Ransomware Prevention & Defense – Part 2: Windows Recovery

When you’re hit by ransomware, the first thing many folks think of is – CRAP!  My pictures/videos/school work/data!  What am I going to do?!

To be honest, there’s not much you CAN do – IF you haven’t prepared.  In order to prepare for the worst, you need to take the steps I’ve outlined in part one of this multi-part series – Ransomware Prevention & Defense – Part 1: Prevention.  If you haven’t prepared, not only are you going to be potentially out of some money, but your data (your pictures, your videos, your school work, tax returns, work files, etc.) is gonna be gone, too.

An ounce of prevention is worth a pound of cure.  This is doubly true with ransomware. If you’ve set everything up correctly, then the recovery process won’t take TOO long.  However, if you haven’t prepared, then its gonna hurt more.

Notice, I said, “hurt more.” If you get ransomware, it’s gonna hurt. Regardless of whether or not you’ve prepared, you’re gonna lose something. Hopefully, it will just be the time needed to recover. However, it could be much worse.

But enough with the gloom and doom.  If you get hit with ransomware, follow these steps to recover your computer.

Recovery – Retake Control of Your PC

  1. Realize your Data is GONE and Get Over It – Ransomware will encrypt your entire hard drive. Once the encryption process starts, you can’t stop it. So as soon as you see the screen that tells you your drive is encrypted, you should accept the fact that your data is gone. Don’t try to stop the process, it’s too late. A word to the wise – the police, FBI, Department of Justice or other legal body will NOT reach out and electronically encrypt or lock down your computer.  They cannot legally do that to you.  The Fourth Amendment of the US Constitution prevents illegal search and seizure.  Encrypting your hard drive and locking you out of it without first presenting you with a search warrant, violates the Fourth Amendment.
    .
    To address the gorilla in the room, why wouldn’t you pay the ransom, get access to your data, back it up and THEN move on?
    .
    To be blunt, I wouldn’t trust it.
    .
    Your data has been held hostage by a known malicious agent. At this point, I would treat it as though it were infected with every bug known to man, including trojan horses, keyloggers, worms, and the Black Plague. It’s not to be trusted. At all…Who knows what those data thieves may have done to it while it was under their control? I would also think your OS would be infected with something as well. Your virus scanner (if you have one at this point) wasn’t smart or savvy enough to catch and prevent the ransomware attack before it encrypted your drive.  I wouldn’t trust it to clean your drive, post infection.  Expect part of your clean up activities to include the purchase of a new anti-virus/anti-malware (AV/AM) package.
    .
    So… your data is gone; and I would consider it – and your computer – to be an infected mess.  Get over it and move on. The quicker you accept this, the faster your recovery will be and the quicker you’re going to be up and running.
  2. Make a list of your Applications – any backup disks connected to your machine during infection or after its been infected are likely encrypted, and a point of potential REINFECTION. When you blow your drive, you’ll need to blow the back up disk as well.

    Make a list of your MUST HAVE applications and keep that list handy.  You may need the list to help insure you reinstall all of your programs after you have the PC rebuilt.

  3. Nuke Your PC and Rebuild – This section is going to be a bit long.
    .
    Please be aware that there’s a step by step how-to in this section. It covers Windows steps to address the objective – putting your OS back on your computer.  There are 3 main desktop operating systems – Windows, macOS and Linux.  Linux has the smallest user base; and to be honest, I’m not a Linux expert. I will be covering rebuild instructions for both Windows 10 and macOS. This is going to be long and drawn out, and in the case of some infections, may require more drastic measures.
    .
    Windows, like macOS, splits your drive into a number of different volumes. You should think of each volume as a mini-Las Vegas – what happens on the volume, stays on the volume.  If this is TRULY the case, and the ransomware you got doesn’t infect very volume on the drive, then recovery is easier, at least it cold be on your Mac.  On your Windows machine, I would assume the worst and consider not just the boot volume infect, but the ENTIRE drive.
    .
    Unfortunately, accessing the Windows Recovery partition isn’t as easy as it is to access the recovery partition on a Mac.  For Windows users, we’re going to blow the drive and reinstall Windows from Recovery Media.  This is an easier method, won’t touch the system files (and potentially the ransomware on your Windows PC) and should remove the infection with the least amount of stress.
    .
    Please note – creating recovery media should be done BEFORE you realize your computer is infected with ransomware.
    .
    If you’re coming to this article AFTER you’ve been infected, needing a miracle to clean your computer, you’re going to be disapointed. Please remember, by this point, your data is gone, and you’re STILL going to need to use the following instructions on a CLEAN PC to create a bootable USB drive.
    .
    Please remember that the computer is infected with malware that is preventing you from starting your computer normally or in Safe Mode.  The Windows Recovery Partition can’t be trusted and shouldn’t be used.

    1. Using Recovery Media to Completely Rebuild Your Windows PC – Honestly, there are a couple options here. Windows itself does, with some Signature PC’s (like the Microsoft Surface line) as well as some other Windows 10 PC’s, provide for a process to create a Recover USB drive. In my experience, the process is long, and prone to issues.  Its so issue prone that I’ve lost both a Surface Pro 1 and a Surface Pro 2 to bricking issues encountered while using the Recovery USB drive created by Windows.  After an issue as stressful as a ransomware infection, I’d much rather use a method that I know hasn’t caused any issues.
      .
      So, instead, I’d much rather download the latest released version Windows 10 ISO and use the Microsoft Media Creation Tool (download link, below) to burn the image to a USB stick.  After that, boot the PC with that flash drive and then wipe and rebuild the PC.  I have used the Microsoft Media Creation Tool to complete this process before, and its the easiest way to get the job done. To use the Microsoft Media Creation Tool method, follow these steps:

      1. Download the Microsoft Media Creation Tool.  After the tool downloads, run it.
      2. Accept the license agreement that is presented
      3. Post acceptance, Windows prepares to download the ISO from microsoft.com
      4. Once prepared, the tool will ask you what you want to do. Choose to download the ISO. Again, these steps must be completed BEFORE your computer is infected with ransomware. Post infection, you won’t have the ability to run the Microsoft Media Creation Tool on the infected PC.
      5. After selecting what you want to do, you’ll need to finalize a few options.  Unchecking the check box labeld, “Use the recommended options for this PC,” you can choose which Windows edition and language you download.
      6. Once you have the ISO language and edition selected and confirmed, you need to specify how you wanted to create the installation media – burned directly to a USB drive or download a ISO.  Choose the ISO option. It provides you with the greatest options (including keeping the ISO as a backup, if needed later).
      7. Choose where to save your ISO. The Downloads folder is likely the best place…
      8. Download the ISO. It make take a bit depending on the speed of your internet connection.
      9. Once completed, you’ll have the opportunity to burn a copy of the ISO to a DVD or to view the location of the ISO.

        To be honest, don’t use the Windows Media Creation Tool to burn the ISO to DVD. The Tool makes use of the Windows DVD burner, and most PC’s no longer have an optical drive.  Instead, as I mentioned above, we’re going to use Rufus to burn the ISO to a USB stick.
      10. Download Rufus.  Rufus is an app that will take any ISO file you have and burn it to a USB stick.  There’s no installation file.  You’re going to download the executable and run it from whatever directory you store it in.  You will need an 8GB or larger USB stick to complete this process.
      11. Insert the USB stick into a USB port.  Run Rufus. The program window will display.
      12. Hit the Device dropdown arrow and select the USB stick from the list. If its the only removable drive you have in the PC, it will be automatically selected.
      13. Modify the Boot Selection section. Click the drop down and insure that Disk or ISO image is selected.  Click the Select button and browse to the Downloads folder. Select the Windows ISO we just downloaded, above.  Rufus will automatically determine the Image Option, Partition Scheme and Target System.  Accept the defaults unless you have specific needs that require other available options (very uncommon).
      14. Name the volume in the Volume Label field.  Select the file system by clicking the File System drop down. Choose NTFS as the file system.  The Windows 10 installation program will require it.  Leave the default Cluster Size alone (4096 bytes).
      15. When all is set, click the Start button.  Rufus Informs you it will destroy everything on the USB stick you’ve chosen to work with. Click the OK button to allow the USB stick to be built.
        .
        .
        Please Note:  The following steps, 16-18,  are too diverse to publish specific step by step instructions for.  The processes referenced in those steps will differ by model and manufacturer; and are none the less, important to getting your computer back up and running.
      16. You’ll need to disable secure boot in your UEFI before you can use this or ANY USB boot device.  Secure boot is a security feature of Windows 10.  Please make certain you understand how to get into your UEFI or BIOS to address this issue BEFORE you find yourself needing to complete this procedure.
      17. Boot from the USB and reinstall Windows.  When you boot from the USB stick, make certain you erase YOUR ENTIRE DRIVE, deleting every single partition on your computer’s HDD/SSD to insure that you remove the ransomware.
      18. Reinstall your computer’s drivers.  Many computers – like Dell’s and HP’s use drivers that may or may not be available on the Windows installation ISO we downloaded. Make certain you surf to your manufacturer’s support site, post installation, and either have the web site install all of your drivers with their auto install tool (Dell and Lenovo do this, very well); or download the driver install apps and install them yourself.  Simply running Windows Update again – which normally handles driver installation for many PC’s – will not be enough on these PC’s. If Windows didn’t have the drivers to begin with, Windows Update won’t have them, post install.  After you have completed this last step, you’re done restoring your Windows system and can move to the next full step, Restore Your Data.

Summary

You’ve got ransomware and you don’t want to pay the ransom.  Good news – you don’t have to; but… you have to accept that your data is gone. Even if you pay the ransom, there’s no guarantee that the thieves haven’t left trojan horses (that will reencrypt your PC) or other malware (key loggers, worms, viruses) littered throughout your hard drive.

If you’ve done your homework – for your Windows machine – you can build a USB stick that can get you back up and running.  Let’s recap this process very quickly. It’s going to be a bit different for our friends running macOS.

  1. Download the Media Creation Tool from Microsoft. Use it to download the latest version of the Windows 10 installation media.  Save the ISO to your hard drive.
  2. Download Rufus.  Rufus is a tool that will help you burn that Window 10 ISO you downloaded to a bootable USB Stick.
  3. Disable Secure Boot on your Windows 10 PC.  After the USB stick is prepared, disable Secure Boot.  Secure Boot is a security feature of UEFI based PC’s.  You must disable Secure Boot to be able to boot from any other drive other than your C:\ drive (including the USB media we created in this article).
  4. Boot from the USB stick and reinstall Windows. During the Windows installation process, make certain you delete EACH. AND. EVERY. VOLUME on your PC’s hard drive or SSD.  Format over the drive more than once.
  5. Reinstall your computer’s drivers.  Dell (especially) and other manufacturers may use non-standard drivers on their PC’s and as such, while your PC will boot, many of its internal components will show up in Device Manager as needing a driver.  Go to the support page for your make and model of PC and download/ install all of the drivers you need to run your computer.

If you got ransomware on your Windows PC and you’re back up and running now, hang tight. I have to get our macOS friends back to this same spot you’re at. The fun part begins for PC users in restoring your data.

%d bloggers like this: