
Recovering from Ransomware


Elmer Fudd


I would appreciate some enlightenment from the experts of the community on recovering from ransomware. I know that backups are the main necessity when using a computer and have done that since the days of Win95. My practice is to clone the drive after “Patch Tuesday” when the system has proved itself to be stable by using Acronis Boot Disc. The clone is stored on a separate internal hard drive and then physically disconnected from the computer. This procedure has saved my “bacon” a few times and helped to avoid a time consuming complete rebuild with Win 10 and associated installed software.

If one is confronted with the “red screen” or whatever indicating all files have been encrypted, is it sufficient to format the infected hard drive via a boot disc, and does this method eradicate the problem completely or is the dastardly bug capable of surviving somewhere else?

I tend to employ “safe surfing” but one never knows these days. One hopes to never find oneself in this predicament, but as we all know, sometimes “that which can’t go wrong will”.

Thanks in advance for any information provided.

42 minutes ago, Elmer Fudd said:

.... all files have been encrypted, is it sufficient to format the infected hard drive via a boot disc, and does this method eradicate the problem completely or is the dastardly bug capable of surviving somewhere else?

Formatting a disk means configuring the disk with a file system so that Windows can store information on the disk.
This is the rule only, and not something else. How can it protect you if nothing is removed? You just don't see the files there, but you can restore everything. You must shred all files, which means overwrite or, as is sometimes said, wipe (also wash) the disk or partition.



1 hour ago, Elmer Fudd said:

I would appreciate some enlightenment from the experts of the community on recovering from ransomware. I know that backups are the main necessity when using a computer and have done that since the days of Win95. My practice is to clone the drive after “Patch Tuesday” when the system has proved itself to be stable by using Acronis Boot Disc. The clone is stored on a separate internal hard drive and then physically disconnected from the computer. This procedure has saved my “bacon” a few times and helped to avoid a time consuming complete rebuild with Win 10 and associated installed software.

If one is confronted with the “red screen” or whatever indicating all files have been encrypted, is it sufficient to format the infected hard drive via a boot disc, and does this method eradicate the problem completely or is the dastardly bug capable of surviving somewhere else?

I tend to employ “safe surfing” but one never knows these days. One hopes to never find oneself in this predicament, but as we all know, sometimes “that which can’t go wrong will”.

Thanks in advance for any information provided.

 

A quicker fix (and I mean perform these steps quickly) I discovered which works really well is the following...

Immediately upon seeing such a ransom page,

1. Open Windows Task Manager by pressing/holding Control+Alt+Delete.

2. You'll see the ransom page listed, so quickly put cursor arrow over the listing, right click, then click End Task.

3. A new window opens requesting verification of End Task. Click it.

Note, when I've seen this ransom page in Task Manager, there's almost always a second page (duplicate), so repeat the above steps until the two pages are fully deleted, or closed.

I've noticed upon completing the removal, a new default browser window opens, which I simply close.

Remember, this process needs to happen fairly fast, as the ransom page seems to try to prevent itself from being deleted, so move quickly (don't pause), and on both ransom pages, if two are present.

I always back everything up, especially after having to reformat a few times due to this scourge, so buy yourself a 2 or 3TB external hard drive to back up your files with (around $100 in 2015), just in case this method doesn't work on a truly nasty virus, and you do have to reformat your PC.




5 hours ago, psyko666 said:

 

A quicker fix (and I mean perform these steps quickly) I discovered which works really well is the following...

Immediately upon seeing such a ransom page,

1. Open Windows Task Manager by pressing/holding Control+Alt+Delete.

2. You'll see the ransom page listed, so quickly put cursor arrow over the listing, right click, then click End Task.

3. A new window opens requesting verification of End Task. Click it.

Note, when I've seen this ransom page in Task Manager, there's almost always a second page (duplicate), so repeat the above steps until the two pages are fully deleted, or closed.

I've noticed upon completing the removal, a new default browser window opens, which I simply close.

Remember, this process needs to happen fairly fast, as the ransom page seems to try to prevent itself from being deleted, so move quickly (don't pause), and on both ransom pages, if two are present.

I always back everything up, especially after having to reformat a few times due to this scourge, so buy yourself a 2 or 3TB external hard drive to back up your files with (around $100 in 2015), just in case this method doesn't work on a truly nasty virus, and you do have to reformat your PC.


I'd add to get that multi-TB drive and keep multiple versions of your backups.  In other words, keep a 2 month old b/up, 1 month backup, 2 week, 1 week, and let Acronis do an incremental or differential. 

 

Also, if you can manage it, I'd make that image before running the MSFT updates.  That'll help you roll back if need be, whether it's ransomware or MSFT at fault.

 

If you have to restore, I personally would nuke the drive by deleting the partitions and then restore my image.  Acronis will step on everything that way. 

 

Finally, don't get cheap and pirate Acronis - it's too important.  Watch for a sale at Frys if you're in the US and you can pick it up legit for $20 3-4 times a year.

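The multi-version scheme suggested in the reply above (keep images roughly 1 week, 2 weeks, 1 month and 2 months old) can be turned into a pruning plan. This is an added example, not part of any post in the thread; the `pc_YYYY-MM-DD.tib` file names, the function names and the sample list are assumptions made for illustration.

```python
import re
from datetime import date, timedelta

# Ages (in days) of the versions the reply suggests keeping:
# 1 week, 2 weeks, 1 month, 2 months.
TIERS_DAYS = (7, 14, 30, 60)
NAME_RE = re.compile(r"(\d{4})-(\d{2})-(\d{2})")


def image_date(name):
    """Extract the date embedded in a constructed name like 'pc_2024-05-14.tib'."""
    m = NAME_RE.search(name)
    if not m:
        raise ValueError(f"no date in {name!r}")
    return date(*map(int, m.groups()))


def plan_retention(names, today, tiers=TIERS_DAYS):
    """Return (keep, delete) lists of image names, oldest first.

    For each tier, keep the newest image that is at least that old; if none is
    old enough yet, keep the oldest image so history can grow into the tier.
    The most recent image is always kept.
    """
    dated = sorted((image_date(n), n) for n in names)
    if not dated:
        return [], []
    keep = {dated[-1][1]}
    for age in tiers:
        cutoff = today - timedelta(days=age)
        old_enough = [n for d, n in dated if d <= cutoff]
        keep.add(old_enough[-1] if old_enough else dated[0][1])
    kept = [n for _, n in dated if n in keep]
    dropped = [n for _, n in dated if n not in keep]
    return kept, dropped


# Constructed sample: one image per week for ten weeks, ending 2024-05-14.
SAMPLE = [f"pc_{date(2024, 5, 14) - timedelta(weeks=w)}.tib" for w in range(10)]

if __name__ == "__main__":
    kept, dropped = plan_retention(SAMPLE, today=date(2024, 5, 15))
    print("keep:  ", kept)
    print("delete:", dropped)
```

The plan only lists names; nothing is deleted, so it can be reviewed before any old image on the disconnected drive is removed.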


In another way, to prevent these attacks:

 

1- Do a full backup of C:\ from time to time

2- Keep your browser and AV updated

3- Install DNSCrypt for Windows and choose OpenDNS as another security layer (if you have a rooted Android phone you can install the DNS manager app)

4- If once attacked, as said before, keyboard shortcuts may help to kill the process using Task Manager; then reopen the browser and clear browsing data



Archived

This topic is now archived and is closed to further replies.
