There are two main types of ransomware: crypto ransomware and locker ransomware.
- Crypto ransomware encrypts files on a computer so that the user cannot access them.
- Locker ransomware does not encrypt files. Locker ransomware locks the victim out of their device, preventing them from using it.
This FAQ focuses on Crypto ransomware which is detected by the Secure and Govern Probable Ransomware Analysis Rule. For additional information, check out the frequently asked questions below.
What is Crypto Ransomware Recovery?
The Crypto virus is a type of ransomware that encrypts files stored on your local or network drive so that they are effectively inaccessible to you. The ransomware was introduced in 2013 and is typically carried via email attachments. Once your files are encrypted, it then offers to decrypt the data if a ransom is paid. The ransomware can be particularly troublesome for customers once the encrypted data syncs to the cloud and down to other user devices.
Due to the nature of the encrypted files and ever-evolving variations, it's difficult for anyone to 100% accurately differentiate the Crypto-encrypted files from standard encrypted files. However, Secure and Govern solution monitors content sources and provides early detection of Ransomware. In fact, with Egnyte versioning and retention policies, your files can be restored to their original state. While we’ve had 100% success rate in restoring customer’s data to date, the continued evolution of this ransomware is a risk for potential data loss.
What signs indicate a possible Crypto Ransomware infection?
Your web browser, desktop or server is locked with a message about how to pay to unlock your system and/or your file directories contain a "ransom note" file that is usually a .txt file.
Some or all of your files have a new file extension appended to the filenames and/or are encrypted.
- Examples of Ransomware file extensions: .ecc, .ezz, .exx, .zzz, .xyz, .aaa, .abc, .ccc, .vvv, .xxx, .ttt, .micro, .encrypted, .locked, .crypto, _crypt, .crinf, .r5a, .XRNT, .XTBL, .crypt, .R16M01D05, .pzdc, .good, .LOL!, .OMG!, .RDM, .RRK, .encrypt, .encryptedRSA, .crjoker, .EnCiPhErEd, .LeChiffre, .keybtc@inbox_com, .0x0, .bleep, .1999, .vault, .HA3, .toxcrypt, .magic, .SUPERCRYPT, .CTBL, .CTB2, .locky or 6-7 length extension consisting of random characters
What is Egnyte doing about Crypto Ransomware?
Secure and Govern is able to detect and disable the affected user’s account. This prevents the rampant spread of the encryption to other files. We are continually enhancing the tools to detect, recover and restore customer’s files as quickly as possible from Crypto encryption.
What should I do when a Probable Ransomware anomaly is detected?
The following steps should be followed for any Probable Ransomware detection. Please don't hesitate to open a support ticket with the Egnyte Support Team at any point in the process below.
- Understand the Probable Ransomware detected
- Secure and Govern provides the ransomware name in the detail section of Issue
- Understand the scope of Probable Ransomware detection
- Secure and Govern allows you to export the possible affected files
- Isolate the potential infected files
- Prevent the infection from spreading by separating all infected computers and files from each other, shared storage, and the network.
- Investigate the affected files found
- If analysis determines there are NO infected files, this can be considered a false-positive detection
- Select to "Ignore" the issue detected within Secure and Govern
- If analysis determines there ARE infected files, please do the following
- Select to "Fix" the issue detected within Secure and Govern. This will disable the users account
- Report to Authorities
- The FBI requests that all ransomware victims report ransomware incidents regardless of the final outcome
- Understand your options:
- Pay the ransomware - It's generally considered a bad idea to pay the ransom
- Try to remove the malware - There are several internet sites and software applications that can potentially help with the removal
- Wipe system clean and restore from backup - This approach is considered most effective, but only if you have a sound backup strategy and/or version control. In many cases, Egnyte's file versioning can help with the restore process. Ransomware often creates a "new version" of the file(s). When this occurs, the current version of the file can be deleted and restored using the "previous version" of the file.
How do I recover my Crypto Ransomware encrypted data?
- In most cases, encrypted files become the latest version of your files. With Egnyte's version control, you can revert to an older version or clean copy of the file using our Web UI.
- Some variations of Crypto deletes the original file, which can also be recovered from Trash as long as the data is within the Trash retention window. Once the data is removed from Trash, it is no longer recoverable, so it is important to report the issue as early as possible and ensure that your Trash retention policy window be adequately large.
- If a large number of files are infected, our Support team can help recover the files for you by submitting a Support request. Send the following information to our Support team and we will revert the files based on the data you provided:
- Username of the individual who got infected.
- Date when the files were uploaded to the cloud or date of infection. This information can be obtained by running an File Audit Report, in Egnyte Collaborate, if your account has the feature enabled. If you do not have the audit feature, please let us know.
- Username of the individual who got infected.
Note: A typical revert process can take up to 3-5 business days.