A very simple, and general note on Ransomware.

By: Albert van der Sel.
Date: 2 December, 2020.
Version: 2.1
For who: for private users with PC's/laptops, or small business users.
Status: in development.


- Also included is a public listing of "weblinks" to "decryptors" of ransomware,
as made available by various manufacturers of AV software, and other organizations.
This information, detached from this text, is also available using this link.

- In addition, some pointers for backup/restore of a private PC are discussed, as well as
a lightweight discussion of clean-up procedures, Win shell commands, and some other topics.

This is a supersimple note. You should not have any high expectations from it (if there would be
any readers at all...).
It might only be of use for Private users of PC's/Laptops, or small business users.

It's about "ransomware", that is, the rather nasty software which encrypts your datafiles, and after that,
displays a note (or screen) on how you can obtain the decryptor key, to unlock your files again.
But, you must first pay a substantial amount of money (often in Bitcoin), before you receive that key.

I don't dare to say if you should pay or not. But, you are relatively immune,
if you simply have good backups (!) of your valuable datafiles.
If you have backups, there is of course absolutely no reason to pay any amount of ransom.

By the way:

Some folks received a key after payment, but some folks never did, even though they paid the ransom.
Most authorities argue that you should never pay.
An often heard argument is that we are dealing with criminals, and if they receive payments,
their "business model" then obviously works, and that is certainly not good...

But if you would have no data backups at all, and you absolutely depend on your files...,
wow.. that's a very, very difficult situation.

About ransomware:

There are some differentiations, like if the malware locks your device (locker ransomware), or that
it indeed encrypts (most often) your datafiles (crypto ransomware). Other differentiations are about
the type of targets (the victims), or the way the software got access to the system etc.. etc..

This note is about that stuff that encrypts your datafiles.

As said before, you are pretty much immune if you have good backups.
In the worst case scenario, you need to rebuild the system, configure it again, but at least
you have all your clean data, which (in my opinion) matters most. And you can restore that.

If you do not have data backups yet, why don't you create them now???
It would be rather bad if some bunch of criminals would really hold you at your tail.

Backups of your valuable data are mandatory. But, having a recent system backup (Operating System + App directories)
is very helpful too.

The chance to find a decryptor by consulting listings of keys (on the internet) is not high,
or pretty low actually, but of course it's worth trying (if you do not have data backups).

The difficulty in decryption arises from the fact that asymmetric encryption (private/public keys)
is almost impossible to tackle. But it's slow. Symmetric key encryption is also hard to fight, but
in principle slightly easier "to crack" than asymmetric encryption. Symmetric encryption is way faster,
that's why hackers often choose this one for bulk data encryption.
Of course, when I say "easier" it actually means that it still is incredibly difficult.

-Not all ransomware uses strong cryptography, and in such case, there is some hope.

-However, many ransomware variants nowadays use a remarkable combination of both methods (asym + sym).
Usually, it all is awfully strong. See section 8 for an example.

In quite a few cases, and with different variants of one sort of malware, there is a difference between
online and offline keys in symmetric encryption. Online often means that communication
with a control Server generates different ID's (also used in the encryption), resulting in a
different key per victim.
This is less so with offline keys, meaning that the encryption key is the same over multiple victims.
The latter thus enhances the chance of success in finding a decryptor.

However, generally speaking, finding a decryptor key, unfortunately, has little chance for success.
But indeed, some keys have been found (whatever the method), hence the listings.

But if you have good data backups, there is no need to search for keys.
So, if you still need to create good backups, then do it now. Maybe section 7 provides
some usable tips, or follow any other good method, you are comfortable with.


1. Some (hyper) trivial remarks.
2. About the Listings.
3. The decryptor Listings.
4. Some commands you might find useful.
5. Other info.
6. Usual cleanup process.
7. A few words on how to backup and restore your PC/Laptop, and repairs.
8. More advanced techniques from Science.
9. An example attack, using encryption.
10. Tables of common extensions of known ransomware, and some further info.

1. Some trivial remarks:

First, maybe you do not like the word "rule", so you can also interpret it as "recommendation".
Below are some very trivial "recommendations".

Rule Number 1: Always have good and recent backups of all your valuable data,
and store them safely at another location (e.g. not on the same PC, and not online).
Have multiple backups (recent, and slightly older ones), to make sure you are good.

Super trivial remarks of course..., sorry about that.

Rule Number 2: Be very careful with email attachments and links in emails.
Those are very common causes (among others), for ransomware infections.
In effect: only open an attachment if you are confident of the source,
or the document is exactly what you already expected to receive.

It's really true: notwithstanding all the nifty tricks around, the simple attachments
and links in emails (and sites) are the main cause for infections. You can avoid that.

Other "relatively mundane" causes are that (general) trojans may drop the ransomware,
or you get it via download of untrusted tools, or installers, containing the malware etc...

So, you better not stuff your business PC with all sorts of shady "tools", which you
can find all over the place.

Some further pointers to investigate:
(1). Do not use your PC with an Admin account.
(2). Maybe you like to investigate using Virtual Machines: if one goes "down" using the internet,
it's easy to restore, and the thing is quite isolated from the rest (other VM's).
However, using VM's is not the holy grail against ransomware.
Also, it can be a challenge to learn about VM's if you are quite blank to the technology.
(3). Use easy to mount and unmount backup media. Always unmount after creating a backup.
(4). Maybe you can use an older PC as a "backup server", which is *only* online on your network, when needed.
(5). Make sure the firewall is on, and optionally tuned for your system.
(6). If needed, make a study of controlled folder (directory) access, like NTFS permissions
granted to some users (groups) only, and not to general groups like "Everyone" or "Authenticated Users".
(7). If you want, you may investigate how you can lower the number of running services, shutdown ports etc..
all for the sake of lowering your "surface area of attack". There are lots of Cyber documents which give
good pointers for this.
(8). Try to create a "repair disk" like bootable DVD, or bootable USB, with WinRE/WinPE (a mini windows).
(9). Extremely trivial: apply OS patches and application patches.
(10). Really Hyper trivial: use good, and licensed, well-known Anti Virus software.

Sorry for the trivial remarks.

2. About the Listings:

  1. There is no guarantee that links will not "fade away" (become inactive), as time moves on.
  2. Also, this might not be the best listing as time moves on.
  3. The listing was created "by just Googling around for a bit". That's all there is to it, really.
    So, it's really no big deal here. If a monkey like me can produce a listing, you probably can
    make a much better one yourself.
  4. Such listings will never be up-to-date, never be complete. But it's good they exist!
  5. If you are hit by ransomware, report your case to the Police too. They may have a cyber unit,
    which may help in providing a decryptor.
  6. This is just an extremely simple listing. The chance you can find something useful here,
    is unfortunately, pretty low. But you may want to browse it anyway.
  7. Opinions differ a bit, but I would say: If your system looks like being hit by ransomware,
    then immediately isolate it from network(s), devices etc..
    Often, ransomware communicates with rogue internet sites for all sorts of purposes (like e.g. keys).

    If you would have seen a screen indicating that your system is compromised, and where the bad guys
    ask for money, it could be worthwhile (opinions differ) to note key identifiers from that screen,
    which might help in identifying which decryptor you might need later on.
    As said, Opinions differ a bit on these actions.

    Important: Only if you absolutely have NO data backups (opinions differ a bit):

    It's sometimes advised that the system should not be powered down, since
    the prime numbers used to build the crypto keys remain in Windows memory and have not yet been wiped out.
    Some tools can then hopefully reconstruct the decryptor key.
    However this is not a common, or publicly advised rule, and will only work in some cases.
    I will come back to this at a later phase. I am afraid that in most cases, this all is wishful thinking.
    But for some ransomware instances, the method indeed seems to work.

    However, I am not the Almighty, so maybe you want to dive into it anyway.

    So, the above paragraph (in red), seems all a bit like wishful thinking. My idea further is:

    - If you have good data backups: no worries. See section 6 for cleanup procedures.

    - If you do NOT have backups, then consult your AV provider, consult a Cyber Team (e.g. at the Police department,
    Universities), or lastly, go like a missile searching the Internet. Or consult section 6 when this document
    is on the "ready" status (which it is not, at this time).

    In section 4 and 7, I will show where possibly shadow copies (VSS) of data can be found, on your system.
    At least as of Win7, per default, a portion of diskspace is reserved for "shadow copies", which might
    be helpful after a ransomware attack, if you do not have backups.

    However, at least some ransomware tries to destroy the VSS area. Whether that succeeds depends on a few factors.

    Usually, at the next boot, while the system still is not connected to anything, "Up_To_Date" AV software
    would be able to neutralize it, but it's not impossible that the malware already has deleted itself.
    Perform several scans with different AV tools. If the system appears clean, you might find datafiles
    in folders (and possibly even network drives) with weird extensions (hopefully not).

    About the cleanup procedure, different opinions go around. See section 6 for more info.

    -A simple one, after a boot, lets the AV software clean the system, check thoroughly if all is gone,
    and do a restore of all datafiles.
    -A better approach (or safer approach), is to rebuild the Operating System, clean everything,
    install (or restore) Apps again, and restore all datafiles.

    If you have data backups, then you will survive the misery. If not, the challenge begins....

  8. If you have no data backups, and if a certain decryptor seems to be a "fit", then it's still extremely
    important to be very cautious in applying such a decryptor. Sorry, it's a bit trivial of course.
    You best investigate further, or consult an expert. There is always a risk.
    Some keys indeed exist, and some AV manufacturers produce tools, a sort of wrapper, that, if you have the key,
    can further do the work (decrypting) for you (sometimes menu-based, or prompt actions).
    Please do not expect too much on finding decryptor keys !
    I think, that it is *only* needed to look for decryptors, if you do NOT have data backups.

3. The Decryptor Listings:

Sorry, it's just a very simple listing. In most cases, there will be no solution found
in this listing. But you can browse it anyway.

-If you do not know which one to use, a pointer may be the extension of the encrypted files,
like for example "bookkeeping.xls.xyzw", where the malware has extended the encrypted filename
with "xyzw". You can take a look at section 9, Table 1, for several listings of such extensions, which may help
in identifying the ransomware.

Please note that not all ransomware will append an additional extension to the filename.

- In most cases, in the listings, instructions come with the decryptor.

- In some cases, it might be so that the kit wants a pair of the unaffected file, with the
accompanying infected (encrypted) file. Often, it might be pretty hard to fulfill that requirement.

-I hope that the links are "stable" (not fade away), but you never know with weblinks.

- The listing was created "by just Googling around for a bit". That's all there is to it, really.
So, it's really no big deal here. Other folks did the hard work. I only listed it below.

Actually, by now, I invested quite some time in finding "good" links...
Hopefully, the result is not too disappointing for you.... I will maintain the listing.

=> Listings of links to decryptors (as found so far: 11):
Blog from heimdalsecurity
How to Use McAfee Ransomware Recover
McAfee Ransomware Recover

=> Possible help which requires that the system was not rebooted (as found so far: 1):
Blog Malwarebytes discussing options for WannaCry.

=> Possible decryptor kits (as found so far: 1):
10 Decryptor tools (techviral.net)

4. Some commands you might find useful:

-Subsections 4.1 up to 4.8 deal with rather simple commands to view and filter on patches,
or how to set the Firewall on, or how to set NTFS permissions (icacls), or attrib,
and a few remarks on VSS.
This might be all a bit trivial info for you.

-Subsection 4.9 is about "SFC", the System File Checker, and the "DISM" command.
These might be not so familiar to you, and they can play an important role in detection
of system damage (the OS), and repair.

You can start a "command prompt" (cmd), run under an Admin account (for this time).
(use "Run as Administrator").
At the "C:\>" prompt, you can copy/paste some of the commands like listed below.
Some commands are for using Powershell, as is shown in the text below.

For example, it can be handy to grep (filter) the output, on a certain KB fix number, to see
if you indeed have it on your system.

For almost everything listed below, a GUI makes the same possible too.
However, using a prompt is more versatile, given the fact of the enormous
amount of commands and tools available today.
Indeed, below is only a very very limited subset of commands.

4.1 Checking patches/patchlevels on Win systems, from prompt:

C:\> wmic qfe list
C:\> wmic qfe get
C:\> wmic qfe get > c:\temp\patchlist.txt --output stored in c:\temp\patchlist.txt
C:\> wmic qfe list | find /I "text you want to filter output on"
C:\> systeminfo | find /I "kb"

C:\WINDOWS> copy WindowsUpdate.log C:\TEMP
Then you can just browse around, and search for kb's or other info, in C:\TEMP\WindowsUpdate.log
The latter one is a bit cumbersome, but quite informative.

Another interesting log is CBS.log in C:\Windows\Logs\CBS\. Here tools like sfc report their findings.

4.2 Checking patch/patchlevels on Win systems, using Powershell:

-- all fixes:

PS C:\> Get-HotFix


PS C:\> Get-WmiObject -Class "win32_quickfixengineering"

-- only the latest:

PS C:\> (Get-HotFix | Sort-Object -Property InstalledOn)[-1]

-- other fix info:

PS C:\> Get-WmiObject -Class "win32_quickfixengineering" |
Select-Object -Property "Description", "HotfixID",
@{Name="InstalledOn"; Expression={([DateTime]($_.InstalledOn)).ToLocalTime()}}

4.3 Checking the status of the FireWall on Win systems, using command prompt:

C:\> netsh advfirewall show allprofiles

4.4 Changing the FireWall status to "on", if needed, on Win systems, using command prompt:

C:\> netsh advfirewall set allprofiles state on

4.5 mpcmdrun.exe, if you depend on "Microsoft Defender Antivirus":

If Microsoft Defender Antivirus is your base defense policy, you really should take a look
at the "mpcmdrun.exe" command, to see how you can control the utility.
There are plenty of websites discussing Windows Defender.
A quite useful application of the latest Defender, seems to be the controlled folder access feature.
You might investigate that further.

4.6 Object access and icacls sessions:

Anything listed here, can be done using the GUI as well, like the file explorer.

Suppose you have datadirectories, like "E:\data", with subfolders like "E:\data\excel", "E:\data\administration",
then it's best to restrict access to those folders.

=>I would not advise to do anything at all with root locations, like "C:\" or "E:\".

=>However, it's best to remove "Everyone" and "Authenticated Users" (and "Users") from the NTFS
security listing, on folders like "E:\data\excel", "E:\data\administration" etc..
Remove any non system account, and leave your account or your group in place.
I would recommend to leave the OS entities in place (like "System").
Next you must add the right group (or for a personal user, the right account).

You can use the (file) explorer to modify NTFS permissions and remove or add accounts
to the permission listings (ACL's), and modify the permissions per account.

You can also use tools like "icacls", (the native) prompt command too.

C:\> icacls "C:\test" /grant MyPC\albert:(OI)(CI)F /T

The command above, gives the user MyPC\albert, Full Control (F) on the directory C:\TEST.
The command further gives Full Control (F) on any subdir, due to the "/T" switch.
(Instead of a local user of a Workstation or Server, the account may also be a Domain Account,
like for example "albert@antapex.org", or an AD group, Local Group, etc..).

The parameters in parentheses, might seem weird, but they stand for Object Inheritance (OI)
and Container Inheritance (CI).

Did you notice what a silly guy I am? Notice the "F" permission of Full Control in the command above.
It's practically never needed to grant "F" to a normal useraccount or group. Use "M" if you want the account
to modify files (R and W and other), but F is usually too much.
Simply use RX if you only want to grant Read permissions.

The following is only for inspiration, for you to build easy scripts, using icacls.

Much malware runs in the security context of the user which started it.
So, suppose you have MyPC\Joe and MyPC\Donald as accounts on your PC.
Next is a bit of a silly example, but it's only for demonstration purposes.

=>Suppose, if you want to do serious work, and access and modify datafiles in D:\DATA,
you might logon as MyPC\Joe.
The Administrator already set the permissions before, using the Modify permission
granted to MyPC\Joe:

C:\> icacls "D:\DATA" /grant MyPC\Joe:(OI)(CI)M /T

So, MyPC\Joe, can modify files in D:\DATA and all subfolders.

=>Suppose, you only want to browse the Internet, use mail, social media etc..,
then you might logon as MyPC\Donald.
The Administrator already set the permissions before, using the RX permission
granted to MyPC\Donald:

C:\> icacls "D:\DATA" /grant MyPC\Donald:(OI)(CI)RX /T

So, MyPC\Donald, can only list and read files in D:\DATA, but not modify them.

If you need to remove the NTFS permissions:

C:\> icacls "D:\DATA" /remove MyPC\Testuser /T

Yes, silly example of course, but it was for illustration purposes only.
But you can build all sorts of batch files, using icacls, operating on accounts and folders.

Using multiple accounts, for separate sorts of work, looks a bit "paranoid" indeed.
Sorry for that. However, if you work it out, then it will work in protecting data.

The main point is: having good NTFS permissions on filesystem objects, really helps.
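
One way to check the advice of this subsection on an existing folder tree, as an added example that is not part of the original note: the PowerShell script below lists every folder under a data root where "Everyone", "Authenticated Users" or "Users" is allowed to change or delete files. The root E:\data is the example path used above; the script only reads permissions and changes nothing.

```powershell
# Added example, not part of the original note. Read-only audit of NTFS permissions.
param(
    [string]$Root = 'E:\data'   # assumption: the example data folder of this subsection
)

# Well-known SIDs of the broad groups named above. SIDs are used because the
# display names differ between Windows language versions.
$broadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'Users'
}

# Rights that allow changing or deleting files.
$rights    = 'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$writeMask = [int][System.Security.AccessControl.FileSystemRights]$rights
# Inherit-only entries can carry generic bits instead of the specific rights.
$writeMask = $writeMask -bor 0x40000000 -bor 0x10000000   # GENERIC_WRITE, GENERIC_ALL

$folders = @(Get-Item -LiteralPath $Root) +
           @(Get-ChildItem -LiteralPath $Root -Recurse -Directory -ErrorAction SilentlyContinue)

$findings = @(foreach ($dir in $folders) {
    try {
        $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction Stop
    }
    catch {
        Write-Warning "Cannot read permissions of $($dir.FullName): $($_.Exception.Message)"
        continue
    }

    # Ask for explicit and inherited entries, with the account given as a SID.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        $sid = $rule.IdentityReference.Value
        if ($rule.AccessControlType -eq 'Allow' -and
            $broadSids.ContainsKey($sid) -and
            ([int]$rule.FileSystemRights -band $writeMask)) {
            [pscustomobject]@{
                Folder    = $dir.FullName
                Group     = $broadSids[$sid]
                Rights    = $rule.FileSystemRights
                Inherited = $rule.IsInherited
            }
        }
    }
})

if ($findings.Count -eq 0) {
    "No broad group has write access under $Root."
}
else {
    $findings | Sort-Object Folder, Group | Format-Table -AutoSize -Wrap
}
```

An entry reported with Inherited = True comes from a parent folder, so it has to be changed there (or inheritance has to be adjusted on the folder itself) before a removal with icacls has effect.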

4.7 attrib command:

While NTFS permissions are more important, a simple way exists to make files read-only, and hidden.
This can be done by using the attrib command. A small chance exists that the enumeration algorithms
of malware do not take attributes into account (which are just flags, and not ACL's).
Don't have high hopes of the effect, but it's really easy:

Suppose you have an excel directory and a photo directory within E:\DATA.

E:\DATA\excel> attrib +r +h +s *.*

makes all files flagged as hidden, read-only, and as systemfiles. In effect, with simple enumerations,
you don't see them anymore, and they are read-only (yes, I know, it's simple).


E:\DATA\excel> attrib -r -h -s *.*

sets the flags back to the opposite (as they were before).

It's not hard to create a batch which can do that over a bunch of data folders.
Is this any good? No, not really. But it is an option.

4.8 Shadow copies of data:

This is about VSS: Volume Shadow Copies on Disk.

Did you know that most Windows versions (at least as of Win7), use a reserved part of diskspace
to store "shadow copies" of directories? Maybe your data directory is included in such a "Shadow Copy".

Multiple copies of a folder can be stored, like from yesterday, one week ago etc..

From data in folders, VSS only copies changed blocks into VSS area, thereby limiting the needed diskspace
for storing files.

Simply from the file explorer, rightclick the folder you are interested in, and look in the menu
if you have the option to "restore a former version".

However, some modern ransomware instances try to destroy the Shadow copies as well, but most
do not. Maybe you are lucky, after a ransomware attack, and you do not have regular backups.
In such case, shadow copies might help you.

Check the Web to see what you can do with those "shadow copies". It's quite good.

4.9 The sfc and dism commands:

SFC, or the System File Checker, enables you to replace corrupted, or missing, systemfiles,
so it has nothing to do with datafiles.
Even if there are no complaints or any error messages, you can run "sfc".

The "dism" command has a similar functionality, and even much better compared to sfc.
Sfc will use a cached folder to replace files, while dism can practically use any location.

For later versions of Windows, you first must use the "dism" command. This holds for Win8.x and Win10.

- Start an elevated prompt (Run as Administrator).

- For Win8.x, Win10 run:

C:\> dism.exe /Online /Cleanup-image /Restorehealth

You see the /Online switch, meaning that dism tries to use "Windows Update" for any replacements.

If that does not work, e.g. online is not available or something, but you have any Win source
available (DVD, networkdrive, sxs dir, or whatever) of the SAME version, then use:

C:\> dism.exe /Online /Cleanup-Image /RestoreHealth /Source:WhatEverSource /LimitAccess

where "/Source:WhatEverSource" could be e.g. "/Source:F:\win10".

For older versions of Windows, from an elevated prompt session, you can always try to use:

C:\> sfc /scannow

It's highly recommended to do a websearch on dism and sfc (certainly for dism), to learn more.

Old txt file with DOS/CMD commands:

The following is one of my old txt files, containing dos/cmd commands, of which some may be useful
in checking the status of the machine, services, processes, network, and other info.
If you like to see it, try: Some dos/cmd commands.

5. Other info:

The following doc might provide some further tips. It's not really great, or something,
(since it's one of my own notes), but it might (?) provide some useful info. I am not sure.
But, there are indeed some sections with recommendations. So, I list it anyway.
But I just found out that I need to do some serious re-editing of that note.
There is way too much blabla in that note, so I make that better. But the core repairs
will be also found in the section 7.

Windows repair, data salvage, and some tips.

6. The usual cleanup procedure:

Nothing is perfect, and that certainly holds for this note...
It's not guaranteed the best options are presented in this section: It's my view only.

After you have noticed a "ransom message", the question is of course, what to do next.
At this stage, it's quite likely you have encrypted datafiles, but the system itself might
be compromised too (e.g. damaged systemfiles), although the latter does not often happen.

If you have backups of data, you are relatively unharmed, since you can restore the data
at a slightly later moment. It's only a lot of hassle.

If possible, make a screendump, or write down important key items, from the Ransomware Message
which usually was (is) displayed on your screen. (Usually, there exist .txt files as well, with the same
message, for example in folders where encrypted datafiles are around).
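
To collect the two identifying details mentioned here and in section 3 (the extension appended to encrypted files, and the message files left in the folders), the following PowerShell script can be run on the isolated machine. It is an added example, not part of the original note; the folder E:\DATA, the threshold of 5 and the two extension lists are assumptions to adjust.

```powershell
# Added example, not part of the original note. It only reads file names and
# sizes; it does not open, change or delete anything.
param(
    [string]$Root     = 'E:\DATA',  # assumption: the example data folder of this note
    [int]   $MinCount = 5           # assumption: report only what occurs at least this often
)

# Ordinary document extensions (assumed list). A file like "bookkeeping.xls.xyzw"
# has one of these as its second-to-last extension and the appended one as its last.
$docExt  = 'doc','docx','xls','xlsx','ppt','pptx','pdf','jpg','jpeg','png','csv','zip'
# File types in which a ransom message is typically readable as text (assumed list).
$noteExt = '.txt','.html','.htm','.hta'

$files = @(Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue)

# 1. Which extension was appended to document files, and how often?
$appended = @(foreach ($f in $files) {
    $parts = $f.Name.Split('.')
    if ($parts.Count -ge 3 -and $docExt -contains $parts[-2]) {
        $parts[-1].ToLower()
    }
})
$extReport = $appended | Group-Object |
    Where-Object { $_.Count -ge $MinCount } |
    Sort-Object Count -Descending |
    Select-Object Count, @{ Name = 'AppendedExtension'; Expression = { $_.Name } }

# 2. Small text-like files with the same name in many folders: candidates for the
#    ransom message, which carries the identifiers worth writing down.
$noteReport = $files |
    Where-Object { ($noteExt -contains $_.Extension) -and ($_.Length -lt 64KB) } |
    Group-Object Name |
    Where-Object { $_.Count -ge $MinCount } |
    Sort-Object Count -Descending |
    Select-Object Count, Name, @{ Name = 'Example'; Expression = { $_.Group[0].FullName } }

'Appended extensions:'
$extReport  | Format-Table -AutoSize
'Possible ransom messages (same file name in many folders):'
$noteReport | Format-Table -AutoSize
```

Ordinary files such as a readme.txt that exists in many folders show up in the second list too, so the names are candidates to look at, not a verdict.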

Next follows a number of cleanup procedures.

Method 1 (not recommended, only for special cases).

It's sometimes advised that the system should not be powered down, since maybe, "very maybe"...
the prime numbers used to build the crypto keys remain in Windows memory and have not yet been wiped out.
Some sort of tool, can then hopefully reconstruct the decryptor key.

Generally, this looks like wishful thinking, and it would only work for a few ransomware instances.
At this point, I only know of one article stating success, using this methodology.

If you have data backups, then I do not support option (1).

Also, it's not a common, or publicly advised rule, and will only work in some cases.

Thus in general, procedure (1) is not the best answer, except in some rare cases.
But you still might pursue this option, if you have found decryptor routines, and have no data backups.

Method 2. (Reasonable, but method 3 is better and safer).

So, if you look at the mainstream of articles discussing the next steps, it goes like listed below.
It's now assumed that you indeed have backups of datafiles.

-Disconnect the machine from any external storage (if that applies in your case).
-Reboot to safe mode with networking enabled.
-Logon to the system, and perform a thorough scan with your AV software.
(it could not hurt, if possible, to update the AV software with the latest malware database).
-It might be that the AV software reports that malware was found, and was cleaned up, or
that nothing was found at all.
-If possible, do another scan with a free edition of another AV manufacturer (optional).
-Reboot again in normal mode.
-Start a command prompt, as an Administrator, and perform the "dism" command or "sfc" command,
as was shown in subsection 4.9.
-It's likely you need to further cleanup Ransomware message files, and the encrypted datafiles.
-If everything looks OK, you can restore the backups of the datafiles.

Of course, startup options of the system, and Registry entries were possibly faulty too,
but the AV scan/repair should have taken care of that.

So, (2) looks like a decent procedure. I personally agree, but I think (3) is more safe.

Method 3. (The best procedure, in my opinion).

But..., I would have recommended a full reinstall of the Operating System, again an AV scan, followed by
a restore of the datafiles.
This seems like an overkill for most cases. So, indeed. Option (2) above looks like a pretty decent procedure.

-It can indeed be quite some work to install and configure special software, like bookkeeping software,
cashiering apps, or cadcam software, etc...
-A reinstalled system also seriously lags behind in security patches etc.. And it thus needs
special attention to this subject too.

So, normally, I advise a reload of Windows. But others say that this is unnecessary in many cases.
And they may have a point.

It's a bit strange, but I am somewhat uncomfortable now, in keeping the position of a reload of Windows.

But, after careful consideration, I still favour a complete reinstall of the Operating system,
and reinstall (or restore) of all applications.

The deep reasoning behind a reinstall of Windows, simply is the fear of damage to the Operating System,
and e.g. faulty Registry entries, and all sorts of other stuff, which could keep lurking around etc..
But good AV software, with dism/SFC, will all detect that. However, still not good enough for me.

In summary:

- Only for very special cases, and no data backups: option (1). But it's a bit wishful thinking.
- A reasonable approach: option (2). I agree to that. It's a methodology often found in articles on ransomware.
- The best approach: option (3). I find this much better. Just my opinion.

-In general: Reinstall the System (or restore image) + restore datafiles, EXCEPT if you know
for sure, that in your specific case (with your specific ransomware), it's good enough to follow
method (2).

-Important: The above, represents my own view only.
Most articles do not refer to a reinstall of the OS. They describe a procedure similar to method (2).
So, if you prefer (2) above (3), that could be right. I only wanted to exclude any risks.

So, this simple note will not be good enough without telling how to simply backup data files,
and how to make a system image of the OS (plus optionally all Apps).

7. A few words on how to backup and restore your PC/Laptop (private user):

All in this section might be perceived as rather trivial stuff. If indeed so, sorry about that.

7.1 Hot and Cold files:

=> When you have data folders which store e.g. Word documents, Excel files, pdf's, photo's etc..
then these are "cold" files. No process is accessing them, unless you have one such file
open in an application. There is no problem to copy them from one disk to another disk (like usb disk),
and it's all a clean operation. Very simple.

=> Some other business datafiles, may not be "cold". Like database datafiles, or some datafiles
belonging to some accounting program. Just copying them, "just like that", from one disk to another,
may not lead to the desired result. This is because the datafiles are "hot", and a process, or many
processes, are accessing them (the files are "open").
Probably, some "records" inside such a file, are read, or are in the process of being updated etc..
If you think you have such software, then consult the manual (or internet), for specialized backup
commands or procedures.

For example, if I have SQL Server running (a database engine), and I have an "accounting" database (also
with that name), then from a SQL Server utility, like "the SQL prompt" SQL>, I can make a full backup
by a command like:


The database backend engine, then knows exactly how to handle such command.

The result is, a full backupfile, named ACCOUNTING_18112020.BAK, which gets created in the folder U:\BACKUPS,
which might be a networkdrive, or external USB disk, or other internal disk etc...
I cannot just copy the database files to U:\BACKUPS\, unless I shutdown SQL Server (and the files become "cold").

So, keep in mind that some business programs keep files open, and just using commands like "copy", or using
OS graphical utilities (like file explorer), will not create consistent backups.
Often, you need utilities from the suite itself, or shutdown the service(s) of that App.

But the larger majority of datafiles on private machines, are Documents, Spreadsheets, pdf's, photo's,
or Dev. sources (.html, .php, C# sources etc.. etc..), which are all "cold", and can be copied
with ease, and no worries.

What are the further topics in this section? How to create data backups, how to create a System Restore point,
how to create a System Image, how to repair boot entities, and how to restore backups.

7.2 This will be quite an Informal discussion:

When you dive into backup/recovery techniques, you will soon encounter terms as Retention period,
Full backups, Differential backups, Incremental backups, Snapshots etc..

Here you will see none of all that stuff. I am not saying that it's good to leave out all that stuff.
But, I want a simple, but effective, method. I want a few decent and independent backups of my datafiles.
Indeed, this note is targeted for an "average", private, PC/Laptop user.

Maybe I am dumb, but I don't care about that. I like to play it safe, so let's say I have two independent USB disks,
and another PC (with a shared folder) on my network, which will also store backups of my (main) PC.
So, I have 3 backup locations. It's just an example.

You can also use a storage facility in the Cloud, but I advise to have local copies too.

So, we are not a large datacenter, and we just want a couple of independent backups.

Some recommendations:

=>Especially to counteract ransomware: Ransomware is often able to enumerate (discover)
all storage you have available on your PC (like C:, D:, F:, U: etc..., and possibly even UNC paths).
So, after a backup is done, (nicely) disconnect the backup device (like usb disk, or backup Server etc..).

=>Also important: Having very recent backups is great. But keeping slightly older backups,
(a few days old, a week old or so, all up to you) is highly recommended.

=>Only rely on multiple media. For example, having only "1" backup device, is not good.

=>It helps if you have "organized" (most) of your datafiles, in some main folder, and subfolders,
where each subfolder contains some particular type of data, like:
E:\DATA, and within E:\DATA, subfolders like E:\DATA\EXCEL,

So, what you could do, for example, is to have one USB disk which stores a week old backup, and then backup
daily to the other USB disk. When a week has passed, reverse the roles of those disks.
Then you always have backups of one week ago, together with very recent backups. Then, once in a while,
(say, every month), store backups at the backup server on your network. It's just a suggestion, no more.
You can figure out a simple rotation scheme, which suits you best.

7.3 Simple data backups:

Using the native "Microsoft Backup tool" is probably the best option to backup data.
Or, possibly, if you know how to use it, the well-known and very versatile "robocopy" utility.
However, I will illustrate the use of "xcopy" only. It's simple and practical.

=> Using xcopy to backup to e.g. a USB disk.

-I would love to discuss "robocopy", since it's a great backup tool, with enormous capabilities.
For such a simple and small note as this one, time and space are a bit limited.
I can certainly advise to take a look at robocopy (it should already be on your system).
For example, it not only can copy, but also "sync" directory trees, and much more.

-Using the "Microsoft Backup tool". You can also follow Microsoft's recommendation for data backups.
It's probably the best option for data backup/restore. There are many webpages discussing this method,
so I will say nothing about it.
It's not only usable to backup files, but it can also keep a "history" of files as well.

I will do a step backwards (to xcopy), indeed a more primitive way, but which will always work,
on any version, on any Win PC.

-The standard tool "xcopy" is not so bad, actually. Next follows an illustrative example.
Suppose on a local disk (partition) E:, we have E:\DATA with subfolders. Suppose U: is
an external backup disk. Then, from the command prompt:

First, go to U: and, if necessary, create the directory DATA.
Then go to the datadrive E: again, change to E:\DATA, and use "xcopy":

E:\> cd \DATA
E:\DATA> xcopy *.* U:\DATA /S

Do not forget the "/S" switch with "xcopy", since this will make sure that all subfolders
in E:\DATA, will be copied as well to folders inside U:\DATA.
The command has many switches, also to copy new files only. However, this simple, maybe somewhat primitive syntax,
ensures that everything in E:\DATA is fully copied to U:\DATA.

It's quite the same, if you instead would use the File Explorer, and highlight E:\DATA,
rightclick, choose "Copy", then goto (highlight) U:\ (indeed the root), and choose "Paste".

I know that this is a very simple, and somewhat primitive, method, but it works, for small volumes of data,
and high volumes of data.

If the amount of files, or the total size, is really large, the third party tool "TeraCopy"
uses optimized algorithms for handling large volumes, or very large filesizes.

So, you have a way (via command prompt, or using the GUI) to backup all simple data objects to
a storage device such as a USB disk.

Note for USB disks:
Most often they are formatted with the FAT32 filesystem. No problem in storing datafiles,
but FAT32 will not store the associated ACL's (the permissions). This is not a really large problem,
since if you restore to E:\DATA again, objects inherit the permissions of the container (the folder).

Performing a full restore is exactly the other way around of the xcopy command shown above.

U:\DATA> xcopy *.* E:\DATA /S

In case of an attack, you should first have fully cleaned the system, and have removed all
encrypted files from the E:\DATA directory. Or just remove everything, and create E:\DATA again.
Then, perform the restore. Do not forget to check and adjust the NTFS permissions.

Remark: If you do not have backups, some folks say that you best backup the encrypted datafiles,
since you never know if a decryptor might become available at a later time.

Of course, you can also copy just one file, or a selection of files, from "U:\DATA" to "E:\DATA",
or to another location. For example "U:\DATA\ACCOUNTING> copy june2019.xls E:\DATA\ACCOUNTING".
Here I simply used the standard "copy" command from the cmd prompt.

=> Using xcopy to backup to a networkdrive.

Ransomware is often able to enumerate (discover) all storage you have available on your PC,
(like C:, D:, F:, U: etc..., and possibly even UNC paths).
So, that's also true for a "network drive", mounted on some shared folder on a Server (or other PC).
If you do a backup to a networkdrive, then after a backup is Done, then (nicely) disconnect
the networkdrive, or disconnect that Server (or the other PC) from the network.

You can do a similar action to a networkdrive (say F:), just like you did with the local USB disk.
Indeed, you can do everything from the GUI.

Let's see how you can do it from the command prompt. Suppose we have Server STARBOSS with a shared folder
"backups". Then the UNC path to that location is "\\STARBOSS\backups".

Suppose on STARBOSS the following account exists "STARBOSS\bckup".

Then you can try:

E:\DATA> net use * \\STARBOSS\backups /user:STARBOSS\bckup

Then STARBOSS asks for the password of the (local) account STARBOSS\bckup.

After you have entered the correct password, a drive letter returns, like say F:
Thus F: is now connected to \\STARBOSS\backups.

Now you can use the "xcopy" command, fully similar as we already have seen above:

E:\DATA> xcopy *.* F:\ /S

Or you can simply use the File Explorer for copy activities.

When you are done making backups, delete the mount, e.g. via "E:\DATA> net use F: /delete"
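
The network-drive procedure above, and the same copy to the USB disk earlier in this section, written as one batch file; this is an added example, not part of the original note. E:\DATA, \\STARBOSS\backups, STARBOSS\bckup and F: come from the text; the dated folder name DATA_yyyymmdd, the extra xcopy switches and the file count check are assumptions of this example.

```bat
@echo off
rem Added example, not part of the original note.
rem From the note: E:\DATA, \\STARBOSS\backups, STARBOSS\bckup, drive F:.
rem Assumptions of this example: F: is free, each run goes to DATA_yyyymmdd.
setlocal EnableExtensions

set "SRC=E:\DATA"
set "SHARE=\\STARBOSS\backups"
set "ACCOUNT=STARBOSS\bckup"
set "DRV=F:"

if not exist "%SRC%\" (
    echo Source folder %SRC% not found, nothing to back up.
    exit /b 1
)

rem Date stamp that does not depend on the regional format of %DATE%.
set "STAMP="
for /f %%i in ('powershell -NoProfile -Command "Get-Date -Format yyyyMMdd"') do set "STAMP=%%i"
if not defined STAMP (
    echo Could not determine the current date.
    exit /b 1
)

rem The "*" makes net use ask for the password, so it is never stored in this file.
rem /persistent:no: Windows does not reconnect the share by itself at the next logon.
net use %DRV% "%SHARE%" * /user:%ACCOUNT% /persistent:no
if errorlevel 1 (
    echo Could not connect %DRV% to %SHARE%.
    exit /b 1
)

set "DEST=%DRV%\DATA_%STAMP%"

rem /S subfolders as in the note, /E also the empty ones, /H also hidden and
rem system files, /I destination is a folder, /Y do not ask before overwriting.
xcopy "%SRC%\*.*" "%DEST%" /S /E /H /I /Y
set "RC=%ERRORLEVEL%"
if not "%RC%"=="0" (
    echo xcopy ended with exit code %RC%. This backup is NOT complete.
    goto unmount
)

rem Sanity check: the backup must hold at least as many files as the source.
set "NSRC=0"
set "NDST=0"
for /f %%n in ('dir /s /b /a-d "%SRC%" 2^>nul ^| find /c /v ""') do set "NSRC=%%n"
for /f %%n in ('dir /s /b /a-d "%DEST%" 2^>nul ^| find /c /v ""') do set "NDST=%%n"
echo Files in source: %NSRC%   Files in backup: %NDST%
if %NDST% LSS %NSRC% (
    echo The backup holds fewer files than the source. Check it before relying on it.
    set "RC=1"
)

:unmount
rem Always disconnect, also after a failed copy: a share that stays mounted is
rem storage that ransomware on this PC can reach.
net use %DRV% /delete /y
if errorlevel 1 echo WARNING: %DRV% is still connected. Disconnect it by hand.

if "%RC%"=="0" echo Backup written to %SHARE%\DATA_%STAMP%.
exit /b %RC%
```

For the USB disk, leave out the two "net use" commands, set DRV to U:, and unplug the disk when the script has finished. Because every run writes to its own dated folder, older backups stay available next to the most recent one.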

For now, that's it about backing up data directories. It was all a bit primitive, maybe.
Of course there are plenty of nice backup/restore utilities. Maybe you like those better.
Or, maybe the cloud is your way to go.
The only keypoint is: have some good backups of your data.

Maybe you would say, that xcopy stuff, is stupid and from 1000 years back.
True, but it works. But..., Maybe you should see what the standard "Windows backup tool" has to offer,
if you don't know it already.
It's pretty simple, and works fine. I have nothing to write on the standard Windows backup tool:
It's practically too simple to work with (but it's quite good).

7.4 Creating a System Image:

A System Image is a snapshot of the Partition on which Windows is installed.
It can even be larger, by selecting more partitions when configuring this sort of backup.

So, it's usually a rather large sort of backup, taking up a lot of space.

-It's a good option for "Disaster Recovery" to recover the whole system.
-It's not intended for data backups (some datafiles, or data directories). For that, see section 7.3.

A smaller set of critical systemfiles and configuration, is called a "Restore Point".
A Restore Point is not equal to a System Image. A Restore Point is handy before new Apps
are installed, or before a patch is applied, or when you just want to have a reference point of the configuration
of the OS (including the Registry). On most Windows versions, this happens automatically; only on Win10
do you need to activate the automatic creation of Restore Points (somewhat strange really).

I personally am not particularly wild about a "System Image". However, having a reasonably recent version
available, could help out when your system dies (possibly by a serious diskfault or so, or by some ransomware which has
destroyed system files).

How good a System Image is for you, just depends. For me personally, reinstalling the OS, installing Apps,
and doing a bit of configuring, works good enough. Indeed, for me, only the "data" is Holy...
You know of course that Albert is the author, so do be critical of whatever he writes..

So, you might have a complex configuration, with special applications, which are very difficult
or timeconsuming to install and configure. Then a System Image is really good.

Three more important points to consider:

- A system image should be stored on disk media, formatted with the NTFS filesystem, and not FAT32.
It's possible to use DVD's too (a bit old fashioned maybe). You can use a networkdrive as well.

- Restore from a system image goes via a boot of (a good or faulty) Windows, to a Recovery Environment.

- Creating a System Image, once every one, or two months, seems reasonable for a Private user.

How to create a System Image:

It depends a bit on your Windows version. From Control Panel, you might find a Backup Applet, or File History applet,
or other applet, from which you can start to create a System Image.

How to Restore a System Image:

Usually, at the earliest boot time, you can go into "a special boot recovery menu".
Or, if Windows could not boot properly, it may automatically go to that recovery menu.

So, usually, we would have:

Recovery Menu -> Troubleshoot -> Advanced Options -> System Image Recovery

Repair Disk:

If you would have created a "Repair Disk", then you can also boot from that Disk (DVD, USB disk),
and a minimal Windows version starts up (WinRE), which will show a menu from which
you can also choose to perform a System Image Recovery.

It could be true, in some cases, that you first need to enter the BIOS, or UEFI Bios emulation,
and choose to boot from DVD or USB.

7.5 Creating a Restore Point:

From Control Panel, via the System applet, find the tab "System Protection".
The Items on this pane, all have to do with Restore Points, like creating a new one, or delete
older Restore Points, as well as to configure a drive/partition for allowing to create Restore Points.

In the same pane, you can apply an existing Restore point, in order to revert to the State of the OS
as it was, when that particular Restore Point was created.

It contains drivers, essential OS files, the Registry, and other info, which defines the state of the OS
at the time the Restore Point was created. But it's not a full System Image.

It generally can help if the install of some App patch, or App, or driver etc.. went wrong.
Restore Points are kept in a hidden folder called "System Volume Information".

Up to now, I am not aware, if a Restore Point was indeed ever helpful in restoring a system after
a ransomware attack. Opinions may differ, but a Restore Point is generally not helpful in system damage.

Indeed, that's a difference with a complete restore using a "System Image", because then it's evident
it will restore a system, completely back to its former state (at the time the Image was created).
Anyway, Restore Points helped me (and other users) to revive from misconfiguring systems.

This all is minimum info, indeed. Only if you didn't know it existed at all, it was perhaps a bit helpful.
Maybe you like to do a thorough websearch on the ins and outs of Restore Points.

-Opinions may differ, but I think it has been made likely, that Restore Points are no suitable means
against ransomware (in case systemfiles would be damaged).

-A Restore Point is more apt for situations when you want to RollBack from misconfigurations,
or installations which went wrong. It's not a full Restore of the System.

7.6 A few remarks on WinPE/WinRE:

WinPE and WinRE, both are a sort of "mini Windows" Operating system, with a kernel, some API's,
drivers, user environment etc.., and you can use them for a range of operations.

WinPE is short for "Windows Preinstallation Environment", and WinRE is short for "Windows Recovery Environment".

WinPE's purpose, is slightly more geared towards installations, while WinRE's purpose,
is slightly more geared for recovery.

Most folks say that WinRE is based on WinPE, including tools for Recovery.
From that viewpoint, they are very similar, with, in headlines, just an accent shift.

For quite some time, most machines come with a Recovery Partition, from which you can boot to WinRE,
so many machines already "have it". WinPE on the other hand, must be downloaded and linked
from the ADK related Microsoft site.
Sometimes, Microsoft slightly alters the links and contents of the ADK ("Assessment and Deployment Kit"),
of which WinPE is a part. A small bit of a hassle, but not a real problem.

Let's say, that both are quite similar, and both can be used for recovery operations, like booting
from media having WinRE/WinPE, and then e.g. copy data from a broken bootdisk to another disk.

This fact has nothing to do with ransomware, or bootrepair. Indeed, it could just happen that
your machine breaks down, and will not boot anymore. With a DVD, or USB, with WinPE, you can still
boot and try to copy data to healthy media.
So, having a bootable DVD or bootable USB, with WinPE, is certainly valuable.
Although the above is true, it is often easier, in case of bootproblems, to boot to
the Recovery Environment (possibly automatically, or by 3 erroneous boots, or some keysequence),
and by using WinRE, reinstall an Image, or troubleshoot bootproblems.

As you will see below, WinRE, once booted, runs entirely from a "ramdisk". Furthermore, it has basic
support for WiFi and some more noteworthy properties.

7.7 The Recovery Environment (WinRE):

-If Windows failed to boot 3 times in a row, it "usually" (or should), start the Recovery Environment.
You could also press the reset (on/off) button, three times in a row.
-If Windows really could not boot, it should start the Recovery Environment, depending on the damage of course.
-There are ways to manually enter the Recovery Environment, from a running Windows, by holding shift and
selecting "Restart button" (if you can find it...), or e.g., by using the shutdown command:

C:\> shutdown /f /r /o /t 0

------Intermezzo (if you are interested... But you can skip it if you want.):

Let's checkout if you have the Recovery Environment.

Usually, folks use the DISKPART, or MOUNTVOL tools, to assign a driveletter to the "Recovery Partition",
and once easily accessible, you can browse around, and quickly discover that you indeed have
a Recovery Partition, like seeing a large file like INSTALL.WIM (or other filename).

I like to do it this way, namely via the boot manager:

From an (elevated) command prompt, run:

C:\> bcdedit /enum

=> If you get back records like:

path..................\EFI\Microsoft\Boot\bootmgfw.efi (note this line)
path..................\Windows\system32\winload.efi (note this line)

Then your system uses UEFI (or EFI) type of pre-boot.

=> If instead you see:

path..................\Windows\system32\winload.exe (note this line)

Then the machine uses BIOS/MBR type of pre-boot.

Now try this command:

C:\> bcdedit /enum all

The "all" option shows, among other stuff, the full boot entries of the boot manager.
If you see lines like:

description.........Windows Recovery Environment
description.........Windows Recovery

then at least your boot manager is (or was) aware of a Recovery Partition. Of course, in exceptional cases,
one (theoretically) could have deleted the Partition, possibly by not knowing what it was good for.
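
The two bcdedit checks above, combined into one batch file that reads the output for you; this is an added example, not part of the original note. It assumes an elevated prompt and an English Windows (the "description" text is localized), and the name of the temporary file is this example's own choice.

```bat
@echo off
rem Added example, not part of the original note.
rem Assumptions: elevated prompt, English Windows, temp file name chosen here.
setlocal EnableExtensions
set "OUT=%TEMP%\bcd_enum_all.txt"

rem bcdedit needs an elevated prompt; without it the command fails.
bcdedit /enum all > "%OUT%" 2>nul
if errorlevel 1 (
    echo bcdedit failed. Start the command prompt with "Run as administrator".
    del "%OUT%" 2>nul
    exit /b 1
)

rem A path line with winload.efi means UEFI pre-boot, winload.exe means BIOS/MBR.
set "BOOT=not recognised"
findstr /i /c:"winload.exe" "%OUT%" >nul && set "BOOT=BIOS/MBR"
findstr /i /c:"winload.efi" "%OUT%" >nul && set "BOOT=UEFI"
echo Pre-boot type: %BOOT%

rem A description line with "Windows Recovery" means the boot manager is, or was,
rem aware of a Recovery Environment. It does not prove the partition still exists.
set "WINRE=no"
findstr /i /c:"Windows Recovery" "%OUT%" >nul && set "WINRE=yes"
echo Recovery entry known to the boot manager: %WINRE%

del "%OUT%" 2>nul
if "%WINRE%"=="yes" (exit /b 0) else (exit /b 2)
```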

I like to show the use of DISKPART, but I leave it out here. In quite a few articles, one might read
that the Recovery Partition is always the Partition with number "so-and-so".
That is not true. So, on your machine, it could possibly have any number.

On the Recovery partition, a lot of files might be present, like INSTALL.WIM, WinRE.wim,
and boot.sdi etc.. However, the Manufacturer of your PC/Laptop, might have chosen another
sort of configuration, since all sorts of scripts implement the restore of the image.

On my Recovery Partition, I see an INSTALL.WIM file (Windows Image File), but you might see
other filenames. Let's see what is in it:

H:\RecoveryImage> dism /Get-WimInfo /WimFile:INSTALL.WIM
Deployment Image Servicing and Management tool
Version: 6.2.9200.16384

Details for image : install.wim

Index : 1
Name : Windows 10 Pro
Description : Windows 10 Pro
Size : 28,792,536,024 bytes

So, it has an Image for Win10 Pro. It actually is a "capture", or snapshot, of a template machine,
of which the Manufacturer thought it was a good model to install on multiple machines.
Anyway, it's very likely you have such "capture" too, on a (hidden?) Recovery Partition.

------End Intermezzo.

So, what is the Recovery Environment good for...?
After the machine boots to the Recovery Environment, on Win10 you see a screen similar
to the figure below:

Figure 1: Recovery Environment.

In all honesty, all the options shown, speak for themselves. For example, you can restore an Image,
or apply a "Restore Point" (not a full image), and other options like starting a command prompt,
or perform a "Startup Repair".

-When there were bootproblems, of course you might first try the repair suggested by "Startup Repair".

-If "Startup Repair" did not help us out, then we can try more advanced repair options,
by using the command prompt. See section 7.9.

7.8 Creating bootmedia:

In general, folks then quickly think about a DVD or USB disk/flashdrive.


If your PC/Laptop has a DVD player, it's easy to create a Repair Disk containing WinRE,
and recovery options (including command prompt with boot repair commands).
However, DVD is much less popular compared to a few years back.
In Europe, so I observe, many modern PC's/Laptop's don't even have them any more.

Just start Control Panel, find the Backup applet, and search for "Create repair disk".
It's really that easy. Not only can you boot to the Recovery Environment, but also,
after booting using the DVD, you can try to salvage datafiles in case the harddrive
really cannot boot any more.


7.9 Using commands for bootrepair:

8. More advanced techniques from Science:

What really is a potential solution, is that some interface monitors processes, and if encryption
is detected, a roll-back is done to the former file, using the copy-on-write method.
The latter simply means, that before a block is modified, that block is copied to a reserved area.
It can also be used for a roll-back, in case of an infection.

Such mechanisms have been in use in backup/recovery operations for a long time by now.

Some organizations are pretty close to a full solution. But other solutions are in "the making" too.
Maybe I can find some nice articles.

Here I like to place some interesting proposals from the scientific community.

8.1 ShieldFS:

The ShieldFS proposal (University of Twente).
pdf explaining ShieldFS in more detail (shieldfs.necst.it).

8.2 ARXIV docs: Analysis of ransomware and modern techniques:

9. An example ransomware attack with encryption:

Still busy selecting a reasonable example.

10. Info on the Most common file extensions of known ransomware:

There exists lots of ransomware, at least a couple of hundred identifiable instances.
I personally am particularly interested in how to "undo" the damage, using a decryptor, if one
is available. Next, I want to know which exploit they used (if any), and/or how
they got elevated privileges (if any).

Of course, the used file extensions (after encryption) are important too, since it may help in
identifying the malware, and thus the possible decryptor key, if it exists.

Below are two tables: Table I is quite simple, since it only lists the common ransomware name
with its used filename extension (like "mypicture.jpg.xyzw", where xyzw is added by the malware).
Table II tries to give some more specifics of known ransomware.

Table 1. Ransomware extension listings.

(in development: listings from other sites):

This sort of listing "links" the ransomware variants to the used file extensions (of the encrypted files).
Quite good listings already exist on other websites. So, here is a nice listing of such webpages:

Up to now: 4 links.

Not all ransomware will extend the filenames, with a specific extension to the names, but most do.

from "techviral.net"
from "avepointcdn.azureedge.net"
from "ransomware.zuckerscharff.com"
from "malwareid.nl"

Table 2.

(in development: my own work):

1. STOP:

=>File extensions after encryption:
=>Possible Related executables:

=>Most active period:

=>Created file system objects:

=>Used exploit(s) (if any):

=>Using external Servers (download):



=>Further description:


=>Possible Solution, if you do not have data backups:

2. Wannacry Ransomware:

Wcry, WannaCry, WanaCrypt0r, WCrypt, WCRY: using the NSA discovered EternalBlue exploits and variants (?)
=>File extensions after encryption:
=>Possible Related executables:
wnry.exe, wcry.exe, wcrydl.exe, wannacry.exe, taskhsvc.exe (=TOR server)
=>Most active period:
2017, 2018
=>Created file system objects:
Possibly a folder in Program Files\RAND_install_STRING
Possibly a working folder is created like [random number].WNCRYT
Ofcourse the encrypted datafiles.
=>Using exploit(s):
SMB exploits, among others.
One important delivery vector was the option
of Anonymous user (null session),
=>Using external Servers (download):
Yes, using TOR
Using WinApi + third party
for using RSA and AES algorithms
Initially: XP, Win2K3
Without MS17-010, higher Windows versions might be victim too.
It turned out that Win7 systems were massively infected.
=>Further description:
Wcry will enumerate all local and network drives mounted on the system.
Where there is access, encryption of datafiles follows.
Exploit Resolved with MS17-010.
Newer and patched systems: likely no problems expected.
However "copy-cats"/"variants" are likely to remain.
I have not found a complete solution. But that does not say anything, of course.
=>Possible Solution, if you do not have data backups:
Immediately after infection, do not reboot the system.
Please see: Blog Malwarebytes discussing options.

3. Clop Ransomware:

In fact a series of ransomware variants, resemble the "clop" model.
It's a very dangerous one, and it seems that here too (nov. 2020) no decryptor is available.

So, "clop" is actually a number of similar variants. Also, browsing through some tech analyses,
it seems to me that the Clop variants are all quite similar to "Ryuk" ransomware.
For example, both try to stop hundreds of Windows services (using "net stop" commands),
and try to "kill" Shadow storage by "vssadmin" commands.
Also the encryption module seems very similar.
Both are a rather remarkable combination of .bat and exe commands (or functions).

Some articles say that Ryuk is delivered as a payload of the Emotet and Trickbot malware,
or other malware. It's likely that the "clop" variants are delivered in a similar manner.

=>File extensions after encryption:
Often, or exclusively so far: .clop
=>Possible Related executables:
Files with names similar to this example:
"C:\users\Admin\AppData\Temp\Ransom.Win32.CLOP.dd8b499da9cafd369bc5dfbf18749f8dc5c1da8b.exe" .

=>Most active period:
since early 2019, and still very active.
=>Created file system objects:
Not yet known to me.
=>Using exploit(s):
Not yet known to me.
=>Using external Servers (download):
Not yet known to me.
In principle any Windows machine.
=>Further description:
I have not found any solution or decryptor. But that does not say anything, of course.
=>Possible Solution, if you do not have data backups:
Not available.

Still busy with Table 2. It's not really that interesting
for a reader, except if I would have seen a decryptor for a certain ransomware.

Still busy...

Any Questions, Tips, Remarks? Send me a mail: albertvandersel@zonnet.nl