What To Do When Ransomware Holds a PC Hostage

By Linda Musthaler | July 23, 2013

Posted in: Network Security Trends

In my previous post, I talked about ransomware locking a user out from his PC. This article is geared toward the IT professional who may be called upon to attempt to unlock the PC and clean up the mess the malware leaves behind.

For the advice below, I consulted with John Harrison, Group Manager at Symantec Security Response. His team is in the trenches, researching and gaining insight about who is behind this growing wave of ransomware and how the malware affects endpoint devices, which now includes smartphones as well as laptop and desktop PCs.

Harrison says that ransomware is not pervasive in the enterprise but it does crop up. He suspects that instances are vastly underreported and stresses how important it is to get users to come forward to enlist the aid of the IT group. “Think about the worker who turns on his PC and up comes a warning that appears to be from the FBI,” says Harrison. “The web cam turns on, takes a picture of him and incorporates the photo into the warning, which says ‘We know you have child pornography on your computer and your computer has been frozen by the FBI.’ Do you think this worker is going to come to the IT department and say ‘I have child porn on my computer—I need you to help me remove it’?” Some people might feel that their job is in jeopardy if there truly is porn on their computer and this is against company policy.


So, end user education about ransomware is the first step. “The people who are sending these messages are trying to scare the heck out of you and make you freak out so that you will pay the money to have the porn removed or get the files unlocked or whatever they are holding hostage,” says Harrison. “This is one of those cases where the threat landscape has changed. You need to let your users know that this is really a scam, and yes, there is hope to clean the PC or get it unlocked. The key is not to pay the ransom because that is just falling for the scam and it does no good.”

End users shouldn't deal with ransomware on their own. “The worst thing that can happen to an enterprise is that an end user goes out to the Internet and does a search on how to remove ransomware and child pornography from their computer and then all they do is pick up more malware that puts the enterprise in further jeopardy,” says Harrison. He adds that IT professionals have access to the tools and other resources that can effectively remove the malware and undo the damage that may have been done.

IT managers also need to understand how the ransomware got on the computer. Was the person surfing the web and picked up a drive-by download? Did the person download an infected file from a website or an email attachment? Did this happen through search engine spoofing? The company’s IT specialists will want to uncover the attack vector if possible so they can plug that hole and prevent others from getting infected. It’s also important to thoroughly inspect the machine for other malware and Trojans that might have accompanied the ransomware onto the device.
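One practical way to narrow down the attack vector is to pull the affected workstation's web-proxy log for the hour before the lock screen appeared and look for the file fetches that could have carried the payload. The script below is an added example written for this article; it is not Symantec's tooling or anything the author describes. The log line format, the sample log lines, the workstation name and the three labels (drive-by, search-led download, document download) are all constructed heuristics for illustration, chosen to match the three vectors the paragraph names: an executable pulled from a different site within seconds of a page load, a download that follows a search-results page, and a document or archive that arrived as an attachment.

```python
"""Added example (not from the article): triage a workstation's proxy log
for the likely ransomware delivery vector. Log format and sample lines are
constructed for this example; the labels are heuristics, not a vendor API."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import urlsplit
import os

# Constructed sample: one workstation's proxy log on the morning the lock screen appeared.
# Fields: <iso-time> <host> <method> <url> <status> <content-type>
SAMPLE_LOG = """\
2013-07-22T09:02:11 wks-017 GET http://intranet.example.local/news.html 200 text/html
2013-07-22T09:14:05 wks-017 GET http://search.example.com/?q=free+photo+editor 200 text/html
2013-07-22T09:14:21 wks-017 GET http://photo-editor-free.example.net/download.html 200 text/html
2013-07-22T09:14:23 wks-017 GET http://photo-editor-free.example.net/setup.exe 200 application/x-msdownload
2013-07-22T09:20:40 wks-017 GET http://ads.example.org/banner.html 200 text/html
2013-07-22T09:20:41 wks-017 GET http://cdn-x.example.org/j.jar 200 application/java-archive
2013-07-22T09:45:00 wks-017 GET http://mail.example.local/attachment/invoice.pdf 200 application/pdf
2013-07-22T10:30:12 wks-017 GET http://intranet.example.local/hr.html 200 text/html
"""

EXECUTABLE_TYPES = {"application/x-msdownload", "application/x-dosexec", "application/java-archive"}
EXECUTABLE_EXTS = {".exe", ".scr", ".msi", ".jar"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".zip"}


@dataclass
class Event:
    ts: datetime
    host: str
    url: str
    ctype: str


def parse_log(text):
    """Parse the constructed six-field log format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, _method, url, _status, ctype = line.split()
        events.append(Event(datetime.fromisoformat(ts), host, url, ctype))
    return events


def extension(url):
    return os.path.splitext(urlsplit(url).path)[1].lower()


def is_payload(ev):
    """A fetch worth a second look: executable content or a document/archive."""
    ext = extension(ev.url)
    return ev.ctype in EXECUTABLE_TYPES or ext in EXECUTABLE_EXTS or ext in DOCUMENT_EXTS


def classify(ev, prior_pages):
    """Heuristic label for one payload fetch, given the earlier HTML page fetches
    by the same host (oldest first)."""
    executable = ev.ctype in EXECUTABLE_TYPES or extension(ev.url) in EXECUTABLE_EXTS
    last_page = prior_pages[-1] if prior_pages else None
    # Executable pulled from a different site within seconds of a page load: drive-by pattern.
    if (executable and last_page is not None
            and urlsplit(last_page.url).hostname != urlsplit(ev.url).hostname
            and ev.ts - last_page.ts <= timedelta(seconds=5)):
        return "drive-by"
    # A search-results page shortly before the download: search-led (possibly a spoofed result).
    recent = [p for p in prior_pages if ev.ts - p.ts <= timedelta(minutes=2)]
    if any("q=" in urlsplit(p.url).query for p in recent):
        return "search-led download"
    if not executable:
        return "document download"
    return "direct download"


def triage(log_text, workstation, lock_time, window=timedelta(hours=1)):
    """Return (timestamp, url, label) for every payload fetched by `workstation`
    in the `window` before the lock screen was first seen at `lock_time`."""
    if isinstance(lock_time, str):
        lock_time = datetime.fromisoformat(lock_time)
    events = [e for e in parse_log(log_text)
              if e.host == workstation and lock_time - window <= e.ts <= lock_time]
    findings = []
    for i, ev in enumerate(events):
        if not is_payload(ev):
            continue
        pages = [p for p in events[:i] if p.ctype == "text/html"]
        findings.append((ev.ts.isoformat(), ev.url, classify(ev, pages)))
    return findings


if __name__ == "__main__":
    # The user reported the lock screen at 10:00; look back one hour on wks-017.
    for ts, url, label in triage(SAMPLE_LOG, "wks-017", "2013-07-22T10:00:00"):
        print(f"{ts}  {label:20}  {url}")
```

Each flagged URL is a lead, not a verdict: the analyst still checks the fetched file against the machine, and the labels only tell the responder which hole (browser plug-in, search result, mail attachment) to look at first. The intranet page fetched after the lock time falls outside the window and is ignored.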

Some ransomware attacks claim that the user’s data or entire hard disk has been encrypted and the user must pay a fee to obtain a key to decrypt the data. I asked Harrison whether the malware really encrypts the data or if this is basically just a bluff. “The majority of ransomware that Symantec sees doesn’t do that, so that is really the exception and not the mainstream,” according to Harrison. “Some ransomware may lock your system and say that it has encrypted all of your files but we have found that they may encrypt just one file or a couple of key files. This is one instance where a professional malware removal service can really help you. Symantec has built a tool that is able to decrypt those files.”

There are numerous steps you can take to try to recover from a ransomware attack before you just re-image the PC and move on. Some of the options include rebooting the machine into safe mode and restoring to a previously known good state. According to Harrison, there are many different options and it depends on which variant of ransomware is on the device. Symantec has a website that offers details on known variants of ransomware and recommended actions to remove these programs.

Of course, Harrison says that from an enterprise perspective, the best thing is to keep this kind of stuff off the system in the first place. “Modern Internet security solutions do have a lot of proactive preventative measures that keep these kinds of things that might exploit a Java vulnerability or a PDF vulnerability from operating on your system,” he says. User education is important, too. “We find that people may install a ‘free’ version of a photo editing program or some other app, but as we know, free is never free. It may come laden with a key-logger and ransomware,” warns Harrison.

Ransomware has shown up in both enterprise and consumer environments. Symantec provides a number of free tools and steps to clean up an infected computer. The vendor also has a couple of videos that show you how to remove this type of malware. Check out these resources to help you get rid of ransomware.

Free Tools for Ransomware Removal 

Norton Power Eraser and Norton Bootable Recovery Tool

Videos showing how to remove this for free: (3 Videos)

Paid Malware Removal Service

Removal Instructions and Whitepaper: Ransomware: A Growing Menace
