Dealing with a Ransomware Attack: A full guide


All right, so you've been attacked by ransomware. Every week I get Twitter messages, Facebook messages and emails from people saying, "Hey, I've been infected," or "My friend has been infected, here's a picture of the encrypted files, what can I do about it?" So this video is going to be a full guide to dealing with ransomware. We're going to go step by step, and I'll tell you everything you need to know about what you should be doing if you're attacked by ransomware. Everything shown in this video is going to be absolutely free, so these are all the steps that you should take before you resort to any kind of professional help.

The very first thing you'll want to do is lock down infected computers in the network, because a lot of ransomware, I'd say 90% of the threats I see these days, will encrypt your network drives. So even if one of the machines on your network gets infected, it's very likely that it will encrypt files on all your systems. So the first thing you want to do is isolate that system. You can obviously block network traffic using your firewall, you can disconnect it from your network, or you can just go the most old-fashioned route and pull the plug out. That's fine, but do whatever you have to do to stop the ransomware from causing further damage while you're watching this video.

Another thing to keep in mind is that a lot of ransomware encrypts in real time, so whatever new files you transfer onto the system will be encrypted as well. This is again a classic mistake that some people make: they try to restore from backup while the ransomware is still active, and it encrypts the files that they restore. So the very first thing you want to do is stop the ransomware from running. It's great if you can go in there and stop the process itself, but if all you can think of is unplugging the system, that's fine, just do that.

You want to get rid of the active ransomware executable on the system. You can do it with anti-malware software, but again I advise caution when you're going through this step, because some scanners are not very good when it comes to removing just the ransomware executable. They might remove crucial data or your key file, making your files undecryptable forever. So be careful when you're running your scans, and don't remove any key files or text files or ransom notes, any of that stuff; just remove the ransomware executable. You can obviously use any number of second-opinion scanners for this.

I've got HitmanPro and Emsisoft Emergency Kit here. I know what you're thinking right now: all this is good, but hey, my files are encrypted, what do I do about that, Leo? Don't worry, we're going to talk about that right now, and I'm going to give you a live demonstration. So we're going to go ahead and infect this system with some ransomware, and we will talk about what you can do about your encrypted files. The very first thing you want to do is check if your files are decryptable, because a lot of ransomware has been broken into by security researchers, and they have made decryptors available publicly for free that you can use to restore your files.
Now there's an amazing site that allows you to identify what ransomware you have and whether or not it's decryptable, and it's called ID Ransomware. You can just go ahead and search for it; it's id-ransomware.malwarehunterteam.com. This website was developed by demonslay335, who's one of my colleagues, and it's very easy to use. You can either upload your ransom note over here, that's the text file that tells you that you're infected by ransomware (it could be an HTML file or something like that, essentially the visual thing that you see), or you can go ahead and upload a sample encrypted file.

So to kick things off I'm going to infect the system with ransomware that I know is decryptable. We're just going to go ahead and run Jigsaw on the system. Now this is obviously a very old ransomware; it uses a static key and thus can be easily broken into. I've also made a video showing you exactly how you can retrieve the static key and decrypt the ransomware; you can go ahead and watch that if you like, but in this video I'm just going to run it on the system, we'll get our files encrypted, and we'll see what happens from there. So I've executed the ransomware, and as you can see the data in our Documents folder is now encrypted and has a .fun extension. What I'm going to do is go to ID Ransomware, browse for a sample encrypted file, just go ahead and select this one, and click on Upload. And boom, there you go: immediately you get the result. It identifies the ransomware as Jigsaw and it says this ransomware is decryptable.
Now at this point, if you've figured out that the ransomware you have is decryptable, do not pay the ransom, don't do anything, because there is a tool out there that can decrypt your files for free. This is likely going to be the fastest method to restore your data. You can go ahead and click here for more information about Jigsaw, and as you can see we directly have a link to download the Jigsaw decryptor here. You can go ahead and download that, and these are very easy tools to operate: you just need to scan the folders for encrypted files, you can add a custom folder like so, and then you can just go ahead and click on Decrypt. Once this is done, as you can see, our data is restored. Now you have to keep in mind that this is a best-case scenario; not all the ransomware out there is decryptable. In fact the majority of the big hitters aren't, and that's why they're so successful. So now I'm going
they're so successful so now I'm going

to show you what happens if we're hit by

ransomware that's not decrypted so we'll

go ahead and run spora which I know for

a fact isn't decrypted and as you can

see now our computer is infected

you've got this HTML ransom note file so

what you want to do again on ID

ransomware is either provide a sample

encrypted fall or the ransom notes since

I used this option last time I'll just

show you what it does with the ransom


so we'll just go to the desktop and

select the HTML file and click on upload

and as you can see here it tells you

that this ransomware has no way of

decrypting the data at this time so at

this point your best bet is your backup

so if you have backups of your data

offline those should be protected again

if you took the first advice

disconnected the computer at the moment

you figured out that your files are

being encrypted the damage should be

fairly contained and you should be able

to restore from backup now funnily
enough, a lot of people who contact me say that they don't particularly care about their data, they just want their system to be operational, they just want to get rid of the ransomware. In that case, ransomware is not particularly hard to remove. Again, you can use any kind of second-opinion scanner like the ones on the desktop; there are plenty of perfectly serviceable scanners that will detect and remove ransomware, no problem. The only issue is you'll just have to delete the encrypted data and replace it with new copies, assuming you have them. Obviously, if you don't store a lot of information on your desktop, maybe you just have it on Google Drive or you just use Apple iCloud, then this is not too much of an issue. Programs and things like that can just be replaced; I mean, you can just download them again if they're encrypted. Most of the time ransomware doesn't target things like that anyway. But now let's
talk about the worst-case scenario. The worst-case scenario is you have a lot of valuable data on your system, you've been attacked by ransomware like this which is not decryptable, and you don't have backups, or the backups were stored on some kind of connected network drive and those have been encrypted as well. In this particular case you can just click here to be notified if there's any development regarding this ransomware. If you just go ahead and provide an email address, essentially you're going to get notified if, let's say, Europol or some police agency manages to crack down on the ransomware, find the command and control servers and obtain the keys that way. Of course the likelihood of such an event cannot be speculated on; a lot of these ransomware attacks come from Russia and from countries that might be outside the jurisdiction of a lot of the agencies that crack down on ransomware. As I said, it's the worst-case scenario for a reason. At this point all you can do is just hope that at some point the ransomware gets cracked.
The only other choice you have is obviously paying the ransom. If you go ahead with that route, a lot of people advise actually negotiating with the ransomware authors, because a lot of the time they will come down from the price that they quote you first. You can ask them for a demo, you can pay them a small amount up front and they will send you a decryptor, and then maybe you can get a security researcher to save you a lot of time and money when it comes to restoring your systems. Now, I would definitely not recommend doing that. Please don't pay the ransom, because that's what fuels this industry. I know in some situations people have no choice and they do it anyway, so if you are doing it, it's much better if you consult with security researchers up front rather than try and hide the fact that you're doing it and then get into more trouble that way. But once again, I do not recommend paying the ransom; please don't
do it if you can help it that's going to

be it for this video I hope you found it

useful I hope it answers all your

questions about ransomware if I've

missed out anything important feel free

to point it out in the

once below or if you have any questions

let me know please like and share the

video if you enjoyed it a lot of people

who get hit by ransomware have no idea

that these services exist or that you

have a lot of free decryptor Zout their

and their sites like ID ransomware that

you can use on your own and without any

professional help a lot of people just

don't have access to good advice

regarding cyber security threats so

please share the video the objective

here is to have a high quality guide for

people who get attacked by ransomware

just give them all the help they need to

get started everything that they can do

on their own for free before they need

to consult professional help and I think

in a lot of cases it can help out

massively so thank you so much for

watching don't forget to subscribe to

the PC security Channel and as always

stay informed stay secure
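Added example, not from the video and not code from ID Ransomware or The PC Security Channel: a small Python triage script that does by hand what the speaker does on screen, without touching anything it finds. It works out which extension the ransomware appended, using byte entropy as the tell (which also flags already-compressed files such as archives and JPEGs, hence the skip list), spots the ransom note as the small text or HTML file dropped into every encrypted folder, and copies one of each into an evidence folder ready to upload to ID Ransomware. Originals, key files and notes are never deleted or moved, which is the caution the video gives about scanners. The entropy threshold, the note size limit, the file names and the constructed sample tree are assumptions made for the demonstration.

```python
"""Ransomware triage helper (added example, not from the video).

Finds the ransomware's file extension and ransom note in a directory tree
and copies (never deletes or moves) one sample of each for upload to an
identification service such as ID Ransomware.
"""
import collections
import math
import os
import shutil
import tempfile

NOTE_SUFFIXES = {".txt", ".html", ".htm", ".hta"}
# Already-compressed formats look random too; skip them to cut false hits.
SKIP_SUFFIXES = {".zip", ".7z", ".gz", ".rar", ".jpg", ".jpeg", ".png", ".mp4", ".pdf"}
HIGH_ENTROPY = 7.5          # bits/byte (assumed threshold); ciphertext sits near 8.0
NOTE_MAX_BYTES = 64 * 1024  # assumed: ransom notes are small, real documents rarely are


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of data (0.0 for empty input, 8.0 for uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in collections.Counter(data).values())


def survey(root: str) -> dict:
    """Walk root and report the dominant high-entropy extension and ransom notes."""
    ext_hits = collections.Counter()            # ext -> count of high-entropy files
    first_seen = {}                              # ext -> first encrypted path found
    note_dirs = collections.defaultdict(set)     # note basename -> dirs it appears in
    note_path = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            if ext in SKIP_SUFFIXES:
                continue
            try:
                size = os.path.getsize(path)
                with open(path, "rb") as fh:
                    head = fh.read(4096)         # 4 KiB is enough for an entropy estimate
            except OSError:
                continue                         # unreadable file: skip, never touch
            if ext in NOTE_SUFFIXES and size <= NOTE_MAX_BYTES:
                note_dirs[name].add(dirpath)
                note_path.setdefault(name, path)
            elif shannon_entropy(head) >= HIGH_ENTROPY:
                ext_hits[ext] += 1
                first_seen.setdefault(ext, path)
    # A ransom note is normally dropped into every folder that was encrypted,
    # so a small text/HTML file repeated across directories is the prime suspect.
    notes = [n for n in note_dirs if len(note_dirs[n]) >= 2]
    notes.sort(key=lambda n: -len(note_dirs[n]))
    top_ext = ext_hits.most_common(1)[0][0] if ext_hits else None
    return {
        "encrypted_ext": top_ext,
        "encrypted_count": ext_hits[top_ext] if top_ext else 0,
        "sample_encrypted": first_seen.get(top_ext),
        "note_names": notes,
        "sample_note": note_path.get(notes[0]) if notes else None,
    }


def collect_samples(report: dict, evidence_dir: str) -> list:
    """Copy (never move) one encrypted file and one note into evidence_dir."""
    os.makedirs(evidence_dir, exist_ok=True)
    copied = []
    for src in (report["sample_encrypted"], report["sample_note"]):
        if src:
            dst = os.path.join(evidence_dir, os.path.basename(src))
            shutil.copy2(src, dst)
            copied.append(dst)
    return copied


def build_demo(root: str) -> None:
    """Constructed sample tree standing in for a hit machine (no real malware)."""
    for sub in ("Documents", "Pictures"):
        d = os.path.join(root, sub)
        os.makedirs(d, exist_ok=True)
        with open(os.path.join(d, "report.docx.fun"), "wb") as fh:
            fh.write(os.urandom(8192))           # random bytes stand in for ciphertext
        with open(os.path.join(d, "HOW_TO_DECRYPT.html"), "w") as fh:
            fh.write("<html><body>Your files are encrypted. Pay to recover.</body></html>")
    with open(os.path.join(root, "Documents", "todo.txt"), "w") as fh:
        fh.write("buy milk\ncall dentist\n")    # ordinary plaintext: low entropy, one dir


def run_demo() -> tuple:
    """Build the sample tree in a temp dir, survey it and collect evidence."""
    root = tempfile.mkdtemp(prefix="rw-triage-")
    build_demo(root)
    report = survey(root)
    copied = collect_samples(report, os.path.join(root, "evidence"))
    return report, copied


if __name__ == "__main__":
    rep, files = run_demo()
    print(rep)
    print("copied for upload:", files)
```

Run it on a real machine only after the box is off the network and the ransomware process is stopped, as the video says, and point `survey()` at the user's data folders rather than the whole drive so system binaries and caches do not swamp the tally. The two files it copies are exactly what ID Ransomware asks for: a sample encrypted file or the ransom note.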