Ransomware Removal Kit Could Help IT Admins

An enterprising security researcher has published a Ransomware Reponse Kit designed to help IT staff respond faster and more efficiently to infections which might lock employees out of their PCs.

Jada Cyrus posted the kit to developer collaboration site Bitbucket (via The Register), claiming it would help security professionals and system administrators “streamline the process of responding to ransomware infections.”

Cyrus added:

“You should never pay the ransom. This will only reinforce this type of attack. According to most security intelligence reports, criminal enterprises are already making large profits from ransomware.”

The kit itself features six elements.

These include instructions and removal tools to get rid of FBIRansomWare and Coinvault ransomware, as well Trend Micro’s ransomware removal tool and instructions on how to use it.

Also included are a FireEye tool to decrypt files encrypted by notorious ransomware CryptoLocker, as well as instructions on removal and threat mitigation.

CryptoLocker shot to notoriety back in 2013 as one of the first and most successful ransomware variants to encrypt all a victim’s files using a public key. The user is then forced to pay the attacker for the private key to recover their data or say goodbye to it forever.

Cyrus’ Ransomware Response Kit also features a tool to remove TeslaCrypt, a variant of CryptoLocker which emerged back in March targeting gamers.

TeslaCrypt is said to be aimed at some of the most popular games around, including Call of Duty, World of Warcraft and Assassin’s Creed – and could encrypt as many as 185 file extensions.

In fact, new research into the ransomware variant claims the gang behind it have managed to make over $76,000 in just 10 weeks – not a bad RoI.

Cyrus’ advice in case of infection is first to remove the affected system from the network, before identifying which variant has struck.

Next up, IT admins should create a copy of the threat if possible, which could help with decryption of files in the future.

If a decrypter is available, now is the time to use it.

“If possible, use restore points or backups to return to a safe state after removing the threat,” Cyrus adds. 

What’s Hot on Infosecurity Magazine?