Recovering from Ransomware

teslacryptYou have trained your staff and improved your defenses.  In spite of your best efforts, you have an active case of crypto-malware running on a system in your business.  How do you recover?

Here are the steps to recovery:

  • Disconnect the affected system from the network by removing the Ethernet network cable connection or turning off the Wi-Fi connection.
  • Determine if the encryption process has completed.
    • If so, leave the system running, but disconnected from the network.  The best course of action is to leave the computer running.  The purpose of leaving the computer running is to preserve the memory and system for forensic analysis.  In some cases, it may be possible to reverse the encryption process and restore the files.
      • System Restore in Windows is a waste of time.  In my experience, this has not worked because the malware deleted all the restore points.  Anyway, System Restore does not alter files, so while the malware may be removed, the effects are not.
    • If not, turn off the system and attempt file recovery of unencrypted files.  In most cases this will not be possible.  If the computer is displaying a screen like the ones we have illustrated this week, the encryption process is over.  However, if the encryption process has not completed, recovering at least some of the files may be possible.  In this case, turn off the computer, remove the hard drive, and mount it as an external drive to a computer that is dedicated to this sort of task.  In my business this computer is called a “sheep dip” and is used for scanning flash drives for malware before letting them on this network.  Unencrypted files can be safely copied to other removable media and saved for later in the recovery process.
  • Determine if the infection has spread to other systems on the network.
    • If so, consider disconnecting your Internet connection so the attacker’s command and control system can no longer download exploits to other systems.
    • Repeat the above process with other affected systems.
  • Depending on your computer incident response plan, now would be a good time to notify the response team, senior management, and make a police report if required.  You might want to report the incident to the IC3.
  • Determine the crypto-malware variant you have.  The easy way is to look at the ransom notice, since each variant has a distinctive ransom page.  You can also see what the new file extension has become, since this identifies the variant as well.  For instance the Locky variant is so named because the file extensions are all changed to “.locky.”  For a comprehensive list see
  • Decryption may be possible depending on the variant.  Jada Cyrus, a cybersecurity professional, has put together a great collection of tools on BitBucket.  Sometimes the encryption key can be found on the system memory (RAM), or in other configuration files, which is why we left the computer on at the start of this process.
  • Determine if the system needs to be preserved for legal evidence or regulatory reasons.
  • If the tools don’t help and you don’t need to preserve evidence, then there is noting left but to wipe the drive and reinstall the operating system and applications from scratch or a prepared system image.
  • Then restore the missing files from the most recent backup.  You do have a backup, right?

So this concludes our three part series on encryption ransomware.  Hopefully you got something out of it.  I know these posts were a little longer than usual, and my apologies for that, but this exploit is becoming more common, and more expensive to mitigate.  I have included some useful links below.

More information:


About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at

Add a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.