
How to recover your system from a Ransomware attack

Mar 25, 2024
Hello, how are you? My name is Steve Ragan with CSO Online, and yesterday I infected this computer with ransomware. Today I will try to fix it and show you how. The first thing I will do here is restart Windows 10 in safe mode, but it is not as simple as restarting your computer and pressing F8. There are actually things you need to do to be able to see my screen, and what I'm going to do is go down here to the Home button and I'm going to press power, but before I press restart I'm going to hold down the Shift key.
Now there are times while those systems reboot that you won't be able to see my screen from the live feed, so we have a camera over my shoulder, as you can probably see, and we're going to record this. So after restarting the computer in safe mode, once you set the options, you will no longer see the live stream, so I will describe to you what I am doing and what I am seeing; that way you will still have a basis of what is happening. So hold down the Shift button, and I'm going to click restart. Now that the computer is back up, you'll see I have three options to choose from.

The first thing I'll do is click Troubleshoot. Now, once that screen appears, you will click on Advanced Options and then Startup Settings. From this point on, you probably won't see a live transmission, but once you are in the startup settings you will see a list of things they could do for you and a little button that says Restart. Just click Restart. This will put your computer into a selective boot mode, and what will happen is, once you boot from BIOS and return to the OS, you will be shown a list of things. This list requires your function keys, F1, F2, etc., and the one you want to press for safe mode is F4, so once that startup settings screen appears, press F4 on your keyboard and it will boot your computer into safe mode.
Safe mode is a very basic loading of Windows; only the minimums are put in, and the reason we are booting into safe mode is because I am going to try to install an antivirus, scan my computer and see if I can remove Locky that way. Now, that's not going to decrypt my files. I'll still need backups for that, but there's no point in uploading backups to my computer or uploading files to my computer if Locky is still there, because it will just encrypt them and I won't be able to recover them. So we reboot into safe mode. If it looks strange, don't worry about that.

So once safe mode loads you need to install some anti-malware, and what I did was download and install Malwarebytes Anti-Malware and Hitman Pro; both are free. I also updated both software versions, and now I'm going to run scans on the system with them. My hope is that by doing so I can find and remove Locky, but there is no guarantee, but we will try anyway. Passive scanning with Malwarebytes: it detected Locky and went to remove it. A reboot was necessary; the reboot took me back to my normal desktop, so I did the whole process again, rebooting into safe mode, and now that that's all done, what I have in front of me is Malwarebytes.
I open it again and I'm in safe mode, so I'll come here to Scan and I'll select the custom scan and I'll set it to scan the entire C drive and the entire E drive. If you remember, the E drive is my at-at storage which was encrypted when blocking it, and the reason I do this is to make sure that if there is anything pending, it will be on the left side of the screen here from Malwarebytes; check the box that says rootkits and then press Scan. This scan will take some time, so sit back and let it run, and then once it's done we'll continue. Fine, so after about 46 minutes Malwarebytes finished and found nothing, and the next step is to install the Hitman Pro update and then run it as a scan.
Remember that Malwarebytes already found Locky, which is good, so now we'll let Hitman Pro run, because we'll see if there's anything else it needs to get or anything else we need to take care of. So I ran Hitman. It took me a few minutes to run it and I found some cookies and other things, but nothing major. We have rebooted out of safe mode or returned to our usual mode. On the desktop, we have a horrible looking background that, if you right click and select Customize, as you can see on the screen that I'm giving you right there, you just choose all of that from there. But what I am going to do now is restore my computer to a previous state.
I'm going to right click, go to System, and this will appear. I'm going to click on System Protection; you'll see System Restore and, lo and behold, I have an automatic restore point from before this computer was infected. It will tell you that once it has started, it can't be stopped. Okay, I'm just going to say yes and it will prepare to restore the system. This is going to take some time, so we're going to let this run and I'll be right back. So we start the system restore and, like on a cooking show, how they put it in the oven and suddenly the finished products are waiting for you, well, the finished product is waiting for you, because yesterday, while we were infecting one laptop with ransomware, we actually infected two laptops with ransomware, because why break one machine when you can break several?
As you can see, I have a pretty bleak history, because when I did a system restore I had nothing on this computer, and if we look in My Documents, everything is gone. So I'm going to right click on the Start button, go to Control Panel and select Backup and Restore, because what I'm going to do is restore my files from a backup, which was the external backup that I mentioned earlier. So I'm going to select another backup, come here, choose the top one, because that's what I want to search in the folders. When I did the backup I was in the administrator account, which means everything I need is in the Documents folder. Add that folder, select Next, and I'll tell it to go to Steve's documents folder.
Now we're not going to do a direct replacement. Hit Restore and Finish. When you open the documents here, obviously you have to go to what the permission will tell you I do, there you go, all the files that were encrypted have been restored. To give you an idea of the pain: instead of just re-imaging the machine like your IT department would do, we did this manually and it took about four and a half hours, and that's not including the time I'm going to spend now downloading and installing Microsoft Office again and things like that. But the big advantage here is that I was able to recover my files from the backup and I'm going to get all of that back, and I didn't have to pay two thousand dollars. To get more information about ransomware, and of course all the other up-to-date news about ransomware and things like that, you can look for it on CSO Online.

Again, my name is Steve Ragan and this is recovering from ransomware. See you soon.
