Can Sigma Ransomware files be unlocked?

Diggar

Got hit with Sigma Ransomware. I was able to roll back the system using restore to a few days ago, but the files are still locked.

If I roll back the system to an earlier date will that help or is there some way to unlock the files?
Thanks
 

daveybrat

Nope, rolling back the system only affects Windows system files and the registry. Encrypted files are permanent unless you know the decryption key (which you can't).
 

UsandThem

> Nope, rolling back the system only affects Windows system files and the registry. Encrypted files are permanent unless you know the decryption key (which you can't).

Yup. Unless you have your files backed up someplace else, you don't have many options outside of nuking your install and starting over again (delete partition or full format). Backups have always been necessary for important files because of drive failure, but now they are even more important because of the rise of ransomware attacks.
 

Nashemon

The most common advice among professionals is do NOT pay them. You're not only funding cyberterrorism when you do, you're also confirming that their ransomware works, and there is no guarantee that your files will be decrypted by them. Once they have your money, there is no reason for them to continue helping you.

Personally, I would get another hard drive and offline copy the encrypted files to it. No OS files. Make sure to note what cryptoware you got hit with, then put that new drive into cold storage indefinitely and hope that a decryptor for that particular cryptoware becomes available some day. Which does happen pretty regularly.

Most major Antivirus companies provide all known decryptors for free, even to non-customers. It's a pretty incredible collaboration among competitors coming together for the common good. Just google 'ransomware decryptor' for a list of them.

This is the official host of the collaboration efforts. https://www.nomoreransom.org/
 

PliotronX

System restore is great for fixing loused-up Windows updates and whatnot, but it doesn't restore documents. That would be the realm of shadow copies, but most ransomware will delete them first thing.
 

DAPUNISHER

> The most common advice among professionals is do NOT pay them. You're not only funding cyberterrorism when you do, you're also confirming that their ransomware works, and there is no guarantee that your files will be decrypted by them. Once they have your money, there is no reason for them to continue helping you.
>
> Personally, I would get another hard drive and offline copy the encrypted files to it. No OS files. Make sure to note what cryptoware you got hit with, then put that new drive into cold storage indefinitely and hope that a decryptor for that particular cryptoware becomes available some day. Which does happen pretty regularly.
>
> Most major Antivirus companies provide all known decryptors for free, even to non-customers. It's a pretty incredible collaboration among competitors coming together for the common good. Just google 'ransomware decryptor' for a list of them.
>
> This is the official host of the collaboration efforts. https://www.nomoreransom.org/

I have done it for small business clients. It usually requires an uninfected file/s to compare to the infected version. Even when the backup drive is infected, it may be that they have pics or files from their personal cloud accounts I can use.

And always observe the rule of 3 if you have stuff you consider mission critical or of great personal worth. It should be backed up locally on a regular basis, and remotely, in case there is a fire, break-in, natural disaster, etc. Also, Malwarebytes can be found for dirt cheap, no reason to not have it running on any system you have valuable data on. Along with Windows Defender (free) and the Windows 10 Creators Update, most ransomware will never have a chance to infect you. If you are still a Windows 7 forever! fanatic, good luck with that.
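
The preservation steps from Nashemon's post (copy the encrypted files offline, no OS files, note the ransomware) and DAPUNISHER's point about keeping an uninfected copy to compare against can be scripted as below; this is an added example, not part of any post in the thread. The function names, the skip list and the "original name plus an added suffix" naming rule are assumptions made for illustration.

```python
import csv, hashlib, os, shutil, tempfile
from pathlib import Path

# Folder names treated as OS files and skipped at any depth (assumed list; adjust per machine).
SKIP_DIRS = {"windows", "program files", "program files (x86)", "programdata", "$recycle.bin"}
FIELDS = ["family", "path", "size", "sha256", "clean_copy"]

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()

def preserve(src_root, dest_root, family, clean_root=None):
    """Copy non-OS files to dest_root/files, write dest_root/manifest.csv, return its rows."""
    src_root, dest_root = Path(src_root), Path(dest_root)
    # Index known-good copies (old backup, cloud download) by lower-cased file name.
    clean = {p.name.lower(): p for p in Path(clean_root).rglob("*") if p.is_file()} if clean_root else {}
    rows = []
    for dirpath, dirnames, filenames in os.walk(src_root):
        dirnames[:] = [d for d in dirnames if d.lower() not in SKIP_DIRS]  # prune OS trees
        for name in filenames:
            src = Path(dirpath) / name
            rel = src.relative_to(src_root)
            dst = dest_root / "files" / rel
            dst.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(src, dst)  # copy only; the source is never modified
            digest = sha256_of(dst)
            if digest != sha256_of(src):
                raise IOError(f"copy of {rel} does not match its source")
            # Assumption: an encrypted file is named "<original name>.<added suffix>".
            pair = next((str(p) for n, p in clean.items() if name.lower().startswith(n + ".")), "")
            rows.append({"family": family, "path": rel.as_posix(), "size": dst.stat().st_size,
                         "sha256": digest, "clean_copy": pair})
    with open(dest_root / "manifest.csv", "w", newline="", encoding="utf-8") as f:
        writer = csv.DictWriter(f, fieldnames=FIELDS)
        writer.writeheader()
        writer.writerows(rows)
    return rows

if __name__ == "__main__":
    # Constructed sample tree standing in for the infected disk and an old backup.
    tmp = Path(tempfile.mkdtemp())
    sample = {"disk/Users/me/report.docx.x1y2": b"\x8f\x02constructed ciphertext",
              "disk/Windows/notepad.exe": b"MZ", "backup/report.docx": b"constructed plaintext"}
    for rel, data in sample.items():
        (tmp / rel).parent.mkdir(parents=True, exist_ok=True)
        (tmp / rel).write_bytes(data)
    print(*preserve(tmp / "disk", tmp / "cold", "Sigma", tmp / "backup"), sep="\n")
```

The destination must sit outside the source tree, and the manifest's `clean_copy` column is what lets a matching pair be found quickly if a decryptor that needs one is ever released.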