First of all, excuse my English; I may use some wrong sentences. I am writing from Italy.
For several months I have been reading posts asking for help.
I think a blog is useful when it gives answers, but I also think that if the questions are always of the same type, the blog loses its role.
For this reason, after having helped thousands of customers hit by a ransomware variant in the last 3 years, I would like to spend some words on how a cryptolocker works and on when you can, or cannot, solve your problem.
1) A cryptolocker can hit your computer basically in two ways. The first is an infected attachment/link in a spam email, or a virus inoculated through an infected website. The second is a direct RDP attack on your server/computer. The second one is the most dangerous, because when a pirate logs in he can do anything (he removes the antivirus, clears the shadow copies, erases backups and more....).
2) The targets of the crypto attack are your important files: DOC, PDF, XLS, JPG are the most common, but also databases and several other file extensions.
3) Data recovery software is useless when you are hit by a cryptolocker. Recovery software works when you accidentally erase one or more files and need to recover them (and it works only if you are fast and you have not written new files to the drive where the deleted files were; if you overwrite the sectors of the erased file you will not recover it). A cryptolocker doesn't erase files. It overwrites them. No erased file, NO RECOVERED FILES!
4) Some cryptolocker variants have been deciphered in the last few years. But a lot are still unrecoverable.
5) The latest cryptolocker variants have no possibility of decryption. If you search, you can see that the last known decrypters are some months old....
Do you need to have your files back? Don't ask for magic! Magic is not possible.
When my customers ask me what to do, and when I understand that they could have to close their offices without the encrypted files, I make these considerations:
1) Server reinstallation (after a backup of the encrypted data has been made) and applications reinstallation and configuration: € 1.000/2.000
2) Data restoration. If they have a backup, how old is it (usually months...)? How many days, weeks, months will they lose after a crypto attack? How much will it cost the customer to rebuild all the lost data? How many people for how many days will work on it? Imagine 3 people for 1 week (I want to be optimistic): € 1.500/2.000
3) What is the damage to your image in the eyes of your customers? They will not be happy, and maybe some will leave you. Imagine you are a lawyer and a customer learns that your server is not failsafe and secure. He knows that his private problems are inside your server and they are not safe. For each customer that leaves the lawyer, the cash flow decreases. Let's say that a lawyer's customer brings € 1.000/2.000 per year.
4) Final step: maths! Let's sum 1.000 + 1.500 + 1.000 and we reach € 3.500 if we consider the lowest values, € 6.000 if we consider the highest.
Now, consider that the money requested for a cryptolocker usually starts from 1 Bitcoin, but that you can find an agreement for 0.5 or less if you are skilled (I have personally reached 96 agreements). Consider that 0.5 Bitcoin at this moment is equal to € 4532,50.
Consider that if you pay you can solve the problem in no more than 48 hours.
A lot of customers tell me they are afraid that after payment they will not receive the decrypter. 96 times it didn't happen. 96 times we received the decrypter and, if needed, full support if something didn't work correctly (yes, it has happened that we received a wrong decrypter: an email with a description of the problem, and a new, correct decrypter in a few hours).
Please keep in mind that I am not saying that you should pay the ransom. It's always a RANSOM. It's ILLEGAL. Whoever uses ransomware to make money is not an honest person. I AM NOT DEFENDING THE HACKERS.
I simply say that, if you analyze the problem and search for the best solution for you or your customer, you must consider that time is money. And some firms don't have time to lose.
FINAL CONSIDERATION: If a crypto virus hits your computer and does damage, the first person responsible is not the hacker. It's the IT manager that didn't configure the computer properly. Robust backups, strong antivirus, hardware firewalls, staff training, renewal and control of the IT infrastructure have a cost. You can spend it to keep your systems updated. Or you will probably spend it later, making hackers rich and remaining with old infrastructure.
Make your choices.