Ransomware: How do I recover my files?

2017 was officially dubbed the cyber year of Ransomware, which all started with the WannaCry outbreak in May of that year. WannaCry was estimated to hit approximately 200,000 devices in 150 countries and had a major impact on the UK National Health Service (NHS).

WannaCry was the first Ransomware to include worm-based behaviour, spreading itself automatically and infecting other devices; thus making it a devastating piece of malware.

At this point, little did we know that an even more devastating attack was just around the corner. Less than two months later in July 2017, the Nyetya ransomware emerged and made WannaCry look small fry.

Nyetya (aka NotPetya) took it to another level with its destructive nature. Not only could it manually move throughout the network like WannaCry and encrypt files, but it also cleared event logs and deleted data from the infected device’s hard drive, making it unrecoverable. Nyetya became the first wiper ransomware seen in the wild.

One of the biggest victims of Nyetya was the shipping giant Maersk, who lost $300 million to the recovery of the ransomware attack. The attack shut down Maersk operations for several weeks, closing over 70 port terminals around the world.

In 2018 we saw a downturn in the amount of ransomware attacks in the wild, as we witnessed a significant rise in a new threat, the Crypto Mining malware. This trend away from ransomware was short lived and it never went away completely.

At the halfway point in 2019, ransomware has put itself firmly back on the map as one of the largest threats in cyber security today. With an approximate 300% rise in ransomware attacks against business this year, it appears that it’s here to stay.

What exactly is Ransomware?

Ransomware is a type of malicious software (malware) that infects vulnerable machines, with a goal to encrypt a user’s files, making the data unusable and holding it to ransom.

WannaCry Ransom Note

A ransom note is copied to the machine and instructs the victim how to contact the attackers and pay the ransom.

Attackers typically expect to be paid with a crypto currency, such as Bitcoin, in order to cover their tracks and by paying the ransom the victim hopes to gain access to the decryption keys which will allow them to recover their files.

Unfortunately, this is not always the case, leaving victims with a hole in their bank balance and complete loss of their data.

The real cost of a Ransomware attack

Although the ransom fee charged by the attacker for the decryption keys can be large, it can pale into insignificance when compared to the cost associated with recovery from a ransomware attack and the potential loss of business.

We mentioned above the huge cost to Maersk, but more recently two US cities have become victims of attack. Here we saw two different scenarios with different outcomes.

Riviera Beach City Council faced a $600,000 ransom demand, with the City of Baltimore facing a demand of $76,000. Riviera decided to pay the ransom and use their cyber insurance to help, while Baltimore decided not to pay the ransom. Baltimore have since confirmed that they expect this attack to cost them over $18 million in revenue loss and recovery efforts.

If you are not securing your business and you are not properly prepared, the ability to recover quickly and effectively from a disaster or security event will be both difficult and costly. Like the Baltimore attack, the cost could significantly outweigh the original ransom demand.

How do I protect against this threat?

Preparation and prevention are the best defence against a ransomware attack. Follow some fundamental principles to help protect your organisation.

  • Keep all your systems up to date with the latest security patches.
  • Deploy an Anti-virus solution – keep it active and up to date.
  • If possible, use an advanced anti-malware product that can detect and prevent the malicious encryption of files.
  • Secure your perimeter devices – routers and firewalls etc.
  • Do not allow management of your network directly from the internet – ensure that protocols such as RDP, SMB, Telnet and management SSH for internal services are disabled.
  • Ensure that critical systems are not accessible from the internet – i.e. database servers.
  • Backup your files and systems using a cloud based or offline solution – this is probably the most important factor, if all else fails these backups will be needed to recover in the event of an attack, so you should not rely on directly connected backups.

I failed to prepare now what? How do I recover my files?

So, you failed to prevent an infection, first of all, don’t panic quite yet, you still have options.

Below are a few resources that can help to both identify the variant of ransomware and search for available decryption tools that can prevent you from contacting the attackers and paying the ransom.

It’s worth mentioning at this point that not all ransomware has a free tool to decrypt your files.

No more ransom


No more ransom is an initiative driven by Europol’s European Cyber Crime unit, the National High Tech Crime Unit of the Netherlands and McAfee, to help victims of ransomware to recover their files without paying the cyber criminals.

No more ransom contains a raft of decryption tools for certain versions of known ransomware variants.

no more ransom
No More Ransom
ID Ransomware


ID Ransomware is an online service provided by the MalwareHunterTeam and developed by Michael Gillespie (aka DemonSlay335). Like No more ransom, ID Ransomware can be used to identify which version of ransomware you have been infected with, through a sample or a copy of the ransom note.

The service can currently detect over 740 different variants and has an option to notify you by email if more information or decryptors become available.

ID Ransomware

In addition, the MalwareHunterTeam and Demonslay335 twitter feeds are great informational resources. They are also a good method to contact the guys directly if you need more info or you are struggling to identify your infection.


Kaspersky no ransom


Alternatively, security firm Kaspersky has launched its own site that hosts several decryption tools for known versions of ransomware.  Although not as complete as the previous two resources it’s worth noting as it may provide info in the future not available elsewhere.

No Ransom – Kaspersky

I can’t find a decryptor tool, is there anything more I can do?

If all else fails and you have got this far with no progress its big decision time. You’re in last resort territory, and have a couple of options remaining:

Pay the ransom

Some people will disagree with this option, but paying the ransom is still valid, and maybe your only option if the data lost is critical to the running of your business.

That said paying the ransom is never a recommended option and should only ever be used a last resort. By giving in and paying up, you are funding the attackers so they can continue their malicious activities, while also opening your business up to further attacks.

As soon as the attacker knows you’re willing to pay, you become an easy repeatable target and should expect future attacks. With ransomware attacks its likely the attacker had access to your network so could have left backdoors in place for access later.

We appreciate this may be the only option for some, but please think long and hard before paying up.

Take the hit

Alternatively, if the data lost is not business critical to you and you can survive without it, you should consider taking the hit.

This may include accepting that the data is lost and deleting the encrypted files, or better still rebuild your infected systems and restart from scratch.

Again, this in most cases is a difficult last resort decision, but it should always be considered. If the data or system is not business critical, then don’t take the risk of contacting the attackers and paying the ransom unless absolutely necessary.


Ransomware attacks continue to rise, especially in the business arena.

The key to dealing with a ransomware attacks is to prepare and protect your business, so you can avoid a successful attack in the first place. Act on enforcing the items mentioned above, to increase your overall security and reduce the likelihood of malware infection.

If you do not have the right capabilities in house it is strongly recommended that you engage a specialist security company to assist you with investigating the root cause of the attack, as well as helping you to recover.

Understanding how the attack happened will allow you to close the holes that the attacker used to get in and identify if any backdoors have been left in place, allowing them to return and launch another attack.

Don’t immediately assume that the attack was launched using email; although this is a very common method, companies that assume this quickly become victim of a follow-on attack, as they miss the real gap in their security.

And finally ensure that you are performing offline backups of your data so you can avoid your backup copies from being encrypted by the ransomware too.

Ironshare – Security Simplified