
Possible steps to take after computer has been infected with unfixable ransomware

2 replies to this topic

#1 johndoh


  • Members
  • 7 posts
  • Local time:12:10 PM

Posted 10 August 2016 - 03:11 PM

Hello there.
A friend of mine brought his laptop to me, in hopes that I might retrieve the files that were infected by ransomware. Given that the ransomware used to encrypt the files is something called CrypMIC, which remains unfixable to this date, I was thinking about what my options are with this computer.
I've read that there is a small possibility to retrieve a small percentage of files through file recovery software, but this could probably recover thousands of files and it'd probably take days to browse through these to get the actual photos or documents my friend would actually want.
I'm wondering if there are any tricks or tips that might help me sort through tons of files effectively?
Then I've been thinking that there is a slight possibility that this particular ransomware, CrypMIC, could be fixed some day. It could be a few months, could be years. Given that, these days, the price of 1GB of hard drive space isn't that large anymore, is it possible to just back up the whole drive somewhere, I don't know, in an ISO, RAR or whatever format?
If it's possible, how would one actually do it?
And if I could actually transfer this huge ISO/RAR somewhere for the future, say on another partition or an external HDD, are there any dangers behind it? Say I'd put this ISO/RAR on another partition, leave it there, start installing new Windows and let my friend continue using his computer; would the ISO/RAR be able to infect the newly installed Windows on the other partition and the files downloaded there?
Or if I'd back up the ISO/RAR on the external HDD and connect this to another computer, would it get infected?
Then the final question - what mechanisms could I use, which programs could I use, how could I limit the operating system and the rights, so that my friend, his wife and kids wouldn't mess up the computer again? Are there any possibilities to ask for the password every time someone installs software? Would that even help? I mean, kids want to install games too, so they'd have to ask for the password every time, and I'm not sure how comfortable that'd be.
I haven't really thought about those things when I've installed Windows for my other acquaintances. I haven't limited anything, so they have full permissions to do everything. All I've done has been installing the programs people have listed for me and anti-virus software (I've installed Comodo). So I'm wondering what my options are when I'm installing new Windows for him?
So a wall of text above, but I'll try to summarise it.
1) The computer is infected with unfixable ransomware. File recovery has reportedly given somewhat good results, getting a small percentage of the encrypted files back. Then again, going through tons of files would be a pain. Are there any tools/tips that'd help me sort and browse through those files? Or should I just let him do it? Should I just copy the recovered files to an external HDD? Then again, wouldn't those recovered files infect the external HDD?
2) Are there any tools that'd help me pack the whole system into one ISO/RAR, so that if some day in the future a fix is made for CrypMIC, I could just use the ISO/RAR, apply the fix to it, and he could get all his files back? I'd appreciate a step-by-step guide.
3) If there actually is a possibility to make one giant ISO/RAR, would the viruses/ransomware spread through this ISO/RAR to a newly installed system, if it sat on an external HDD or another partition?
4) What should I keep in mind when I'm installing the new Windows? I'd also appreciate a guide on this too, or even a video that'd show me if there are any tips on where and what I should limit, so that he wouldn't come back to me in a few years telling me that his system has been infected again with ransomware or any sort of virus. Of course I'll tell him to back up regularly.


#2 quietman7


    Bleepin' Janitor

  • Global Moderator
  • 50,742 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:06:10 AM

Posted 10 August 2016 - 03:34 PM

When you discover that your computer is infected with ransomware you should immediately create a copy or image of the entire hard drive. Doing that allows you to save the complete state of your system (and all encrypted data) in the event that a free decryption solution is developed in the future. In some cases, there may be decryption tools available but there is no guarantee they will work properly since the malware writers keep releasing new variants in order to defeat the efforts of security researchers.

Imaging the drive backs up everything related to the infection including encrypted files, ransom notes and registry entries containing possible information which may be needed if a solution is ever discovered. The encrypted files do not contain malicious code so they are safe. Even if a decryption tool is available, they do not always work correctly so keeping a backup of the original encrypted files and related information is a good practice.

Crypto malware ransomware is typically programmed to automatically remove itself...the malicious files responsible for the infection...after the encrypting is done since they are no longer needed. The encrypted files do not contain malicious code so they are safe. Unfortunately, most victims do not realize they have been infected until the ransomware displays the ransom note and the files have already been encrypted. As such, they don't know how long the malware was on the system before being alerted or if other malware was installed along with the ransomware. If other malware was involved it could still be present so be sure to perform full scans with your anti-virus.

If your antivirus did not detect and remove anything, additional scans should be performed with other security programs like Malwarebytes Anti-Malware and Emsisoft Anti-Malware. You can also supplement your anti-virus or get a second opinion by performing an Online Virus Scan...ESET is one of the more effective online scanners.

As with most ransomware infections...the best solution for dealing with encrypted data is to restore from backups. These types of infections typically will delete all Shadow Volume Copies so that you cannot restore your files via System Restore, native Windows Previous Versions or using a program like Shadow Explorer. But it never hurts to try in case the malware did not do what it was supposed to do...it is not uncommon for ransomware infections to sometimes fail to properly delete Shadow Volume Copies. In some cases the use of file recovery software such as R-Studio or Photorec may be helpful to recover some of your original files but there is no guarantee that will work.

If that is not a viable option and there is no decryption fix tool, the only other alternative is to backup/save your data as is and wait for a possible breakthrough...meaning, what seems like an impossibility at the moment (decryption of your data), there is always hope someday there may be a potential solution so save the encrypted data and wait until that time. Imaging the drive backs up everything related to the infection including encrypted files, ransom notes and registry entries containing possible information which may be needed if a solution is ever discovered.

Grinler (aka Lawrence Abrams), the site owner of Bleeping Computer, has said this...

"If you are affected by ransomware and do not plan on paying the ransom, the best bet is to immediately image the drive before doing anything else. Then in the future if there is a way to decrypt the files you have everything you may need to do so."

Unfortunately, I am not aware of any way to decrypt CrypMIC encrypted data without paying the ransom.

When or if a solution is found, that information will be provided in the appropriate support topic and you will receive notification if subscribed to it. In addition, a news article most likely will be posted on the BleepingComputer front page.

There is an ongoing discussion in this topic where you can ask questions and seek further assistance. Other victims have been directed there to share information, experiences and suggestions.

For the best defensive strategy to protect yourself from malware and ransomware (crypto malware) infections, see my comments (Post #2) in this topic...Ransomware avoidance.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
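The imaging step quietman7 recommends, written out as an added shell example for a Linux live CD session (this is not code from the thread or from BleepingComputer). The infected OS must not be running while the image is taken, which is why it is done from live media. The device path /dev/sdX and the mount point /mnt/external are placeholders; the script records a SHA-256 alongside the image so that a copy made to another drive, possibly years later, can be checked before anyone tries a decryptor on it.

```sh
#!/bin/sh
# Added example, not from the thread: image the infected disk from a Linux
# live CD and record a hash so the copy can be checked years later.
# Placeholders: /dev/sdX (infected disk) and /mnt/external (external HDD).
set -eu

# image_disk SOURCE DEST: bit-for-bit copy of SOURCE into the file DEST,
# then hash both and write DEST.sha256 so the image can be re-verified later.
image_disk() {
    src="$1"; dst="$2"
    # Plain dd with a large block size; no conv=sync, so DEST is exactly
    # as long as SOURCE and the two hashes are directly comparable.
    dd if="$src" of="$dst" bs=4M
    src_sum=$(sha256sum "$src" | cut -d' ' -f1)
    sha256sum "$dst" > "$dst.sha256"
    dst_sum=$(cut -d' ' -f1 "$dst.sha256")
    # Non-zero exit here means the image does not match the disk: redo it.
    [ "$src_sum" = "$dst_sum" ]
}

# verify_image DEST: re-check DEST against the hash recorded at imaging time
# (run this after copying the image to another drive, or before decrypting).
verify_image() {
    sha256sum -c "$1.sha256" >/dev/null
}

# Usage from the live CD, with the real device name substituted:
#   image_disk /dev/sdX /mnt/external/laptop.img
#   verify_image /mnt/external/laptop.img
```

Two practical points. A full image carries the whole operating system, so if other malware was dropped alongside the ransomware (the case quietman7 warns about), its executables are in the image too; treat the image file as data, never boot it, and if you mount it to look inside, mount it read-only and noexec. The encrypted files themselves are inert, as stated above, and a file that is only ever stored and copied does not run. Second, if the drive already has unreadable sectors, plain dd will stop at the first read error; GNU ddrescue is the usual tool for a failing disk because it skips bad areas and retries them later.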

#3 johndoh

  • Topic Starter

  • Members
  • 7 posts
  • Local time:12:10 PM

Posted 12 August 2016 - 03:44 PM

I have some additional questions.
Quoting quietman7: "In some cases the use of file recovery software such as R-Studio or Photorec may be helpful to recover some of your original files but there is no guarantee that will work."
I tried using Recuva and PhotoRec and ended up with tons of files. I used Windows' search function to sort out all the images that were over 1 MB. Then I had to find out which files were actually legit JPEG files - but there's no way I'd browse through 10,000 files manually and see if Windows shows a thumbnail of it (if it shows a thumbnail, it'd be a healthy JPEG).
I found a program called jpeginfo, under Ubuntu (used liveCD), and that program processed through those >1MB files. When jpeginfo found that an image was corrupted, it'd delete it, and now I have around 3000 photos.
And then I used a program called Fslint under Ubuntu, which allowed me to get rid of the duplicates. Now I've ended up with ~2000 photos.
So those 2000 photos are actually healthy, which aren't encrypted and which I could retrieve with file recovery software and there were actually a whole bunch of photos, that weren't actually encrypted in the first place.
Then again, my friend, whose computer it is, said, there are somewhat important documents here too, but I have no idea, how I should process these. I think I'll just hand him the folder with recovered documents and he'll have to look into it himself and find which of those are healthy and which aren't.
Now my plan is the following:
1) boot to Ubuntu using liveCD
2) hook up the external HDD
3) copy the folders retrieved using file recovery software - pictures folder and documents folder on to external HDD
I'm wondering if it's safe to hook up the external HDD to a potentially infected machine? Or would I not have any problems if I copied those two folders to my external HDD using Linux, since that Linux, coming from DVD, should be clean? Or could I infect my external HDD?
Then, if I've copied those two folders, I'd think of creating an image file of the hard drive. I know no tools which do it and I have no experience with those, so I should probably investigate it.
But there's also another concern. Do I have to scan with the tools you mentioned - Malwarebytes Anti-Malware, Emsisoft Anti-Malware, ESET Online and the Comodo anti-virus - BEFORE I create the image? Because my plan is to create this image and also probably copy this image to an external HDD, and I'd want the image to be clean and not spread any malware to my external HDD through this image.
I tried scanning the system with Malwarebytes Anti-Malware, but it'd scan for too long, so I quit it, because I didn't want it to stay running while I was out of the house. But if it's necessary to perform the scans with mentioned programs before, I'm willing to do it.
While I wait for you, or anyone else, to reply, I'll look for some tutorials on YouTube on this imaging thing. I hope it's not anything that difficult.
And thanks for replying quietman7, I really appreciate help from smarter people!
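The jpeginfo-then-FSlint pass johndoh describes, reduced to a self-contained shell example for the same Ubuntu live CD (added here; not code from the thread, from jpeginfo or from FSlint). is_jpeg only checks the JPEG start and end markers, which is a much weaker test than jpeginfo's full decode but catches files whose head or tail was overwritten or never recovered; triage_jpegs then keeps one copy of each distinct valid file by SHA-256. The sample "recovery folder" is constructed inside the script. Unlike the steps above, nothing is deleted: candidates are copied into a separate folder, so a file the marker check wrongly rejects is still there for a second look.

```sh
#!/bin/sh
# Added example, not from the thread: triage a folder of carved files by
# (1) keeping only files framed as JPEGs and (2) dropping byte-identical
# duplicates. Output goes to a separate folder; the source is left untouched.
set -eu

# is_jpeg FILE: true when FILE starts with SOI (FF D8) and ends with EOI (FF D9).
# This is a structural sanity check only; a decoder-level check is stricter.
is_jpeg() {
    head_bytes=$(head -c 2 "$1" | od -An -tx1 | tr -d ' \n')
    tail_bytes=$(tail -c 2 "$1" | od -An -tx1 | tr -d ' \n')
    [ "$head_bytes" = "ffd8" ] && [ "$tail_bytes" = "ffd9" ]
}

# triage_jpegs SRC_DIR OUT_DIR: copy each valid, previously unseen JPEG from
# SRC_DIR into OUT_DIR (prefixed with its hash so names never collide) and
# print how many were kept.
triage_jpegs() {
    src="$1"; out="$2"
    mkdir -p "$out"
    kept=0
    seen=""
    for f in "$src"/*; do
        [ -f "$f" ] || continue
        is_jpeg "$f" || continue
        sum=$(sha256sum "$f" | cut -d' ' -f1)
        # Same hash as an earlier file: byte-identical duplicate, skip it.
        case " $seen " in *" $sum "*) continue ;; esac
        seen="$seen $sum"
        cp "$f" "$out/$sum-$(basename "$f")"
        kept=$((kept + 1))
    done
    echo "$kept"
}

# make_sample_recovery DIR: constructed stand-in for a recovery folder (not
# real recovered data): two distinct minimal JPEG-framed files, one exact
# duplicate, one file cut off before EOI, and one non-JPEG.
make_sample_recovery() {
    mkdir -p "$1"
    printf '\377\330\377\340JFIF-photo-one\377\331' > "$1/photo1.jpg"
    cp "$1/photo1.jpg" "$1/photo1_copy.jpg"
    printf '\377\330\377\340JFIF-photo-two\377\331' > "$1/photo2.jpg"
    printf '\377\330\377\340JFIF-cut-off' > "$1/damaged.jpg"
    printf 'This is a text document, not an image' > "$1/notes.txt"
}

# Self-check on the constructed samples; point triage_jpegs at the real
# recovery folder and an empty output folder instead when using this.
demo_dir=$(mktemp -d)
make_sample_recovery "$demo_dir/recovered"
echo "kept $(triage_jpegs "$demo_dir/recovered" "$demo_dir/clean") distinct valid JPEGs"
```

For the documents johndoh mentions, the same two-step idea applies with a different framing check (for example, older Office files begin with D0 CF 11 E0 and newer ones are ZIP containers starting with 50 4B), and the hash-based duplicate removal is format-independent.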
