For the first time, I've actually managed to get my hands on a computer that's been infected by ransomware. I've heard quite a bit about it in the media, but had not actually seen one before.
So an acquaintance of mine told me: "Hey, I know you're good at IT and stuff (I know a thing or two, not sure if I'm 'that' good), could you please take a look at why most of my pictures, documents and music have suddenly become unusable."
I thought, why the hell not, and gave it a go, since it's my first time seeing a computer that has files encrypted by ransomware. So when I boot up the computer, a browser and a text document open, telling me I should visit a Tor .onion site and pay up some Bitcoins. Of course, she's not going to do that. She told me that the data that's encrypted is not that "valuable", but said she'd be glad if I could retrieve even some of the files.
So I started looking for a solution. I read that easier types of ransomware are cured by just scanning with Malwarebytes' Anti-Malware application. Well, it did find a bunch of things, but that didn't help decrypt the files. Then, for the sake of it, I tried scanning with SuperAntiSpyware, Spybot S&D (not sure if this program is relevant these days), Comodo's anti-virus and Hitman Pro. None of these helped.
Then I stumbled upon this forum, and found you have a section that helps with ransomware. From here I found a thread that links to a service that identifies which type of ransomware the files are infected with. Turns out the files are infected with a ransomware called CrypMic. I looked it up, and it seems there's no solution found yet to decrypt those files.
Now, I saw some guides recommending System Restore; although it was turned on, the oldest restore point was only a few days old, so that was out of the question. Another recommendation was to try file recovery programs, Recuva in particular. In the end I ended up recovering ~200 000 files. Going through them, it did restore some files that had been encrypted, but most of the files were still encrypted. I'm sure she's glad I got at least some family photos back, although there's some more processing and sorting to be done; just browsing through the files, it does not give much hope.
Then I thought I'd give PhotoRec a go (by selecting file types which seemed relevant), and this also ended up recovering ~200 000 files, but the problem is that it spread those recovered files across 300 folders. I'm not sure how I should process these to find the files that'd actually have some value; a downside of PhotoRec is also that it does not retain original file names. I found a batch script that goes through all the folders and moves the files into one folder; that'd help a bit to browse these files in one go, and maybe I could actually sort them by size, resolution, or anything.
Given that these files are not that important, I'm not sure how much time I'm willing to invest in browsing through them. I was thinking about whether I have any more options left before I format the hard drive and install Windows.
I have an idea, though I'm not sure if it's possible, or if there's actually a point. I've read that getting a cure/fix for some types of ransomware has taken months, sometimes even years. Since she has quite a big hard drive, I wondered if there's a way to archive the contents of the drive to a *.zip, *.iso, or whatever file, make a new partition and just copy the file there, so that if, by some luck, a fix is found to decrypt this CrypMic ransomware, I could just apply the fix to the files and she'd get her files back. So I'd have this *.iso (or whatever file type) file on one partition, and then I could install Windows on another partition. The other side of this, though, is that there may never come a day when CrypMic sees a fix to decrypt files. Given what I've read about CrypMic, that seems entirely possible.
So, I'm pretty sure you can't give me a quick solution to this problem by providing a step-by-step guide. But I was wondering what you would do if you were me. Would you just format the HDD and not hassle with it? So yeah, long story short, what are my options, if any?