Don't Reboot Your Computer After You've Been Infected With Ransomware, Experts Say (zdnet.com)
Security experts don't recommend that users reboot their computers after suffering a ransomware infection, as this could help the malware in certain circumstances. From a report: Instead, experts recommend that victims power down the computer, disconnect it from their network, and reach out to a professional IT support firm. Experts are recommending against PC reboots because a recent survey of 1,180 US adults who fell victim to ransomware in the past years has shown that almost 30% of victims chose to reboot their computers as a way to deal with the infection. But while rebooting in safe mode is a good way of removing older screenlocker types of ransomware, it is not recommended when dealing with modern ransomware versions that encrypt files.
"Generally, the [ransomware] executable that actually encrypts your data is designed to crawl through attached, mapped and mounted drives to a given machine. Sometimes it trips, or is blocked by a permission issue and will stop encrypting," Bill Siegel, CEO & Co-Founder of Coveware, a company that provides ransomware data recovery services told ZDNet in an email this week. "If you reboot the machine, it will start back up and try to finish the job," Siegel said.
at no point (Score:2)
at no point did it explain how any additional damage comes from rebooting. "It will attempt to keep going" ... yeah... just like it does when it's normally running.
Re:at no point (Score:4, Informative)
> at no point did it explain how any additional damage comes from rebooting. "It will attempt to keep going" ... yeah... just like it does when it's normally running.
The full article has more information than the summary. And it also links to some guides.
Re: (Score:3)
Rebooting used to be the standard advice for malware, but these things now run in Safe Mode and as auto-StartUp items, so basically rebooting is SOL for ransomware.
Re: (Score:2)
.... you know what, you're fucked no matter what you do.
Hibernate, because the key is in memory! (Score:5, Informative)
> Let's face it if you're dumb enough to be infected with ransomware, you're too dumb to stop it anyway.
True 99.9% of the time. Also, if you're breathing, there is a 99.9% certainty that you aren't a ransomware expert.
If you have perfect backups, such that the ransomware wasn't able to encrypt your backups, you're in good shape. Pull the plug, wipe the machine. Check which is the latest un-infected backup and off you go.
If you DON'T have suitable backups, it's a very delicate situation. If the ransomware is actively running, two facts are true:
The situation is getting worse
The key needed to decrypt your files is in your computer's RAM!
Ransomware can use asymmetric cryptography to encrypt the key on disk, but the actual files are encrypted using symmetric cryptography. That means the key being used to encrypt them is the same key you need to decrypt them. You are everything needed to decrypt your files, other than the expertise.
If you pull the network cable and then hibernate the machine (suspend to disk), that will save the all-important key, while stopping the encryption process. I can then mount the drive in my forensic machine, grab the key from the RAM image, and decrypt your files.
In the worst case, if for some reason I can't get the key, you've saved any files that weren't encrypted yet and preserved all of the information about which processes were running, etc., so that an expert can work with it.
So bottom line:
Remove the network cable
Hibernate (suspend to disk)
Call an expert
Suppose the files aren't that valuable and you're broke, so you decide not to call an expert. There are free and easy to use tools available for some types of ransomware. Make a disk image of the infected disk. Then try the tool on the extra image you made. Do not try the tool against the original disk, because you could easily lose all of your data. All data recovery work is always done against a disk image, an extra copy of the drive.
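The "key is in RAM" point above (and the same hibernate advice repeated further down the thread), as an added illustration that is not code from the thread: a Python scanner that finds AES-128 keys in a memory or hibernation image by checking key-schedule consistency, the technique the aeskeyfind tool uses. The image layout, the offset and `make_image` are constructed for the demo; the key is the FIPS-197 sample key.

```python
import random

def _gf_mul(a, b):                    # multiply in GF(2^8) mod AES polynomial
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

def _build_sbox():                    # S-box = affine(x^-1); computed, not tabled
    box = []
    for x in range(256):
        inv = 1 if x else 0           # x^254 == x^-1 in GF(2^8); 0 maps to 0
        for _ in range(254 if x else 0):
            inv = _gf_mul(inv, x)
        s = inv
        for _ in range(4):            # s = b ^ rotl1 ^ rotl2 ^ rotl3 ^ rotl4 ^ 0x63
            inv = ((inv << 1) | (inv >> 7)) & 0xFF
            s ^= inv
        box.append(s ^ 0x63)
    return box
SBOX = _build_sbox()

def expand_key(key):                  # FIPS-197 AES-128 key schedule: 16 -> 176 bytes
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:                # RotWord, SubWord, xor round constant
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0] ^= rcon
            rcon = _gf_mul(rcon, 2)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return bytes(sum(w, []))

def find_aes128_keys(image):
    """Return [(offset, key)] where 176 bytes of image form a valid schedule."""
    return [(off, bytes(image[off:off + 16]))
            for off in range(len(image) - 175)
            if image[off:off + 176] == expand_key(image[off:off + 16])]

def make_image(key, before=600, after=700, seed=7):
    """Constructed stand-in for a RAM/hibernation dump: junk, schedule, junk."""
    rng = random.Random(seed)
    junk = lambda n: bytes(rng.getrandbits(8) for _ in range(n))
    return junk(before) + expand_key(key) + junk(after)
```

An encrypting process keeps the whole expanded schedule in memory, so a 176-byte run whose bytes 16..175 equal `expand_key(bytes 0..15)` is a live key with overwhelming probability; on a real hiberfil the same scan runs over the decompressed memory pages.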
Re: (Score:3)
> So bottom line: Remove the network cable. Hibernate (suspend to disk). Call an expert.
I prefer the following solution: Back up the very few things I think are critical, and be prepared to write off the rest. Oh I know this wouldn't work for an enterprise-sized outfit - but then again they're supposed to have an entire department for dealing with shit like this. For me it's wipe/reformat and re-install. My wedding pictures are on a couple different flash drives. Some other important stuff somewhere else, burned onto DVDs, etc. This is enough of an adequate solution for 99.9% of the population
I wish I'd known to do this. (Score:2, Interesting)
A year or so ago, my Mac laptop got infected watching a pirated video stream earlier in the day (yes - VERY dumb). The infection started working hours later when I rebooted, which was going at a glacial crawl (30-40+ minutes just to get to a login screen) and the laptop was getting physically hot. By the time macOS finally came up it was practically unusable. I knew I was probably screwed, and a repeated ps command in a macOS terminal verified my fear: I could see random processes copying various files (jpg
Re: (Score:2)
"Can't see the video? Check your SuperViewer (click here) version update to watch Sportsball, Premium TV, and more!"
Re: (Score:2)
"The situation is getting worse
The key needed to decrypt your files is in your computer's RAM!"
1. Suspend to disk!
2. Remove drive, mount read-only in clean machine.
3. Recover what you can.
4. Restore what you can from backups.
5. Assess if the remainder is sufficiently valuable to justify hiring a specialist who can recover that key from the suspend-to-RAM file and decrypt the files. As a very high-skill process, this is sure to be expensive.
Expensive per hour, takes me an hour, but middleme (Score:2)
> As a very high-skill process, this is sure to be expensive.
$200-ish. It'll take me an hour or two of actual work (aside from just letting the files copy overnight). Plus getting the drive to me safely - shipping or bring it by.
However, if your company calls HP for help, HP will call the company they have subcontracted. That company will call me. You might pay $1,000 for the service because the middle men make money, maybe more if HP sent sales reps to spend a day with your CIO first - flying sales
Re: (Score:2)
>True 99.9% of the time. Also, if you're breathing, there is a 99.9% certainty that you aren't a ransomware expert.
I thought the ransomware victims were, 99.9% of the time, dentists.
Re: (Score:2)
Whoa. I didn't realize there was still intelligent life on /.
Would seriously like to have your email address or a link to a service you trust for such recovery. While I certainly don't anticipate it, this is the kind of thing it would be good to have a contact lined up for as an immediate step 4 (step 3 after hibernating disk would be changing my pants).
Re: (Score:2)
Thanks. I've been studying and professionally practicing information security for a little over 20 years now, so it's kinda my thing. I really enjoy "teaching" it, or informing people.
I don't think I'm going to post my email address here, but you might be able to find it. If you don't find it, you can post your public gpg key and I'll reply with my encrypted email address.
Re: (Score:2)
Never reboot. Uptime is life.
Bad advice (Score:2)
Just disconnect it from the network. If the malware is affecting a shared drive, then you've stopped the functionality of the malware. If the PC itself has been affected, then rebooting won't add to the damage. Your IT people should have a nice backup of your data ...somewhere. If not, they can at least assist with paying the ransom to get your data decrypted.
If your IT people are able to decrypt your data without having to pay a ransom, then you just found your problem.
Re: (Score:2)
> If your IT people are able to decrypt your data without having to pay a ransom, then you just found your problem.
Well that's highly wishful thinking. While not all ransomware is equal, it doesn't take a great deal of skill to encrypt data with strong encryption.
Re:Bad advice (Score:4, Insightful)
I know, from experience, that backups/fail-overs are the most important aspects of IT today. If you're not doing that, or making sure that it gets done, DAILY, then you hardly count as an IT person.
You'll spend 100x as long fighting malware/viri than you will restoring a backup.
NUKE and PAVE (Score:3)
Honestly need to do this anyways.
Re: (Score:2)
Then call Liam Neeson to hunt them down with his particular set of skills and shoot them in the junk.
Re: (Score:2, Funny)
..."If you reboot the machine, it will start back up and try to finish the job," Siegel said....
... of systemd's tendency to restart crashed daemons. ...
Ya, but if you consider the cost/effort of freeing your system from it, systemd is ransomware... :-)
Here's an even better strategy (Score:2)
Dude, like, your OS sucks.
Re: (Score:2)
Win10 Pro has Windows Sandbox -- a lightweight VM disconnected from the regular file system, except for two folders I mapped as shared, one read only and one writable for the Sandbox. I do all my browsing there, except for a couple "trusted" sites that I do on my regular system, with NoScript on.
Killing and restarting the entire Sandbox is fast. My startup script for the Sandbox installs Chrome from the read-only folder, after which I install AdBlock Plus online and it's ready to go. My passwords etc. to si
what about this (Score:4, Informative)
Re: (Score:2)
> power it off, remove drive, mount it with a non ms-windows PC like Linux so the malware won't be in its running environment
Even if you power it off, remove drive, and mount it with a Windows PC, the malware won't be running. There's no need to drag Linux into it.
Additionally, you'll probably need to add file permissions to access some files under the \User hierarchy. It may be advisable to make such changes using a native NTFS client.
Hibernate it, to save the decryption key (Score:2)
Shutting down, or yanking the power cord, aren't the worst things you can do. They also aren't the very best.
Using hibernate (suspend to disk) will preserve important things like the encryption key, which can be used to decrypt the files that have already been encrypted.
Well, ideally you'd (Score:3)
A friend is the accountant for her family business. Her computer got hit with ransomware. (She gets daily reports from their salesmen in the form of a spreadsheet emailed to her, and this particular ransomware disguised itself as an email fr
Re: (Score:2)
> power it off, remove drive, mount it with a non ms-windows PC like Linux so the malware won't be in its running environment
What person who is likely to get hit by ransomware would have the capability to do this?
Time To Retrain The Helpdesk (Score:3)
Also: Stop downloading porn (Score:2, Insightful)
Don't download porn and drop your personal Ransomware risk to nearly zero.
Re: (Score:2)
You're right Dallas!
Debbie did that!
Re:Also: Stop downloading porn (Score:5, Informative)
Re: (Score:2)
Wait, elaborate.
Even if there are exposed vulnerabilities, those have to arrive somehow - how did that happen ?
Compromised passwords lead to ransomware? Were the machine credentials compromised? A service they were using? Was it because of password re-use?
Seriously curious -
Not machine credentials that were compromised. User login credentials. In one case, the compromised account was a member of the domain administrators group. If someone steals login credentials for an account with remote access to a network, yes it can lead to ransomware. Presumably the bad guy simply logs in and launches his malware. Don't know how the passwords were obtained. Maybe logging in from an infected machine? That's why I personally won't set up any kind of remote access or vpn connectivity wit
Re: (Score:3)
Wishful thinking. Ransomware has many attack vectors and is profit-driven to be creative in finding new ones.
The best security comes in layers and good working backups.
Don't cut out the middleman (Score:2)
LIES!!! (Score:3, Funny)
C'mon Slashdot.... everyone in IT knows that a reboot fixes 99.99% of all computer issues.
Re: (Score:2)
Problem: 0.01% of files on the system weren't encrypted. Solution: Turn it off and on again.
It is all a matter of perspective.
Of course (Score:2)
I remember when the OS started stopping you from deleting open files or executables running, thus greatly making it harder to manually clobber running malware.
One trick was to clobber it then replace the file with a read-only folder with the same name. Malware was usually too stupid to figure that out and create the file.
Advice Violates Windows Orthodoxy (Score:1)
Burn it. (Score:2)
Better burn it immediately. Never buy another one.
Depends on the user... (Score:2)
If I'm stupid or hapless enough to get ransomware, first thing I'm doing is reaching for the power switch, so nobody else gets infected. Second thing will be booting from recovery media I made so I can erase the boot SSD completely (ensuring that there is nothing remaining), and reloading from a backup.
I have to ask this... why are backups so hard? $10/month/PC gets you continuous protection with CrashPlan. Backblaze is $6/month. If you add to that a NAS, you now have local and remote recovery of ransom