Here you can learn how to remove ransomware and recover from an attack, which tools are available to help when you are in the middle of a ransomware event, and how ransomware affects the different operating systems.
Though prevention is always best, a stray click may one day be met with that dreaded “hijacked” screen demanding payment. The question then becomes: How to remove ransomware once it’s too late and you have a drive full of encrypted files? Is there any way to recover without paying a hefty ransom?
How To Remove Ransomware
A ransomware trojan is never easy to remedy because of how deeply it embeds itself into your operating system. Decryption after the fact isn’t always possible, and removal isn’t always practical, in which case the only option left is to completely wipe the machine and reset it to factory settings. Some ransomware variants can be removed, however, with enough time and effort.
Your first step is to disconnect from the Internet and from any external storage devices immediately upon detecting an attack (pull the network cable or turn off Wi-Fi rather than relying on software controls). This contains the damage by preventing the malware from "phoning home" and stops the encryption from spreading to any backups that reside on an external drive or in cloud storage.
Investigate with your security software next. The exact steps vary significantly depending on your operating system.
If you're on a Windows machine, always boot into Safe Mode (without networking) before scanning. Safe Mode starts a bare-bones instance of Windows in which most services not essential to the OS are prevented from starting. This matters because any malicious service running in the background will likely do all it can to stop you from reliably installing and running your removal tools. Safe Mode reduces that risk but does not eliminate it, since malware can register itself to start in Safe Mode too, so treat it as a precaution rather than a guarantee.
Linux infections such as KillDisk and macOS browser-lock scams such as FBI/MoneyPak require different approaches, of course, but the broader principle still applies: take the machine offline immediately, disconnect external storage, and investigate using your choice of security tools.
Once the machine is offline, download your tools on another, clean machine and copy them across (for example, via a USB drive that you then treat as untrusted). Install and run them to identify and fully remove the ransomware trojan and all of its components. (Take care to select the right tool for the job; suggestions on how to do so follow below.)
Note that many ransomware programs hijack your desktop background and replace it with "instructions" on how to send the attacker money. This background, by now harmless, may still be in place even after the malware has been removed; if so, simply change your background manually to set it back to normal.
Ransom note left on systems infected by 2017's WannaCry ransomware.
Once removal is complete, verify that the machine is fully clean before going any further. Ransomware typically digs itself into the inner workings of the victim's operating system, so you must be confident the OS is no longer compromised before any recovery effort begins, lest the restored data be encrypted all over again. Re-scan with a second, independent engine and review autostart locations (services, scheduled tasks, startup entries) for anything unexpected; if any doubt remains, wipe the machine and reinstall.
Ransomware By Operating System
FortiGuard Labs estimated a sevenfold increase in ransomware activity between July and December 2020, at one point recording 17,200 devices reporting attacks in a single day. It is thus important to understand ransomware by operating system, and how vulnerable each one is (or is not).
Variants observed included Egregor, Ryuk, Conti, Thanos, Ragnar, WastedLocker, Phobos/EKING, and BazarLoader. Among these, one in particular, SMAUG, operated as Ransomware as a Service (RaaS), offering attacks on Windows, macOS, and even Linux.
All operating systems are vulnerable to ransomware, though Windows is currently by far the most common target. According to AV-Test, 83.45% of ransomware attacks hit Windows machines as of Q1 2020.
Ransomware Attacks During 2019 User Study
macOS has thus far been a much smaller target; nonetheless, attacks on it have been no less severe. 2013's FBI Ransom, while arguably not "true" ransomware, hijacked Safari browsers to convince users that paying a ransom was required to regain control.
In 2016, KeRanger used a legitimate developer certificate to ransom Mac OS X systems via a trojanized build of the popular BitTorrent client Transmission. 2017 introduced yet another ransomware attack, Patcher, which encrypted data on macOS machines.
Linux admins shouldn't assume safety either, mainly because Linux is the most widely used operating system for web-facing computers, accounting for 74.2% of web servers as of 2019. Ransomware families that targeted Linux machines between 2017 and 2021 include RansomEXX, Tycoon, Erebus, QNAPCrypt, and KillDisk.
How To Recover From Ransomware
Recovering from a ransomware attack is never easy, but it is necessary, and there is a right way and a wrong way to do it.
To start with, never begin recovery until all traces of ransomware have been identified and verified as wholly removed from every affected system. Some emergencies may nonetheless demand immediate recovery to restore critical business operations. In that case, perform all recovery steps on a separate system that is in no way connected to the compromised one, not even over the same network. Failing to follow one of these two options simply results in the data being compromised a second time.
Ideally, data can be restored without decrypting anything. Always keep important data backed up, either to an external device or synced with a cloud storage service, and ideally keep at least one copy that is offline or versioned, since a sync service will happily mirror an encrypted file over the good one. Then you can simply recover the original, unencrypted data from backup. The major caveat here is that any external devices or cloud services must be disconnected as soon as a machine is determined to be compromised, so that the attack does not spread to those backups as well.
In especially severe attacks, the ransomware may be so pervasive, surviving all efforts to remove it, that restoring clean data to its original location will in fact trigger a second attack that re-encrypts it and sets all efforts back to square one. This can be avoided by restoring the unencrypted data to a new, isolated location.
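Before trusting a restore, whether from backup as described above or into the new isolated location, it pays to check the restored tree for the signs that encryption has already happened or is happening again. The following scanner is an added example and not code from the original article. It builds a throwaway directory of constructed sample files and flags anything that looks encrypted (a ransom note, an appended extension, a file whose header no longer matches its claimed type, or a text file with ciphertext-level entropy), then compares what survives against a SHA-256 manifest taken before the incident. The extension names, note names, and sample files are all assumptions; real variants use many different ones.

```python
"""Check a restore location for signs of ransomware encryption.

Added example, not from the original article. All indicators below
(extensions, note names) and all sample files are constructed assumptions.
"""
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

SUSPECT_EXTENSIONS = {".locked", ".encrypted", ".crypt"}      # assumed
RANSOM_NOTE_NAMES = {"readme_decrypt.txt", "how_to_recover.txt"}  # assumed
# A file that claims to be one of these but no longer carries the header
# has almost certainly been overwritten in place.
MAGIC = {".png": b"\x89PNG\r\n\x1a\n", ".pdf": b"%PDF", ".zip": b"PK\x03\x04"}
LOW_ENTROPY_TYPES = {".txt", ".csv", ".log", ".json"}
HIGH_ENTROPY = 7.5  # bits per byte; ciphertext sits close to 8


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the sample (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(path: Path, sample_size: int = 4096) -> str:
    """Return 'ransom_note', 'encrypted', 'mismatch', 'suspect' or 'clean'."""
    suffix = path.suffix.lower()
    if path.name.lower() in RANSOM_NOTE_NAMES:
        return "ransom_note"
    if suffix in SUSPECT_EXTENSIONS:
        return "encrypted"
    with path.open("rb") as f:
        head = f.read(sample_size)
    expected = MAGIC.get(suffix)
    if expected and not head.startswith(expected):
        return "mismatch"
    # Compressed formats (zip, png) are legitimately high-entropy, so the
    # entropy test is only meaningful for types that should be low-entropy.
    if suffix in LOW_ENTROPY_TYPES and shannon_entropy(head) > HIGH_ENTROPY:
        return "suspect"
    return "clean"


def scan(root: Path) -> dict[str, list[str]]:
    """Group every file under root by its classification."""
    report: dict[str, list[str]] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            report.setdefault(classify(p), []).append(str(p.relative_to(root)))
    return report


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_manifest(root: Path, manifest: dict[str, str]) -> list[str]:
    """Return the files whose hash differs from the pre-incident manifest."""
    return [rel for rel, digest in manifest.items()
            if not (root / rel).is_file() or sha256_file(root / rel) != digest]


def build_sample(root: Path) -> dict[str, str]:
    """Write constructed sample data; return the manifest of the originals."""
    good = {"notes.txt": b"quarterly figures, see attached\n" * 20,
            "logo.png": MAGIC[".png"] + bytes(range(256)) * 4}
    manifest = {name: hashlib.sha256(data).hexdigest() for name, data in good.items()}
    for name, data in good.items():
        (root / name).write_bytes(data)
    # Simulated damage: random bytes stand in for ciphertext.
    (root / "report.pdf").write_bytes(os.urandom(4096))          # header destroyed
    (root / "budget.xlsx.locked").write_bytes(os.urandom(4096))  # renamed + encrypted
    (root / "readme_decrypt.txt").write_bytes(b"YOUR FILES ARE ENCRYPTED ...")
    manifest["report.pdf"] = hashlib.sha256(b"%PDF-1.4 original content").hexdigest()
    return manifest


def demo() -> tuple[dict[str, list[str]], list[str]]:
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        manifest = build_sample(root)
        return scan(root), verify_manifest(root, manifest)


if __name__ == "__main__":
    report, bad = demo()
    for verdict, files in report.items():
        print(f"{verdict:12s} {files}")
    print("manifest mismatches:", bad)
```

Run it against the isolated restore location after copying the backup in, and again a short while later: a second run that suddenly reports "encrypted" or "mismatch" entries is the re-encryption described above. A clean report is evidence about the data only; it says nothing about whether the operating system itself is still compromised, which has to be verified separately.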
Full recovery may nonetheless require decryption. Decryption tools exist for a limited number of known ransomware variants, generally only where the malware's keys have been recovered or its cryptography was flawed, so identify the variant before attempting any of them.
Recovery will likely never be a simple or concise process, so any recovery plan should anticipate needing at minimum a few hours to complete. Such a plan should consider worst-case scenarios in which multiple machines or even the entire network is taken down by an attack. Prioritize which applications and services to restore first in such a scenario, so that the most critical of business operations can resume with haste while further recovery efforts continue.
Ransomware Removal Tools
An ideal ransomware tool should both detect and remove the malware. Thankfully, ransomware detection and removal are built into many of the most popular broader security suites.
For example, Malwarebytes focuses on detecting and removing malware in general, but includes detection and removal of ransomware specifically. Similarly, many of the big-name security suites (McAfee, Kaspersky, Trend Micro, and so on) include ransomware protection.
Whatever solution you opt for, the ideal tool should first prevent ransomware, detect existing ransomware (via comprehensive and continually updated definitions), completely remove ransomware, and verify a clean system afterward.
As a bonus, some tools may additionally attempt to decrypt encrypted data, though successful decryption is never a guarantee once attacked.