Recovering from Ransomware

Ransomware is malicious software that locks your system or your files and demands a ransom to release them. There are essentially two types: PC-Lockers, which lock the whole machine, and Data-Lockers, which encrypt certain data but let the machine keep working. The main goal is to extract money from the user, usually paid in a cryptocurrency such as Bitcoin.

Identification and decryption

First, you’ll need to know the family name of the ransomware that infected you. This is easier than it seems: search for malwarehunterteam and submit the ransom note. It will reveal the family name and often guide you through the decryption. Once you have the family name that matches the note, the files can be decrypted using Teslacrypt 4.0. First you need to set the encryption key. Selecting the extension appended to the encrypted files will allow the tool to set the master key automatically. If in doubt, simply choose .

Data Recovery

If this fails, you will have to try to recover the data yourself. The system can often be too damaged to restore much. Success will depend on a number of variables (operating system, partitioning, file overwrite priority, disk space handling, etc.). Recuva is probably one of the best tools available, but it is best run from an external drive rather than installed on the OS drive you are recovering from, since writing to that drive can overwrite the very data you are trying to get back. Once it’s installed, simply run a deep scan and hopefully the files you’re looking for will be returned.

New encryption ransomware targeting Linux systems

Known as the Linux.Encoder.1 malware, it attacks personal and business websites and demands a bitcoin payment of around $500 to decrypt the files.

A vulnerability in the Magento CMS was discovered by attackers, who quickly took advantage of the situation. Although a patch for the critical vulnerability has now been released for Magento, it’s too late for those webmasters who woke up to find the following chilling message:

“Your personal files are encrypted! Encryption is produced using a unique public key… to decrypt files you need to get a private key… you need to pay 1 bitcoin (~420 USD)”

It is also believed that other content management systems may have been attacked, so the number affected is currently unknown.

How Malware Hits

The malware executes with administrator (root) privileges. All home directories and associated website files are affected, with the damage done using 128-bit AES encryption. This alone would be enough to cause a lot of damage, but the malware goes further: it then scans the entire directory structure and encrypts files of many different types. In every directory it encrypts, it drops a text file that is the first thing an administrator sees when they log in.

There are certain elements the malware looks for, which are:

  • Apache installations

  • Nginx installations

  • MySQL installations in the target system’s tree

Reports also indicate that log directories are not immune to attack, nor is the content of individual web pages. The last places it hits, and perhaps the most critical, include:

  • Windows executable files

  • Document files

  • Program libraries

  • JavaScript files

  • Active Server Pages (.asp) files

The end result is that the system is held to ransom, and businesses know that if they cannot decrypt the files themselves, they must either give in and pay the ransom or suffer serious business disruption for an unknown period of time.

Requests made

In each encrypted directory, the malware drops a text file called README_FOR_DECRYPT.txt. The payment demand states that the only way to obtain decryption is through a hidden page reached via a gateway.

If the affected person or business decides to pay, the malware is programmed to begin decrypting all files and undo the damage. It appears to decrypt everything in the same order in which it was encrypted, and as a final step it deletes all the encrypted files as well as the ransom message itself.
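Because the ransom note is dropped into every directory the malware touches, the note itself is a usable marker for scoping the damage before any recovery attempt. The following Python script is an added example, not code from the original article: it walks a tree, lists the directories holding README_FOR_DECRYPT.txt, and flags files whose leading bytes have near-maximal Shannon entropy, a common triage heuristic for spotting encrypted content. The entropy threshold and the sample tree are assumptions constructed for the example.

```python
import math
import os
import tempfile
from pathlib import Path

RANSOM_NOTE = "README_FOR_DECRYPT.txt"   # note file name described in the article
ENTROPY_THRESHOLD = 7.5                   # assumed cut-off, in bits per byte (max 8.0)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; well-encrypted data sits close to 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage_tree(root: str, sample_size: int = 4096) -> dict:
    """Report directories that contain the ransom note and files whose first
    sample_size bytes look encrypted. Compressed formats (zip, jpg, docx) also
    score high, so treat suspect_files as a triage list, not as proof."""
    note_dirs, suspect_files = [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        if RANSOM_NOTE in filenames:
            note_dirs.append(dirpath)
        for name in filenames:
            if name == RANSOM_NOTE:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(sample_size)
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            if len(head) >= 256 and shannon_entropy(head) >= ENTROPY_THRESHOLD:
                suspect_files.append(path)
    return {"note_dirs": sorted(note_dirs), "suspect_files": sorted(suspect_files)}


def build_sample_tree() -> str:
    """Constructed sample tree (not real malware output): one clean web root,
    and one home directory holding a random-bytes file plus the ransom note."""
    root = tempfile.mkdtemp(prefix="triage_")
    clean, hit = Path(root, "var", "www", "html"), Path(root, "home", "user")
    clean.mkdir(parents=True)
    hit.mkdir(parents=True)
    (clean / "index.html").write_text("<html><body>hello</body></html>\n" * 40)
    (hit / "report.docx").write_bytes(os.urandom(4096))  # stands in for an encrypted file
    (hit / RANSOM_NOTE).write_text("Your personal files are encrypted!\n")
    return root


if __name__ == "__main__":
    print(triage_tree(build_sample_tree()))
```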

Contact the specialists

This new ransomware will require the services of a data recovery specialist. Be sure to let them know about any steps you’ve taken to recover the data yourself. This can be important and will undoubtedly affect the success rate.