Category: General / What should I do if I am hit with ransomware?
If you are hit with ransomware, there are several steps to take to recover. The first is to pause the commit cycle so that the ransomed (encrypted) files are not committed to disk and overwrite the clean copies.
Pause commit cycle:
1. Log into the portal.
2. Find the client that was infected with ransomware and go to the “Device Details” page by clicking on the client.
3. From the Device Details page click the “Restore / Revert” button.
4. Select the “Control Overlay” option and follow the steps to suspend the commit overlays.
   Note: don’t forget to resume the commit overlays after the ransomware incident is over and all the files have been recovered.
The next step is to remove the ransomware from the system. If the system is a workstation, you can remove it with One-Click Restore.
One-Click Restore:
1. Log into the portal.
2. Find the client that was infected with ransomware and go to the “Device Details” page by clicking on the client.
3. From the Device Details page click the “Restore / Revert” button.
4. Select the “One-Click Restore” option and follow the steps to restore the system to an older snapshot. Make sure to choose a snapshot taken before the ransomware was installed.
   Note: the client needs to be connected to the Internet for these steps to work.
For data recovery, you will need to revert the files. Note: if the files were encrypted too long ago for Revert to recover them, you can instead export the Data Engrams and deleted files (described further down), but try Revert first.
Revert files:
1. Open the NeuShield GUI on the client in question.
2. Click on the “Anti-Ransomware” tab.
3. Starting at the top of the list, click the “Revert” button on each folder one by one, until all folders have been reverted.
4. While still on the “Anti-Ransomware” tab, find the green arrows at the bottom of the screen and click the right arrow once. If both arrows are grey rather than green, there are no further pages of folders; skip to step 6.
   Note: the green arrow lets you see protected folders on your cloud drives (OneDrive, Dropbox, Google Drive, etc.), if any exist.
5. Repeat step 3, clicking “Revert” on each cloud drive folder one by one, then repeat step 4 by clicking the right green arrow again. Continue until you have reverted every folder on every page.
6. Once all of the folders on all pages have been reverted, check the folders manually to confirm that the ransomed data has been recovered (the files should open normally again).
In some cases the data was encrypted too long ago for Revert to recover it. In that case you will need to export the Data Engrams and the deleted files. To export files from NeuShield you need to have at least build 1226 installed.
Export Data Engrams and Deleted files:
1. The first step is to add a registry value. Open the registry key “HKEY_LOCAL_MACHINE\SOFTWARE\NeuShield\NeuShield Data Sentinel” and add a new String Value named “exportObjects”. You can leave the data for exportObjects blank. (Writing under HKEY_LOCAL_MACHINE requires administrator rights.)
   Note: by default this exports data to the “%localappdata%\NeuShield\Export” folder. If that drive does not have enough room for the exported data, set the exportObjects data to a different local path that has enough room.
2. If the value was added successfully, you will have a new right-click option. Go to any protected folder, right-click on the folder and select the “Export deleted files” option.
3. Once the deleted files export is done, right-click on the same protected folder again and select the “Export engrams” option.
4. Once you have exported both deleted files and engrams, you can find the exported data in the “%localappdata%\NeuShield\Export” folder by default (or in the folder you set in exportObjects). Repeat steps 2 and 3 on other protected folders until you have exported data from every folder you need to recover data from.
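The registry change in step 1 and the free-space check in its note can be scripted. The following PowerShell is an added example written for this page, not NeuShield's own tooling: it verifies the documented key exists, refuses to point exports at a drive with too little free space, writes the “exportObjects” String value (blank for the default location, or an alternate local path), and after you have run the right-click exports it summarizes what landed in the export folder. The 50 GB minimum, the E:\NeuShieldExport path and the per-subfolder summary are illustrative assumptions; the key, value name and default folder are the ones the procedure above describes. Run it from an elevated (Administrator) PowerShell, since it writes under HKLM.

```powershell
# Added example (not NeuShield's own code). Assumes the registry key and value name
# documented in the procedure above; the 50GB threshold and E:\NeuShieldExport path
# are placeholders. Requires an elevated PowerShell session to write under HKLM.

$RegKey     = 'HKLM:\SOFTWARE\NeuShield\NeuShield Data Sentinel'
$ValueName  = 'exportObjects'
$DefaultDir = Join-Path $env:LOCALAPPDATA 'NeuShield\Export'

function Get-FreeBytes {
    param([Parameter(Mandatory)][string]$Path)
    # Free space on the drive that holds $Path; the folder itself need not exist yet.
    $root = [System.IO.Path]::GetPathRoot($Path)
    return ([System.IO.DriveInfo]::new($root)).AvailableFreeSpace
}

function Enable-NeuShieldExport {
    param(
        # Empty string = keep the default %localappdata%\NeuShield\Export location.
        [string]$ExportDir = '',
        # Placeholder threshold: refuse a drive with less free space than this.
        [long]$MinFreeBytes = 50GB
    )
    if (-not (Test-Path -Path $RegKey)) {
        throw "Registry key '$RegKey' not found. Is NeuShield Data Sentinel (build 1226 or later) installed?"
    }
    $target = if ($ExportDir) { $ExportDir } else { $DefaultDir }
    $free   = Get-FreeBytes -Path $target
    if ($free -lt $MinFreeBytes) {
        throw ("Only {0:N1} GB free on the drive holding '{1}'; choose another local path with -ExportDir." -f ($free / 1GB), $target)
    }
    if ($ExportDir) {
        # Pre-create the alternate folder so the path in the registry is valid.
        New-Item -Path $ExportDir -ItemType Directory -Force | Out-Null
    }
    # A blank value means "use the default folder"; otherwise the value is the alternate path.
    New-ItemProperty -Path $RegKey -Name $ValueName -PropertyType String -Value $ExportDir -Force | Out-Null
    return (Get-ItemProperty -Path $RegKey -Name $ValueName).$ValueName
}

function Get-NeuShieldExportSummary {
    param([string]$ExportDir = $DefaultDir)
    # File count and total size for each subfolder of the export location, so you can
    # confirm that "Export deleted files" and "Export engrams" produced output for every
    # protected folder you exported (the subfolder layout itself is not assumed here).
    if (-not (Test-Path -Path $ExportDir)) {
        throw "Export folder '$ExportDir' does not exist yet; run the right-click exports first."
    }
    Get-ChildItem -Path $ExportDir -Directory | ForEach-Object {
        $files = @(Get-ChildItem -Path $_.FullName -Recurse -File -ErrorAction SilentlyContinue)
        $bytes = 0
        foreach ($f in $files) { $bytes += $f.Length }
        [pscustomobject]@{
            Folder = $_.Name
            Files  = $files.Count
            SizeMB = [math]::Round($bytes / 1MB, 1)
        }
    }
}

# Usage (elevated prompt):
#   Enable-NeuShieldExport                                    # default location, blank value
#   Enable-NeuShieldExport -ExportDir 'E:\NeuShieldExport'    # larger drive, placeholder path
#   ...right-click each protected folder > "Export deleted files", then "Export engrams"...
#   Get-NeuShieldExportSummary -ExportDir 'E:\NeuShieldExport' | Format-Table
```

The free-space check runs before the registry write on purpose: if the export drive fills up partway through a large folder, you will not know which engrams were written and which were not, and you will have to redo that folder after moving the export path.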
If you would like assistance with recovery, open a support case.