of 167 times year over year, according to SonicWall.

For the first time, the recent RSA security conference held a comprehensive one-day seminar on ransomware, detailing who’s being attacked, how much they’re taking – and, more importantly, how to block, remove and even negotiate with the crooks holding your data hostage. We came away with a trove of information that you can use to formulate an anti-ransomware strategy.

Preparing for Petya

According to, the Petya/NotPetya/KindaPetya ransomware won’t actually encrypt your PC’s files if it discovers the presence of a particular local file, known as ‘perfc’. Fortunately, if you create that file, Petya won’t run.

Bleeping Computer goes into exactly how to create the perfc file (basically, making a copy of notepad.exe, renaming it perfc, and then making it read-only) and also includes a link to a batch file that will do it for you. Manually creating the perfc file should take you all of a minute, though the batch file also creates an associated .dat and .dll file to provide some added assurance that Petya won’t infect your PC.
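The steps just described, as an added PowerShell example; this is not the article’s own code and not BleepingComputer’s batch file. It creates the perfc file plus the .dat and .dll companions and makes all three read-only. One assumption is not stated in the article: the files are placed in the Windows directory (C:\Windows), which is where BleepingComputer’s write-up puts them.

```powershell
# Added example, not from the article and not BleepingComputer's batch file.
# Creates the Petya/NotPetya 'vaccine' files described above: a copy of
# notepad.exe named perfc, plus the perfc.dat and perfc.dll companions the
# batch file adds, all set read-only. Needs an elevated PowerShell.
# ASSUMPTION: the files belong in the Windows directory (C:\Windows), the
# location BleepingComputer's write-up uses; the article itself names only
# the file 'perfc'.
$windir = $env:windir
$source = Join-Path -Path $windir -ChildPath 'notepad.exe'
if (-not (Test-Path $source)) { throw "Cannot find $source" }

foreach ($name in 'perfc', 'perfc.dat', 'perfc.dll') {
    $target = Join-Path -Path $windir -ChildPath $name
    if (Test-Path $target) {
        Write-Host "$target already exists; leaving its contents alone"
    } else {
        Copy-Item -Path $source -Destination $target
        Write-Host "Created $target"
    }
    # Read-only so that an ordinary file write cannot silently replace it
    Set-ItemProperty -Path $target -Name IsReadOnly -Value $true
}

# Verify: all three files present and read-only
Get-ChildItem -Path $windir -Filter 'perfc*' -File | Select-Object Name, Length, IsReadOnly
```

The final line is the check worth keeping: if any of the three names is missing or shows IsReadOnly as False, the vaccine is not in place. This only blocks the variant that looks for the file; it is no substitute for the patching and backup steps that follow.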

Be prepared

Three years ago, my wife’s computer was invaded by ransomware, imperilling baby photos, tax documents, and other personal data. My heart sank: would we have to pay out hundreds of dollars to avoid losing our entire digital lives? Thank goodness, no – because we had already taken most of the steps that the experts recommend.

The first step: understand your enemy. According to Raj Samani, the chief technology officer of Intel Security’s EMEA business, there are over 400 families of ransomware in the wild – even some for macOS and Linux. A survey by Datto found that CryptoLocker, which hunts down and imprisons your personal documents via time-locked encryption, was by far the most prevalent. But they vary. One took over a victim’s webcam and caught embarrassing footage, threatening to post it online, according to Jeremiah Grossman, chief of security strategy at SentinelOne.

A few common-sense habits can help mitigate your exposure to malware and ransomware, experts say:

• Keep your PC up to date via Windows Update. WannaCry doesn’t even try to attack Windows 10, choosing instead Windows XP and other older Windows operating systems. WannaCry patches are already available, however, even for Windows 8 and Windows XP.

• Ensure you have an active firewall and antimalware solution in place. Windows Firewall and Windows Defender are barely adequate, and a good third-party antimalware solution is far better.

• Don’t rely on antimalware to save you, however. Experts speaking at the RSA session reminded attendees that antivirus companies were only just getting around to addressing ransomware, and their protection isn’t guaranteed.

• Ensure that Adobe Flash is turned off, or surf with a browser, like Google Chrome, that turns it off by default.

• Turn off Office macros, if they’re enabled. (In Office 2016, you can ensure they’re off from the Trust Centre > Macro Settings, or just type ‘macros’ in the search box at the top, then open the ‘Security’ box.)

• Don’t open questionable links, either on a web page or especially in an email. The most common way you’ll encounter ransomware is by clicking on a bad link. Worse still, about two-thirds of the infections that Datto tracked were on more than one machine, implying that infected users forwarded the link and exposed more people.

• Likewise, stay out of the bad corners of the Internet. A bad ad on a legitimate site can still inject malware if you’re not careful, but the risks increase if you’re surfing where you shouldn’t.
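A way to check the first four items on that list in one go, as an added PowerShell example that is not part of the article: it reports the date of the last installed update, whether every firewall profile is enabled, Windows Defender’s real-time protection and signature age, and the Office macro setting. The cmdlets are the ones built into Windows 10. The macro check assumes that the VBAWarnings value under the per-user Office 16.0 (Office 2016) registry key is the setting behind Trust Centre > Macro Settings; the article does not name that key.

```powershell
# Added example, not from the article. Reports the state of the protections the
# checklist above calls for, using cmdlets built into Windows 10 (Get-HotFix,
# Get-NetFirewallProfile and the Defender module's Get-MpComputerStatus). Run it
# from an elevated PowerShell. ASSUMPTION: the Office macro check reads the
# VBAWarnings value under the per-user Office 16.0 (Office 2016) key, which is
# the setting behind Trust Centre > Macro Settings; 4 means 'disable all macros
# without notification', 2 is the default 'disable with notification'.
function Get-BaselineReport {
    $report = [ordered]@{}

    # 1. Patching: date of the most recently installed Windows update
    $lastFix = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
    $report['LastUpdateInstalled'] = $lastFix.InstalledOn
    $report['DaysSinceLastUpdate'] = if ($lastFix) { (New-TimeSpan -Start $lastFix.InstalledOn -End (Get-Date)).Days } else { 'unknown' }

    # 2. Firewall: the Domain, Private and Public profiles should all be enabled
    $off = Get-NetFirewallProfile | Where-Object { -not $_.Enabled } | Select-Object -ExpandProperty Name
    $report['FirewallProfilesDisabled'] = if ($off) { $off -join ', ' } else { 'none' }

    # 3. Defender: real-time protection on, signatures recent
    $mp = Get-MpComputerStatus
    $report['RealTimeProtection'] = $mp.RealTimeProtectionEnabled
    $report['SignatureAgeDays']   = (New-TimeSpan -Start $mp.AntivirusSignatureLastUpdated -End (Get-Date)).Days

    # 4. Office macros, per application (read-only; change it via the Trust Centre)
    foreach ($app in 'Word', 'Excel', 'PowerPoint') {
        $key = "HKCU:\Software\Microsoft\Office\16.0\$app\Security"
        $val = (Get-ItemProperty -Path $key -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
        if ($null -eq $val) {
            $report["Macros_$app"] = 'not set (default: disabled with notification)'
        } else {
            $report["Macros_$app"] = switch ($val) {
                1       { 'ENABLED - all macros run (unsafe)' }
                2       { 'disabled with notification' }
                3       { 'disabled except digitally signed' }
                4       { 'disabled without notification (safest)' }
                default { "unknown value $val" }
            }
        }
    }
    [pscustomobject]$report
}

Get-BaselineReport | Format-List
```

Anything other than RealTimeProtection True, FirewallProfilesDisabled none, a signature age of a day or two and a macro setting of 2 or higher is worth fixing before going further. The script only reads settings; the fixes are made through Windows Update, the firewall and Defender settings pages and the Trust Centre as the list describes.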

For dedicated antimalware protection, consider Malwarebytes 3.0 (£29 from, which is advertised as being capable of fighting ransomware. RansomFree (fvLh6) has also developed what it calls anti-ransomware protection. Typically, however, antimalware programs reserve anti-ransomware for their paid commercial suites. You can download free anti-ransomware protection like BitDefender’s Anti-Ransomware Tool (az2s), but you’re protected from only four common variants of ransomware. Kaspersky also claims that it can block Petya or Petrwrap (or whatever it ends up being called) by simply rolling back changes via its System Watcher component.

A good, but not perfect, defence: backup

Ransomware encrypts and locks up the files that are most precious to you, so there’s no reason to leave them vulnerable. Backing them up is a good strategy.

Take advantage of the free storage provided by Box, OneDrive, Google Drive, and others, and back up your data frequently. (But beware – your cloud service may back up infected files if you don’t act quickly enough.) Better yet, invest in an external hard drive – a Seagate 1TB external hard drive is only £49 from – to add some less-frequently accessed ‘cold storage’. Perform an incremental backup every so often, then detach the drive to isolate that copy of your data.
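An incremental ‘cold storage’ backup of the kind described above, as an added PowerShell example that is not from the article. It uses robocopy, which ships with Windows, and adds a guard for the failure mode the article warns about, a backup that overwrites good copies with files ransomware has already rewritten: if most of a folder changed within the last day, that folder is skipped. Assumptions made here and not in the article: the external drive is mounted as E:, the backup lives in E:\Backup, and the ‘half the files changed in 24 hours’ trigger is a heuristic chosen for the example.

```powershell
# Added example, not from the article. Incremental copy of personal folders to an
# external drive with robocopy (built into Windows), with a guard against the
# failure mode the article warns about: backing up files that ransomware has
# already encrypted. ASSUMPTIONS: the external drive is mounted as E: and the
# backup lives in E:\Backup; the 'half the files changed in a day' threshold
# is a heuristic chosen here, not a figure from the article.
function Test-MassModification {
    param([string]$Path, [int]$WithinHours = 24, [double]$Threshold = 0.5)
    $files = @(Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue)
    if ($files.Count -lt 20) { return $false }   # too few files to judge
    $cutoff = (Get-Date).AddHours(-$WithinHours)
    $recent = @($files | Where-Object { $_.LastWriteTime -gt $cutoff }).Count
    # Ransomware rewrites most of a folder in one sweep; normal use does not
    return (($recent / $files.Count) -ge $Threshold)
}

function Invoke-ColdBackup {
    param(
        [string[]]$Sources = @("$env:USERPROFILE\Documents", "$env:USERPROFILE\Pictures"),
        [string]$Destination = 'E:\Backup'
    )
    $drive = Split-Path -Path $Destination -Qualifier
    if (-not (Test-Path "$drive\")) { throw "Backup drive $drive is not attached" }

    foreach ($src in $Sources) {
        if (Test-MassModification -Path $src) {
            Write-Warning "Most files under $src changed recently; refusing to overwrite the backup. Check for ransomware first."
            continue
        }
        $dst = Join-Path -Path $Destination -ChildPath (Split-Path -Path $src -Leaf)
        # /E   copy subfolders (including empty ones)
        # /XO  skip files that are not newer than the backup copy (the 'incremental' part)
        # /FFT tolerate 2-second timestamp granularity on FAT/exFAT drives
        # Deliberately no /MIR or /PURGE: a file the ransomware renamed or deleted
        # on the PC stays in the backup as its last good copy
        robocopy $src $dst /E /XO /FFT /R:1 /W:1 /NP /NFL /NDL
        # robocopy exit codes 0-7 are success flags; 8 and above mean failures
        if ($LASTEXITCODE -ge 8) { Write-Warning "robocopy reported failures for $src (exit code $LASTEXITCODE)" }
    }
    Write-Host "Backup finished. Use 'Safely Remove Hardware' and unplug $drive so this copy stays offline."
}

Invoke-ColdBackup
```

The detach step is the important one: a drive that stays plugged in is just another volume for the next infection to encrypt. The guard is deliberately conservative; if it trips on a folder you know you reorganised yourself, raise the threshold for that run rather than removing the check.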

If you are infected, ransomware may allow you to see exactly which files it’s holding hostage via File Explorer. One clue may be ordinary .DOC or .DOCX files with strange extensions attached. Ondrej Vlcek, the chief technical officer of Avast, offered an unintuitive piece of advice: if the ransomware isn’t time-locked, and you don’t need the files right away, consider leaving them alone. (Work on another PC, though.) It’s possible that your antivirus solution may be able to unlock them later as it develops countermeasures.

Backup isn’t foolproof, however. For one thing, you may need to research how to back up saved games and other files that don’t fit neatly into ‘Documents’ or ‘Photos’. Ditto for utilities and other custom apps.

What to do if you’re infected

How do you know you have ransomware? Trust us, you’ll know. Ransomware like the busted Citadel ring ‘warned’ that your PC was associated with child pornography, and the imagery associated with most ransomware is designed to invoke stress and fear.

Don’t panic. Your first move should be to contact the authorities, including the police. Then ascertain the scope of the problem, by going through your directories and determining which of your user files is infected. (If you do find your documents now have odd extension names, try changing them back – some ransomware uses ‘fake’ encryption, merely changing the file names without actually encrypting them.)
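The ‘strange extensions’ clue from the backup section and the scoping step just described, combined into one added PowerShell example that is not from the article. It lists every file under the user profile whose name still carries a document extension followed by an extra one (for example report.docx.locked), groups the hits by the added extension to show how far the damage reaches, and reads the first bytes of each file to tell ‘fake’ encryption (content intact, only the name changed, so renaming back is safe) from real encryption. The extension list, the 16-character cap on the added extension and the choice of the user profile as the search root are assumptions made for the example; the signatures are the standard ones for those formats.

```powershell
# Added example, not from the article. Inventories files under the user profile
# whose names still carry a document extension followed by an extra one (the
# 'strange extensions' clue described above, e.g. report.docx.locked), groups
# them by the added extension to show the scope of the damage, and checks the
# first bytes of each file against the original format's signature to tell
# 'fake' encryption (content intact, only the name changed) from real encryption.
# ASSUMPTIONS: the extension list and the 16-character limit on the added
# extension are choices made here; the signatures are the standard ones for
# those formats (OOXML/ZIP, legacy Office/OLE2, PDF, JPEG, PNG).
$Signatures = @{
    'docx' = '504B0304'; 'xlsx' = '504B0304'; 'pptx' = '504B0304'   # ZIP container
    'doc'  = 'D0CF11E0'; 'xls'  = 'D0CF11E0'; 'ppt'  = 'D0CF11E0'   # OLE2 compound file
    'pdf'  = '25504446'                                               # "%PDF"
    'jpg'  = 'FFD8FF';   'jpeg' = 'FFD8FF'
    'png'  = '89504E47'
}

function Test-OriginalHeader {
    # $true/$false if the file still starts with its original format's
    # signature; $null when the format has no signature to check
    param([string]$Path, [string]$OriginalExt)
    if (-not $Signatures.ContainsKey($OriginalExt)) { return $null }
    $buf = New-Object byte[] 4
    $fs  = [System.IO.File]::OpenRead($Path)
    try { $n = $fs.Read($buf, 0, $buf.Length) } finally { $fs.Dispose() }
    if ($n -eq 0) { return $false }
    $hex = -join ($buf[0..($n - 1)] | ForEach-Object { $_.ToString('X2') })
    return $hex.StartsWith($Signatures[$OriginalExt])
}

function Find-RenamedDocuments {
    param([string]$Root = $env:USERPROFILE)
    $exts    = (@($Signatures.Keys) + 'txt') -join '|'
    $pattern = "\.($exts)\.([A-Za-z0-9_\-]{1,16})$"
    Get-ChildItem -Path $Root -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            if ($_.Name -match $pattern) {
                $orig = $Matches[1].ToLower()
                [pscustomobject]@{
                    Path         = $_.FullName
                    OriginalExt  = $orig
                    AddedExt     = $Matches[2]
                    LastWrite    = $_.LastWriteTime
                    HeaderIntact = Test-OriginalHeader -Path $_.FullName -OriginalExt $orig
                }
            }
        }
}

$hits = @(Find-RenamedDocuments)
Write-Host "$($hits.Count) renamed document(s) found under $env:USERPROFILE"

# Scope: which added extensions appear, and how many files carry each
$hits | Group-Object AddedExt | Sort-Object Count -Descending |
    Select-Object Name, Count | Format-Table -AutoSize

# Files whose content is untouched can simply be renamed back (fake encryption)
$intact = @($hits | Where-Object { $_.HeaderIntact -eq $true })
Write-Host "$($intact.Count) of them still have their original file header (candidates for renaming back)"

# Earliest rewrite time gives a rough start time for the attack
$hits | Sort-Object LastWrite | Select-Object -First 1 Path, LastWrite
```

Run it from a clean account or another PC against the affected drive if you can. The added-extension name and the count per folder are exactly what a vendor’s support desk or an identification service will ask for, and the header check settles the ‘rename it back’ question before you touch any file: a .docx that no longer starts with the ZIP signature has really been encrypted, and renaming it gains nothing.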

The next step? Identification and removal. If you have a paid antimalware solution, scan your hard drive and try contacting your vendor’s tech support and help forums. Another excellent resource is NoMoreRan’s Crypto-Sheriff (knq5x8t), a collection of resources and ransomware uninstallers from Intel, Interpol, and Kaspersky Lab that can help you identify and begin eradicating the ransomware from your system with free removal tools.

If all else fails

Unfortunately, experts say that the key question – should we pay up, or risk losing everything? – is often answered by pulling out one’s wallet. If you can’t remove the ransomware, you’ll be forced to consider how much your data is worth, and how quickly you need it. Datto’s 2016 survey showed that 42 percent of those small businesses hit by ransomware paid up.

Keep in mind that there’s a person on the other end of that piece of malware that’s ruining your life. If there’s a way to message the ransomware authors, experts recommend that you try it. Don’t expect to be able to persuade them to unencrypt your files for free. But as crooked as they are, ransomware writers are businessmen, and you can always try asking for more time or negotiating a lower ransom. If nothing else, Grossman said there’s no harm in asking for a so-called ‘proof of life’: what guarantee can the criminal offer that you’ll actually get your data back?

(Of the companies that Datto surveyed, about a quarter didn’t get their data back.)

Remember, though, that the point of the prevention, duplication, and backup steps is to give you options. If you have pristine copies of your data saved elsewhere, all you may need to do is reset your PC, reinstall your apps, and restore your data from the backup.

Don’t let this happen to you

In my situation, my wife and I discovered that we had already backed up everything important to both a cloud service and an external drive. All we lost was a few hours of our evening, including resetting her PC.

Ransomware can infect your PC in any number of ways: a new app, a Flash-based gaming site, an accidental click on a bad ad. In our case, it was a sharp reminder not to go clicking willy-nilly because a ‘friend’ had recommended some bargain shopping site. We’re teaching those same lessons to our children, too.

Ransomware is an unsettling reminder that people mean you harm, and that misfortune may strike at any time. If you treat your PC as part of your home, however – cleaning, maintaining, and securing it from outside threats – you’ll rest easier knowing you’ve prepared for the worst.

The front page of NoMoreRan’s Crypto-Sheriff site includes an easy tool to discover what kind of ransomware may be affecting your PC

You’ll feel a lot better if you have your data backed up online and off

Anti-ransomware solutions such as Malwarebytes are a reliable go-to for extra protection from unsavoury software, but they’re not foolproof
