There are two main types of ransomware: crypto ransomware and locker ransomware.
- Crypto ransomware encrypts files on a computer so that the user cannot access them.
- Locker ransomware locks the victim out of their device, preventing them from using it. This type of ransomware does not encrypt files.
This FAQ article mostly focuses on Crypto ransomware which is detected by the Secure & Govern Probable Ransomware Analysis Rule.
What is Crypto Ransomware Recovery?
The Crypto virus is a type of ransomware that encrypts files stored on a local or network drive so that they are effectively inaccessible. The ransomware was introduced in 2013 and is typically carried via email attachments. Once the files are encrypted, it then offers to decrypt the data if a ransom is paid. The ransomware can be particularly troublesome for customers once the encrypted data syncs to the cloud and down to other user devices.
Due to the nature of the encrypted files and ever-evolving variations, it's difficult for anyone to 100% accurately differentiate the Crypto-encrypted files from standard encrypted files. However, Egnyte Secure & Govern solution monitors content sources and provides early detection of Ransomware. In fact, with Egnyte versioning and retention policies, files can be restored to their original state. Although Egnyte has achieved a 100% success rate in restoring customer data so far, the ongoing evolution of this ransomware presents a risk of potential data loss.
What Signs Indicate a Possible Crypto Ransomware Infection?
A web browser, desktop, or server may be locked with a message demanding payment to unlock the system, and file directories may contain a 'ransom note' file, typically in .txt format.
Files may have a new extension appended to their filenames and/or be encrypted.
- Examples of Ransomware file extensions: .encryptedAES, .ezz, .1txt, .egnigma, .zzz, .aaa, .abcd, .block, .cdrpt, .vvv, .Tesla, .xcri, .micro, .lockedfile, .cryptolocker, _crypt, .missing, .r5a, .xrtn, .adam, .crypt38, .2lwnPp2B, .pzdc, .just, .OMG!, .RDM, .RRK, .encryptedRSA, .crjoker, .7z.encrypted, .LeChiffre, .0x0, .1999, .ha3, .toxcrypt, .SUPERCRYPT, .CTBL, .lockymap or 6-7 length extension consisting of random characters
What is Egnyte Doing About Crypto Ransomware?
Egnyte Secure & Govern is able to detect and notify the administrator of the affected user's account so that corrective actions can be taken. This prevents the rampant spread of encryption to other files. Egnyte is continually enhancing the tools to detect, recover and restore customers’ files as quickly as possible from Crypto encryption.
How Does Egnyte Detect Crypto Ransomware?
Egnyte provides multiple layers of detection and protection to ensure data safety. All Egnyte’s detection and prevention methods are described below.
Malware Scanning on File Upload
- We use a malware engine to analyze every file on upload
- If malware is detected, the file is automatically moved to the quarantine area for Admin to further investigation
Ransomware Scanning on File Upload
- We look for known subset Ransomware extensions and notes
- If a known ransomware artifact is detected, Egnyte revokes the auth token for the application
Artifact-based Ransomware Detection (Secure & Govern Customers Only)
- Detects 2500+ Ransomware artifacts (file extension and notes) found in a content source.
- If Ransomware is detected, Egnyte Secure & Govern immediately creates an issue and sends an alert
Zero-Day Ransomware Detection (Secure & Govern Customers Only)
- Detects anomalous file activity, such as file encryption.
- If Ransomware is detected, Egnyte Secure & Govern immediately creates an issue and sends an alert
What Should The Admin Do When A Probable Ransomware Anomaly Is Detected?
The following steps should be followed for any Probable Ransomware detection.
-
Understand the Probable Ransomware detected
- Secure & Govern provides the ransomware name in the detail section of Issue
- Secure & Govern provides the ransomware name in the detail section of Issue
-
Understand the scope of Probable Ransomware detection
- Secure & Govern allows exporting the possible affected files
- Secure & Govern allows exporting the possible affected files
-
Isolate the potentially infected files
- Prevent the infection from spreading by separating all infected computers and files from each other, shared storage, and the network.
-
Investigate the affected files found
- Determine whether or not the Probable Ransomware detection is a false-positive
- Scan all affected systems and files using proven anti-malware software
- There are also several sites that can help identify and confirm ransomware. Here are a couple of the sites:
-
If the analysis determines there are NO infected files, this can be considered a false-positive detection
- If this was an artifact-based detection involving a known Ransomware extension and the investigation determines the extension is also generated by a safe internal application, the extension can be whitelisted to prevent future detection. Whitelisting an extension can be done using the Whitelist File Extension action found under the Remediate button.
- This issue can also be remediated by selecting the Dismiss this Occurrence action found under the Close button within Secure & Govern. The following modal will appear.
For Reason select Expected Behavior, optionally enter a comment and select Dismiss to close the issue
- If this was an artifact-based detection involving a known Ransomware extension and the investigation determines the extension is also generated by a safe internal application, the extension can be whitelisted to prevent future detection. Whitelisting an extension can be done using the Whitelist File Extension action found under the Remediate button.
-
If the analysis determines there ARE infected files, do the following
- Click on the Remediate button for the issue detected within Secure & Govern and select Deactivate User Account. This will disable the user's account and prevent the further spread of the ransomware for the infected user.
- Report to Authorities: The FBI requests that all ransomware victims report ransomware incidents at ic3.gov regardless of the final outcome
-
Understand the options:
- Pay the ransomware - It's generally considered a bad idea to pay the ransom
- Try to remove the malware - There are several internet sites and software applications that can potentially help with the removal
- Wipe system clean and restore from backup - This approach is considered the most effective approach, provided a reliable backup strategy or version control is in place. In many cases, Egnyte's file versioning can help with the restore process. Ransomware often creates a 'new version' of the file(s). When this occurs, the current version of the file can be deleted and restored using the 'previous version' of the file.
- Click on the Remediate button for the issue detected within Secure & Govern and select Deactivate User Account. This will disable the user's account and prevent the further spread of the ransomware for the infected user.
If there are any issues during the assessment, don't hesitate to open a support ticket with the Egnyte Support Team.
How do I recover my Crypto Ransomware encrypted data?
- In most cases, encrypted files become the latest version of existing files. Egnyte's version control allows reverting to an earlier version or a clean copy of the file through the Web UI
- Some variations of Crypto delete the original file, which can also be recovered from Trash as long as the data is within the Trash retention window. Once the data is removed from Trash, it is no longer recoverable, so it is important to report the issue as early as possible and ensure that the Trash retention policy window is adequately large.
-
If a large number of files are infected, users can use the recovery process listed below:
Egnyte Ransomware Restore from Snapshot
Customers can recover from Ransomware on their own by using Egnyte’s Snapshot-Based Recovery Solution. Egnyte provides two entry points for Ransomware restoration. Refer to the following links for more detailed information.