Skip to content
Naked Security Naked Security

Got ransomware? What are your options?

Is there a secret shortcut to unscramble ransomware? Or are you stuck with paying up? We take a dispassionate look at the options...

As you can imagine, one of the most common questions we get asked about ransomware is, “What do I do now?”

It’s easy to be wise after the event: could’a, would’a, should’a.

Could have ignored the instructions to “Enable Macros”; would have been smart just to delete the email in the first place; should have bought that USB backup drive last week when they were on special at $45.

But what if the worst has happened, all your files are encrypted, and you’re staring down the barrel of a pay page where the crooks are calmly demanding $300 in Bitcoin for the key to unlock your precious files?

We’re assuming that you have no offline backups, and that the only copies of the files you want to preserve are sitting there in scrambled form on your hard disk, so near but yet so far.

Can you get your files back without paying?

As usual with IT-related questions, the answer is, “It depends.”

Shortcuts to recovery

Sometimes, the crooks make programming mistakes and there is a sneaky shortcut to recover for free.

For example, in the first ever ransomware attack, back in 1989/1990 (true!) the crook behind the scam wanted you to send a bank draft for $378 to an accommodation address in Panama.

However, he took the cryptographic shortcut of using the same encryption key on every computer, so free tools to unscramble the malware, known as the AIDS Information Trojan, soon appeared.

Similarly, in a recent case of Linux-based ransomware, the programmers chose a unique sequence of encryption keys for each server that they attacked, so that even two identical copies of a file would end up scrambled differently.

But they generated their keys using an algorithmic sequence known as a pseudo-random number generator, or PRNG, that was kickstarted using the timestamp of the first file that was scrambled.

Therefore, with a little guesswork, you could reconstruct the list of decryption keys yourself.

There are other ways you might be able to get some or all of your data back without a proper, offline backup, for example on a removable disk or in the cloud.

For example, Windows lets you make shadow copies of your files: a sort of rolling, on-line backup that keeps earlier versions of files handy.

Shadow copies are stored in aptly-named Volume Snapshot Service (VSS) files.

VSS files may therefore provide a quick fix against some ransomware, but that’s not very likely these days, because most ransomware deliberately triggers system commands to remove all your VSS files before scrambling the data that’s left.

So, if you’ve been hit by ransomware, and you can identify the malware strain involved, it’s worth asking around just in case there are any shortcuts that might let you recover without paying.

Nevertheless, we have to be blunt here, and tell you, “These days, it’s unlikely, so expect the worst.”

Longcuts to recovery

When a legitimate program modifies an existing file, it usually makes a copy of the file first, modifies the copy, and only then deletes the original.

This is a handy programming precaution to give you a chance of recovery in case something goes wrong and the program crashes in the middle of processing the file.

If the crooks use this sort of process when scrambling your files, there’s a slim chance of undeleting some of your old files, assuming that the crooks used the operating system’s regular file-deletion function.

That’s because most operating systems don’t overwrite deleted files immediately: to save time, they simply label the disk space occupied by the old file as “available for re-use”, so that it’s often possible to recover old files, at least for a while.

But undeleting files is a hit-and-miss operation.

To do it properly may require spending both time and money on a data forensics expert, and even then, you might end up with disappointingly incomplete results.

Calling in forensic experts is probably what would happen in a really important case, such as a murder investigation.

But after a ransomware attack, you might as well assume that data recovery will end up much more expensive than the ransom the crooks are demanding.

Of course, ransomware crooks don’t want you to recover without paying, so they don’t need to be so careful in their coding.

They typically just overwrite your files in place, aiming to leave as little as possible of the old content behind.

In theory, however, even rewriting a file in place might not actually overwrite the disk sectors in which the original content was stored.

Some operating systems, and some disk devices, deliberately shuffle writes around on the disk to perform what’s called wear levelling.

Solid state disks that use flash memory actually degrade with use due to wear-and-tear right down at the electron level, so writing over and over to the same memory cell can shorten the life of the device. Thus, wear levelling.

So, trying to dig down to the disk sector level, or even to the disk device’s firmware level, to look for data that was overwritten logically but not physically, is technically possible.

Once again, however, it would be much more uncertain, and very, very much more expensive, than just swallowing your pride and paying the crooks.

Cracking the encryption

The last way to cut the ransomware crooks out of the equation is to crack the encryption they’ve used.

As mentioned above, they sometimes make programming blunders, or choose weak ciphers, or use strong ciphers incorrectly, and therefore leave behind cryptanalytical backdoors.

But if they’ve done the crypto correctly, cracking it is as good as impossible, and here’s why.

A lot of ransomware, such as CryptoWall and Locky, uses a technique like this:

  • Connect to a server run by the crooks and download an RSA public key unique to your computer.
  • Generate a random AES key for each file (keeping it only in memory) and encrypt the file.
  • Encrypt the AES key with the RSA public key and save the encrypted file-decryption key along with the file.

Don’t worry if you have to read that a few times to get the picture of what it going on.

The trick is that the RSA encryption algorithm relies on two keys, not one: the public key locks your data, and thereafter, only the private key can unlock it.

In other words, if the crooks generate an RSA public-private key pair in the cloud for each infected computer, and only ever send out the public keys, then the crooks really are the only possible source of the unique private key needed to unlock the AES keys that in turn unlock your files.

Why not just encrypt the files themselves with the RSA public key, and leave out the AES part?

That’s because RSA is so slow that it’s only practical to use it to encrypt small amounts of data, such as randomly-chosen keys for much faster algorithms such as AES.

Why use a different key for every file?

That’s so every file encrypts differently, even if it has the same content, so you can’t use decryption hints from one file to decrypt any others.

In other words, decrypting all your files without paying is equivalent to one of these feats:

  • Cracking the RSA public-private encryption algorithm and thus recovering all the per-file AES keys.
  • Cracking the AES encryption algorithm, once for each file.

We don’t want to discourage you, but we think that’s a much harder and much less certain undertaking than paying the crooks.

What to do?

It sounds as though we’re advising you simply to pay up.

For the record, we recommend that you don’t pay, on the grounds that this means sending money to criminals.

Indeed, if you get hit by ransomware and you decide to take it on the chin, write off all your files, and start over, we say, “Power to you,” and we salute your fighting attitude.

What we are saying is that if you really need your files back, and you haven’t taken any precautions such as backing up, then you don’t really have any choice but to pay.

We’d rather you didn’t pay up, but if you do, we understand and respect your choice. (It’s easy to be high and mighty when it’s not your data on the line!)

We really wish things weren’t like that, but we thought it would help if we explained your options in an uncompromising sort of way.

In other words, “Prevention is better than cure!”

Useful ransomware precautions

  • Backup regularly and keep a recent backup copy off-site. There are dozens of ways other than ransomware that files can suddenly vanish, such as fire, flood, theft, a dropped laptop or even an accidental delete. Encrypt your backup and you won’t have to worry about the backup device falling into the wrong hands.
  • Don’t enable macros in document attachments received via email. Many ransomware attacks arrive in documents, and rely on persuading you to enable macros (embedded document scripts). Don’t do it: Microsoft deliberately turned off auto-execution of macros by default many years ago as a security measure.
  • Consider installing the Microsoft Office viewers. These viewer applications let you see what documents look like without opening them in Word or Excel itself. In particular, the viewer software doesn’t support macros at all, so you can’t enable macros by mistake!
  • Be cautious about unsolicited attachments. Crooks who send malware in documents are relying on the dilemma that you shouldn’t open a document until you are sure it’s one you want, but you can’t tell if it’s one you want until you open it. If in doubt, leave it out.
  • Don’t give yourself more login power than you need. Most importantly, don’t stay logged in as an administrator any longer than is strictly necessary, and avoid browsing, opening documents or other “regular work” activities while you have administrator rights.
  • Patch early, patch often. Malware that doesn’t come in via document macros often relies on security bugs in popular applications, including Office, your browser, Flash and more. The sooner you patch, the fewer open holes remain for the crooks to exploit.


A solid backup strategy is the most important part here. File storage is the other.

Personally, I don’t keep files locally. Everything goes on Dropbox or Google Drive. Sometimes OneDrive, but mostly for documents I intend to edit often. I can reformat my hard drive and have Mint up and running that afternoon. Re-establish logins to cloud storage and I’m up and running again.

For the enterprise, it gets trickier, since people need to have the ability to modify the files they use. Catch it early and mirrored virtual servers can be a lifesaver. If you have a hot backup that hasn’t been infected yet, you point everything to the backup, blow away your encrypted virtual server, create a new mirror from the good server, and go. If you don’t catch it before the changes propagate to the mirror then you have to rely on your backup strategy. This is where a good colo can come in handy, since they’ll (presumably) have the processes in place for just such a solution.


Just be careful not to load file system drivers that turn your cloud storage data objects into files accessible directly via a file share :-)


Nope! Web access only.. I don’t expect I’ll ever have to deal with this, but cloud storage is so easy anymore that it’s barely an interruption to use.


Anything I am the least bit worried about I view on my Surface RT. Office on this does not even have macros, so no chance of being turned on. Also, as it is not an x86 processor, much less likely to be infected anyway. Windows RT has many definite advantages.


My first tech job I did backups to QIC which seemed to take a whole day for a 1GB. Now we use a hybrid NAS/cloud (we are required to have offsite backup), and since I worry that both could become infected, I use an external USB that I physically disconnect when the backup is finished.


I got rid of the ransom ware on my computer just by doing a system restore in safe mode.

It was easy.


Too bad the ransomware deletes all system restore points.


you must have had a very early version of it if your statement is true.


According to Microsoft: “System Restore does not affect personal files, such as e-mail, documents, or photos, so it cannot help you restore a deleted file. If you have backups of your files, you can restore the files from a backup.”

Perhaps the OP just wanted to get their computer working properly again, not to recover data files?


Check Bleeping Computer and/or Emsisoft before you throw in the encryption towel. Emsisoft and Dr. Web have had some luck in decrypting certain ransomware versions–usually due to errors by the bad guys in their encryption process.



To quote myself from the article:

Nevertheless, we have to be blunt here, and tell you, “These days, it’s unlikely, so expect the worst.”


I made a list of the ‘action items’ from “Company Bs” Software Directors infection –
1. Email not in junk folder. CompanyA users had it in Junk.
a. Fixed, applied GPO to CompanyB and CompanyC so Outlook properly filters email marked as Spam.
2. Word Macros executed.
a. Fixed – Assuming Macros were enabled. Microsoft disables by default. Policy forces disabling of Macros. Does not prevent user from enabling macros on a per-document basis.
3. Macro wrote bat file, executed VBScript (1)
a. Fixed %temp% and %appdata% execution allowed in CompanyB and CompanyC. Policy applied to CompanyC to prevent, but not CompanyB as it interferes with installers.
4. Bat file executed VBScript. cscript allowed to run (VBA commandline) (2)
a. No Action. Not sufficiently tested. Disabled cscript/wscript site-wide in past lives.
5. AV disabled by script.
a. Fixed. No user can disable AV on their desktop, was enabled for CompanyB.
6. Download malicious file allowed – ran from %temp%
a. Possibly Fixed. OpenDNS in testing to block access to malicious internet sites by name.
b. Investigating transparent proxy w/AV. This will communicate with web sites on behalf of client PCs, AND scan downloaded files with a different AV. (Squid + WCCP + DansGuardian)
c. Fixed (see 3a)
7. No backup for desktops.
a. Compensating Control – Reminded users that local systems are not backed up and are vulnerable to many issues that can destroy local data.
i. This can be anything from a HD failure to a virus to TSA confiscating equipment.


“Most importantly, don’t stay logged in as an administrator any longer than is strictly necessary”
I don’t see an option to not be logged in as Administrator. It says if I change to a Standard Account, someone else has to be Administrator. I am the only one who uses my computer. How do I not stay logged in as Administrator?


You can create two accounts, one with high privilege and one without. Logon as the regular user if you don’t need to be admin.


And when you need to do something as administrator wherever possible stay logged in as standard user and use the option to ‘run as different user’ and use the admin account credentials so that process is the only one running as administrator and close it once the task is complete.


I guess I don’t know enough about MS accounts. I can’t create a Standard Account with the email address I use for the Admin Account. But if I create a new Standard Account with a different email address won’t I have to reinstall all my programs and re-link all my other accounts?


John, create a new admin account, ideally not linked to any email address (the email address/computer account link is not necessary just the way Microsoft would ‘prefer’ you to do it). Once the admin account has been created log in as that user, confirm you can access everything necessary. Then, you can demote the existing admin account to standard user and still have the email links etc you require.


Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!