By Mike Cobb, Director of Engineering
Last month, the WannaCry/WannaCrypt ransomware tore through hundreds of thousands of computers overnight in a worldwide onslaught. If you are a victim, there is hope.
Through in-depth study of the WannaCry ransomware, Kaspersky Labs has discovered that the code was poorly written and contains a number of possible loopholes for victims to recover some of their data without paying the ransom. You can read about the mistakes Kaspersky found in the WannaCry code here.
If you choose to attempt recovery of your files from the WannaCry ransomware on your own, here are some additional tips that may help.
It appears that, like some other ransomware, WannaCry often targets what it views as “important” folders and ignores others. These “important” folders include your Desktop and Documents.
If you have been infected by WannaCry, explore files that are not in these locations. You may find a lot that has not been touched by the ransomware.
Using Recovery Software
We would like to stress that, if your files are irreplaceable and valuable to you, you should always go directly to a professional organization like DriveSavers to try and recover your data. However, if your data does not hold the importance that would warrant professional data recovery, it appears that for advanced users publicly available recovery software may just do the trick.
It is very important that you do not attempt using software unless you are familiar and comfortable with data recovery best practices. Otherwise, you risk infecting another system or making matters worse.
Use a Clean Target Drive
If you are successful at finding unencrypted files on your infected computer, you will want to copy those files to another device that has not been infected, like an external hard drive or thumb drive. This comes with its own dangers, as ransomware may travel from your primary device to an attached device.
Just in case, use a new external drive as a target (i.e. the drive you will move your recovered files to). If you choose to use a target drive that is already in your possession, first connect the target drive to a computer that has not been infected, and make sure there aren’t any files already on the target that you wouldn’t want to lose if the ransomware spreads to that device.
Whatever you do, do not copy over any file unless you are 100% certain what it is. In particular, do not copy any .exe files to the target drive. You do not want to accidentally introduce the ransomware onto the target drive.
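One way to enforce the copy rules above by file content rather than by name, as an added example that is not part of the original article. It assumes an allowlist of extensions you choose yourself, a target folder outside the source folder, and two publicly documented WannaCry markers that do not come from this page: the `.WNCRY`/`.WNCRYT` extensions and the `WANACRY!` header on encrypted files.

```python
import shutil
from pathlib import Path

# Assumption: extensions you recognise as your own documents; adjust as needed.
ALLOWED = {".jpg", ".jpeg", ".png", ".pdf", ".docx", ".xlsx", ".txt"}
PE_MAGIC = b"MZ"            # Windows executables start with these two bytes
WCRY_MAGIC = b"WANACRY!"    # header of a file WannaCry has already encrypted
WCRY_EXTS = {".wncry", ".wncryt"}


def classify(path: Path) -> str:
    """Return 'copy', or the reason the file must stay behind."""
    with path.open("rb") as fh:
        head = fh.read(8)
    suffix = path.suffix.lower()
    if head.startswith(WCRY_MAGIC) or suffix in WCRY_EXTS:
        return "encrypted"
    if head.startswith(PE_MAGIC):
        return "executable"  # executable content, whatever the file is named
    if suffix not in ALLOWED:
        return "unknown-type"
    return "copy"


def salvage(source: Path, target: Path) -> dict:
    """Copy only recognised, non-executable, unencrypted files to target."""
    report = {}
    for path in sorted(source.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        rel = path.relative_to(source)
        try:
            verdict = classify(path)
        except OSError:
            verdict = "unreadable"
        if verdict == "copy":
            dest = target / rel
            dest.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(path, dest)
        report[rel.as_posix()] = verdict
    return report
```

A `copy` verdict only means the file is an allowlisted type that is neither a Windows executable nor a WannaCry-encrypted file; it is not a malware scan. Review the returned report before opening anything on the target drive.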
Using Your Recovered Files
You can connect your target drive to an unaffected computer and open your copied files, provided you are positive that you did not copy over any executable files related to the ransomware.
If you would like to use your infected computer again, you will need to wipe it clean at a low level. This will erase everything on your drive, including your files (encrypted or otherwise), the ransomware, any programs you have on the computer and even the operating system itself.
From here, you can reboot from a backup or reinstall your operating system from a disk. You can then reinstall your programs, provided you have serial numbers to verify with the manufacturers that you have already purchased those programs previously. If you do not have serial numbers, you will need to re-purchase the programs you wish to use.
When to Hire a Professional
With any ransomware, there is always hope that there could be a solution.
If you have been infected by WannaCry and the encrypted files hold information that does not exist elsewhere, that you cannot recreate and that you cannot live without, we recommend that you do not attempt recovery on your own or use data recovery software.
Stop and consider what is on your computer. Do you have any of the following?
- Wedding photos
- Baby photos
- Tax files
- Employee files
- Proprietary or patented material
- Payment files
With data that holds this amount of significance, do not leave anything to chance. We are available 24/7 to answer your questions and get started with your ransomware data recovery. 800.440.1904