
Details on how to recover from a Ransomware attack


Userlevel 2
Hello all,
I'm fairly new to Webroot.  I had a couple of questions on what is needed to recover a system that is hit by Ransomware. Sorry, I've searched until I'm sick of looking for answers.  I decided to try posting my questions instead.  If there is a guide for this already, can someone please point me in the right direction?  
 
Say I get hit with Ransomware and my entire system is encrypted and no longer usable.  
1.  What steps do I need to do at that point?  
2.  Do I need to log into my.webrootanywhere.com/ from another PC and try to recover my system?
3.  What information do I need to provide to Webroot support for them to try to remotely restore the system?
 
Basically I want to create an "emergency recovery kit" with details on recovery steps, Webroot contact information, my account info., etc.  I want to keep this information external to my computer so that if it goes down, I have all the information needed to start the attempted recovery of my down system. 
 
Thanks!
 
 
 
 

Best answer by JP_ 17 May 2017, 20:09

Greetings, @. Happy to have you on our Community :robotvery-happy:
 
The best recommendation for not recovering from a Ransomware attack but preventing one rather is always Backups, Backups, and maybe just a few more Backups.
(Keeping them disconnected and offline is crucial)
 
The steps in this Article are probably going to be about the best if you do happen to find yourself in that situation. If you have a Backup, then you have nothing to worry about.
 
Our Support Team should always be involved for all issues related to Threats. They'll get all the information they need by remoting onto your System.
 
For more information about Ransomware, visit our Webroot Threat Blog.
 

28 replies

Userlevel 2
Hi JP, thanks for the reply.
 
I try to be pretty strict on my backups.  I have two external 5TB drives that I use for backups.  They are plugged into a power strip and stay off 95% of the time.  Every weekend, I do a fresh virus and malware scan on my system.  If everything's okay, I power up the external drives and then do a data backup to one of the drives.  Then every other week I back the first external drive over to the second drive.  I hope to one day have a tornado shelter and to be able to store one of the drives in a fireproof safe inside it, just as an added physical layer of protection against some type of home damage.
 
Guess it sounds like I will just need to contact support from another computer if something happens.  Thought there would be steps that I needed to do before contacting them.  Sorry, was trying to be prepared up front. I didn't want information I needed to supply to the tech support group to be trapped inside an inaccessible PC.  Thanks again for the reply.
 
 
Userlevel 7
No apologies needed! You can never look down on someone who wants to be well prepared :cathappy:
 
It sounds like you already have an excellent plan in place for protecting/restoring your data.
 
Yep, pretty much all you'll need to do if anything does happen is reach out to our Support Team. They'll walk you through all the steps then.
 
If we can help address any other questions or concerns, all of our super-helpful Community members will be happy to do so!
 
Cheers,
@ wrote:
I have two external 5TB drives that I use for backups ... every other week I back the first external drive over to the second drive.
Good point! My first line of backup defence is my imaging of my hard disks with Acronis*. But I only use one external hard disk.
 
Your post has got me thinking. I have great confidence in Webroot, nevertheless—if ever, by some terrible twist of fortune, a ransomware was to attack me at the exact moment in time that I was making an image of my disk, I would be completely snookered as the nasty little critter would presumably have merrily skipped over to my connected external disk and encrypted all my lovely images :S
 
So I think I should from now on alternate between two external hard disks for my imaging (the gaps in data would not be too serious as I have other backup methods I use that would allow me in this disaster scenario to successfully fill in those gaps).
 
Thanks for your post, @!!  By sharing your backup methods with us, you have drawn my attention to a potentially fatal flaw in my current backup system!
 
*EDIT: Not Acronis 2017
Userlevel 7
@ wrote:
Thanks for your post, @!!  By sharing your backup methods with us, you have drawn my attention to a potentially fatal flaw in my current backup system!
Sharing is caring!!!!!!! :catvery-happy:
 

Userlevel 2
No problem Muddy7, glad to have helped. 
 
I did actually have disaster strike when doing my backup from one drive to the other drive.  I've always just done incremental backups.  On the day I decided to clean up my system and do a mirrored backup, the master drive died right in the middle of the backup!!  Of course the target drive wasn't seeing files any longer and started deleting everything!  I basically ended up with a dead master drive and a half-empty target drive.  I was able to recover quite a bit of deleted stuff off the target drive, but the file names and folder structures were all screwed up.  Haven't done another mirrored backup since!  Kind of scares the hell out of me now.  Backups of backups are good...just be careful!      
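
A guard against the failure described in the post above, as an added example that is not part of the original thread: a mirror that plans its deletions first and refuses to run when the source has vanished or when too large a share of the target would be removed. The names `safe_mirror`, `plan_mirror`, `list_files`, `MirrorAborted` and the 10% threshold are assumptions made for illustration, not the behaviour of any backup product mentioned here.

```python
import shutil
from pathlib import Path


class MirrorAborted(Exception):
    """The run was stopped before anything on the target was deleted."""


def list_files(root):
    """Relative paths of every regular file under root."""
    root = Path(root)
    return {p.relative_to(root) for p in root.rglob("*") if p.is_file()}


def plan_mirror(source, target):
    """Work out what a mirror would copy and delete, without changing either drive."""
    source, target = Path(source), Path(target)
    src, dst = list_files(source), list_files(target)
    to_copy = []
    for rel in sorted(src):
        if rel in dst:
            s, d = (source / rel).stat(), (target / rel).stat()
            # 2-second tolerance: FAT-formatted external drives store coarse timestamps.
            if s.st_size == d.st_size and s.st_mtime - d.st_mtime <= 2:
                continue  # unchanged, nothing to copy
        to_copy.append(rel)
    return to_copy, sorted(dst - src)


def safe_mirror(source, target, max_delete_ratio=0.10):
    """Mirror source onto target, aborting if the deletions look like a dead source."""
    source, target = Path(source), Path(target)
    if not source.is_dir():
        raise MirrorAborted(f"source {source} is not readable; target left untouched")
    target.mkdir(parents=True, exist_ok=True)
    on_target = len(list_files(target))
    to_copy, to_delete = plan_mirror(source, target)
    # A source that suddenly looks empty is far more likely a failed or
    # unmounted drive than a deliberate clean-up, so stop and let a human decide.
    if on_target and len(to_delete) / on_target > max_delete_ratio:
        raise MirrorAborted(
            f"would delete {len(to_delete)} of {on_target} files on the target"
        )
    # Copy first, delete last: if the source dies mid-copy, shutil raises
    # and the deletion loop below is never reached.
    for rel in to_copy:
        dest = target / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(source / rel, dest)  # copy2 keeps the modification time
    for rel in to_delete:
        (target / rel).unlink()
    return {"copied": len(to_copy), "deleted": len(to_delete)}
```

The same threshold also stops a mirror from faithfully propagating a mass rename or deletion caused by ransomware on the master drive.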
 
Userlevel 7
Just get hold of a good imaging application that allows one to set up a decent schedule along the lines of (i) full image once a week; keeping up to 4 including the current, (ii) differential image once a day between the full image; keeping up to 6 including current & (iii) hourly incrementals between the daily differentials; keeping up to a number that mirrors one's 'working' day or daily period your system is used.
 
Rotate 2 external SSDs or HDDs until each is full or close to full, formatting the oldest one just as the current one is full or close to full, and on the day that a full image is scheduled to be taken.
 
Of course, store the oldest one somewhere safe.
 
Hope that helps as an alternative approach. ;)
I used Acronis for my backups for many years but they have gone downhill, in my opinion. I now use Macrium Reflect (Thanks Baldrick). It allows for many types of backups. Incremental, differential, full, etc. I can also easily mount images of previous backups with ease. Especially helpful if you only need to recover certain files and not everything. I can also boot into Macrium to mount any backups should the need arise due to a corrupt Windows OS. ;)
 
I use a portable external drive for weekly backups that I only have connected during backup. I disconnect from the Internet while doing backups so I think the chances of a ransomware attack happening during backup are remote. I also periodically copy an image to my NAS, which is normally set as read-only, to avoid encryption. I also, of course, use the Webroot Cloud and Backup & Sync to back up all of my photos, personal videos, and documents. Then, just to be safe in case of catastrophic failure at home (fire, flood, tornado, etc.) I have a 1TB 2.5" internal HDD that I had replaced with an SSD that I keep at work. I occasionally bring it home to update the backups of all of my home PCs, and then return it to my desk at work.
 
Hopefully I have the bases covered. :S
 
BD
@ wrote:
Backups of backups are good...just be careful!
Nah! That's too fancy for me, being a semi-idiot computer-wise. At the moment, I just use one portable external drive so I'm talking of adding a second and simply alternating between the two.
@ wrote:
...store the oldest one somewhere safe.
Yeah, that's another weakness of mine. With a job where I'm living over the shop (and anyway I'm now almost completely retired), that's kinda difficult. So it means, if I have a theft or the house burns down, I'm snookered. But all of my data is remotely backed up with Crashplan, so only my systems and apps would be snookered and as it's best to start from scratch with a new computer, that's not so bad.
@ wrote:
I use a portable external drive for weekly backups that I only have connected during backup. I disconnect from the Internet while doing backups so I think the chances of a ransomware attack happening during backup are remote.
Remote but not impossible. You could have been infected before imaging and the infection activate during imaging. Of course, your other point about disconnecting from the Internet while imaging is a very good one, and one that came to mind while I was reading mightymo's post. Something I haven't done up till now but I am now going to try to practise.
@ wrote:
I used Acronis for my backups for many years but they have gone downhill, in my opinion.
I totally agree. Having said that, I find if you just keep to imaging and nothing more, it still seems pretty sound (so far... :S)
@ wrote:
I now use Macrium Reflect (Thanks Baldrick).
I've often thought of changing to Macrium (not least because it's free!!). But I've always been worried that it might prove less user-friendly for a computer noobie like me. Any thought on this, @?? Or @? EDIT: or anyone else??
 
 
Userlevel 7
Hi Muddy7
 
I was of the same view as you, and so used Acronis...until it became a resource hog/bloatware, and so decided to take another look at Macrium v6 (had dabbled with AX64 Time Machine...but unfortunately that came to nothing).
 
Macrium is now relatively easy to set up...if somewhat more complex than Acronis...but it is far more flexible IMHO...can really be tailored to give you an imaging schedule that suits you.
 
Note though that the free version is of course less functional than the paid version and some key features only appear in the latter (obviously)...so it depends on what you want your backup schema to be/do as to whether the free is sufficient or if you need to fork out for the paid.
 
Happy to discuss further via PM if useful...so that we don't take this thread off topic.
 
Regards, Baldrick
@
 
It's that little phrase "somewhat more complex than Acronis" that worries me. The weakest point in an image backup system, for a rookie like me, is the ability of same rookie to screw up the backup setup and, equally if not more important, the restore process. Several times in the past, I have had to restore from an image (failed hard disk or other key hardware for example) and it already stretched me towards the limit to study and master the basic principles of the restore process in order not to create a second disaster!!!
 
If you think Macrium is possibly not beyond my humble abilities, yes I certainly would be interested in entering into a PM exchange with you.
Userlevel 7
Badge +55
Sorry for being off topic @ but I do find for myself Macrium to be less user friendly. I've tried to understand the workings of the free version of Macrium left to no avail. Uncertainty has been an issue for me. So to restore an image backup after a Ransomware attack or loss from other issues I would need to know how to understand the process better with this program. Bottom line I feel it is more challenging.....:@
Userlevel 7
Badge +7
I think it is a matter of preference and each application has its weak and strong points.
 
For me, I find Acronis easy to use, but I will admit that I have been using it since 2002 and that may have some bearing on my position.
 
Acronis has its flaws but I can live with them because the times that I really needed it, I was never let down.
 
I used it just yesterday when an app upgrade wiped out all of my settings and profiles.  When a current restore point taken just before the upgrade failed, Acronis to the rescue… Using the differential image from the night before plus copying my current email and other documents to a different drive to copy back after the restore and in 20 minutes I was back to where I was before the upgrade.
 
I think Macrium is a fine product but as I said, it is a matter of preference. 
 
Always the best,
Dave
Userlevel 7
Badge +55
It's great to hear from you Dave. Also I forgot to thank you for all the back up information you gave us last week I think about protection steps that need to be done.

Anyways it is a preference. 😉 Happy to know your backup image saved the day! 🙂
Userlevel 7
Badge +7
Hi Sherry,
 
It is always nice to be appreciated, especially by someone so golden 😉, so thank you!
 
Always my pleasure,
Dave
Userlevel 7
Badge +55
Aww I'm at a loss for words now. You're welcome my friend! 😉
@ wrote:
@
 
It's that little phrase "somewhat more complex than Acronis" that worries me...
I would use the term "more robust" rather than complex, to explain the difference between the two. They both require the same learning curve to get familiar with. Like Dave said, it's all about personal preference. I think with both it's easy to set up schedules and types of backups and both do a good job of explaining the differences in the types of backups (differential, incremental, etc.) Both allow you to verify backups which I like. I can understand Sherry's statement about recovery procedure. Both allow recovery software to be made for booting into a bad OS. However, booting from CD or USB has become more difficult with newer computers/BIOS'. In that case, for me, it is much easier to remove the Drive and connect it to another PC via USB 3.0 to SATA cable or dock and reimage the drive that way and then return it to the affected PC.
In my experience Macrium's backups happen WAY faster than they ever did with Acronis (an SSD helps, too). A full backup, which took over 30 minutes with Acronis, now takes around 10 with Macrium (times can be affected by settings and drive size, too. Your mileage may differ ;)).

Cheers,
BD

ps. As Sherry has stated. Thanks @ for the info you posted HERE. I have bookmarked that for future reference as that info will be very useful to members who are worried about protecting themselves from ransomware. 😉
Userlevel 7
Badge +55
I really appreciate your say on this @...I use Backupper Pro by AOMEi which I am still learning that one.. because for some reason my image was corrupt. So I'd be up a creek if I was hit by Ransomware!
Userlevel 7
Hi Muddy7
 
Happy to engage in a PM conversation about the relative merits...just let me know what you are interested in understanding and I will see if I can assist.
 
Agree with BD; Macrium is way quicker than Acronis, and much more tailorable to produce the schema that you want, not just what fits the product. And restores are lightning fast in Macrium when compared to Acronis.
 
Having said that, it is true that one needs to be comfortable with the tool that one uses...but whilst Macrium may look daunting taking the plunge does reveal IMHO that it is more straightforward than people think...all it really requires is a little up front thought/planning as to what schema one wants to set up...and I would not class myself as even moderately technical.
 
Regards, Baldrick
@
Thank you for your helpful comments :D
@ BurnDaddy wrote:
I would use the term "more robust" rather than complex, to explain the difference between the two. They both require the same learning curve to get familiar with.
That's helpful. Thanks :D
 
@ wrote:
However, booting from CD or USB has become more difficult with newer computers/BIOS'.
That's strange! I'm having absolutely no problem with my latest Windows10/UEFI/SSD computer that I bought last August. I just hit the "Choose boot device" function key (F10 for my device) at restart and the selection menu immediately appears. Indeed, after reading your post, I tested with my Acronis bootable rescue DVD media and the process was faultless.
 
Is it possible that you are talking about entering Safe Mode as that has indeed become a little bit more complicated with Windows 10 quick start?? Or are we perhaps talking about different kinds of machines?
@ wrote:
In my experience Macrium's backups happen WAY faster than they ever did with Acronis (an SSD helps, too). A full backup, which took over 30 minutes with Acronis, now takes around 10 with Macrium (times can be affected by settings and drive size, too. Your mileage may differ ;)).
I find Acronis TI Home 2016 on my Windows 10 SSD(apps)+HDD(data) device way faster than Acronis TI Home 2010/2011 on my other two machines (HDD). Having said that, yesterday's (full) image on aforesaid device did take 30 minutes (I seem to remember that previous full images were rather faster—maybe mistakenly?)
 
Thanks again for your remarks!
@ wrote:
Hi Muddy7
 
Happy to engage in a PM conversation about the relative merits...just let me know what you are interested in understanding and I will see if I can assist.
 
Agree with BD; Macrium is way quicker than Acronis, and much more tailorable to produce the schema that you want, not just what fits the product. And restores are lightning fast in Macrium when compared to Acronis.
 
Having said that, it is true that one needs to be comfortable with the tool that one uses...but whilst Macrium may look daunting taking the plunge does reveal IMHO that it is more straightforward than people think...all it really requires is a little up front thought/planning as to what schema one wants to set up...and I would not class myself as even moderately technical.
 
Regards, Baldrick
Thanks for your generosity, @!
 
I certainly am interested but perhaps not immediately. Rather, when I find time to set apart for dealing with this. It sounds like @ might have similar questions and hesitations as I have been having, so maybe it might be productive to copy us both into this PM exchange?? That, of course, would be for @ to say!
 
Cheers!
 
@
Userlevel 7
Badge +55
Yes please include me Sir @ if I may get some information as well. Thanks @ for asking for me. 😉
@ wrote:
@
Thank you for your helpful comments :D
You're welcome, Muddy. Glad to contribute something useful. ;)
@ wrote:
That's strange! I'm having absolutely no problem with my latest Windows10/UEFI/SSD computer that I bought last August. I just hit the "Choose boot device" function key (F10 for my device) at restart and the selection menu immediately appears. Indeed, after reading your post, I tested with my Acronis bootable rescue DVD media and the process was faultless.
Is it possible that you are talking about entering Safe Mode as that has indeed become a little bit more complicated with Windows 10 quick start?? Or are we perhaps talking about different kinds of machines?
I can access boot order via F12 on my PC, but I need to be fast. I built my last PC and one thing I discovered is that the BIOS on a custom rig has many more granular options, like memory timings and 'fast boot' (Intel). Those along with an SSD, my system boots so fast that the login screen appears even before the little Windows jingle that plays on startup. This makes logging into BIOS difficult, too, but I can reboot into BIOS directly from Windows which is easier but doesn't help from a powered off state. Like I said, I can do it if I'm fast enough. However, I once worked on a friend's newer laptop that didn't have a DVD drive. I tried booting from USB and was unable to without changing settings in the BIOS. Something I wouldn't recommend to the average user. So it's not impossible, just more difficult, imho. ;)

But you bring up an excellent point and a question I have, which I should actually ask in a new thread, regarding booting into Windows10 'Safe Mode' from a powered off state. (I've been unable to do it.) I will pose this question in the 'Techie' forum, instead. ;)

Have a good evening, mud.
BD
 
@ wrote:
I built my last PC...my system boots so fast that the login screen appears even before the little Windows jingle that plays on startup
Wow!
 
Truly, the Jedi unto the rookie speaking
 
😃
@ wrote:
But you bring up an excellent point and a question I have, which I should actually ask in a new thread, regarding booting into Windows10 'Safe Mode' from a powered off state. (I've been unable to do it.) I will pose this question in the 'Techie' forum, instead. ;)
I expect you probably know this already but just in case ... are you aware of point #4 in the following article: http://www.digitalcitizen.life/4-ways-boot-safe-mode-windows-10 ?
 
EDIT: Yes, I know this is only saying what you said in your last post. But it also seems to be saying that there is no other way to Safe Mode boot from powered off state. Also, strangely on my new Win 10 machine, although I can't summon safe mode with F8, I still can successfully use the respective function keys to execute the Select Boot Device and Go to UEFI Setup Screen.
