Ransomware: How do I recover my files?

August 4, 2019

Ransomware: How do I recover my files?

2017 was officially dubbed the cyber year of Ransomware, which all started with the WannaCry outbreak in May of that year. WannaCry was estimated to hit approximately 200,000 devices in 150 countries and had a major impact on the UK National Health Service (NHS).

WannaCry was the first Ransomware to include worm-based behaviour, spreading itself automatically and infecting other devices; thus making it a devastating piece of malware.

At this point, little did we know that an even moredevastating attack was just around the corner. Less than two months later inJuly 2017, the Nyetya ransomware emerged and made WannaCry look small fry.

Nyetya (aka NotPetya) took it to another level with itsdestructive nature. Not only could it manually move throughout the network likeWannaCry and encrypt files, but it also cleared event logs and deleted datafrom the infected device’s hard drive, making it unrecoverable. Nyetya became thefirst wiper ransomware seen in the wild.

One of the biggest victims of Nyetya was the shipping giantMaersk, who lost $300 million to the recovery of the ransomware attack. Theattack shut down Maersk operations for several weeks, closing over 70 portterminals around the world.

In 2018 we saw a downturn in the amount of ransomwareattacks in the wild, as we witnessed a significant rise in a new threat, the CryptoMining malware. This trend away from ransomware was short lived and it never wentaway completely.

At the halfway point in 2019, ransomware has put itself firmlyback on the map as one of the largest threats in cyber security today. With anapproximate 300% rise in ransomware attacks against business this year, itappears that it’s here to stay.

What exactly is Ransomware?

Ransomware is a type of malicious software (malware) that infects vulnerable machines, with a goal to encrypt a user’s files, making the data unusable and holding it to ransom.

WannaCry Ransom Note

A ransom note is copied to the machine and instructs thevictim how to contact the attackers and pay the ransom.

Attackers typically expect to be paid with a crypto currency,such as Bitcoin, in order to cover their tracks and by paying the ransom thevictim hopes to gain access to the decryption keys which will allow them torecover their files.

Unfortunately, this is not always the case, leaving victimswith a hole in their bank balance and complete loss of their data.

The real cost of a Ransomware attack

Although the ransom fee charged by the attacker for thedecryption keys can be large, it can pale into insignificance when compared tothe cost associated with recovery from a ransomware attack and the potential lossof business.

We mentioned above the huge cost to Maersk, but morerecently two US cities have become victims of attack. Here we saw two differentscenarios with different outcomes.

Riviera Beach City Council faced a $600,000 ransom demand, withthe City of Baltimore facing a demand of $76,000. Riviera decided to pay the ransomand use their cyber insurance to help, while Baltimore decided not to pay theransom. Baltimore have since confirmed that they expect this attack to costthem over $18 million in revenue loss and recovery efforts.

If you are not securing your business and you are not properlyprepared, the ability to recover quickly and effectively from a disaster orsecurity event will be both difficult and costly. Like the Baltimore attack, thecost could significantly outweigh the original ransom demand.

How do I protect against this threat?

Preparation and prevention are the best defence against aransomware attack. Follow some fundamental principles to help protect yourorganisation.

  • Keep all your systems up to date with the latestsecurity patches.
  • Deploy an Anti-virus solution - keep it activeand up to date.
  • If possible, use an advanced anti-malwareproduct that can detect and prevent the malicious encryption of files.
  • Secure your perimeter devices – routers andfirewalls etc.
  • Do not allow management of your network directlyfrom the internet – ensure that protocols such as RDP, SMB, Telnet and managementSSH for internal services are disabled.
  • Ensure that critical systems are not accessiblefrom the internet – i.e. database servers.
  • Backup your files and systems using a cloudbased or offline solution – this is probably the most important factor, if allelse fails these backups will be needed to recover in the event of an attack, soyou should not rely on directly connected backups.

I failed to prepare now what? How do I recover my files?

So, you failed to prevent an infection, first of all, don’tpanic quite yet, you still have options.

Below are a few resources that can help to both identify thevariant of ransomware and search for available decryption tools that canprevent you from contacting the attackers and paying the ransom.

It’s worth mentioning at this point that not all ransomwarehas a free tool to decrypt your files.

No more ransom


No more ransom is an initiative driven by Europol’s EuropeanCyber Crime unit, the National High Tech Crime Unit of the Netherlands andMcAfee, to help victims of ransomware to recover their files without paying thecyber criminals.

No more ransom contains a raft of decryption tools forcertain versions of known ransomware variants.

no more ransom
No More Ransom
ID Ransomware


ID Ransomware is an online service provided by the MalwareHunterTeam and developed by Michael Gillespie (aka DemonSlay335). Like No more ransom, ID Ransomware can be used to identify which version of ransomware you have been infected with, through a sample or a copy of the ransom note.

The service can currently detect over 740 different variantsand has an option to notify you by email if more information or decryptorsbecome available.

ID Ransomware

In addition, the MalwareHunterTeam and Demonslay335 twitter feeds are great informational resources. They are also a good method to contact the guys directly if you need more info or you are struggling to identify your infection.


Kaspersky no ransom


Alternatively, security firm Kasperskyhas launched its own site that hosts several decryption tools for known versionsof ransomware.  Although not as completeas the previous two resources it’s worth noting as it may provide info in thefuture not available elsewhere.

No Ransom - Kaspersky

I can’t find a decryptor tool, is there anything more I can do?

If all else fails and you have got this far with no progressits big decision time. You’re in last resort territory, and have a couple ofoptions remaining:

Pay the ransom

Some people will disagree with this option, but paying theransom is still valid, and maybe your only option if the data lost is criticalto the running of your business.

That said paying the ransom is never a recommended option and should only ever be used a last resort. By giving in and paying up, you are funding the attackers so they can continue their malicious activities, while also opening your business up to further attacks.

As soon as the attacker knows you’re willing to pay, youbecome an easy repeatable target and should expect future attacks. Withransomware attacks its likely the attacker had access to your network so couldhave left backdoors in place for access later.

We appreciate this may be the only option for some, butplease think long and hard before paying up.

Take the hit

Alternatively, if the data lost is not business critical to youand you can survive without it, you should consider taking the hit.

This may include accepting that the data is lost anddeleting the encrypted files, or better still rebuild your infected systems andrestart from scratch.

Again, this in most cases is a difficult last resort decision, but it should always be considered. If the data or system is not business critical, then don’t take the risk of contacting the attackers and paying the ransom unless absolutely necessary.


Ransomware attacks continue to rise, especially in the businessarena.

The key to dealing with a ransomware attacks is to prepareand protect your business, so you can avoid a successful attack in the firstplace. Act on enforcing the items mentioned above, to increase your overallsecurity and reduce the likelihood of malware infection.

If you do not have the right capabilities in house it isstrongly recommended that you engage a specialist security company to assist youwith investigating the root cause of the attack, as well as helping you to recover.

Understanding how the attack happened will allow you to close the holes that the attacker used to get in and identify if any backdoors have been left in place, allowing them to return and launch another attack.

Don’t immediately assume that the attack was launched using email; although this is a very common method, companies that assume this quickly become victim of a follow-on attack, as they miss the real gap in their security.

And finally ensure that you are performing offline backups of your data so you can avoid your backup copies from being encrypted by the ransomware too.


Stuart Hare is a Technologist with a passion for helping people in all aspects of IT & Cyber Security. Stuart is the Founder of Ironshare, an Information and Cyber Security company providing consultancy and managed services.

Samuel is a Security Analyst with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.

Joshua is working as a Managed Service Lead with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.


Ironshare is a provider of Information and Cyber Security services.

we went with; wizard pi