Get Your Data Back Without Paying Ransom

In early 2016, aspiring U.K.-based photographer Amos Rabbani opened an email attachment purporting to be a parcel tracker. No sooner had he double-clicked on the file than he received a message saying that his data – including his entire photography portfolio – had been encrypted, and demanding a ransom of 1,000 pounds to recover it. With no leads from his anti-virus provider and several other companies, Rabbani reached out to malware researcher Fabian Wosar. Using the ransom note and some of the encrypted files as clues, Wosar was able to get all of Rabbani’s data back in about two hours. “I was told repeatedly by ‘the best’ that it was impossible to recover my files,” says Rabbani. “And then Fabian resurrected them from the dead.”

Ransomware – software that mainly targets Windows computers and threatens to publish private data or block access to it unless a ransom is paid – is not a new thing, and some sources even say it’s on the decline. But attacks are becoming more sophisticated and more costly to victims – an estimated $11.5 billion by 2019. Software like Emsisoft’s free ransomware buster has saved people more than $500 million since the company started helping ransomware victims in 2012.

We reached out to three battle-weary ransomware knights – Wosar (whose day job is at Emsisoft), Lawrence Abrams from Bleeping Computer (a computer help site started in 2004) and Michael Gillespie, who founded the free ID Ransomware service three years ago – for tips on how individuals and businesses can thwart the thievery. They all had surprisingly similar advice.

With ransomware – and all other computer nasties, for that matter – prevention is way better than cure. All three experts advise backing up your data using the 3-2-1 rule: “Three copies of your data, on two devices, one of which is located off-site,” explains Gillespie. If this sounds a bit beyond you – it does seem like the IT equivalent of being told to stop eating carbs, fats and sugars overnight – remember that one backup is far superior to none.

Even if you do all these things you could still be suckered because, well, criminals couldn’t give a hoot whether you’re a model citizen.

Their next advice concerns what Gillespie calls “proper cyber-habits.” Keep your system and software up to date; use anti-virus software (“pick something that works well and doesn’t annoy you,” says Wosar); stay away from dodgy downloads like file-sharing platforms; and be very wary of unsolicited emails (especially those with attachments).

Even if you do all these things you could still be suckered because, well, criminals couldn’t give a hoot whether you’re a model citizen. If you are the victim of a ransomware attack, you should either switch your computer off and contact the police and your insurance provider, says Abrams, or – depending on how tech-savvy you are – “make a backup of your encrypted data and ransom notes.” Whatever you do, do not delete any evidence (optimizer tools like CCleaner are a big no-no because they “clean” the scene). Think of it this way: “If you’ve accidentally consumed some household cleaner,” Wosar explains, “it’s a good idea to bring the bottle with you to the hospital.”

The next step is figuring out which family of ransomware you’ve been hit by. Instead of trusting the name in the ransom note (Rabbani’s ransomware claimed to be something it wasn’t), use an identification service for a definitive diagnosis. Armed with this info, reach out to tech support communities, or contact your anti-virus company. (Do not run a Google search using the name of the ransomware – the results will be littered with shady links that could drag you even deeper into the mire.)

In many cases, all three experts acknowledge, there will be no way to get your data back without the help of the criminal who encrypted it. That said, do your utmost to avoid paying them a cent. Apart from the fact that forking out the cash will encourage the bad guys to keep at it, there’s the very real danger that you could lose your money and your files. Even if the criminals want to decrypt your files (the road to hell and all that), they are often unable to because their ransomware is “so shoddily programmed” that it ends up destroying files instead of decrypting them, says Wosar.

Instead, try to cobble together what you can from a combination of cloud-based backups – iCloud, Google Photos, Dropbox, OneDrive – and ask family, friends and business associates to send files you’ve shared with them back to you. If your livelihood depends on getting your data back – small businesses that lack full-time IT departments are especially susceptible to ransomware attacks – be sure to negotiate the price, says Abrams, and keep in mind that “you are dealing with criminals, so fully expect to be screwed over by them again,” adds Wosar.

GET SOME: RANSOMWARE RELIEF

• Use a program like ID Ransomware to identify the ransomware and then reach out to ransomware tech support companies like Bleeping Computer for help with fixes.
• Some anti-virus companies offer free ransomware support and/or decrypters to the public: Emsisoft, ESET, Avast and Kaspersky.
• If you have trouble sleeping or are genuinely interested in seeing ransomware decrypted in real time, check out this three-hour video of Wosar on the case.