Solved

Details on how to recover from a Ransomware attack


Hello all,

I'm fairly new to Webroot. I had a couple of questions on what is needed to recover a system that is hit by Ransomware. Sorry, I've searched until I'm sick of looking for answers. I decided to try posting my questions instead. If there is a guide for this already, can someone please point me in the right direction?

 

Say I get hit with Ransomware and my entire system is encrypted and no longer usable.  

1.  What steps do I need to do at that point?  

2.  Do I need to log into my.webrootanywhere.com/ from another PC and try to recover my system?

3.  What information do I need to provide to Webroot support for them to try to remotely restore the system?

 

Basically I want to create an "emergency recovery kit" with details on recovery steps, Webroot contact information, my account info., etc.  I want to keep this information external to my computer so that if it goes down, I have all the information needed to start the attempted recovery of my down system. 

 

Thanks!

 

 

 

 

Best answer by JP_ 17 May 2017, 20:09


28 replies

@ wrote:



Thanks Muddy. But at the end of option #4 it says this;

 

"If you have modern PC with a UEFI BIOS and a fast SSD drive, there's no way you can interrupt the boot procedure with your keypresses. On older PCs, with a classic BIOS and no SSD drive, pressing these keys might still work though."

 

My laptop (which runs Windows 10) is UEFI and also has a SSD. That's the computer I was trying to access 'Safe Mode' on.

Yes, that was the point I was trying to make. That is why I added in my "Edit" paragraph that I was surprised that although I can't successfully execute Safe Mode with the F8 function key from my Windows 10 UEFI+SSD device (as expected), I CAN execute the Select Boot Device and the Go to UEFI function keys (unexpected)! Sorry! It seems my post was not very clear :(

 

Incidentally, on the subject of Ransomware attacks, I found, while browsing Google News, this article with an interesting slant on Microsoft's portion of blame for Wannacry and other malicious hacks: http://newsclick.in/wannacry-nation-states-and-what-president-microsoft-forgot-mention.

 


  • One surprising fact it cites (surprising for me though perhaps not for others better informed on this subject):
    "...calls for banning cyber weapons...have been issued by Russia and China for quite some time. It is the US which has hitherto refused to move in this direction."
  • One disturbing fact (again, for me!):
    "In India, it is estimated that even now, 70% of ATM's are running on old, unsupported XP"
  • And the central point of the article: the writer's (arguable) contention regarding Microsoft's discontinuing its support for old products:
    "Why should companies, whose products are still very much in the market with significant shares, be allowed to walk away from their products? Should its monopoly over a certain product allow it to force its users to pay again and again for new software licenses, which quite often add very little to the users? Or in the worst case, as in the Microsoft Vista case, even degrades their performance? The time has come to insist that if a company “abandons” its products, it must open source its software and allow others to provide the support."
Hi Muddy7

 

No worries...the more the merrier...just let me know when.

 

Regards, Baldrick
@ wrote:
I expect you probably know this already but just in case ... are you aware of point #4 in the following article: http://www.digitalcitizen.life/4-ways-boot-safe-mode-windows-10 ?

Thanks Muddy. But at the end of option #4 it says this;

 

"If you have modern PC with a UEFI BIOS and a fast SSD drive, there's no way you can interrupt the boot procedure with your keypresses. On older PCs, with a classic BIOS and no SSD drive, pressing these keys might still work though."

 

My laptop (which runs Windows 10) is UEFI and also has a SSD. That's the computer I was trying to access 'Safe Mode' on. I was finally able to get there in a less-than-optimal way, though. Apparently Windows 10 will boot into "Automatic Repair" mode (which leads to Advanced Mode and Safe mode restart options) after two unsuccessful boots. So this requires doing a 'Hard' reset twice. Seems a little extreme, but so far this is the ONLY way I have found to access 'Safe Mode' from a powered-off state in Windows 10. :@

 

Cheers,

BD
@ wrote:

But you bring up an excellent point and a question I have, which I should actually ask in a new thread, regarding booting into Windows10 'Safe Mode' from a powered off state. (I've been unable to do it.) I will pose this question in the 'Techie' forum, instead. ;)
I expect you probably know this already but just in case ... are you aware of point #4 in the following article: http://www.digitalcitizen.life/4-ways-boot-safe-mode-windows-10 ?

 

EDIT: Yes, I know this is only saying what you said in your last post. But is also seems to be saying that there is no other way to Safe Mode boot from powered off state. Also, strangely on my new Win 10 machine, although I can't summon safe mode with F8, I still can successfully use the respective function keys to execute the Select Boot Device and Go to UEFI Setup Screen.
@ wrote:

I built my last PC...my system boots so fast that the login screen appears even before the little Windows jingle that plays on startup
Wow!

 

Truly, the Jedi unto the rookie speaking

 

😃
@ wrote:

@

Thank you for your helpful comments :D

You're welcome, Muddy. Glad to contribute something useful. ;)
@ wrote:
That's strange! I'm having absolutely no problem with my latest Windows10/UEFI/SSD computer that I bought last August. I just hit the "Choose boot device" function key (F10 for my device) at restart and the selection menu immediately appears. Indeed, after reading your post, I tested with my Acronis bootable rescue DVD media and the process was faultless.

Is it possible that you are talking about entering Safe Mode as that has indeed become a little bit more complicated with Windows 10 quick start?? Or are we perhaps talking about different kinds of machines?

I can access boot order via F12 on my PC, but I need to be fast. I built my last PC and one thing I discovered is that the BIOS on a custom rig has many more granular options, like memory timings and 'fast boot' (Intel). With those, along with a SSD, my system boots so fast that the login screen appears even before the little Windows jingle that plays on startup. This makes logging into BIOS difficult, too, but I can reboot into BIOS directly from Windows which is easier but doesn't help from a powered off state. Like I said, I can do it if I'm fast enough. However, I once worked on a friend's newer laptop that didn't have a DVD drive. I tried booting from USB and was unable to without changing settings in the BIOS. Something I wouldn't recommend to the average user. So it's not impossible, just more difficult, imho. ;)
But you bring up an excellent point and a question I have, which I should actually ask in a new thread, regarding booting into Windows10 'Safe Mode' from a powered off state. (I've been unable to do it.) I will pose this question in the 'Techie' forum, instead. ;)
Have a good evening, mud.
BD
 
@ wrote:

@ wrote:

Hi Muddy7

 

Happy to engage in a PM conversation about the relative merits...just let me know what you are interested in understanding and I will see if I can assist.

 

Agree with BD; Macrium is way quicker than Acronis, and much more tailorable to produce the schema that you want, not just what fits the product. And restores are lightning fast in Macrium when compared to Acronis.

 

Having said that, it is true that one needs to be comfortable with the tool that one uses...but whilst Macrium may look daunting, taking the plunge does reveal IMHO that it is more straightforward than people think...all it really requires is a little up front thought/planning as to what schema one wants to set up...and I would not class myself as even moderately technical.

 

Regards, Baldrick

Thanks for your generosity, @!

 

I certainly am interested but perhaps not immediately. Rather, when I find time to set apart for dealing with this. It sounds like @ might have similar questions and hesitations as I have been having, so maybe it might be productive to copy us both into this PM exchange?? That, of course, would be for @ to say!

 

Cheers!

 

@

Yes please include me Sir @ if I may get some information as well. Thanks @ for asking for me. 😉
@ wrote:

Hi Muddy7

 

Happy to engage in a PM conversation about the relative merits...just let me know what you are interested in understanding and I will see if I can assist.

 

Agree with BD; Macrium is way quicker than Acronis, and much more tailorable to produce the schema that you want, not just what fits the product. And restores are lightning fast in Macrium when compared to Acronis.

 

Having said that, it is true that one needs to be comfortable with the tool that one uses...but whilst Macrium may look daunting, taking the plunge does reveal IMHO that it is more straightforward than people think...all it really requires is a little up front thought/planning as to what schema one wants to set up...and I would not class myself as even moderately technical.

 

Regards, Baldrick

Thanks for your generosity, @!

 

I certainly am interested but perhaps not immediately. Rather, when I find time to set apart for dealing with this. It sounds like @ might have similar questions and hesitations as I have been having, so maybe it might be productive to copy us both into this PM exchange?? That, of course, would be for @ to say!

 

Cheers!

 

@
@

Thank you for your helpful comments :D

@ BurnDaddy wrote:

I would use the term "more robust" rather than complex, to explain the difference between the two. They both require the same learning curve to get familiar with.
That's helpful. Thanks :D

 

@ wrote:

However, booting from CD or USB has become more difficult with newer computers/BIOS'.
That's strange! I'm having absolutely no problem with my latest Windows10/UEFI/SSD computer that I bought last August. I just hit the "Choose boot device" function key (F10 for my device) at restart and the selection menu immediately appears. Indeed, after reading your post, I tested with my Acronis bootable rescue DVD media and the process was faultless.

 

Is it possible that you are talking about entering Safe Mode as that has indeed become a little bit more complicated with Windows 10 quick start?? Or are we perhaps talking about different kinds of machines?

@ wrote:

In my experience Macrium's backups happen WAY faster than they ever did with Acronis (a SSD helps, too). A full backup, which took over 30 minutes with Acronis, now takes around 10 with Macrium (times can be affected by settings and drive size, too. Your mileage may differ ;)).
I find Acronis TI Home 2016 on my Windows 10 SSD(apps)+HDD(data) device way faster than Acronis TI Home 2010/2011 on my other two machines (HDD). Having said that, yesterday's (full) image on aforesaid device did take 30 minutes (I seem to remember that previous full images were rather faster—maybe mistakenly?)

 

Thanks again for your remarks!
Hi Muddy7

 

Happy to engage in a PM conversation about the relative merits...just let me know what you are interested in understanding and I will see if I can assist.

 

Agree with BD; Macrium is way quicker than Acronis, and much more tailorable to produce the schema that you want, not just what fits the product. And restores are lightning fast in Macrium when compared to Acronis.

 

Having said that, it is true that one needs to be comfortable with the tool that one uses...but whilst Macrium may look daunting, taking the plunge does reveal IMHO that it is more straightforward than people think...all it really requires is a little up front thought/planning as to what schema one wants to set up...and I would not class myself as even moderately technical.

 

Regards, Baldrick
@ wrote:

@ wrote:

@

 

It's that little phrase "somewhat more complex than Acronis" that worries me...

I would use the term "more robust" rather than complex, to explain the difference between the two. They both require the same learning curve to get familiar with. Like Dave said, it's all about personal preference. I think with both it's easy to set up schedules and types of backups and both do a good job of explaining the differences in the types of backups (differential, incremental, etc.) Both allow you to verify backups which I like. I can understand Sherry's statement about recovery procedure. Both allow recovery software to be made for booting into a bad OS. However, booting from CD or USB has become more difficult with newer computers/BIOS'. In that case, for me, it is much easier to remove the drive and connect it to another PC via USB 3.0 to SATA cable or dock and reimage the drive that way and then return it to the affected PC.
In my experience Macrium's backups happen WAY faster than they ever did with Acronis (a SSD helps, too). A full backup, which took over 30 minutes with Acronis, now takes around 10 with Macrium (times can be affected by settings and drive size, too. Your mileage may differ ;)).
Cheers,
BD
 ps. As Sherry has stated. Thanks @ for the info you posted HERE. I have bookmarked that for future reference as that info will be very useful to members who are worried about protecting themselves from ransomware. ;)

I really appreciate your say on this @...I use Backupper Pro by AOMEI, which I am still learning, because for some reason my image was corrupt. So I'd be up a creek if I was hit by Ransomware!
@ wrote:

@

 

It's that little phrase "somewhat more complex than Acronis" that worries me...

I would use the term "more robust" rather than complex, to explain the difference between the two. They both require the same learning curve to get familiar with. Like Dave said, it's all about personal preference. I think with both it's easy to set up schedules and types of backups and both do a good job of explaining the differences in the types of backups (differential, incremental, etc.) Both allow you to verify backups which I like. I can understand Sherry's statement about recovery procedure. Both allow recovery software to be made for booting into a bad OS. However, booting from CD or USB has become more difficult with newer computers/BIOS'. In that case, for me, it is much easier to remove the drive and connect it to another PC via USB 3.0 to SATA cable or dock and reimage the drive that way and then return it to the affected PC.
In my experience Macrium's backups happen WAY faster than they ever did with Acronis (a SSD helps, too). A full backup, which took over 30 minutes with Acronis, now takes around 10 with Macrium (times can be affected by settings and drive size, too. Your mileage may differ ;)).
Cheers,
BD
 ps. As Sherry has stated. Thanks @ for the info you posted HERE. I have bookmarked that for future reference as that info will be very useful to members who are worried about protecting themselves from ransomware. 😉
Aww I'm at a loss for words now. You're welcome my friend! 😉
Hi Sherry,

 

It is always nice to be appreciated, especially by someone so golden 😉, so thank you!

 

Always my pleasure,

Dave
It's great to hear from you Dave. Also I forgot to thank you for all the backup information you gave us last week, I think, about protection steps that need to be done.



Anyways it is a preference. 😉 Happy to know your backup image saved the day! 🙂
I think it is a matter of preference and each application has its weak and strong points.

 

For me, I find Acronis easy to use, but I will admit that I have been using it since 2002 and that may have some bearing on my position.

 

Acronis has its flaws but I can live with them because the times that I really needed it, I was never let down.

 

I used it just yesterday when an app upgrade wiped out all of my settings and profiles.  When a current restore point taken just before the upgrade failed, Acronis to the rescue… Using the differential image from the night before plus copying my current email and other documents to a different drive to copy back after the restore and in 20 minutes I was back to where I was before the upgrade.

 

I think Macrium is a fine product but as I said, it is a matter of preference.

 

Always the best,

Dave
Sorry for being off topic @ but I do find for myself that Macrium is less user friendly. I've tried to understand the workings of the free version of Macrium, but to no avail. Uncertainty has been an issue for me. So to restore an image backup after a Ransomware attack or loss from other issues I would need to understand the process better with this program. Bottom line, I feel it is more challenging..... :@
@

 

It's that little phrase "somewhat more complex than Acronis" that worries me. The weakest point in an image backup system, for a rookie like me, is the ability of same rookie to screw up the backup setup and, equally if not more important, the restore process. Several times in the past, I have had to restore from an image (failed hard disk or other key hardware for example) and it already stretched me towards the limit to study and master the basic principles of the restore process in order not to create a second disaster!!!

 

If you think Macrium is possibly not beyond my humble abilities, yes I certainly would be interested in entering into a PM exchange with you.
Hi Muddy7

 

I was of the same view as you, and so used Acronis...until it became a resource hog/bloatware, and so decided to take another look at Macrium v6 (had dabbled with AX64 Time Machine...but unfortunately that came to nothing).

 

Macrium is now relatively easy to set up...if somewhat more complex than Acronis...but it is far more flexible IMHO...can really be tailored to give you an imaging schedule that suits you.

 

Note though that the free version is of course less functional than the paid version and some key features only appear in the latter (obviously)...so it depends on what you want your backup schema to be/do as to whether the free is sufficient or if you need to fork out for the paid.

 

Happy to discuss further via PM if useful...so that we don't take this thread off topic.

 

Regards, Baldrick
@ wrote:

Backups of backups are good...just be careful!

Nah! That's too fancy for me, being a semi-idiot computer-wise. At the moment, I just use one portable external drive so I'm talking of adding a second and simply alternating between the two.

@ wrote:

...store the oldest one somewhere safe.

Yeah, that's another weakness of mine. With a job where I'm living over the shop (and anyway I'm now almost completely retired), that's kinda difficult. So it means, if I have a theft or the house burns down, I'm snookered. But all of my data is remotely backed up with Crashplan, so only my systems and apps would be snookered and as it's best to start from scratch with a new computer, that's not so bad.

@ wrote:

I use a portable external drive for weekly backups that I only have connected during backup. I disconnect from the Internet while doing backups so I think the chances of a ransomware attack happening during backup are remote.

Remote but not impossible. You could have been infected before imaging and the infection activate during imaging. Of course, your other point about disconnecting from the Internet while imaging is a very good one, and one that came to mind while I was reading mightymo's post. Something I haven't done up till now but I am now going to try to practise.

@ wrote:

I used Acronis for my backups for many years but they have gone downhill, in my opinion.

I totally agree. Having said that, I find if you just keep to imaging and nothing more, it still seems pretty sound (so far... :S)

@ wrote:

I now use Macrium Reflect (Thanks Baldrick).

I've often thought of changing to Macrium (not least because it's free!!). But I've always been worried that it might prove less user-friendly for a computer noobie like me. Any thought on this, @?? Or @? EDIT: or anyone else??

 

 
I used Acronis for my backups for many years but they have gone downhill, in my opinion. I now use Macrium Reflect (Thanks Baldrick). It allows for many types of backups. Incremental, differential, full, etc. I can also easily mount images of previous backups with ease. Especially helpful if you only need to recover certain files and not everything. I can also boot into Macrium to mount any backups should the need arise due to a corrupt Windows OS. ;)

 

I use a portable external drive for weekly backups that I only have connected during backup. I disconnect from the Internet while doing backups so I think the chances of a ransomware attack happening during backup are remote. I also periodically copy an image to my NAS, which is normally set as read-only, to avoid encryption. I also, of course, use the Webroot Cloud and Backup & Sync to back up all of my photos, personal videos, and documents. Then, just to be safe in case of catastrophic failure at home (fire, flood, tornado, etc.) I have a 1TB 2.5" internal HDD that I had replaced with a SSD that I keep at work. I occasionally bring it home to update the backups of all of my home PCs, and then return it to my desk at work.

 

Hopefully I have the bases covered. :S

 

BD
Just get hold of a good imaging application that allows one to set up a decent schedule along the lines of (i) full image once a week, keeping up to 4 including the current, (ii) differential image once a day between the full images, keeping up to 6 including the current, and (iii) hourly incrementals between the daily differentials, keeping up to a number that mirrors one's 'working' day or the daily period your system is used.

 

Rotate 2 external SSDs or HDDs until each is full or close to full, formatting the oldest one once the current one is full or close to full, and on the day that a full image is scheduled to be taken.

 

Of course, store the oldest one somewhere safe.

 

Hope that helps as an alternative approach. ;)
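The weekly-full / daily-differential / hourly-incremental schedule and retention counts described above, worked through as an added example in Python (not code from Macrium, Acronis or anyone in this thread). It assumes the weekly full runs on Sunday at 09:00 and the working day is 09:00 to 17:00, and it also shows which images a restore to a given point depends on, so pruning can be checked against that chain before anything is deleted.

```python
"""Planner for the weekly-full / daily-differential / hourly-incremental image
schedule and retention counts described above (constructed example; not code
from Macrium, Acronis, or this thread)."""
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Image:
    kind: str            # "full", "diff" or "incr"
    taken: datetime

# Retention counts from the post: 4 fulls, 6 differentials, and enough
# incrementals for one working day (assumed 09:00-17:00, so 8 hourly images).
KEEP = {"full": 4, "diff": 6, "incr": 8}
FULL_WEEKDAY = 6                      # assumption: the weekly full runs on Sunday
WORK_START, WORK_END = 9, 17          # assumption: hourly incrementals 10:00-17:00

def image_kind_for(ts: datetime):
    """Which image the schedule calls for at ts (on the hour), or None."""
    if ts.minute or ts.second:
        return None
    if ts.hour == WORK_START:
        return "full" if ts.weekday() == FULL_WEEKDAY else "diff"
    if WORK_START < ts.hour <= WORK_END:
        return "incr"
    return None

def restore_chain(images, target: datetime):
    """Images needed to restore the state at target: the newest full at or
    before target, the newest differential since that full, and every
    incremental since that differential. Raises if no usable base exists."""
    fulls = [i for i in images if i.kind == "full" and i.taken <= target]
    if not fulls:
        raise ValueError("no full image at or before target")
    chain = [max(fulls, key=lambda i: i.taken)]
    diffs = [i for i in images
             if i.kind == "diff" and chain[0].taken < i.taken <= target]
    if diffs:
        chain.append(max(diffs, key=lambda i: i.taken))
    since = chain[-1].taken
    chain += sorted((i for i in images
                     if i.kind == "incr" and since < i.taken <= target),
                    key=lambda i: i.taken)
    return chain

def prune(images):
    """Keep the newest KEEP[kind] images of each kind, then confirm the newest
    image is still restorable so pruning never discards a base it depends on."""
    kept = []
    for kind, n in KEEP.items():
        same = sorted((i for i in images if i.kind == kind),
                      key=lambda i: i.taken, reverse=True)
        kept += same[:n]
    kept.sort(key=lambda i: i.taken)
    restore_chain(kept, kept[-1].taken)   # ValueError here means a broken chain
    return kept

def simulate(start: datetime, hours: int):
    """Run the schedule hour by hour from start, pruning after each image."""
    images = []
    for h in range(hours):
        ts = start + timedelta(hours=h)
        kind = image_kind_for(ts)
        if kind:
            images = prune(images + [Image(kind, ts)])
    return images

if __name__ == "__main__":
    # Constructed start point: Sunday 14 May 2017 at 09:00, four weeks of images.
    final = simulate(datetime(2017, 5, 14, 9), hours=24 * 7 * 4)
    print(len(final), "retained;", len(restore_chain(final, final[-1].taken)), "needed to restore latest")
```

After four simulated weeks the planner holds 18 images (4 fulls, 6 differentials, 8 incrementals) and the latest restore needs 10 of them: the newest full, the newest differential and that day's incrementals.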
No problem Muddy7, glad to have helped. 

 

I did actually have disaster strike when doing my backup from one drive to the other drive. I've always just done incremental backups. On the day I decided to clean up my system and do a mirrored backup, the master drive died right in the middle of the backup!! Of course the target drive wasn't seeing files any longer and started deleting everything! I basically ended up with a dead master drive and a half empty target drive. I was able to recover quite a bit of deleted stuff off the target drive, but the file names and folder structures were all screwed up. Haven't done another mirrored backup since! Kind of scares the hell out of me now. Backups of backups are good...just be careful!

 
@ wrote:
Thanks for your post, @!!  By sharing your backup methods with us, you have drawn my attention to a potentially fatal flaw in my current backup system!

Sharing is caring!!!!!!! :catvery-happy:

 

@ wrote:

I have two external 5TB drives that I use for backups ... every other week I back the first external drive over to the second drive.

Good point! My first line of backup defence is my imaging of my hard disks with Acronis*. But I only use one external hard disk.

 

Your post has got me thinking. I have great confidence in Webroot, nevertheless—if ever, by some terrible twist of fortune, a ransomware was to attack me at the exact moment in time that I was making an image of my disk, I would be completely snookered as the nasty little critter would presumably have merrily skipped over to my connected external disk and encrypted all my lovely images :S

 

So I think I should from now on alternate between two external hard disks for my imaging (the gaps in data would not be too serious as I have other backup methods I use that would allow me in this disaster scenario to successfully fill in those gaps).

 

Thanks for your post, @!!  By sharing your backup methods with us, you have drawn my attention to a potentially fatal flaw in my current backup system!

 

*EDIT: Not Acronis 2017
