The recent ransomware attack using the WannaCry Trojan, which has affected over 300,000 computers in 150 countries, has highlighted the security problem of the mobile era, in which thousands of millions of interconnected devices and policies such as BYOD increase the number of vulnerable devices on corporate networks.
Viruses, worms, Trojans and other malicious software are on the prowl for PCs and networks. The arrival of all kinds of malware for every platform, together with data theft, cyber espionage and privacy intrusion, is increasing across the Internet, forcing users and companies to take proactive measures to control them. It is even forcing manufacturers such as HP to make security a priority when designing their devices.
Despite this, and although prevention is the first and main line of defense, it is not always possible to stay safe from infections. Any user may have had problems with malware on some occasion, even without being alerted by security software.
If your PC is slower than normal, the system shows random errors, the web browser freezes while trying to get rid of strange ads, or you cannot access your files, you may have an infection that is hindering normal use of the PC while endangering your files. If this is your case and you cannot remove the infection with your antivirus, or if you have no security software at all, then it is time to put your PC through a malware removal process like the one we show here.
Try to save your files
Backups are the greatest ‘lifesaver’ when it comes to countering any sort of virus, and for some viruses they are the only solution. If you have not backed up before, you can still try to back up documents, photos, videos and any other personal or professional information that you cannot afford to lose, even if the files are infected, so that you can try to restore them later on a clean system.
This also applies to users hit by the ransomware mentioned above, whose files are usually encrypted: keeping a copy lets us restore those files once the tools needed to decrypt them become available. Of course, we simply copy the files to a controlled external drive and do not open them until they have been cleaned, since they can infect other devices.
To create the backup we can try two methods. The first is Windows’ safe mode, also called ‘troubleshoot mode’ or ‘advanced startup’, which boots the system with only the most basic drivers and services. This is useful for finding and solving OS problems that cannot be solved in a normal startup, where the malicious code is usually already running.
If backing up is not possible with that tool, we need a more advanced method to access the infected PC’s files, such as rescue disks (which can be run from optical disc drives, flash drives or external USB drives), either Windows’ native options or solutions designed specifically for troubleshooting, such as Hiren’s Boot CD and Ultimate Boot CD, to restore the system.
Disinfecting the PC
Once we have tried to save our important files, it is time to start disinfecting. We must point out, however, that this is not always possible: it depends on the malware, which can ultimately force us to perform a clean install of the whole system and all applications.
We start disinfecting with a bootable method used to recover the PC from viruses. This is highly effective, since the large majority of malware loads and hides in memory, which makes detecting and removing it complicated once the system has booted.
Every major security software vendor offers a way to create such media. Most come as a ‘Live CD’ format based on Linux (created on, and bootable from, optical disc drives, flash drives or external USB drives) that we can use on our PC, whatever its OS, without installing anything on it. Some good options include:
- Kaspersky Rescue Disk
- ESET SysRescue Live
- Bitdefender Rescue CD
- AVG Rescue CD
- Panda SafeDisk
- Trend Micro Rescue Disk
- Norton Bootable Recovery Tool
- Avira Rescue System
- F-Secure Rescue CD
Using them is very simple, but first we need to boot the system from the rescue disk that we created. All of them update themselves and their virus definitions, then start scanning and disinfecting any malware found.
We can access the drive where the main system is installed through the Live CD’s file explorer, which is useful if we want to delete a file or back up the important files directly, as we saw in the previous section.
If the malware is removed successfully, remove the rescue disk and try to boot the system as usual. If possible, install the best available security software and scan your PC for viruses again. If the system runs as usual, check all the applications you had installed to see that they are working correctly. Do the same with the drivers, since there may be some damage even if the OS is clean and running.
If we are not able to remove the infection despite these efforts, the only remaining option is to reinstall the OS. If we have a recovery partition or system media like the ones HP provides for its PCs, that is the first option for restoring the PC to its out-of-the-box state.
Restoring the OS to its factory settings using the OS’ native tools is another simple alternative to restoring from a backup or doing a clean install. If nothing works, we need to perform a clean install of the whole system, formatting the partition to make sure that the virus is removed from the PC.
Lastly, you can restore your data and applications, provided you thoroughly scan and clean the files saved in the backup. Make sure they are completely clean before copying them back onto your PC, since they may be the source of the infection and could cause the whole process to be repeated.
Prevent further damage
The system partition is clean, but we also need to check the other partitions and the entire local network, since the virus could have arrived that way and could infect the PC again. You can check them with the rescue disks created previously, and with any installed security software, since nowadays keeping a PC clean is difficult without additional protection, even if we try to be as careful as possible. At the very least, using Windows’ preinstalled Windows Defender is recommended.
Changing your passwords is also recommended, since much current malware infects PCs in order to obtain access passwords. It is not unlikely that they are already in the hands of third parties even though your system is now clean, so after an infection it is highly recommended that you change all your passwords, from the local Windows user password to those used for Internet services, especially financial services and e-commerce.
Lastly, bear in mind that prevention is the first and main line of defense. We need to keep a close eye on the websites we visit, the applications we install, the e-mails and attachments we receive, what we download, our social media usage, essential OS and application updates, and on running good security software.
Ransomware, a very dangerous attack
Ransomware is one of the most dangerous types of malware for global cybersecurity, as the WannaCry attack recently showed. It was perhaps the most widely known mass attack, but certainly not the only one in recent years.
Like the rest of the attacks in this family, it exploits a vulnerability in the operating system, infects a personal computer by various means (especially phishing and spam) and is then potentially distributed to the whole network on which it was installed. The feature common to all ransomware is that it blocks the computer’s normal operation by blocking access to the victim’s files with strong encryption, then demands a ransom payment from the organization, company or user to release them.
For the WannaCry ransomware in particular, Kaspersky has published a free tool created especially to protect small and medium-sized companies. It works alongside any other security solution without the need to install Kaspersky Lab products.
Given the magnitude of the attack, Microsoft took the exceptional decision to release the MS17-010 patch for operating systems that are already officially unsupported: Windows XP, Windows Vista and Windows Server 2003. For their other operating systems the fix had been available since March. Of course, installing the patch is mandatory to protect your machine from WannaCry and all its variants, because they can exploit the same vulnerability.
The speedy response to WannaCry made it possible to contain the infection, but there are several earlier ransomware strains for which there is no complete solution. For that reason, as always when we talk about security, we emphasize that prevention is the best cure.
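A check an administrator can run on a Windows host to confirm the MS17-010 update is present, as an added PowerShell example that is not part of the original article. It assumes you fill in the KB number(s) Microsoft lists for MS17-010 on your Windows version (`KB0000000` below is a placeholder, not a real identifier) and uses the standard `Get-HotFix` and `Get-SmbServerConfiguration` cmdlets; it also reports whether the SMBv1 server is enabled, because the vulnerability MS17-010 fixes is in SMBv1 (a detail the article itself does not state).

```powershell
# Added example: verify that the MS17-010 update is installed on this host.
# Replace the placeholder with the KB number(s) Microsoft's MS17-010 bulletin
# lists for this Windows version; 'KB0000000' is NOT a real identifier.
$Ms17010Kbs = @('KB0000000')

function Test-Ms17010Installed {
    param([string[]]$KbIds)
    # Get-HotFix lists installed updates by their KB id (HotFixID).
    $installed = Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $KbIds -contains $_.HotFixID }
    if ($installed) {
        foreach ($fix in $installed) {
            Write-Output ("Found {0} installed on {1}" -f $fix.HotFixID, $fix.InstalledOn)
        }
        return $true
    }
    Write-Output "No MS17-010 update found in the installed hotfix list."
    return $false
}

function Get-Smb1ServerState {
    # Get-SmbServerConfiguration exists on Windows 8 / Server 2012 and later;
    # on older systems the call throws, so report the state as unknown.
    try {
        $cfg = Get-SmbServerConfiguration -ErrorAction Stop
        if ($cfg.EnableSMB1Protocol) { return 'Enabled' } else { return 'Disabled' }
    } catch {
        return 'Unknown (cmdlet not available on this Windows version)'
    }
}

$patched = Test-Ms17010Installed -KbIds $Ms17010Kbs
Write-Output ("MS17-010 installed: {0}" -f $patched)
Write-Output ("SMBv1 server: {0}" -f (Get-Smb1ServerState))
if (-not $patched) {
    Write-Warning "Install the MS17-010 update before reconnecting this machine to the network."
}
```

On Windows 10 the fix ships inside a monthly cumulative update rather than as a standalone hotfix, so list that cumulative update’s KB number (or a later one) instead.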