[SOLVED] Need advice; client server infected with .wallet extension ransomware

The cold hard reality is that there is no real way to recover from a ransomware attack that truly encrypts the drive (which most do these days). The only posture you can take is to maintain proper backups. Auditors have an understanding these days that data loss is an inevitability in a ransomware attack, so they have some leeway in case it happens.

Again, the only way to protect yourself from ransomware is extremely good behavior-based anti-malware (I hate to call it that because it's so much more) such as Checkpoint Sandblast or SentinelOne's software. Even those are imperfect, so proper backups are still a must.

If you scour the internet you may find the decryption codes somewhere if you're lucky.


Checkpoint Sandblast and SentinelOne sound like anomaly-based IPS systems rather than just anti-malware, if that's what you were thinking of.

I'd imagine these would throw a lot of false positives for legitimate configuration changes that aren't normally done during the baseline phase, or they would accept those changes and miss some anomalies, thinking they are part of normal activity. It really depends on the baseline phase when the product is first implemented and the management after that.

If managed properly, they can be some of the best appliances on a network, but they're such a pain to configure correctly in the first place that most companies I've heard of don't bother with them.

Well, I can't really think of a better word to call them than anti-malware. You're 100% correct, they're not that; they work much better. We only trialed the Sandblast, but it did get a bunch of hits that were false positives. After the initial setup, the SentinelOne appears to be going strong (we're in the trial phase right now).

I threw cryptoviruses at both of them and they both stopped them.

And to clarify, they both are very different systems. The Sentinel product can probably be best explained like you did, as a host-based IPS-esque system.

Unfortunately, there is still no working decryption tool for the Wallet ransomware. We tried different guides, including https://keonesoftware.com/guides/wallet-file-virus/, https://malwareless.com/remove-wallet-ransomware-virus/ and Bleepingcomputer's forum, but nobody could help. If this data is extremely important for your client, it's better to pay the ransom, but there is absolutely no guarantee that you'll get your files back. According to Kaspersky Lab stats, 1 in 5 victims doesn't get their files decrypted after paying the ransom.

In my opinion there are a few reasons that you should not pay up for a ransom attack. The reasons are:

  • If you pay, you are simply encouraging the cyber hackers.
  • You can't trust cybercriminals, as there is no 100% guarantee that they will return your files.
  • They may return and attack you again and again. They will think, "We have received a ransom payment from you once, so why not again?"
  • Paying the ransom will boost their confidence as well as their total money, and with that money they will create more sophisticated and complicated ransomware programs.

But why do some organizations pay up?

Because they do not have any option, but to pay up in order to get back their important files.

But you might still have the question of whether to pay or not. Well, read this: Ransomware – Should You Pay or Not?

It will clear your doubts.

Once again I am suggesting that you should ignore making payment unless those files are very important. If you have a backup, get the files from there.

Considering that ransomware trojans are constantly updated and developing, a common antivirus will not help. We need a special antivirus for each ransom virus. It is necessary to understand the very nature of ransomware. For example, there is a good description of the problem at http://myspybot.com/pclock-ransomware/

This is why you TEST backups regularly before you NEED the backup.

Yes, I know. However, this client was not on a support contract with us and therefore did not get that service. Break/fix only.

Sorry OP, I have no help to offer but a question to ask: how does one figure out the originating computer? Sifting through large amounts of raw logs for Windows install event IDs (assuming it's Windows, and assuming the ransomware generates an install event ID)? Hunting down what system has the ransomware service running? I'm curious, if one has a great backup setup, what's the efficient way of hunting down the offending computer to prevent re-encryption of the data?
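One common answer to the question above, as an added example that is not part of the thread: on the file server, the NTFS owner of each encrypted .wallet file is the account whose session created it, so ranking owners points at the infected user, and the server's open SMB sessions (or its 4624 logon events) map that account to a client computer. The share path is an assumption.

```powershell
# Added example (not from the thread). Run on the file server holding the
# encrypted share. $ShareRoot is an assumed local path; adjust to the real one.
param(
    [string]$ShareRoot = 'D:\Shares',
    [string]$Extension = '*.wallet'
)

# 1. Collect encrypted files with their NTFS owner. A newly created file is
#    owned by the account that created it, i.e. the session that ran the
#    ransomware, not the original owner of the plaintext data.
$encrypted = Get-ChildItem -Path $ShareRoot -Recurse -Filter $Extension -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Path          = $_.FullName
            LastWriteTime = $_.LastWriteTime
            Owner         = (Get-Acl -LiteralPath $_.FullName).Owner
        }
    }

if (-not $encrypted) {
    Write-Host "No $Extension files found under $ShareRoot"
    return
}

# 2. Rank owners by file count; the infected session normally dominates.
$byOwner = $encrypted | Group-Object Owner | Sort-Object Count -Descending
$byOwner | Select-Object Count, Name | Format-Table -AutoSize

# Time window of the encryption run, to scope the Security log review.
$first = ($encrypted | Measure-Object LastWriteTime -Minimum).Minimum
$last  = ($encrypted | Measure-Object LastWriteTime -Maximum).Maximum
Write-Host "Encryption activity between $first and $last"

# 3. Map the top owner to a client computer via live SMB sessions
#    (Get-SmbSession needs the SmbShare module, Windows Server 2012+).
#    Disconnecting that session stops further writes while the workstation
#    is isolated.
$suspect = $byOwner[0].Name
Get-SmbSession -ErrorAction SilentlyContinue |
    Where-Object { $_.ClientUserName -eq $suspect } |
    Select-Object ClientUserName, ClientComputerName, NumOpens
```

If the SMB session has already closed, the file server's Security log event 4624 for that account within the printed time window carries the Workstation Name and Source Network Address fields, which identify the same machine.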