There are two main types of ransomware: crypto ransomware and locker ransomware.
- Crypto ransomware encrypts files on a computer so that the user cannot access them.
- Locker ransomware locks the victim out of their device, preventing them from using it. This type of ransomware does not encrypt files.
This FAQ focuses on Crypto ransomware which is detected by the Secure & Govern Probable Ransomware Analysis Rule. For additional information, check out the frequently asked questions below.
What is Crypto Ransomware Recovery?
The Crypto virus is a type of ransomware that encrypts files stored on your local or network drive so that they are effectively inaccessible to you. The ransomware was introduced in 2013 and is typically carried via email attachments. Once the files are encrypted, the malware offers to decrypt the data if a ransom is paid. The ransomware can be particularly troublesome for customers once the encrypted data syncs to the cloud and down to other user devices.
Because of the nature of the encrypted files and the ever-evolving variations, it is difficult for anyone to differentiate Crypto-encrypted files from legitimately encrypted files with 100% accuracy. However, the Egnyte Secure & Govern solution monitors content sources and provides early detection of ransomware. In fact, with Egnyte versioning and retention policies, your files can be restored to their original state. While we’ve had a 100% success rate in restoring customers’ data to date, the continued evolution of this ransomware is a risk for potential data loss.
What Signs Indicate a Possible Crypto Ransomware Infection?
- Your web browser, desktop or server is locked with a message about how to pay to unlock your system, and/or your file directories contain a "ransom note" file (usually a .txt file).
- Some or all of your files have a new file extension appended to the filenames and/or are encrypted.
  - Examples of ransomware file extensions: .encryptedAES, .ezz, .1txt, .egnigma, .zzz, .aaa, .abcd, .block, .cdrpt, .vvv, .Tesla, .xcri, .micro, .lockedfile, .cryptolocker, _crypt, .missing, .r5a, .xrtn, .adam, .crypt38, .2lwnPp2B, .pzdc, .just, .OMG!, .RDM, .RRK, .encryptedRSA, .crjoker, .7z.encrypted, .LeChiffre, .0x0, .1999, .ha3, .toxcrypt, .SUPERCRYPT, .CTBL, .lockymap, or a 6-7 character extension consisting of random characters
What is Egnyte Doing About Crypto Ransomware?
Egnyte Secure & Govern is able to detect and notify the administrator of the affected user's account so that corrective actions can be taken. This prevents the rampant spread of encryption to other files. We are continually enhancing the tools to detect, recover and restore customers’ files as quickly as possible from Crypto encryption.
How Does Egnyte Detect Crypto Ransomware?
Egnyte provides multiple layers of detection and protection to ensure your data is safe. All of Egnyte’s detection and prevention methods are described below.
Malware Scanning on File Upload
- We use a malware engine to analyze every file on upload
- If malware is detected, the file is automatically moved to the quarantine area for an Admin to investigate further
Ransomware Scanning on File Upload
- We look for a known subset of ransomware file extensions and ransom notes
- If a known ransomware artifact is detected, Egnyte revokes the auth token for the application
Artifact-based Ransomware Detection (Secure & Govern Customers Only)
- Detects 2500+ ransomware artifacts (file extensions and ransom notes) found in a content source.
- If Ransomware is detected, Egnyte Secure & Govern immediately creates an issue and sends an alert
Zero-Day Ransomware Detection (Secure & Govern Customers Only)
- Detects anomalous file activity, such as file encryption.
- If Ransomware is detected, Egnyte Secure & Govern immediately creates an issue and sends an alert
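To make the difference between the two Secure & Govern layers concrete, here is an added example (not Egnyte's code): a toy artifact-based check and a toy zero-day style burst heuristic, run over constructed file-activity events. The event format, the short artifact lists, the regex for "random" extensions, the `window`/`threshold` values and the `allowlist` parameter (which stands in for the "Whitelist File Extension" fix described later in this FAQ) are all assumptions; the real 2500+ artifact rule set and the Probable Ransomware Analysis Rule are not reproduced here.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed subset of the extensions listed in this FAQ (stored lower-case).
KNOWN_RANSOM_EXTENSIONS = {
    ".ezz", ".zzz", ".aaa", ".vvv", ".micro", ".lockedfile", ".cryptolocker",
    ".crjoker", ".encryptedaes", ".encryptedrsa", ".supercrypt", ".ctbl", ".lechiffre",
}
# Constructed ransom-note file names; real note names vary by family.
KNOWN_NOTE_NAMES = {"how_to_decrypt.txt", "restore_files.txt", "readme_for_decrypt.txt"}
# "6-7 length extension consisting of random characters": 6-7 alphanumerics at the
# very end of the name, mixing at least one digit and one letter (assumed heuristic).
RANDOM_EXT = re.compile(r"\.(?=[a-z0-9]*\d)(?=[a-z0-9]*[a-z])[a-z0-9]{6,7}$", re.I)


def _ext(path):
    """Last extension of a path, lower-cased, or '' when there is none."""
    name = path.rsplit("/", 1)[-1]
    return ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""


def artifact_reasons(path, allowlist=frozenset()):
    """Artifact-based layer: reasons one path looks like a ransomware artifact
    (empty list = clean). `allowlist` models whitelisting an extension that a
    safe internal application is known to produce."""
    name = path.rsplit("/", 1)[-1].lower()
    reasons = []
    if name in KNOWN_NOTE_NAMES:
        reasons.append("known ransom note name")
    ext = _ext(path)
    if ext and ext not in {e.lower() for e in allowlist}:
        if ext in KNOWN_RANSOM_EXTENSIONS:
            reasons.append(f"known ransomware extension {ext}")
        elif RANDOM_EXT.search(name):
            reasons.append(f"random-looking extension {ext}")
    return reasons


def burst_anomalies(events, window=timedelta(minutes=5), threshold=20):
    """Zero-day style layer: flag a user who renames many distinct files to a
    different extension inside `window`, which is what bulk encryption looks
    like from the activity side without knowing any extension in advance.
    Event: {"ts": datetime, "user": str, "action": str, "src": str, "dst": str}.
    Returns {user: distinct files in the busiest window} for users at/over threshold."""
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["action"] == "rename" and _ext(ev["src"]) != _ext(ev["dst"]):
            by_user[ev["user"]].append((ev["ts"], ev["src"]))
    flagged = {}
    for user, items in by_user.items():
        worst, start = 0, 0
        for end in range(len(items)):  # sliding window over time-sorted renames
            while items[end][0] - items[start][0] > window:
                start += 1
            worst = max(worst, len({p for _, p in items[start:end + 1]}))
        if worst >= threshold:
            flagged[user] = worst
    return flagged


def sample_events():
    """Constructed activity: 'alice' renames 25 spreadsheets to .ezz within 96 s
    and drops a note; 'bob' renames three files during normal work."""
    base = datetime(2024, 1, 15, 9, 0, 0)
    events = [
        {"ts": base + timedelta(seconds=4 * i), "user": "alice", "action": "rename",
         "src": f"/Shared/Finance/q{i}.xlsx", "dst": f"/Shared/Finance/q{i}.xlsx.ezz"}
        for i in range(25)
    ]
    events.append({"ts": base + timedelta(seconds=100), "user": "alice", "action": "write",
                   "src": "", "dst": "/Shared/Finance/HOW_TO_DECRYPT.txt"})
    events += [
        {"ts": base + timedelta(minutes=10 * i), "user": "bob", "action": "rename",
         "src": f"/Shared/Design/draft{i}.txt", "dst": f"/Shared/Design/draft{i}.md"}
        for i in range(3)
    ]
    return events


def run_detection(events, allowlist=frozenset()):
    """Run both layers; returns (artifact hits keyed by path, burst hits keyed by user)."""
    artifacts = {}
    for ev in events:
        for path in (ev["src"], ev["dst"]):
            if path and path not in artifacts:
                reasons = artifact_reasons(path, allowlist)
                if reasons:
                    artifacts[path] = reasons
    return artifacts, burst_anomalies(events)


if __name__ == "__main__":
    hits, bursts = run_detection(sample_events())
    print(f"{len(hits)} artifact hits; burst users: {bursts}")
```

The two layers are complementary: the artifact check fires on a single file as soon as a known extension or note name lands, while the burst heuristic needs no prior knowledge of the family and catches the rename storm itself, at the cost of a short delay and the need to tune `window` and `threshold` against each team's normal activity.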
What Should I Do When a Probable Ransomware Anomaly is Detected?
The following steps should be followed for any Probable Ransomware detection.
- Understand the Probable Ransomware detected
  - Secure & Govern provides the ransomware name in the detail section of the Issue
- Understand the scope of the Probable Ransomware detection
  - Secure & Govern allows you to export the list of possibly affected files
- Isolate the potentially infected files
  - Prevent the infection from spreading by separating all infected computers and files from each other, from shared storage, and from the network.
- Investigate the affected files found
  - Determine whether or not the Probable Ransomware detection is a false positive
  - Scan all affected systems and files using proven anti-malware software
  - There are also several sites that can help you identify and confirm ransomware. Here are a couple of the sites:
  - If the analysis determines there are NO infected files, this can be considered a false-positive detection
    - If this was an artifact-based detection involving a known ransomware extension and your investigation determines the extension is also generated by a safe internal application, the extension can be whitelisted to prevent future detections. Whitelisting an extension can be done using the "Whitelist File Extension" action found under the Fix button.
    - This issue can also be remediated by selecting the "Dismiss this Occurrence" action found under the Close button within Secure & Govern. The following modal will appear.
    - For Reason select "Expected Behavior", optionally enter a comment, and select Dismiss to close the issue
  - If the analysis determines there ARE infected files, please do the following
    - Click on the Fix button for the issue detected within Secure & Govern and select the "Deactivate User Account" action found under the Fix button. This will disable the user's account and prevent the further spread of the ransomware from the infected user.
    - Report to Authorities:
      - The FBI requests that all ransomware victims report ransomware incidents regardless of the final outcome
    - Understand your options:
      - Pay the ransom - It's generally considered a bad idea to pay the ransom
      - Try to remove the malware - There are several internet sites and software applications that can potentially help with the removal
      - Wipe the system clean and restore from backup - This approach is considered the most effective, but only if you have a sound backup strategy and/or version control. In many cases, Egnyte's file versioning can help with the restore process. Ransomware often creates a "new version" of the file(s). When this occurs, the current version of the file can be deleted and restored using the "previous version" of the file.
How do I recover my Crypto Ransomware encrypted data?
- In most cases, encrypted files become the latest version of your files. With Egnyte's version control, you can revert to an older version or clean copy of the file using our Web UI.
- Some variations of Crypto delete the original file, which can also be recovered from Trash as long as the data is within the Trash retention window. Once the data is removed from Trash, it is no longer recoverable, so it is important to report the issue as early as possible and ensure that your Trash retention policy window is adequately large.
- If a large number of files are infected, Egnyte offers two recovery processes, listed below.
Egnyte Ransomware Restore from Snapshot
Customers can recover from Ransomware on their own by using Egnyte’s Snapshot-Based Recovery Solution. Egnyte provides two entry points for Ransomware restoration. Please see the following links for more detailed information.
Egnyte Support
Our Support team can help recover the files for you by submitting a Support request. Send the following information and we will assist with reverting the files based on the data you provided:
- Username of the individual who got infected.
- Date when the files were uploaded to the cloud or date of infection. This information can be obtained by running a File Audit Report. If you do not have the audit feature, please let us know.
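The version-based recovery described in this answer can be expressed as a decision per file. The following is an added example, not Egnyte's code: it models a file's version history and Trash state in a simplified form and picks a restore action given the incident start time and the Trash retention window. The data model, the placeholder digests, the dates and the 30-day retention figure are constructed for illustration; Egnyte's actual version and Trash APIs are not modelled.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

RANSOM_EXTENSIONS = {".ezz", ".zzz", ".micro"}  # constructed subset of the FAQ's list
INCIDENT_START = datetime(2024, 1, 15, 9, 0)     # constructed: when renames began


@dataclass
class Version:
    ts: datetime      # when this version reached the cloud
    name: str         # file name as stored for this version
    digest: str       # constructed placeholder for a content hash


@dataclass
class FileHistory:
    path: str
    versions: List[Version]                 # oldest first; last entry is current
    deleted_at: Optional[datetime] = None   # set when a variant deleted the original


def looks_encrypted(name: str) -> bool:
    return any(name.lower().endswith(e) for e in RANSOM_EXTENSIONS)


def restore_plan(h: FileHistory, incident_start: datetime, now: datetime,
                 trash_retention: timedelta):
    """Decide what to do with one file. Returns (action, version or None):
      unaffected          current version predates the incident and is clean
      revert              drop the encrypted current version, promote the last clean one
      restore_from_trash  original was deleted but is still inside the Trash window
      unrecoverable       original was deleted and has aged out of Trash
      no_clean_version    every stored version is encrypted or post-incident"""
    clean = [v for v in h.versions
             if v.ts < incident_start and not looks_encrypted(v.name)]
    if h.deleted_at is not None:
        if now - h.deleted_at > trash_retention:
            return "unrecoverable", None
        return ("restore_from_trash", clean[-1]) if clean else ("no_clean_version", None)
    latest = h.versions[-1]
    if latest.ts < incident_start and not looks_encrypted(latest.name):
        return "unaffected", latest
    return ("revert", clean[-1]) if clean else ("no_clean_version", None)


def plan_all(histories, incident_start, now, trash_retention):
    """Action per path for a whole export of affected files."""
    return {h.path: restore_plan(h, incident_start, now, trash_retention)[0]
            for h in histories}


def sample_histories():
    """Constructed histories around INCIDENT_START."""
    def jan(day, hh=9, mm=0):
        return datetime(2024, 1, day, hh, mm)
    return [
        # encrypted copy became the current version; a clean one exists
        FileHistory("/Shared/Finance/q1.xlsx",
                    [Version(jan(10), "q1.xlsx", "h1"), Version(jan(15, 9, 1), "q1.xlsx.ezz", "h2")]),
        # variant deleted the original outright; it sits in Trash
        FileHistory("/Shared/Finance/q2.xlsx",
                    [Version(jan(12), "q2.xlsx", "h3")], deleted_at=jan(15, 9, 2)),
        # file created by the malware itself, nothing clean to fall back to
        FileHistory("/Shared/Finance/HOW_TO_DECRYPT.txt",
                    [Version(jan(15, 9, 3), "HOW_TO_DECRYPT.txt.ezz", "h4")]),
        # untouched file
        FileHistory("/Shared/Design/logo.png", [Version(jan(8), "logo.png", "h5")]),
    ]


if __name__ == "__main__":
    for when in (INCIDENT_START + timedelta(days=1), INCIDENT_START + timedelta(days=45)):
        print(when.date(), plan_all(sample_histories(), INCIDENT_START, when, timedelta(days=30)))
```

Running the plan the day after the incident and again 45 days later shows why the answer stresses reporting early: the deleted `q2.xlsx` is recoverable from Trash in the first run and unrecoverable in the second once the 30-day retention window has passed, while the versioned `q1.xlsx` can be reverted at either point.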