Hi, I wonder how one should handle a ransomware intrusion. Let's say you have been infected by a really potent ransomware; what does your plan for handling that look like? If it is really potent, as far as I know there is no way to handle it, since the ransomware will stop/block/destroy any action taken to fix the situation. If one connects an external disk to the PC in order to use an image to recover the OS, the moment one opens that disk it will also be infected. In that scenario the infected disk is useless and unrecoverable. So, what is the best way to go about nullifying the ransomware damage and hopefully restoring the infected disk, or at least being able to use it securely in the future?
1. Get rid of the ransomware, either by going to a site that specializes in malware removal or by reformatting your computer.
2. Recover all your data from either a cloud backup or a hard drive backup.
3. Re-install all the programs you had on your computer if you reinstalled Windows in step 1.
With proper backups this would be a simple recovery process. The backups will not get hurt if the computer is cleaned first. Additionally, the backup media can be made read ONLY before it ever sees the dirty computer. By being "read only", that backup media can be used again and again without fear. A small but simple example is a MicroSD card, which can be quite large in capacity. They are easily and fully locked against writes by physical switches, not simply software locks. Hardware-locked devices are more reliable and solid than software locks. Depending upon your level of computer expertise, the one outstanding item is confirming the BIOS is good to go. That is a rare attack because it requires advanced techniques. My BIOS can be unlocked by me and confirmed via sha256sum that nothing changed at all. One flipped digit and the sum won't match.
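The hashing step the post above describes (record a sha256sum before the media ever touches the dirty machine, verify it from a clean boot before trusting it) can be scripted so that it covers every image and firmware dump on the backup media at once. The script below is an added example, not code from anyone in this thread; it assumes GNU coreutils (`sha256sum`, `find`, `xargs`, `dd`) as found on a typical Linux rescue stick, and the backup files it hashes are constructed on the fly in a temporary directory purely to show the flow.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes GNU coreutils on a Linux rescue environment.
#
# make_manifest DIR MANIFEST
#   Record the SHA-256 of every regular file under DIR (except the manifest itself)
#   into MANIFEST. Run this on the clean machine at backup time, BEFORE flipping the
#   media's hardware write-protect switch.
make_manifest() {
    dir=$1
    manifest=$2
    (
        cd "$dir" || exit 1
        find . -type f ! -name "$(basename "$manifest")" -print0 \
            | sort -z \
            | xargs -0 sha256sum
    ) > "$manifest"
}

# verify_manifest DIR MANIFEST
#   Re-hash every file listed in MANIFEST and compare. Exit status 0 only when every
#   sum matches; --strict also fails on malformed manifest lines, --quiet prints only
#   the files that differ. Run this from the rescue boot before restoring anything.
verify_manifest() {
    dir=$1
    manifest=$2
    (
        cd "$dir" || exit 1
        sha256sum --check --strict --quiet "$manifest"
    )
}

# demo
#   Builds a constructed backup set (a fake disk image and a fake firmware dump),
#   verifies it, then flips a single byte in the image and verifies again.
#   Returns 0 only if the untouched set passes AND the tampered set is rejected.
demo() {
    tmp=$(mktemp -d) || return 1
    printf 'constructed fake system image contents\n' > "$tmp/system.img"
    printf 'constructed fake firmware dump\n'          > "$tmp/bios.bin"
    make_manifest "$tmp" "$tmp/SHA256SUMS"

    if ! verify_manifest "$tmp" "$tmp/SHA256SUMS"; then
        echo "FAIL: pristine backup set did not verify" >&2
        rm -rf "$tmp"
        return 1
    fi
    echo "ok: pristine backup set verifies"

    # Overwrite the first byte of the image in place. A real ransomware hit or a
    # corrupted sector changes far more, but one byte is already enough to fail.
    printf 'X' | dd of="$tmp/system.img" bs=1 seek=0 conv=notrunc 2>/dev/null

    if verify_manifest "$tmp" "$tmp/SHA256SUMS" 2>/dev/null; then
        echo "FAIL: tampered image was accepted" >&2
        rm -rf "$tmp"
        return 1
    fi
    echo "ok: tampered image rejected"
    rm -rf "$tmp"
    return 0
}

demo
```

The manifest itself must live somewhere the infected machine cannot rewrite it, which is exactly what the hardware write-protect switch gives you: once `make_manifest` has run, flip the switch and the manifest travels with the images. Before mounting such media on a clean boot you can also confirm the kernel sees it as read-only with `lsblk -o NAME,RO` or `blockdev --getro /dev/sdX`; if that reports writable, the switch is not engaged (or the reader ignores it) and the media should be treated as untrusted.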
As was noted above, just restarting and booting from a recovery disk made by your imaging software in order to restore an old image would be fine, as long as we are speaking of an air-gapped external drive. However, many will save images on an internal secondary drive, and here issues may arise. Although most ransomware is specific about the types of files it encrypts (docs, jpg, etc.), some will be destructive to many other files on the system, including saved images and backups. Of the popular imaging solutions available, Macrium Pro offers protection against ransomware attacks on the images it creates (Image Guardian). If you have any interest, I made a video about it here: hxxps://www.youtube.com/watch?v=aAzXnaKbRB4
Thank you for your responses. To sum it up: it will work if I use a USB stick with a bootable W11 ISO that is "read only" to do a fresh install of Windows after wiping the disk first? After that I can boot from my rescue disk and restore my previously made image of the system, and that will be it!? The above will then work in most cases, as long as I am not hit by some very advanced ransomware, which is unlikely for me as a basic PC user?
If you have backups of all relevant Windows partitions, including the System partition, then you should be able to skip formatting the disk and just boot into the rescue recovery environment to write the backups over the top of the infected disk. Hopefully you have some sort of reliable backup software installed, along with a rescue disk, and are familiar with how to use it. The Hasleo free backup/recovery suite has worked well for me, but of course there are others available as well, although not necessarily free. Hasleo allows you to create an emergency rescue pendrive, as well as install a boot menu on your drive.