{"id":15146,"date":"2016-06-10T21:45:40","date_gmt":"2016-06-10T21:45:40","guid":{"rendered":"https:\/\/kasperskydaily.com\/b2b\/?p=5664"},"modified":"2022-05-05T03:19:22","modified_gmt":"2022-05-04T16:19:22","slug":"cryptors-protection","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com.au\/blog\/cryptors-protection\/15146\/","title":{"rendered":"Cryptors: emergency measures to save business data"},"content":{"rendered":"<p>We have all been talking about ransomware for some time now. Theoretically, every business should have already learned how to protect itself against this type of threat. However, we continue to see new threads appearing on specialized sites where people request help with decoding the files affected by some cryptor. And the number of people and companies hit by these malicious programs keeps growing, too.<\/p>\n<p>Moreover, it is mostly small and medium-size businesses at risk. Criminals are well aware that cybersecurity issues are seldom a priority for small business managers. At the same time, small and midsize companies may have enough money to draw cybercriminals\u2019 interest.<\/p>\n<p>So, let us suppose your company has had the misfortune of contracting ransomware. What urgent measures should you take to minimize the damage to your business without missing a step?<\/p>\n<p><strong>1. Diagnose the state of emergency<\/strong><\/p>\n<p>Ransomware has several obvious symptoms. Upon system infection, most popular files fail to open \u2014 documents, images, and so forth. 
All or almost all folders teem with txt\/html\/hta\/bmp\/png files carrying such eloquent names as help_decrypt, recover, and the like. Those files contain the demands of the criminals \u2014 the ransom note.<\/p>\n<p>Some cryptors change file extensions (VVV, XXX, ABC, etc.), but others do not.<\/p>\n<p>Sometimes the Windows desktop wallpaper is changed and replaced with an image containing the criminals\u2019 demands. Sometimes the malware blocks access to the system completely, and the preboot screen displays the ransom note.<\/p>\n<p>If you are very lucky, you may see the malware \u201cworking,\u201d and that is when you may be able to stop the encryption before it\u2019s complete. In that case you\u2019re going to need\u2026<\/p>\n<p><strong>2. Quarantine and anesthesia<\/strong><\/p>\n<p>Immediately isolate the attacked system: Disconnect it from the local network and unplug the computer. There is a chance that the malware has not yet spread to other machines. However, you may have to unplug and disconnect all workstations and servers from the network at once.<\/p>\n<p>Why unplug? Well, it\u2019s the only surefire way to prevent the cryptor from working and ruining all of the files on your computer.<\/p>\n<p>It is worth noting that the new version of <a href=\"https:\/\/business.kaspersky.com\/anti-cryptor\/5442\/\" target=\"_blank\" rel=\"noopener nofollow\">Kaspersky Security for Windows Server<\/a> includes a component called \u201cProtection from encryption.\u201d It employs heuristic detection to stop network-based attempts to encrypt data on the server. As soon as such an attempt is detected, the infected computer is instantly blocked from accessing shared folders on the server.<\/p>\n<p><strong>3. Surgery<\/strong><\/p>\n<p>OK, so you\u2019ve unplugged the affected system. 
Now comes the task of getting access to its disk without compromising other machines.<\/p>\n<p>The procedure is simple: Remove the drive and prepare to connect it to another machine \u2014 but first, disable autorun on the computer that you are about to connect the drive to. Also, you will need a file manager other than the standard Windows Explorer to see the drive\u2019s contents.<\/p>\n<p>You should certainly not run anything on the infected system. Using a virtual machine might be a good idea, too, as an additional safety measure.<\/p>\n<p>Copy all of the files you need from the infected drive. Do not rush to uninstall the operating system and format the drive. There have been some cases when artifacts helped to decode files.<\/p>\n<p>Another option is to start up an infected system with the help of a <a href=\"https:\/\/support.kaspersky.com\/viruses\/rescuedisk\" target=\"_blank\" rel=\"noopener\">Kaspersky Rescue Disk<\/a>.<\/p>\n<p>In any case, your next step is contacting experts, who will find out what, exactly, you are dealing with.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-5668\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/102\/2017\/05\/06020528\/main-2.jpg\" alt=\"main\" width=\"1000\" height=\"633\"><\/p>\n<p><strong>4. Diagnosis<\/strong><\/p>\n<p>Eventually, experts should analyze the malware. Kaspersky Lab\u2019s support team has already defined the most common varieties of ransomware. Anything more exotic will go to our virus analysts for investigation.<\/p>\n<p><strong>5. Medication<\/strong><\/p>\n<p>The likelihood of regaining access to the encrypted data greatly depends on getting an exact diagnosis. 
Many pieces of malware today use strong cryptosystems, so decoding them is improbable without the key from the cybercriminals.<\/p>\n<p>However, some ransomware uses less-powerful algorithms or contains errors that allow the recovery of encrypted files without having to pay the ransom. If it\u2019s at all possible to restore the original data, Kaspersky Lab deploys data recovery utilities such as <a href=\"https:\/\/support.kaspersky.com\/viruses\/disinfection\/11333\" target=\"_blank\" rel=\"noopener\">ScatterDecryptor<\/a> and <a href=\"https:\/\/support.kaspersky.com\/viruses\/disinfection\/8547\" target=\"_blank\" rel=\"noopener\">RannohDecryptor<\/a>.<\/p>\n<p>Even when decryption is not possible, there\u2019s still a chance you can get your data back. For example, files processed by the third and fourth versions of TeslaCrypt did not yield to decoding at all \u2014 but then, for some reason, the creators of the malware suddenly ceased their operations and <a href=\"https:\/\/threatpost.com\/master-decryption-key-released-for-teslacrypt-ransomware\/?utm_medium=blg&amp;utm_source=kb_post_160611&amp;utm_campaign=ww_promo\" target=\"_blank\" rel=\"noopener nofollow\">published a master key<\/a> that can be used to decrypt all files encrypted by TeslaCrypt. That was a unique case, though. You shouldn\u2019t count on criminals suddenly growing a conscience.<\/p>\n<p>If the \u201cmedicine\u201d already exists that enables you to restore the data, that\u2019s very good news. If not, then you\u2019re down to two options:<\/p>\n<ol>\n<li>The \u201cblood transfusion\u201d \u2014 aka recovering the data from backup storage. That\u2019s assuming you have a backup.<\/li>\n<li>\u201cCryonics,\u201d or putting the encrypted data away for an indefinitely long time. 
There is always a tiny, but real, chance that we will discover technical means to crack the encryption \u2014 or that the attackers will be found and jailed, and their master keys made public.<\/li>\n<\/ol>\n<p>In the latter case, we aren\u2019t talking about promptly restoring access to the data, unfortunately.<\/p>\n<p><strong>6. Preventive measures<\/strong><\/p>\n<p>The best modus vivendi, of course, is implementing security solutions that protect your company\u2019s workstations and servers from all kinds of cyberthreats, including ransomware. And we cannot stress enough the importance of regular data backup.<\/p>\n<p>We\u2019ll talk about this in more depth next time.<\/p>\n","protected":false},"excerpt":{"rendered":"<p> Theoretically, every business should have already learned how to protect itself against ransomware. Actually it&#8217;s not the case. 
<\/p>\n","protected":false},"author":2706,"featured_media":15390,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,2994],"tags":[420,2427],"class_list":{"0":"post-15146","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-smb","9":"tag-ransomware","10":"tag-saving-files"},"hreflang":[{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/cryptors-protection\/15146\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/cryptors-protection\/15046\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/cryptors-protection\/15146\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/cryptors-protection\/15146\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com.au\/blog\/tag\/ransomware\/","name":"Ransomware"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/15146","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/users\/2706"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/comments?post=15146"}],"version-history":[{"count":2,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/15146\/revisions"}],"predecessor-version":[{"id":24527,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/15146\/revisions\/24527"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/media\/15390"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/media?parent=15146"}],"wp:term":[{"taxonomy":"categ
ory","embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/categories?post=15146"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/tags?post=15146"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}