Recovery | P1 | ~120 min

Assess Decryption Options (Backups, Keys, Tools)

Evaluate all available decryption options: free decryptors from No More Ransom project, encryption keys from memory dumps, backup-based recovery, and volume shadow copy recovery. Exhaust all options before considering ransom payment.

Actions

  1. Check for free decryptors at nomoreransom.org and other researcher repositories. Upload a sample encrypted file (non-sensitive) and the ransom note to ID Ransomware for variant-specific tool recommendations.

  2. Analyze memory dumps for encryption keys using Volatility: `vol3 -f memdump.raw windows.memmap --dump --pid <ransomware_pid>`, then search the dumped memory for key material patterns. For some variants, keys are held in memory only until reboot.

  3. Check for surviving Volume Shadow Copies: `vssadmin list shadows` or `Get-WmiObject Win32_ShadowCopy`. Many ransomware variants attempt to delete VSS, but some fail. Restore from VSS if copies are available.

  4. Verify backup integrity by performing test restores of critical systems: `$backup = Get-VBRBackup -Name "Critical_Server"; $rp = Get-VBRRestorePoint -Backup $backup | Sort-Object -Property CreationTime -Descending | Select-Object -First 1; Restore-VBRItem -Backup $backup -RestorePoint $rp -Reason "IR Test Restore"` (restore points are sorted by creation time so the newest one is tested).

  5. For partial-encryption variants, attempt to recover the unencrypted portions of large files: database files, VM disk files, and archive files may hold recoverable data beyond the encrypted header.
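The key-material search in step 2 and the partial-file recovery in step 5 both come down to byte-level analysis of a blob on disk. The script below is an added example (not part of this playbook and not tied to any particular ransomware family) that does both: it scans a raw memory dump for Windows CNG `BCRYPT_RSAKEY_BLOB` structures by their real `RSA1`/`RSA2`/`RSA3` magic and validates the header fields before reporting a hit, and it builds a block-entropy map of a partially encrypted file so the intact regions can be carved out. The memory dump, the key blob contents and the "database export" are constructed in the script (random bytes stand in for ciphertext and key material); the 7.2 bits/byte entropy threshold and the 4 KiB block size are assumptions to tune per file type.

```python
import math
import random
import struct
from collections import Counter

# Header of a Windows CNG BCRYPT_RSAKEY_BLOB: six little-endian ULONGs
# (Magic, BitLength, cbPublicExp, cbModulus, cbPrime1, cbPrime2).
RSA_BLOB_HEADER = struct.Struct("<4sIIIII")
RSA_MAGICS = {b"RSA1": "BCRYPT_RSAPUBLIC_MAGIC",
              b"RSA2": "BCRYPT_RSAPRIVATE_MAGIC",
              b"RSA3": "BCRYPT_RSAFULLPRIVATE_MAGIC"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def rsa_blob_length(magic: bytes, cb_exp: int, cb_mod: int, cb_p1: int, cb_p2: int) -> int:
    """Total blob size implied by the header counts, following the CNG field order."""
    size = RSA_BLOB_HEADER.size + cb_exp + cb_mod            # PublicExponent, Modulus
    if magic in (b"RSA2", b"RSA3"):
        size += cb_p1 + cb_p2                                 # Prime1, Prime2
    if magic == b"RSA3":
        size += cb_p1 + cb_p2 + cb_p1 + cb_mod                # Exponent1, Exponent2, Coefficient, PrivateExponent
    return size


def find_rsa_key_blobs(dump: bytes) -> list[dict]:
    """Scan raw memory for CNG RSA key blobs; report only hits whose header is self-consistent.
    Legacy CryptoAPI PRIVATEKEYBLOBs also carry 'RSA2' but behind a BLOBHEADER, so they fail these checks."""
    hits = []
    pos = 0
    while True:
        pos = dump.find(b"RSA", pos)
        if pos < 0 or pos + RSA_BLOB_HEADER.size > len(dump):
            break
        magic = dump[pos:pos + 4]
        if magic in RSA_MAGICS:
            _, bits, cb_exp, cb_mod, cb_p1, cb_p2 = RSA_BLOB_HEADER.unpack_from(dump, pos)
            # Plausibility: common key size, modulus length matches BitLength, small public exponent.
            if bits in (1024, 2048, 3072, 4096) and cb_mod == bits // 8 and 0 < cb_exp <= 8:
                length = rsa_blob_length(magic, cb_exp, cb_mod, cb_p1, cb_p2)
                if pos + length <= len(dump):
                    hits.append({"offset": pos, "type": RSA_MAGICS[magic], "bits": bits, "length": length})
        pos += 1
    return hits


def encrypted_region_map(data: bytes, block_size: int = 4096, threshold: float = 7.2) -> list[tuple[int, int, bool]]:
    """Label each block as encrypted (entropy >= threshold) or not, merging neighbours into regions.
    Caveat: already-compressed content (zip, jpeg, compressed VM disks) also scores high, so a
    'True' region inside such a file means 'unknown', not proof of encryption."""
    regions = []
    for off in range(0, len(data), block_size):
        block = data[off:off + block_size]
        enc = shannon_entropy(block) >= threshold
        if regions and regions[-1][2] == enc:
            regions[-1] = (regions[-1][0], off + len(block), enc)
        else:
            regions.append((off, off + len(block), enc))
    return regions


def carve_plaintext(data: bytes, regions: list[tuple[int, int, bool]]) -> list[tuple[int, bytes]]:
    """Return (original_offset, bytes) for every region that does not look encrypted."""
    return [(start, data[start:end]) for start, end, enc in regions if not enc]


# Constructed stand-in for process memory: heap-like filler around one 2048-bit private key blob
# whose key bytes are random (not a real key). The blob starts right after the filler.
SAMPLE_FILLER = b"\x00" * 1024 + b"heap allocation for config strings " * 40
SAMPLE_BLOB_OFFSET = len(SAMPLE_FILLER)


def build_sample_dump() -> bytes:
    rng = random.Random(7)
    header = RSA_BLOB_HEADER.pack(b"RSA2", 2048, 3, 256, 128, 128)
    body = b"\x01\x00\x01" + rng.randbytes(256) + rng.randbytes(128) + rng.randbytes(128)
    return SAMPLE_FILLER + header + body + SAMPLE_FILLER


def build_sample_partial_file() -> bytes:
    """Constructed partially encrypted database export: first 64 KiB replaced by random bytes
    (the 'encrypted header'), remaining 192 KiB of row data left intact."""
    rng = random.Random(11)
    row = b"INSERT INTO orders VALUES (1042, 'widget', 9.99, '2024-01-01');\n"
    plain_tail = (row * (196608 // len(row) + 1))[:196608]
    return rng.randbytes(65536) + plain_tail


if __name__ == "__main__":
    for hit in find_rsa_key_blobs(build_sample_dump()):
        print(f"key blob at 0x{hit['offset']:x}: {hit['type']} {hit['bits']}-bit, {hit['length']} bytes")
    sample = build_sample_partial_file()
    regions = encrypted_region_map(sample)
    for start, end, enc in regions:
        print(f"{start:#010x}-{end:#010x} {'ENCRYPTED' if enc else 'plaintext'}")
    recovered = sum(len(b) for _, b in carve_plaintext(sample, regions))
    print(f"recoverable plaintext: {recovered} of {len(sample)} bytes")
```

Run it against the output of the `windows.memmap --dump` step by reading the dump file into `find_rsa_key_blobs`, and against a copy of a suspect large file with `encrypted_region_map`. A validated blob hit gives an offset to hand to a variant-specific tool or researcher; the region map tells you how much of a database or VM disk is worth carving before you spend time on it.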

Queries

DeviceProcessEvents | where DeviceName == "ENCRYPTED_HOST" | where Timestamp > ago(48h) | where ProcessCommandLine has_any ("vssadmin","wmic shadowcopy","bcdedit","wbadmin") | project Timestamp, ProcessCommandLine, AccountName, InitiatingProcessFileName | order by Timestamp asc
SELECT Name, InstallDate, Description FROM Win32_ShadowCopy -- WMI/osquery query to check for surviving shadow copies on target hosts
index=wineventlog sourcetype=WinEventLog:System host=ENCRYPTED_HOST (EventCode=8193 OR EventCode=8194 OR EventCode=524) earliest=T_START latest=T_END | stats count by EventCode, ComputerName, Message | sort -count
index=wineventlog sourcetype=WinEventLog:Security host=ENCRYPTED_HOST EventCode=4688 earliest=-48h (CommandLine="*vssadmin*" OR CommandLine="*wmic shadowcopy*" OR CommandLine="*bcdedit*" OR CommandLine="*wbadmin*") | table _time, CommandLine, Account_Name, ParentProcessName | sort _time
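The two Splunk queries above answer separate questions (was shadow-copy tampering attempted, and did VSS throw errors), and the useful triage step is to line them up: a VSS error shortly after a deletion attempt is a hint that the deletion did not complete cleanly and that copies may survive. The following is an added example, not part of this playbook, that applies the same `has_any` term match and event IDs (8193, 8194, 524) to constructed event records and correlates them within a 10-minute window; the window and the record field names are assumptions, and the command lines, account and parent-process names are constructed sample data.

```python
from datetime import datetime, timedelta

# Command-line fragments the queries above key on (matched case-insensitively).
SHADOW_TAMPER_TERMS = ("vssadmin", "wmic shadowcopy", "bcdedit", "wbadmin")
# System-log event IDs collected above: 8193/8194 are VSS errors, 524 is a Windows Backup failure.
VSS_ERROR_IDS = {8193, 8194, 524}


def is_shadow_tamper_cmd(cmdline: str) -> bool:
    lowered = cmdline.lower()
    return any(term in lowered for term in SHADOW_TAMPER_TERMS)


def triage_shadow_copy_events(events: list[dict], window: timedelta = timedelta(minutes=10)) -> dict:
    """events: dicts with 'time' (datetime) and 'event_id' (int); 4688 records also carry
    'command_line', 'account' and 'parent'. For each tampering attempt, count VSS/backup
    errors that followed within `window`. Any such pairing means the host is worth a
    `vssadmin list shadows` check before assuming the copies are gone."""
    attempts = [e for e in events
                if e["event_id"] == 4688 and is_shadow_tamper_cmd(e.get("command_line", ""))]
    errors = [e for e in events if e["event_id"] in VSS_ERROR_IDS]
    findings = []
    for attempt in sorted(attempts, key=lambda e: e["time"]):
        followed = [e for e in errors if attempt["time"] <= e["time"] <= attempt["time"] + window]
        findings.append({"time": attempt["time"],
                         "command_line": attempt["command_line"],
                         "account": attempt.get("account"),
                         "parent": attempt.get("parent"),
                         "vss_errors_after": len(followed)})
    return {"attempts": findings,
            "vss_error_count": len(errors),
            "check_for_surviving_shadows": any(f["vss_errors_after"] for f in findings)}


# Constructed sample events from one host; times, names and messages are invented for the example.
T0 = datetime(2024, 1, 1, 10, 0)
SAMPLE_EVENTS = [
    {"time": T0, "event_id": 4688, "command_line": r"C:\Windows\System32\vssadmin.exe delete shadows /all /quiet",
     "account": "SYSTEM", "parent": "unknown_binary.exe"},
    {"time": T0 + timedelta(minutes=1), "event_id": 8193,
     "message": "Volume Shadow Copy Service error (constructed sample)"},
    {"time": T0 + timedelta(minutes=2), "event_id": 4688, "command_line": "wmic shadowcopy delete",
     "account": "SYSTEM", "parent": "unknown_binary.exe"},
    {"time": T0 + timedelta(minutes=3), "event_id": 8194,
     "message": "Volume Shadow Copy Service error (constructed sample)"},
    {"time": T0 + timedelta(minutes=5), "event_id": 4688, "command_line": "cmd.exe /c dir",
     "account": "jdoe", "parent": "explorer.exe"},
    {"time": T0 + timedelta(minutes=40), "event_id": 4688, "command_line": "bcdedit /set {default} recoveryenabled no",
     "account": "SYSTEM", "parent": "unknown_binary.exe"},
]

if __name__ == "__main__":
    result = triage_shadow_copy_events(SAMPLE_EVENTS)
    for f in result["attempts"]:
        print(f"{f['time']:%H:%M} {f['account']:<8} {f['parent']:<20} errors_after={f['vss_errors_after']}  {f['command_line']}")
    print(f"VSS/backup errors in window: {result['vss_error_count']}; "
          f"check host for surviving shadows: {result['check_for_surviving_shadows']}")
```

Feed it the rows exported from the two Splunk searches (or the KQL query) after mapping `_time`/`Timestamp` to `time` and `EventCode` to `event_id`; hosts where `check_for_surviving_shadows` comes back true go to the front of the queue for step 3.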

Notes

DO NOT reboot encrypted systems if memory has not been captured. Encryption keys in RAM are lost on reboot and may be the only path to decryption.

Test any decryption tool on a COPY of encrypted files first. Some tools can corrupt files if the wrong variant or key is used.
