Can you get your data without paying the ransom?

19 July 2016 by Michael Nuncic

Ransomware is one of the hottest topics in computing, data and internet security and has gained momentum over the last few months. Now, more than ever before, users – home and business users alike – are being aggressively targeted.

When a computer is infected, is there a chance of regaining the valuable data? Can this be done by the user himself? Perhaps by the company’s IT staff? Or even by data recovery specialists like Kroll Ontrack?

Types of ransomware

With ransomware like Petya, CryptoLocker or TeslaCrypt being all over the news, it is easy to forget that ransomware is not really a recent development. For several years now, viruses, Trojans and other malware have been sent over the internet to contaminate an end user’s computer by blocking it (or its files) and demanding a ransom to gain access to the data.

All ransomware is based on the idea of manipulating either a user’s hardware or software and files and then asking for ransom money in exchange for access to the blocked contents. The three main types of ransomware are:

1. Scareware

Scareware is the simplest form of ransomware. These are applications or programmes that usually appear as fake antivirus or clean-up software. These tools claim to have found dangerous viruses on a device, and the user must pay in order for the programme to remove them. In most cases real viruses or ransomware are not really installed on the hardware, so they can be “removed” quite easily. If the user takes no action, the programme will keep bombarding the user with nerve-racking pop-ups or alert windows.

2. Lock-screen viruses

Lock-screen viruses are the second most dangerous type of ransomware. After the OS starts up, they lock the user’s computer and display a full-size window with a message stating that a cybercrime was perpetrated on the device; the computer then cannot be used.

To unlock the computer again the user has to pay a certain amount of money. In most cases the data itself is neither affected nor infected, and the computer – when unlocking tools for this specific virus are not available – can be “cleaned” by reinstalling the OS.

While all the data will appear to be lost after this process, it’s very likely that data recovery experts can help to regain access to the data by using special tools.

3. The latest: ransomware + encryption

The new ransomware versions are the most dangerous ones. Even though there are more than 45 different versions at this time, they all operate in the same way. After gaining access to the victim’s computer – usually activated by the user himself when opening an email attachment like a Word or an Excel file – the ransomware infiltrates the computer’s data and file structure and encrypts every file and folder on the computer. Several ransomware versions are also able to contaminate other computers and servers that are connected via a network.

This is the most dangerous type of attack for companies since one single employee with an open internet connection or a dangerous email attachment can contaminate a whole company and bring a business to a complete halt.

Can you recover encrypted and hijacked data yourself?

Nowadays there are several how-to guides and helpful websites available to help you regain access to both the hijacked computer and the encrypted data.

It is worth noting that though in some cases the solutions offered might work, there is a potential risk you ought to be aware of: your data may be destroyed or corrupted by following these tips. If that’s the case, then even the best data recovery expert won’t be able to help you. This is a risk that any company, or any individual, without a current backup should not take.

Are data recovery experts able to overcome encryption ransomware?

The honest answer is: it will depend on the specific situation.

For example, since ransomware became widespread, our data recovery engineers at Kroll Ontrack have managed to decrypt files in many and varied cases. The software engineers from our Research and Development team have created new tools to regain access to infected drives as well as to the encrypted files.

For most of the nasty ransomware viruses that are around nowadays we have developed the tools, the know-how and the processes to recover the data from the infected hardware.

Even though Kroll Ontrack is able to recover data encrypted by, for example, such famous ransomware as Petya-Mischa, TeslaCrypt, AutoLocky and DMALocker and its variants, it is still a difficult task and the outcome depends highly on the specific case and situation.

Data recovery experts may be capable of recovering data which is encrypted by ransomware, but the best defence we recommend against any form of ransomware is to be fully protected.