Perhaps one of the most annoying security issues you need to guard against is the class of "viruses" that encrypt many of the files on your computer and then advise you to visit a specified address to pay for the key to decrypt them again. The biggest problem with these is that when the web page carrying the script is reached through a link in an email, your antivirus software may not detect it in time to prevent it from running.

So the first rule of making sure this doesn't happen to you is to never click links in emails - something you shouldn't be doing anyway.

If your computer does end up "infected" with ransomware then the first thing you need to do is get the "virus" itself removed from the computer - otherwise trying to do anything with the computer will just make things worse. Do NOT run any programs already installed on the computer, as these may already have been compromised. Instead you need to use an uninfected computer to obtain a fresh copy of a scanning program such as Malwarebytes (if you only have the one computer then I recommend downloading a copy before you get hit with this problem and saving it somewhere such as a USB stick that will not be connected to the computer when the problem occurs).

Once all of the "infected" executable files have been removed from your computer it should then be safe to run programs that were already installed before the problem occurred.

The next step is to attempt to recover the files that were encrypted. The best way to do this is to restore a backup copy of the files in place of the encrypted versions. If you don't have a backup then you might try using ShadowExplorer, which can restore files from shadow copies that Windows may have made. If you still can't get your files back after that then you are basically out of luck - your files have been stolen.
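The shadow-copy route above can also be checked without a third-party tool. The following is an added example, not part of the article: run from an elevated PowerShell on a machine that has already been cleaned, it lists the Volume Shadow Copies that still exist for C: and copies one file out of the newest one. The file path and destination folder are placeholders, and it assumes at least one snapshot survived; if the list is empty, there is nothing to restore from and a backup is the only option.

```powershell
# Added example (not from the article): enumerate Volume Shadow Copies of C:
# and restore a single file from the newest one. Requires an elevated shell.
param(
    [string]$RelativePath = 'Users\Alice\Documents\report.docx',  # placeholder
    [string]$RestoreTo    = 'C:\Recovered'                        # placeholder
)

# Win32_Volume.DeviceID and Win32_ShadowCopy.VolumeName share the same
# \\?\Volume{GUID}\ form, so they can be matched directly.
$cVolume = (Get-CimInstance Win32_Volume | Where-Object { $_.DriveLetter -eq 'C:' }).DeviceID
$shadows = Get-CimInstance Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $cVolume } |
    Sort-Object InstallDate -Descending

if (-not $shadows) {
    Write-Warning 'No shadow copies of C: exist; restore from backup instead.'
    return
}

# Show what is available so the reader can pick an older snapshot if needed.
$shadows | ForEach-Object { '{0}  {1}' -f $_.InstallDate, $_.DeviceObject }

# Expose the newest snapshot as a directory via a symbolic link.
# The trailing backslash on the device path is required for mklink.
$newest = $shadows[0]
$mount  = Join-Path $env:TEMP 'shadow_restore'
if (Test-Path $mount) { cmd /c rmdir $mount | Out-Null }
cmd /c mklink /d $mount ($newest.DeviceObject + '\') | Out-Null

try {
    $src = Join-Path $mount $RelativePath
    if (-not (Test-Path $src)) {
        Write-Warning "File not present in snapshot from $($newest.InstallDate)."
        return
    }
    New-Item -ItemType Directory -Path $RestoreTo -Force | Out-Null
    # Copy into a separate folder rather than over the encrypted original,
    # so nothing is lost if the snapshot turns out to be the wrong one.
    Copy-Item $src -Destination $RestoreTo
    Write-Host "Restored $RelativePath from snapshot $($newest.ID) to $RestoreTo"
}
finally {
    # Remove only the link; the snapshot itself is untouched.
    cmd /c rmdir $mount | Out-Null
}
```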

One thing NOT to do at any point in this process is to visit the site they claim you can visit to pay to have your files decrypted (hopefully your security software will block you from accessing that site). The owners of that site are already known to have created pages that will install ransomware on your computer, so who knows what they might install next. Even if you do manage to visit that site without having other nasties installed (which will probably hide themselves for a while so that you don't know they are there until later), do you really want to give your bank account or credit card details to a thief? They have already stolen your files, so stealing all of the money they can access using the details you give them seems the next likely step. Anyway, they have no incentive to actually provide a real decryption key for your data, as all they obviously want is financial details to clean out your account. You might be lucky enough to get a valid key that gets all your files back at the cost of having your bank account cleaned out, but is your data really worth so much that you'd spend everything in your account in the hope that you get a decryption key that works? Anyway, the only reason they targeted you is that enough idiots have already paid them to make it worth their while to keep sending their ransomware emails out.


This article was written by Stephen Chapman, Felgall Pty Ltd.

