The best way to stay safe in today’s world is to know the equipment you’re using. Mostly, good common sense is all that is needed. But if you’ve been infected with RansomWare, you’re probably doomed and need to restore from backup. The keyword here is “probably“.
In cases where a cryptographic hashing function has been used, it may be possible to derive the key by comparing an intact clear-text copy of a document with its encrypted equivalent. These algorithms are such that the byte count is the same between the clear-text source document and the encrypted document. Of course, this assumes you can tell what file is what on your computer (or what’s left of it).
In other cases, where a true cryptographic function has been used and a hacking entity’s key server has been confiscated, it may be possible to recover your files.
I generally refer people to the following sites for information.
- Bleeping Computer
This site has been around for about as long as Windows XP has (a long time) and is one of my favorite stomping grounds. It is useful for diagnosing all kinds of computer-related Malware issues, not just RansomWare. This is probably a good place to start to find out about the type of Malware or RansomWare you’ve got.
- No More Ransom
This is the long-awaited collaborative project between Europol’s EC3 Center and the Netherlands’ High-Tech Crime Unit, with assistance from Kaspersky Labs and Intel Security. They are an aggregator of sorts for decryptor programs.
Now, more bad news. I’ve found that even if you pay the ransom, or even find a decryptor online, you will still be in for some trouble. These hackers encrypt everything they can; it’s all automated. Whether you’ve just got one file or 500 thousand files, they don’t care. Oftentimes, these decryption programs will only decrypt one file at a time, or a directory at a time. You may need to seek out some scripting help to automate the process.
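The two practical points above (recovering a key by comparing a clean copy of a file with its encrypted twin when the scheme is length-preserving, and scripting a one-file-at-a-time decryptor over a whole directory tree) are shown together in the following Python example. It is added here and is not code from the original post; the "ransomware" is a constructed toy that XORs each file with a repeating key, which is exactly the kind of length-preserving scheme where a known clear-text/encrypted pair leaks the keystream. The `.locked` extension, the sample files and the key are all constructed for the demo. The caveat a practitioner needs: ransomware that uses a proper cipher (for example AES with per-file keys wrapped by RSA) does not fall to this comparison, and the only route there is a backup or a decryptor released after the key server is seized.

```python
"""Added example: known-plaintext key recovery against a length-preserving
repeating-XOR scheme, plus a directory walker that applies the recovered key
to every encrypted file. Toy scheme, constructed sample data."""
import tempfile
from pathlib import Path

ENC_EXT = ".locked"  # assumed extension the toy encryptor appends to each file


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same function encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(plain: bytes, cipher: bytes, max_key_len: int = 64) -> bytes:
    """Known-plaintext attack: plain XOR cipher gives the keystream directly.
    For a repeating key the keystream is periodic, so return its shortest period.
    The sample should be at least twice the key length or a spurious period can match."""
    if len(plain) != len(cipher):
        raise ValueError("length mismatch: not a length-preserving scheme, give up")
    stream = bytes(a ^ b for a, b in zip(plain, cipher))
    for n in range(1, min(max_key_len, len(stream)) + 1):
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return stream[:n]
    raise ValueError("no repeating key of length <= %d found" % max_key_len)


def decrypt_tree(root: Path, key: bytes, ext: str = ENC_EXT) -> list:
    """Walk root, decrypt every file ending in ext and write it back under its
    original name. The encrypted copy is kept so a bad key costs nothing."""
    restored = []
    for path in sorted(root.rglob("*" + ext)):
        if path.name == ext:  # a bare ".locked" has no original name to restore
            continue
        out = path.with_suffix("")  # "report.docx.locked" -> "report.docx"
        out.write_bytes(xor_with_key(path.read_bytes(), key))
        restored.append(out)
    return restored


def demo() -> dict:
    """Build a constructed victim directory, recover the key from one clean copy,
    and batch-decrypt everything. Returns what the caller can check."""
    secret_key = b"\x1f\x8a\x3c\x55\x07"  # the toy encryptor's key; recovery never reads it
    originals = {
        "report.docx": b"Quarterly numbers: revenue up 4%, costs flat. " * 20,
        "notes.txt": b"call dentist\nrenew passport\n",
        "sub/photo.jpg": bytes(range(256)) * 3,
    }
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name, data in originals.items():  # simulate the encryptor's pass
            p = root / name
            p.parent.mkdir(parents=True, exist_ok=True)
            p.with_name(p.name + ENC_EXT).write_bytes(xor_with_key(data, secret_key))
        # The victim still has a clean copy of report.docx (say, in sent mail):
        known_plain = originals["report.docx"]
        known_cipher = (root / ("report.docx" + ENC_EXT)).read_bytes()
        key = recover_key(known_plain, known_cipher)
        restored = decrypt_tree(root, key)
        all_match = all((root / n).read_bytes() == d for n, d in originals.items())
        return {"key": key, "restored": len(restored), "all_match": all_match}


if __name__ == "__main__":
    print(demo())
```

For a real decryptor that only takes one file per run, keep the `decrypt_tree` walker and replace the `xor_with_key` call with a `subprocess.run([...])` invocation per path; the walker, the extension filter and the keep-the-encrypted-copy rule are what make the batch safe to rerun.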