Is This a FULLY Reliable Method to Recover from Ransomware?


  1. Posts : 16
    Windows 10 Pro x64
       #1

    Is This a FULLY Reliable Method to Recover from Ransomware?


    Hello Everyone,
    I have lately read several websites that talk about the possible destruction of my computer resulting from a ransomware infection . . . which made me wonder if the method I have long expected to use would Actually be reliable!
    So I would really appreciate for any Security Gurus among you to please let me know whether my expectation is based on real-world facts::

    So, let's say that the Next Time I boot up my computer (Win10 x64) . . . a message immediately pops onto the screen informing me that ALL key files have been Encrypted, --That I must now pay $850 worth of bitcoins to the posted URL, --And that any attempt to use any recovery tool will result in the immediate wiping of the drives.

    "Oh, Shoot!", I think, "The exact thing I was so worried about has happened!, And I haven't even had my coffee yet!"
    And then I remember that it has been nearly TWO Weeks since my last image-backup. "Oh well," I console myself, "Better late than never!"
    {{ I should mention here that I do save my image backups to a USB hard drive which I only plug in when I'm actually Doing a backup . . . And that my Macrium backup software had assisted me to make my USB drive bootable [<--but that was STILL an error-fraught struggle!]. }}

    So ... I shut down my computer, plug the external drive into the USB port--which boots up to the WinPE version of Macrium;
    THEN, I Click the desired Image-File, Click on Restore, the Software warns me that the drives will now be erased . . . and Boom! The Flowers are blooming, the birds are sweetly singing in a nearby tree, and all is right with the world!

    Does the described result have a very high (>86%) probability of actually happening? And if Not, please let me know of anything that would improve the reliability of my response! --I have some extremely valuable stuff on this PC, and would Strongly Desire for my recovery plan to have a VERY high chance of actually working!
    Thanks a lot for your replies!

    - Chuck
    Last edited by Chuck7; 10 Dec 2017 at 05:18. Reason: misspelling


  2. rqt
    Posts : 130
    Windows 10 mainly 64 bit
       #2

    A couple of thoughts for you:-

    1) If I had "some extremely valuable stuff" on a PC I would be wanting several backup copies on separate devices & stored in different places - preferably not all in the same building.

    2) I would never consider connecting my backup disk to the PC until I was absolutely sure that the ransomware was totally removed from the PC.


  3. Posts : 11,247
    Windows / Linux : Arch Linux
       #3

    Hi there
    @Chuck7

    100% failsafe method

    1) Immediately power off --don't even shut down computer via software -- POWER OFF IMMEDIATELY -- Just pull the plug out!! Ignore any scamsters telling you not to switch your machine off!!!
    2) Unplug internet connectors and any other external peripherals.
    3) Insert bootable partition manager and boot to computer.
    4) Format offending HDD (usually the one where the Windows OS is stored on).
    5) Now re-boot computer with backup / recovery software --e.g. Free Macrium or equivalent.
    6) Restore from CLEAN SAFE BACKUP.

    Only re-connect back to the Internet if you are sure restored computer is clean. Do a full scan before re-connecting to the Internet again.

    Job done

    NEVER PAY ANY MONEY to those a--holes or even waste any money with a 1-off Ransomware "cleaner".
    Always ensure you have clean backups.

    I'd almost go so far as to say if your machine ever gets infected with a virus simply do the same thing --it's usually FAR FAR quicker than spending hours running A/V cleansing software which won't necessarily be 100% effective anyway -- especially when you run it on an infected machine.

    It's like telling a Pilot that the plane on the ground is seriously defective but here's how to repair it --but you have to do it while the plane is flying !!!!!!

    Cheers
    jimbo


  4. Posts : 30,173
    Windows 11 Pro x64 Version 23H2
       #4

    Agree with both members.

    If your PC is on a network I would also be checking them before re-installing.

    Myself I would reset entire HDD, not just the offending partition and likely I would do all drives.

    I too believe it is essential to have multiple versions of backups on multiple disks. You can read that some ransomware lies in wait for long periods to infect backups. Have I seen it? No. Is it possible? I'm sure.

    While your question was specific to ransomware, I back up my data to an encrypted drive and store it off site. I have multiple separate drives.

    Finally I would also be talking prevention. The newest Windows 10 has controlled access folders and I believe Bitdefender has the same. Some overhead to get used to, but if you can't write to data then you can't encrypt. It would also give you a very early heads up. I would read this entire thread, I think there is lots of good info.

    Change Windows Defender Controlled Folder Access Settings - Windows 10
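
    An added example, not part of the original post: one way to roll out the Controlled Folder Access feature mentioned above from an elevated PowerShell prompt, starting in audit mode so the "early heads up" can be reviewed before anything is blocked. The folder and program paths are placeholders chosen for illustration, and the function names are hypothetical.

```powershell
# Added example: staged rollout of Controlled Folder Access (CFA).
# Run in an elevated PowerShell on Windows 10 1709 or later with Defender active.
# Paths below are placeholders (assumptions), not values from the thread.
$ExtraFolders = @('D:\Valuable')                          # hypothetical data folder
$TrustedApps  = @('C:\Program Files\ExampleApp\app.exe')  # hypothetical trusted program

function Enable-CfaAudit {
    # Audit mode blocks nothing; writes that would be blocked are logged as event 1124.
    Set-MpPreference -EnableControlledFolderAccess AuditMode
    foreach ($f in $ExtraFolders) {
        if (Test-Path -LiteralPath $f) {
            # Adds to the default protected set (Documents, Pictures, Desktop, ...).
            Add-MpPreference -ControlledFolderAccessProtectedFolders $f
        } else {
            Write-Warning "Skipping missing folder: $f"
        }
    }
}

function Get-CfaEvent {
    # 1123 = write blocked (enforced), 1124 = write would be blocked (audit).
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1123, 1124
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

function Enable-CfaEnforce {
    # Allow only programs you recognised in the audit events, then enforce.
    foreach ($a in $TrustedApps) {
        if (Test-Path -LiteralPath $a) {
            Add-MpPreference -ControlledFolderAccessAllowedApplications $a
        } else {
            Write-Warning "Skipping missing program: $a"
        }
    }
    Set-MpPreference -EnableControlledFolderAccess Enabled
    # Reported state: 0 = Disabled, 1 = Enabled, 2 = AuditMode.
    Get-MpPreference | Select-Object EnableControlledFolderAccess,
        ControlledFolderAccessProtectedFolders,
        ControlledFolderAccessAllowedApplications
}
```

    Run `Enable-CfaAudit`, use the PC normally for a few days, review `Get-CfaEvent | Format-List`, then run `Enable-CfaEnforce`. An unfamiliar program appearing in those events is the early warning worth investigating before it is ever added to the allow list.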


  5. Posts : 16
    Windows 10 Pro x64
    Thread Starter
       #5

    Very helpful!!


    Thank You to All of you who replied!! That was Very helpful. My original plan was certainly incomplete!!
    - Chuck


  6. Posts : 16
    Windows 10 Pro x64
    Thread Starter
       #6

    jimbo45 said:
    3) insert bootable partition manager . . ..
    Thank you, Jimbo45:

    About the bootable partition manager:: You would not even Believe what I went thru to make my external drive bootable!! I think that that headache had something to do with UEFI, perhaps? (I'm not very technically oriented.) Anyways, when I look at that external drive in File Manager, there is absolutely ZERO about "boot"--& also ZERO Mention of "Macrium" . . . So it Appears that, when Macrium prepared that drive to boot, they must have put _ALL_ of that stuff into its HIDDEN Folder "System Volume Information" (perhaps).

    Therefore, I just wondered: If I get a thumb drive on which to put the "bootable partition manager", what will be the first couple steps to take in order to make that thumb drive bootable (show up in the list when I press F8)? And could you give me the name of a "bootable partition manager"?

    Thank You
    - Chuck

    P.S. Just noticed that you're from Iceland! Have you ever seen Bjork? (I really like her music.)


  7. Posts : 11,247
    Windows / Linux : Arch Linux
       #7

    Chuck7 said:
    Thank you, Jimbo45:

    About the bootable partition manager:: You would not even Believe what I went thru to make my external drive bootable!! I think that that headache had something to do with UEFI, perhaps? (I'm not very technically oriented.) Anyways, when I look at that external drive in File Manager, there is absolutely ZERO about "boot"--& also ZERO Mention of "Macrium" . . . So it Appears that, when Macrium prepared that drive to boot, they must have put _ALL_ of that stuff into its HIDDEN Folder "System Volume Information" (perhaps).

    Therefore, I just wondered: If I get a thumb drive on which to put the "bootable partition manager", what will be the first couple steps to take in order to make that thumb drive bootable (show up in the list when I press F8)? And could you give me the name of a "bootable partition manager"?

    Thank You
    - Chuck

    P.S. Just noticed that you're from Iceland! Have you ever seen Bjork? (I really like her music.)
    Hi
    @chuck

    Góðan daginn
    Hafðu góða viku !!!


    For Partition manager (Bootable) you can use a bootable version of GPARTED --it's Linux based but the interface looks so like Windows you won't have any trouble with it-- or the Free version of Partition Wizard.

    For both tools download the ISOs and then use RUFUS to create a bootable USB. It's by far the easiest way of creating bootable USBs and it will create a joint MBR / UEFI boot system so you don't have to worry about that part of the exercise.

    Partition Wizard here

    MiniTool Partition Wizard | Best partition magic alternative for Windows PC and Server

    Gparted here

    GParted -- Download

    Rufus here

    Rufus - Create bootable USB drives the easy way

    I should have mentioned in the post you should have bootable versions of a partition manager and a backup / restore program like Free Macrium.

    What also can work is to DISCONNECT from the net and install your Windows media creation tool. At the point it presents disks to install Windows on, just delete and format the HDD. THEN EXIT.

    As for Music I prefer the Classical variety --I find a bit of the modern club type stuff a bit like listening to a load of Road drills or heavy civil Engineering plant !!!

    Cheers
    jimbo


  8. Posts : 16
    Windows 10 Pro x64
    Thread Starter
       #8

    That's Really Helpful! Thank You Very Much, Jimbo45 ! !
    I'm going to add that bootable partition-component to my recovery drive very soon.
    I hope you will have a good week too! :)
    - Chuck


  9. Posts : 1,345
    Windows 10 Pro 64-bit
       #9

    jimbo45 said:
    3) insert bootable partition manager and boot to computer.
    4) Format offending HDD (usually the one where the Windows OS is stored on).
    Cheers jimbo
    I have a friend who got a new Win10 computer about 4 months ago and it has been ransomwared. I don't know which version and haven't seen it yet. When he first got it and showed it to me I created a USB Recovery Drive and included system files.
    --- Will the USB Recovery Drive with included system files cover those steps #3 & 4?
    --- He doesn't have data to save.


  10. Posts : 30,173
    Windows 11 Pro x64 Version 23H2
       #10

    Yes it should. On his first screen he would hold Shift down and press F10. This starts the command prompt. Then enter these commands.

    diskpart
    List disk
    Select disk 0
    clean
    convert gpt
    exit
    exit

    The above assumes in the select command that he wants to install Windows on disk 0 (the list command shows what disks are available) and that he is booting UEFI (convert gpt).

    Diskpart doesn't ask questions; if you clean the wrong disk you will be in recovery mode. You said he didn't have data.

    Ken