Weybridge Computer Services


Ransomware attack on NHS - WannaCry , WanaCrypt0r 2.0 ...

Ransomware attack on NHS - WannaCry , WanaCrypt0r 2.0 ...
WCS.Tony - Sat May 13, 2017 @ 10:56AM
Comments: 0

Whatever you do - DO NOT PAY THE CROOKS

1. Turn off the PC
2. Report it to the police
3. Call a reputable PC support company.

I've had some experience with these attacks and they usually encrypt all your data, then pop up a message saying PAY ME TO GET YOUR DATA BACK.
Now if you have kept your PC updates as Microsoft suggest and have a current reputable antivirus running you should be OK.
Obviously you still have to be careful when you click on email links or run / open attached files (save should not do any harm).
The best defence is not to load the virus in the first place!

Your second line of defence is to take regular backups of your data, I can always reinstall Windows (even if we have to buy a copy) but YOUR data is unique to YOU. All your photos of the kids, friend’s addresses, typed letters to the solicitor etc. For the sake of £50 buy an external USB drive and use it to backup at regular intervals - once a week, a month, whatever. I would also recommend that you backup to different files or folder – not just overwrite the only copy each time. For example what would happen if you backed up your encrypted files to you only backup copy? You could have Backup-Jan, Backup-Feb etc., or Monday, Tuesday.... you get the idea.If you are really concerned or careful – each back up could be on a different USB drive. Work out what you want / need for your data and DO IT.

Obviously you will need to unplug the drive from the PC afterwards; otherwise the ransom ware will also encrypt your backup.
Personally I back up to an external USB drive and make regular secondary backups to DVDs that I store away from the PC.

Now back to "help I've lost all my data and they want £300".

Killing the nasty virus is not usually a problem to an experienced PC support technician.

This must be done before anything else as otherwise any files you attach (like trying to restore from your backups) will also get encrypted before you get a chance to copy them back. Once the virus has been stopped you can recover your old files from the backup just by copying them back.

If backups are not available, or very old, I have usually managed to crack the encryption key(s) but and here is the big BUT I need an encrypted file and the same file before it was encrypted. Usually one key un-encrypts all the user files, but quite often I had to get the key on several different files and keep un-encrypting until they are all back. Usually this is just restricted to user files but I've had instances where several system / software files that had also been encrypted.

A few customers who did not have ANY backups on USB drives, sticks or DVDs. Not even any files in OneDrive, Google Docs (both FREE) or Dropbox / Carbonite / Crash Plan etc. Luckily for them they were old customers and I always put a document detailing what I have done on their PC and any log files I created. This is stored as a DOC(x) or RTF file on their PC and I keep a copy for reference. I was able to use those files to hack the encryption keys, and restore all their data.

So basically:

  • Keep your system and antivirus software up to date.
  • Take regular backups and keep the copies (more than one) safe and away from your PC.
  • Google how to spot SPAM and what to do with email links and attachments, or how to avoid ransomware. No matter how good your system is at protecting itself it’s far better if you don’t do anything silly and let the attack in. Knowledge is power!
  • Finally there are many free (and paid) dedicated anti ransomware programs out there, you may wish to try one.

I should add that currently (13/05/2017) there is no decryptor available for the Wannacry attack that hit the NHS. Unless you have backed up your data you are in trouble. It may be possible to recover the original / deleted files using specialist recovery software but apparently the virus tries to stop that as well. Even if the old deleted files were on the disk after the infection every time you boot, every time you use your PC it will write data to the disk and there is a greater and greater chance that your old files will be completelly overwritten by new files.

If you have not been infected BACK UP NOW!

Comments: 0

Post a Comment

powered by Doodlekit™ Free Website Builder