Issue:
A workstation's or server's files have been encrypted by ransomware. How do I decrypt them and get access back to my files?
Resolution:
Ransomware is typically distributed in a few ways: phishing email (a common infection vector), infected USB drives, unsecured public Wi-Fi networks, exploitation of zero-day vulnerabilities, pirated software, and covert drive-by downloads from malicious websites.
We recommend having both the DeepGuard and DataGuard security features enabled for protection against traditional and modern ransomware attacks.
For assistance with a ransomware attack, we suggest contacting our Emergency Incident Response team via the page below.
https://www.withsecure.com/en/about-us/company-contacts/24-7-incident-hotline
To help us investigate the issue further, please provide the following information:
- Detailed description and timeline of the event [When exactly did this happen?]
- Sample [Please provide the suspicious file. Without this sample, we will not be able to investigate the request further.]
- WSDIAG [endpoint logs], depending on the OS version:
- Autoruns
  - Download the tool from https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
  - Please remember to enable the "Hide Signed Microsoft Entries" setting.
  - Save the log file created as an .arn file to your Desktop.
- Process Explorer
  - Download the tool from http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx and extract the zip file.
  - Run procexp.exe with administrator privileges.
  - Click File > Save and save the file as "procexp.txt" on your Desktop.
- After generating the logs, please upload them via FTP as follows:
  - Rename the WSdiag.zip file on your Desktop: right-click the file, select Rename, and name it [Your case number here]_WSdiag.zip.
  - Right-click the Windows Start icon and select Open Windows Explorer. A Windows Explorer window opens.
  - Type ftp://ftp.withsecure.com/incoming in the address bar and press Enter. Note: after uploading, the file is no longer visible in the directory listing.
  - Please reply to the incident case to inform us that you have uploaded the WSdiag file.
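The rename-and-upload steps above can be done in one pass with the following PowerShell helper. It is an added example, not WithSecure's own tooling; it assumes the artefacts (WSdiag.zip, procexp.txt and an Autoruns .arn export) are already on the Desktop, and that the incoming FTP directory accepts anonymous uploads, as the Explorer step implies. Because the drop is blind (uploaded files are not listed), it records SHA-256 hashes before uploading so the analyst can later confirm the right files arrived intact.

```powershell
# Added helper script (not WithSecure's own). Run from an elevated PowerShell prompt.
param(
    [Parameter(Mandatory)] [string] $CaseNumber,                        # from the support ticket
    [string] $Desktop = [Environment]::GetFolderPath('Desktop'),
    [string] $FtpBase = 'ftp://ftp.withsecure.com/incoming'             # address from the article
)
$ErrorActionPreference = 'Stop'

# Files the article asks for; the .arn name depends on what was typed in Autoruns' Save dialog.
$artefacts = @('WSdiag.zip', 'procexp.txt') +
             (Get-ChildItem -Path $Desktop -Filter '*.arn' | ForEach-Object Name)
$manifest = @()

foreach ($name in $artefacts) {
    $src = Join-Path $Desktop $name
    if (-not (Test-Path $src)) { Write-Warning "Missing $name - collect it before uploading"; continue }

    # Rename to "<case>_<file>" as the article asks, unless the file is already prefixed.
    $dst = $src
    if ($name -notlike "${CaseNumber}_*") {
        $dst = Join-Path $Desktop "${CaseNumber}_$name"
        Rename-Item -Path $src -NewName (Split-Path $dst -Leaf)
    }
    $leaf = Split-Path $dst -Leaf

    # Hash BEFORE upload: the incoming directory does not list uploaded files, so this hash is the
    # only way to later confirm with the analyst that the correct file arrived unmodified.
    $hash = (Get-FileHash -Path $dst -Algorithm SHA256).Hash
    $manifest += ('{0}  {1}  {2:N0} bytes' -f $hash, $leaf, (Get-Item $dst).Length)

    $client = New-Object System.Net.WebClient
    # Assumption: anonymous FTP, matching the article's Explorer-based upload.
    $client.Credentials = New-Object System.Net.NetworkCredential('anonymous', 'anonymous@')
    try {
        $client.UploadFile("$FtpBase/$leaf", $dst) | Out-Null
        Write-Host "Uploaded $leaf"
    } finally {
        $client.Dispose()
    }
}

# Keep a copy of the manifest to paste into the case reply along with the upload notice.
$manifestPath = Join-Path $Desktop "${CaseNumber}_upload-manifest.txt"
$manifest | Set-Content -Path $manifestPath -Encoding ASCII
Get-Content -Path $manifestPath
```

Include the printed manifest lines in your reply to the incident case so the analyst can match each uploaded file to its hash.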
Article no: 000004496