Pierluigi Paganini May 22, 2015

A security researcher has compiled the Ransomware Removal kit that could be used in the process of responding to ransomware infections.

CryptoLocker, CoinVault, and TeslaCrypt are the names of some of the most dreaded ransomware that infected million of users worldwide. The extortion is a very common practice in the cyber criminal underground and ransomware are a powerful instrument for criminal crews to  rapidly cash-out their efforts.

In several cases, victims opted to pay a fee to cyber criminals in order to restore their files.

The good news in that a security researcher has compiled a ransomware removal and rescue kit that could help victims to sanitize their infected system and unlock encrypted files.

The security professional Jada Cyrus has compiled a “Ransomware Rescue Kit“, also known as “Ransomware Removal Kit” and published it online. The Ransomware Removal Kit tool is free, the idea behind the application is to provide a unique instrument to support decryption tools for different strains of ransomware:

“I have compiled this kit to be used for security professionals and system administrators alike, in order to help streamline the process of responding to ransomware infections. Some of the information in this kit is obsolete due to the rapidly evolving nature of ransomware. I will do my best to keep it up to date with the help of the malware community at large.” wrote Cyrus.

One of the most important suggestions to follow in case of ransomware infection it to avoid paying the ransom.

“You should never pay the ransom,” Cyrus says. “This will only reinforce this type of attack. According to most security intelligence reports, criminal enterprises are already making large profits from ransomware.”

The Ransomware Removal Kit includes abilities of the following ransomware removal tools:

• CoinVault: CoinVault ransomware removal tools
• CryptoLocker: CryptoLocker removal tools and Threat Mitigation
• CryptoLockerDecrypt: FireEye Tool to decrypt files encrypted by the CryptoLocker ransomware
• FBIRansomWare: FBIRansomWare Removal Tools
• TeslaCrypt: Tool for removing this variant of CryptoLocker ransomware
• TrendMicro_Ransomware_RemovalTool: General ransomware removal tool from TrendMicro

The first response to a ransomware infection consists in the disconnection of the machine from the internal network to prevent the diffusion of the malicious agent. Be sure to create a copy of the disk that could be restored in case of problems with the ransomware removal kit.

The second step is the identification of the strain of malware that caused the infection, then the user can try to decrypt files and remove the malicious agent.

Pierluigi Paganini

(Security Affairs – Ransomware Removal kit, cybercrime)