Please read the instructions for Ransomware Incident Response free evaluation
Instructions on how to submit your case:
- First of all download this questionnaire, save it and fill in every detail about you or your client: Ransomware-Preliminary-Questionnaire.xlsx
- We will need the Ransomware note files (for example Readme.txt, Decrypt_My_Files.txt, How_to_decrypt.txt, _openme.txt etc). If you don’t find such file in a directory of the encrypted files then you might see a screen that shows the Ransomware demands, so we request that you take a photo of this screen and send us the screenshot.
- Three different encrypted files from your infected computer ONLY .doc, .docx, .xls, .xlsx that should be under 500kb
- One file from the ones that are encrypted (in step 3) should be also send in its ORIGINAL (un-encrypted) form (search for backups or from emails you sent to colleagues some days before the encryption). Mention that we should have one exact file in its Encrypted AND Decrypted form so we may try to study the encryption carefully. Our team will not accept to analyze cases that do not complete this step.
- The MAC address of the infected machine (if you have multiple MAC addresses we will need them all). If you don’t know how to find the MAC address, click here.
- The domain name of the infected machine. You can find this information by running this in the infected machine through the command prompt : systeminfo | findstr /B /C:”Domain” . Instructions here.
- The computer name of the infected machine. You can type the command: hostname in command prompt. Instructions here.
- We need to know every detail on the actions you have done after the infection with as much detail as you can, including technical information.
- We need a copy of your communication with the hacker if any (we prefer to handle cases where you haven’t contacted the hacker yet)
- Don’t move,rename, or delete any files or executable until we tell you so.
- You can send us the files in .zip/.rar/.7z format using http://sendspace.com or https://dropmefiles.com/
Important Advice for your files
- Disconnect the infected machine(s) from any network (public or private) to prevent further infections or double encryption.
- Instantly backup all the crucial files or partitions of your infected computers.The backup should not be in the form of file copy, but rather in the form of a sector by sector image using software like Ghost.
- Its very important to be able to maintain the initial state of the encrypted machine because things can get worse!
- Don’t remove the virus yet, before you take a full image sector by sector backup. Some solutions need the virus running so we can get information about decryption keys.
We will need some time to analyze your case after you submit the information requested, so we kindly ask for your patience in order to process the data you send us.
We will come back to you when we finish analyzing the available solutions (if any) and provide you with feedback free of charge.
Please reply to us as soon as possible because Ransomware incidents are quite time sensitive.