Recovering Ransomware-Encrypted Files: Part 2
4. Talk to the hacker… but keep your cool.
If all else fails, it is time to get dirty and talk to the piece of human garbage that put you in this position, but the TL;DR of it all is: remove emotion when doing so.
The hacker will have left a method to contact them in order to pay the ransom. This is usually an email address, although depending on the sophistication of the malware it can sometimes be a Tor (dark web) link.
Before emailing the hacker, take a couple of steps to protect yourself from further harm. And keep the following points in mind:
5. The hacker is not necessarily very clever
It is extremely likely that the person who has encrypted your system is not a computer mastermind. In fact, the “hacker” likely purchased the ransomware product and is just following an instruction set on how to run the ransomware scam.
With this in mind, you may be able to negotiate with the hacker, or even trick them into giving you the decryption key.
- The hacker likely used an automated process to hack your computer, and won’t actually know who you are, how many files were encrypted or how many computers were compromised.
- The hacker is likely a group of criminals, and the person at the other end of the email exchange may change constantly.
- The hacker will probably be getting hundreds, if not thousands, of emails every day from victims and will be focused on minimising the time spent on correspondence. Hackers will be reusing email templates, responding with one-word answers, and are unlikely to respond to questions that don’t lead directly to them getting paid.
- The hacker will not be sympathetic to your particular situation.
- The hacker’s primary language is probably not English.
6. Set up a new, unrelated email address.
Use Gmail or any other public email provider and set yourself up a new address that is not related to you in any way.
Email the hacker and ask them how much it is to decrypt the files. Create a fake identity and send the email. Get as creative as you want to with this identity, just don’t link it with anything personally identifying or your data.
The hacker will probably ask you how many devices were encrypted, as ransomware can compromise an entire network. They will then tell you how much the ransom is, usually in bitcoin.
But let’s not get too bogged down by the ransom just yet.
7. Work out exactly what files you need recovered
Do you need every item on your computer (or network) recovered, or do you only really need the one document you spent the last 20 hours writing but haven’t sent off yet?
If you only need one or two files, then try this play:
When the hacker states their demand for a ransom, ask them to prove they actually can decrypt a file. They will almost always offer to decrypt a single file as proof that they can decrypt the rest on receipt of payment.
Great, you now have your most important file back.
Let’s say you need a handful of files. Remember that the hacker doesn’t actually have access to your system, so they don’t necessarily know whether two files came from the same place. You can therefore try emailing them from multiple email accounts and repeating the same trick.
This may not work, as more sophisticated ransomware generates a separate encryption key for each machine it infects. But as stated in part one of this series, the hackers running the ransomware scheme probably just bought the ransomware product and don’t know much about the underlying technology, so there is no harm in trying.