How to Restore Backed-Up Data After a Ransomware Attack
Consumer Reports has no relationship with any advertisers on this website.
Friday’s massive ransomware attack, “WannaCry,” paralyzed computers in hospitals, universities, and companies worldwide in what is believed to be the biggest online extortion scheme in history. The ransomware has so far affected more than 350,000 computers.
Though WannaCry mostly hit enterprise computers, other types of ransomware regularly affect users at home. In most cases, files are encrypted by the malware and the computer owner sees a message demanding a ransom. Don't pay, the message says, and the data will be gone forever.
Consumer Reports has previously written about how to avoid ransomware attacks and other malware problems. Topping the list is setting up automatic updates to the operating systems on your computers and phones: Anyone with the latest patches to Windows 10 was safe from this most recent attack; anyone without the latest updates was vulnerable.
Another major precaution is to back up your data. "Regularly backing up your devices gives you the best way to recover should your computer be infected with ransomware," says Gary Davis, chief consumer security evangelist at McAfee.
When you have copies of all your important photos and other files, stored either with a cloud service or on an external hard drive at home, there's no need to pay a ransom. Instead, you can clean out all of the encrypted files and malware, and restore your machine to the squeaky clean state it was in before the attack. (Advanced computer users might want to take a look at these online tools for decrypting the data, but most consumers will find them unhelpful.)
It's not always easy to figure out how to restore your data. Computer users may have dutifully set up automatic backups without ever having to actually restore a hard drive.
What follows are directions for restoring your data, no matter which iteration of the Windows operating system you're running. We're going all the way back to Windows XP, which hasn't been supported by Microsoft since 2014, because older operating systems are so vulnerable to attack. (Though Microsoft doesn't usually issue fixes for Windows XP, it did release an XP patch to combat the latest ransomware attack.)
If your laptop has been hit by ransomware and you have your data backed up, here's what you should do next.
On Windows XP, you can use Automated System Recovery to return your computer to the state it was in before the ransomware took hold.
You'll need to reboot your computer from a copy of the operating system. Begin by restarting with the CD (or floppy disk) of Windows XP inserted. Depending on which model you have, you'll need to press a key, probably Esc or F12, to have the computer use the copy of the OS stored on the disk. When prompted, press F2 to start the Automated System Recovery process.
Next, you'll be asked to choose the disk image you want to restore from—a disk image is a full copy of your hard drive, with all of its files and applications, at a certain point in time. (The data will be stored in a location you chose when you created the backup.) At the end of the restoration, you should have a working PC again.
Now that you've done all that, how about buying a new computer, one running Windows 10? If you have some special need for XP—and it's hard to imagine what that would be—isolate it on a spare machine. There's just no good reason to run your personal or business life using an operating system that no longer receives security updates.
If you're using Windows Vista, you'll want to access the system restore option during boot-up. While the machine is starting, tap F8 continuously until the Advanced Boot Options screen shows up. Select Repair Your Computer and press Enter.
A window called System Recovery Options will show up. Select Next and pick the Windows Complete PC Restore option.
Select a system image and the system should take care of the work for you.
Next step: Like your buddies using Windows XP, you're living life dangerously if you continue to rely on Vista. Support for this OS ended on April 11, 2017—just in time for the advent of WannaCry. So, Vista users, it's time to move on.
Windows 7
During boot-up, tap F8 continuously until the Advanced Boot Options screen appears. Select Repair Your Computer and press Enter.
The System Recovery Options window will show up. Click Next and select "Restore your computer using a system image that you created earlier." Select a system image (from wherever you have your backups—probably an external hard drive) and let the process run its course.
Windows 8 and 10
Hold down the Shift key on your keyboard and click the Restart option in the Start menu or Start screen.
Your computer will boot to a special recovery menu. On Windows 10, select the Troubleshoot tile followed by "Advanced options" and then System Image Recovery.
From here, the process is similar to that on the previous Windows iterations. Select the image that was created before the ransomware took hold and restore from there.
Copyright © 2005-2017 Consumers Union of U.S., Inc. No reproduction, in whole or in part, without written permission.