Decrypting ransomware encrypted files
Encrypted by ransomware
Ransomware is a specific type of malware. It encrypts your files so you’re unable to access or use them, and then offers to decrypt them if you pay the ransom.

Unfortunately, the technology used — “public key encryption” — is generally good. It’s the same encryption technology you and I use to keep our data secure and our internet conversations private.

When done right, a file encrypted using public-key cryptography is essentially unrecoverable, unless you have the matching private key.

And needless to say, the hackers do it right. It’s essentially impossible to decrypt files encrypted by ransomware without their private key.
Cures for ransomware
The best possible cure is to avoid having your files encrypted by ransomware in the first place. That means using the internet safely and all that entails. Avoid malware, phishing schemes, and all the other ways that hackers get ransomware onto your machine.

The second best cure is to have a backup. If you find your computer afflicted with ransomware and your files encrypted, restoring them from a backup is the only 100% reliable recovery method.

And since ransomware can, in some (fortunately infrequent) cases, even encrypt your backups, you need to understand and plan for a robust solution that allows you to recover. Normally this means automated daily backups and periodically making an offline copy, out of ransomware’s reach.
Recovering from ransomware
By far, the simplest, fastest, most reliable solution to recovering files encrypted by ransomware is to restore them from a backup taken before the ransomware took hold. You restore the backup image of your entire machine to its state prior to the infection, and it’s as if the ransomware never happened.

Hopefully, once restored, you’ll know not to do whatever caused the infection in the first place.

If you don’t have a complete image backup of your machine, but you do have a backup of your data, recovery is possible, albeit somewhat more work. I recommend that you:

* Take an image backup of the infected machine. This is to preserve a copy of the machine in its current state, in case it becomes necessary to recover something from it in the future.
* Wipe the machine and install Windows from scratch.
* Install your applications from scratch.
* Restore your data.

If you have no backup of your data, things are significantly more dire.
Decrypting ransomware-encrypted files
There’s no magical solution for decrypting a strongly encrypted file. If you don’t find the decryption key in a service like No More Ransom, then you’re severely out of luck.

Which leaves the ultimate question: should you pay?

First, let’s be clear: these are criminals you’re thinking of dealing with. There’s no guarantee they’ll follow through, should you elect to make payment. It could be the equivalent of simply throwing your money away.

Or … it could recover your files.

Only you can decide whether or not to pay criminals the ransom.

My position is: don’t. Doing so only encourages their criminal enterprise, and puts even more people at risk of finding their files encrypted by ransomware.

Instead, learn from the experience. Most importantly, start backing up so this never has to happen to you again.

If you found this article helpful, I’m sure you’ll also love Confident Computing! My weekly email newsletter is full of articles that help you solve problems, stay safe, and give you more confidence with technology. Subscribe now and I’ll see you there soon,
Implications of how long you keep backups
Think of each backup as a representation of your computer as it was when the backup was taken. As a result:

* Yesterday’s backup: your machine and everything on it as it was yesterday.
* The day before yesterday’s backup: your machine as it was two days ago.
* The day before that: your machine as it was three days ago.
* And so on…

Let’s look at some examples of what that implies.

Let’s say your machine becomes infected with malware. As I’ve stated many times, restoring to a recent backup taken prior to the malware’s arrival is probably the fastest and most reliable way to completely remove it.

Ideally, you would notice the infection quickly, and restore the previous day’s backup.

But what happens if you fail to notice for, say, a week? Perhaps you don’t use your computer for a while. Maybe it takes a week to figure out that the odd behavior you’re experiencing is, indeed, malware.

If you keep only a few days of backups — say three days — all you have is a backup of your machine as it was three days ago, which is after the malware arrived. That backup, and all backups since, are infected. You no longer have a clean backup you can restore to.
I consider regularly-scheduled backups to be the single most important way to protect yourself from data loss.

My recommendation is to automate a monthly full-image backup of your machine with intervening daily incremental backups. While I’ve made a suggestion above, the specifics — monthly and daily — are less important than having something happen automatically, with no need for you to remember and take action.

There’s no set answer as to how long you should keep these, as it really depends on your own configuration, needs, and storage capacity. You might discard backups older than a month, or perhaps a year. You might decide to keep specific snapshots for longer, “just in case”, but discard the majority.

As just one example, here’s my retention schedule for backing up the PC I use as my primary work machine. I keep:

* Daily incremental backups for a month, until the next full backup occurs.
* Monthly full-image backups for at least three months.
* The full backup images for each quarter for an additional year.
* The first full backup image of each year pretty much forever.

As I said, that’s just an example, and my needs might well be considered extraordinary compared to yours. (I use something from my backups perhaps once a year or so. Totally worth it.)
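The two points above, that a retention window shorter than your detection lag leaves you with no clean backup, and the author’s own tiered retention schedule, are easier to reason about when written down as rules a script can apply. The following is an added example, not code from the article or any backup product: it models the author’s schedule as stated (incrementals kept until the next full, monthly fulls kept three months, quarter fulls kept an additional year, the first full of each year kept forever), a naive three-day schedule for comparison, and a check for whether a clean restore point still exists given the date an infection arrived. The interpretation of “quarter” as the full taken in January, April, July or October, the assumption that fulls are taken on the 1st of each month, and every date in the sample history are constructed assumptions.

```python
"""Backup retention modelling (added example; dates and rules below are assumptions)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Backup:
    taken: date
    full: bool  # True = full image, False = daily incremental


def months_between(earlier: date, later: date) -> int:
    """Whole calendar months from `earlier` to `later`, ignoring day-of-month."""
    return (later.year - earlier.year) * 12 + (later.month - earlier.month)


def first_full_of_each_year(backups: List[Backup]) -> set:
    """Dates of the earliest full image taken in each calendar year."""
    first = {}
    for b in backups:
        if b.full and (b.taken.year not in first or b.taken < first[b.taken.year]):
            first[b.taken.year] = b.taken
    return set(first.values())


def keep_authors_schedule(b: Backup, backups: List[Backup], today: date) -> bool:
    """The author's stated schedule, as interpreted here (assumption):
    incrementals until the next full; fulls for 3 months; quarter fulls
    (assumed Jan/Apr/Jul/Oct) for 3 + 12 months; first full of each year forever."""
    if not b.full:
        latest_full = max((x.taken for x in backups if x.full), default=None)
        return latest_full is None or b.taken >= latest_full
    if b.taken in first_full_of_each_year(backups):
        return True
    age = months_between(b.taken, today)
    if age <= 3:
        return True
    return b.taken.month in (1, 4, 7, 10) and age <= 15


def keep_short_schedule(b: Backup, backups: List[Backup], today: date, days: int = 3) -> bool:
    """The 'only a few days of backups' schedule from the malware discussion."""
    return (today - b.taken).days <= days


def prune(backups: List[Backup], today: date,
          rule: Callable[[Backup, List[Backup], date], bool]) -> List[Backup]:
    """Return the backups that survive `rule` as of `today`."""
    return [b for b in backups if rule(b, backups, today)]


def latest_clean_backup(kept: List[Backup], infection_date: date) -> Optional[Backup]:
    """Newest surviving backup taken strictly before the infection arrived, or None."""
    clean = [b for b in kept if b.taken < infection_date]
    return max(clean, key=lambda b: b.taken) if clean else None


def sample_history(start: date, end: date) -> List[Backup]:
    """Constructed history: a full image on the 1st of each month, an incremental on every other day."""
    out, d = [], start
    while d <= end:
        out.append(Backup(d, full=(d.day == 1)))
        d += timedelta(days=1)
    return out


if __name__ == "__main__":
    today = date(2024, 3, 15)           # constructed: the day the infection is finally noticed
    infected = date(2024, 3, 8)         # constructed: a week earlier
    history = sample_history(date(2022, 1, 1), today)
    for name, rule in (("author's schedule", keep_authors_schedule),
                       ("three-day schedule", keep_short_schedule)):
        kept = prune(history, today, rule)
        clean = latest_clean_backup(kept, infected)
        print(f"{name}: {len(kept)} backups kept, "
              f"latest clean restore point: {clean.taken if clean else 'none'}")
```

Running the script shows the difference the retention window makes: with the author’s schedule the incrementals from the start of the month still exist, so the day before the infection is restorable, while the three-day schedule has already discarded every clean copy. The `rule` parameter is a plain function so that a different retention policy is a one-function change rather than a rewrite.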
I want to mention one additional type of backup that many might not consider to be a backup at all: what I call an archive.

An archive, to me, is a collection of data intended to be kept forever, even though it’s not necessarily needed now, or needed daily. For example, those backups that I keep “pretty much forever” (mentioned above) might be considered archive copies of the long-defunct machines they represent. Similarly, the fact that I copy my photographs to cloud storage in addition to backing them up locally might also be considered archival.

The concept of archiving is truly data-dependent. There’s no need to archive your operating system updates for posterity, but your correspondence, photographs, and other more personal items might be appropriate for archival.
So, how long should you keep backups?
There’s no general rule I can apply that would make sense for everyone.

Clearly, the first few days are important. Things like lost files, malware, and the like are often discovered quickly, and typically you’ll need to go back only a day or two when that’s the case. Of course, a sudden and total hard disk failure makes itself known quite quickly.

The questions I’d have you consider are:

* How confident are you that you’ll discover whatever you might want from your backup within the amount of time you keep your backups?
* What would be the cost — be it money, emotion, or just time to re-create it — should you be unable to recover something because you didn’t discover you needed it before your retention period passed?
* Is there any reason you can’t just throw more disk space at it and increase the number of backups you keep?

These questions apply for any time period you might choose to keep backups, be it three days, three months, or three years. For various reasons and in various situations, the proper retention period could be any of those, or even longer.
Windows configures itself for your machine
When you install an operating system, the setup program goes through what appears to be the same sequence on every machine: you enter the product key, type in a little information, tell it what machine name you want, set the time zone, and pick an administrator password. Then, setup goes to work, showing a progress bar or some ~~propaganda~~ information about the benefits of the operating system you’re installing, and how wonderful your life together will be.

What happens behind the scenes is significantly more complex.

Every machine is different from every other machine, and it’s during installation that those differences are accounted for.

Once it’s set up, Windows has been highly customized to the characteristics of your specific computer.
What your backup image contains
The problem is that a backup image of any machine contains that version of Windows specifically configured for the computer on which the backup was taken.

It has drivers and settings and customizations for that hardware. Attempting to restore Windows to a different machine means it won’t have the proper configuration it needs to run on that different hardware. Depending on just how different the hardware turns out to be, you may experience any of the following:

* Windows won’t even boot. This is fairly common.
* Windows may run, but will be unstable or present an assortment of error messages.
* Windows may appear to run, but later you discover instability or other problems that defy explanation.

In some cases it appears to work… but it’s not something you should count on.
Restoring to a different machine might work if…
It is possible for the scenario to work, but several conditions must be met.

* The motherboard on the two machines must be similar. What does “similar” mean? There’s no real definition; motherboards often have a variety of hardware that requires a specific set of drivers in order to work properly. Ideally, the motherboards would be identical.
* For individual devices that are not identical, they, too, must be “similar enough”. Once again, the degree of similarity depends on the specific device and the capabilities of the driver installed.
* Those individual devices that are not similar must be optional, meaning that the system will run properly without the device.

If those conditions are met, maybe it’ll work.

And it’s a huge if.

It’s possible that Windows will be able to boot, notice that some non-critical hardware has “changed”, go through the process of updating itself, and run.

What you’re suggesting is actually a very common approach to installations that have a large number of identical machines, but the further you stray from truly identical machines, the lower the chances are of this approach working.
Restore from a backup
Honestly, if this were my machine and I wasn’t lucky enough to have a different mouse/keyboard combination that worked, I’d restore my machine to an image backup taken prior to the problem. That way, I’d effectively “undo” the damage, and would know not to run that tool again without understanding why it disabled the input devices.

This is another case in which a recent image backup can save you a lot of hassle.

If you haven’t been taking image backups, or don’t have one recent enough to go back to without a lot of loss, then things get uglier.