Recovering from ransomware has two major components: (1) Removing the malware that caused the ransom and (2) restoring your files. In this article, we’re going to discuss the removal of ransomware.
Note: While this article explains methods to find and eradicate ransomware, we can’t cover every possible use case for all ransomware. Coalition recommends complete re-installations and restoration from backup whenever possible. The steps listed in this document can cause further damage. We recommend professional assistance.
Stop the spread
Modern ransomware is designed to spread across the network to infect as many machines as possible For that reason, remove the affected machine from the network immediately! Encryption of files will still continue on the affected machine until stopped, but this will halt the further spread to other local computers.
Find and remove the Infection
Next, we want to try to find the file(s) and process(es) responsible for the ransomware infection.
(Tip: Insert a USB thumbdrive into your computer with a few sample files. If the ransomware is still active, it will likely encrypt those files as well. If you find that the ransomware is still active)
-
Scan your system with the antivirus software of your choosing, (i.e. MalwareBytes, ESET, etc.)
-
Open your task manager to see if you can find the malware running. If you see it, attempt to kill it in the task manager or by using “taskkill /f /im [MalwareFileName]” in a command prompt.
-
Check your registry for files set to run at startup by looking in the following registry hives:
i. HKLM\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
ii. HKLM\Software\Microsoft\Windows\CurrentVersion\Run -
Check your services to make sure that there aren’t any malicious executables installed as a service on the system from control panel as well as the registry at HKLM\SYSTEM\CurrentControlSet\Services
-
Check your scheduled tasks to make sure that the ransomware is not set to re-trigger at a specified time or date at HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree
-
Check the filesystem for suspicious executables or ransom notes. The filenames of ransomware may vary between attacks, but you’ll want to look for files like: AAAAA.exe, jo173.exe, MeBBf.exe, window.bat, psecex.exe and 1.exe. Some of these files may be hidden on the filesystem, so be sure your Windows Explorer view settings allow you to view hidden files.
i. C:\Windows\Temp
ii. C:\share$
iii. C:\Users\Public
iv. C:\Users\[usernames]\Desktop
v. C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
vi. C:\Users\[usernames]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup -
If you found and removed suspicious files or services, run your antivirus again.
At Coalition, we generally advise against attempting to find and remove ransomware on systems. In the event that you miss something, a reinfection could occur and potentially put you in a worse position. We always recommend complete re-installation of computers and servers either from backups (when available) or from source media.
For more information on this topic please reach out to us; we’re here to help!