Remove Windows 10 ransomware and restore encrypted files. Personal experience of use


Encryption isn't just about stopping the NSA - it's about protecting your sensitive data in case you ever lose your PC. Unlike all other modern consumer operating systems - macOS, Chrome OS, iOS and Android - Windows 10 still doesn't offer integrated encryption tools for everyone. You may have to pay for the Professional version of Windows 10 or use a third-party encryption solution.

If your Windows supports encryption

Many new PCs that ship with Windows 10 automatically enable “Device Encryption.” This feature was first introduced in Windows 8.1 and requires special hardware capabilities. Not every computer will have this feature.

There is one more limitation: it actually encrypts your drive only if you sign into Windows with a Microsoft account. Your recovery key is then uploaded to Microsoft servers. This will help you recover your files if you are unable to log into your computer. (This is why the FBI probably isn't too worried about this feature, but we still recommend using encryption as a means of protecting your data from thieves.)

Device encryption will also be enabled if you log in to an organization's domain. For example, you might be logging into a domain that belongs to your employer or school. Your recovery key will then be uploaded to your organization's servers. However, this does not apply to an ordinary user's computer, only to computers joined to a domain.

To check whether device encryption is enabled, open the Settings app, go to System > About and find "Device Encryption" at the bottom of the About panel. If you don't see anything about device encryption here, your computer doesn't support device encryption or it's not enabled.

If device encryption is turned on, or you can turn it on by signing in with a Microsoft account, you'll see a message telling you so.

For Windows Pro users: BitLocker

If device encryption is not enabled or you want a more powerful encryption solution that can also encrypt removable USB drives, you should consider BitLocker.

Microsoft's BitLocker encryption tool has been included in Windows for several versions now. However, Microsoft still limits BitLocker to the Professional, Enterprise, and Education editions of Windows 10.

BitLocker is most secure on a computer that has a hardware Trusted Platform Module (TPM), which is present on most modern PCs. If you have built your own computer, you can add a TPM chip to it. Look for a TPM chip that is sold as an add-on module. You'll need one that supports the motherboard inside your PC.

Windows usually says that BitLocker requires a TPM, but there is a hidden option that allows you to enable BitLocker without a TPM. If you enable this option, you will have to use a USB flash drive as a "startup key" that must be present at every boot.

If you already have a Professional version of Windows 10 installed on your computer, you can search for "BitLocker" in the Start menu and use the BitLocker Control Panel to enable it. If you upgraded from Windows 7 Professional or Windows 8.1 Professional for free, you should have Windows 10 Professional.

If you don't have a Professional version of Windows 10, you can pay approximately $99 to upgrade from Windows 10 Home to Windows 10 Professional. Just open the Settings app, go to Update & Security > Activation and press the Go to Store button. You'll get access to BitLocker and the other features that Windows 10 Professional includes.

Security expert Bruce Schneier also likes a proprietary full-disk encryption tool for Windows called BestCrypt. It is fully functional on Windows 10 with modern hardware. However, the cost of this tool is comparable to upgrading to Windows 10 Professional, so it is better to use BitLocker.

For everyone: VeraCrypt

Spending another $99 just to encrypt your hard drive for some additional security can be too wasteful when modern Windows PCs often cost just a few hundred dollars. Meanwhile, you don't have to pay extra money for encryption, because BitLocker isn't the only option. BitLocker is the most integrated, well-supported option, but there are other encryption tools you can use.

The venerable TrueCrypt, an open-source full-disk encryption tool that is no longer in development, has some issues on Windows 10 PCs. It cannot encrypt GPT system partitions and boot them using UEFI, the configuration used by most Windows 10 PCs. However, VeraCrypt, an open-source full-disk encryption tool based on the TrueCrypt source code, supports EFI system partition encryption as of versions 1.18a and 1.19.

In other words, VeraCrypt will allow you to encrypt the system partition of your Windows 10 PC for free.

The TrueCrypt developers shut down development and declared TrueCrypt vulnerable and insecure, but researchers still doubt the truth of these claims. Much of the discussion around this centers on whether the NSA and other security agencies have a way to break this open source encryption. If you simply encrypt your hard drive so thieves can't access your personal files when they steal your laptop, you won't have to worry about this. TrueCrypt is quite secure.

The VeraCrypt project has improved security and could potentially be more secure than TrueCrypt. Whether you're encrypting just a few files or an entire system partition, this is what we recommend.

We'd like to see Microsoft give more Windows 10 users access to BitLocker or, at least, extend Device Encryption so that it can be enabled on more PCs. Modern Windows computers should have built-in encryption, just like all other modern operating systems. Windows 10 users should not need to pay more or look for third-party software to protect their important data if their laptops are ever lost or stolen.

In Windows 10, you can completely encrypt your hard drive using BitLocker. This program is already integrated into Windows and is easy to use - at least if your motherboard has a special TPM module. Here is how it works.

Encrypting a Drive in Windows 10 Using BitLocker

A component called a cryptoprocessor or Trusted Platform Module (TPM) chip may be installed on your motherboard. It stores encryption keys to protect information at the hardware level. If there is a TPM module on the motherboard, setting up hard drive encryption in Windows 10 is very easy: click the Start button > Explorer > This PC.

In the window, right-click the drive you want to encrypt and select Enable BitLocker from the drop-down menu. Enter a strong password for the hard drive. Every time you turn on your computer, Windows will ask you for this password in order to decrypt your data.

Choose how you want to back up your recovery key. It can be saved to your Microsoft account, copied to a USB drive or printed.

Choose which part of the disk to encrypt: the whole disk or only the used space. If you recently installed Windows 10, choose the second option. If you enable encryption on a disk that is already in use, it is better to encrypt the entire disk.

Click Continue to begin encryption.

When encryption is complete, restart your computer and enter your password. If you receive an error message in Step 2 indicating that you need to allow BitLocker to run without a compatible TPM, your motherboard does not have a compatible TPM. In this case, you will have to use a workaround.

Encrypting a disk in Windows 10 without a TPM module

To encrypt a hard disk in Windows 10 without the help of a hardware key storage module, do the following: go to the "Search the web and Windows" field and enter “Group Policy” (without quotes).

Click the Edit group policy entry. A new window will open.

Navigate to Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives.

Double-click the policy setting that configures the requirement for additional authentication at startup ("Require additional authentication at startup"). In the new window, select Enabled, check the box next to Allow BitLocker without a compatible TPM, and click OK.

Open This PC, select the drive, and click Turn on BitLocker.

After this, your computer will run a quick check. When the check is complete, the system will ask whether you want to lock your computer using a USB key or a password.

Choose whether BitLocker encrypts only the used space or the entire hard drive.

BitLocker will start in the background, encrypting your hard drive. You can continue to work as usual. After the first reboot of your PC, your system will boot only if you enter the correct password during startup or connect a USB drive with a backup copy of the key.

The new feature first became available in Windows 10 Insider Preview build 16232, and now, after successful testing, “Controlled Folder Access” has appeared as another level of protection in the final release of Windows 10 Fall Creators Update (version 1709).

The main idea of the feature is to protect specific folders and files from unauthorized access. It should be considered an additional layer of protection against malicious modification of important files (for example, as protection against ransomware).

The Controlled Folder Access feature is disabled by default. The user needs to manually activate folder protection.

Note: During feature activation, the User Account Control dialog box may appear several times. All system changes must be accepted.

  • Open Windows Defender Security Center via the tray icon.
  • Go to the "Virus and threat protection - Virus and threat protection settings" section.
  • Find the "Controlled folder access" option and set the switch to the active position.
  • Then choose which folders you want to protect.

You can add local folders, folders on network drives and connected drives.

Principle of operation

Microsoft claims that system folders are protected by default. Windows 10 does not block most programs and applications from accessing protected folders and files stored in those folders. Microsoft maintains a list of allowed applications that are considered trusted and can easily access protected folders.

Most applications will be able to access protected folders without having to be added to the whitelist manually. Applications that Microsoft deems safe will have access to these folders.

If Windows Defender blocks an application from making changes to protected folders or the files in them, a notification is displayed on the screen. The user can then add the program to the list of allowed applications to avoid it being blocked again in the future.
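The same setup can be scripted with the Windows Defender PowerShell cmdlets. This is an added example, not part of the original article: it starts in audit mode so that writes which would be blocked can be reviewed before enforcement, and the folder and application paths are placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example: roll out Controlled Folder Access (CFA) and review its events.
# Both paths below are placeholders (assumptions), not values from the article.
$ProtectedFolder = 'D:\Finance'
$TrustedApp      = 'C:\Program Files\ExampleApp\app.exe'

# 1. Audit mode: writes to protected folders are logged but not blocked.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# 2. Protect an additional folder (system folders are covered by default).
Add-MpPreference -ControlledFolderAccessProtectedFolders $ProtectedFolder

# 3. Review what CFA blocked (event 1123) or would have blocked (event 1124).
function Get-CfaEvent {
    param([int]$Days = 7)
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1123, 1124
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated,
            @{ Name = 'Action'
               Expression = { if ($_.Id -eq 1123) { 'Blocked' } else { 'Audited' } } },
            Message
}
Get-CfaEvent | Format-List

# 4. After the review: allow only the applications you recognise as legitimate ...
Add-MpPreference -ControlledFolderAccessAllowedApplications $TrustedApp

# 5. ... then switch from auditing to blocking.
Set-MpPreference -EnableControlledFolderAccess Enabled

# 6. Confirm the resulting configuration.
Get-MpPreference | Select-Object EnableControlledFolderAccess,
    ControlledFolderAccessProtectedFolders,
    ControlledFolderAccessAllowedApplications
```

Unexpected entries in the allowed-applications list are worth investigating, since anything on that list can modify the protected folders.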

Conclusion

It's too early to tell how effective the new “Controlled folder access” feature is at securing Windows 10 devices. However, similar features are appearing in paid comprehensive antivirus products. In any case, for maximum protection, it is also recommended to regularly create backups of important data.

P.S. In the near future we will test the built-in protection against ransomware as part of our project COMSS.TV: Video Reviews. Stay tuned.


According to experts, laptop theft is one of the main problems in the field of information security (IS).


Unlike other information security threats, the nature of the “stolen laptop” or “stolen flash drive” problem is quite primitive. And if the cost of missing devices rarely exceeds several thousand US dollars, the value of the information stored on them is often measured in millions.


According to Dell and the Ponemon Institute, 637,000 laptops go missing every year at American airports alone. Just imagine how many flash drives go missing, because they are much smaller, and accidentally dropping a flash drive is very easy.


When a laptop belonging to a top manager of a large company goes missing, the damage from one such theft can amount to tens of millions of dollars.



How to protect yourself and your company?

We continue the series of articles about Windows domain security. In the first article in the series we talked about setting up secure login to the domain, and in the second, about setting up secure data transfer in the mail client:

  1. How to make a Windows domain more secure using a token? Part 1.
  2. How to make a Windows domain more secure using a token? Part 2.

In this article we will talk about setting up encryption of information stored on your hard drive. You will understand how to make sure that no one but you can read the information stored on your computer.


Few people know that Windows has built-in tools that help you store information safely. Let's consider one of them.


Surely some of you have heard the word “BitLocker”. Let's figure out what it is.

What is BitLocker?

BitLocker (its full name is BitLocker Drive Encryption) is a technology for encrypting the contents of computer drives, developed by Microsoft. It first appeared in Windows Vista.


At first BitLocker could be used to encrypt hard drive volumes, but later, in Windows 7, a similar technology called BitLocker To Go appeared, which is designed for encrypting removable drives and flash drives.


BitLocker is a standard component of the Professional and server versions of Windows, which means that in most corporate use cases it is already available. Otherwise you will need to upgrade your Windows license to Professional.

How does BitLocker work?

This technology is based on full volume encryption performed using the AES (Advanced Encryption Standard) algorithm. Encryption keys must be stored securely, and BitLocker has several mechanisms for this.


The simplest, but at the same time the most insecure method is a password. The key is obtained from the password in the same way every time, and accordingly, if someone finds out your password, then the encryption key will become known.


To avoid storing the key in the clear, it can be encrypted either in a TPM (Trusted Platform Module) or on a cryptographic token or smart card that supports the RSA 2048 algorithm.


TPM is a chip designed to implement basic security-related functions, mainly using encryption keys.


The TPM module is usually installed on the computer motherboard, however, it is very difficult to purchase a computer with a built-in TPM module in Russia, since the import of devices without FSB notification into our country is prohibited.


Using a smart card or token to unlock a drive is one of the safest ways, and it allows you to control who performed this process and when. To unlock the drive in this case, you need both the smart card itself and its PIN code.


How BitLocker works:

  1. When BitLocker is activated, a master bit sequence is created using a pseudorandom number generator. This is the volume encryption key - FVEK (full volume encryption key). It encrypts the contents of each sector. The FVEK key is kept in the strictest confidence.
  2. FVEK is encrypted using the VMK (volume master key). The FVEK key (encrypted with the VMK key) is stored on disk among the volume metadata. However, it should never end up on disk in decrypted form.
  3. VMK itself is also encrypted. The user chooses the encryption method.
  4. The VMK key is by default encrypted using the SRK (storage root key), which is stored on a cryptographic smart card or token. This happens in a similar way with a TPM.
    By the way, the BitLocker encryption key of the system disk cannot be protected using a smart card or token. This is because vendor libraries are used to access smart cards and tokens, and, of course, they are not available before the OS is loaded.
    If there is no TPM, then BitLocker offers to save the system partition key on a USB flash drive, and this, of course, is not the best idea. If your system does not have a TPM, we do not recommend encrypting your system drives.
    In general, encrypting the system drive is a bad idea. With a correct setup, all important data is stored separately from system data. This is at least more convenient from the point of view of backups. In addition, encrypting system files reduces the performance of the system as a whole, while an unencrypted system disk with encrypted files works without loss of speed.
  5. Encryption keys for other non-system and removable drives can be protected using a smart card or token, as well as a TPM.
    If there is neither a TPM module nor a smart card, then instead of the SRK, a key generated from the password you entered is used to encrypt the VMK key.

When starting from an encrypted boot disk, the system queries all possible key stores - it checks for the presence of a TPM, checks the USB ports, or, if necessary, prompts the user (which is called recovery). Key store discovery allows Windows to decrypt the VMK key, which decrypts the FVEK key, which in turn decrypts the data on the disk.



Each sector of the volume is encrypted separately, and part of the encryption key is determined by the number of that sector. As a result, two sectors containing the same unencrypted data will look different when encrypted, making it very difficult to determine encryption keys by writing and decrypting previously known data.


In addition to FVEK, VMK, and SRK, BitLocker uses another type of key that is created “just in case.” These are the recovery keys.


For emergencies (the user lost a token, forgot the PIN code, etc.), BitLocker prompts you at the last step to create a recovery key. The system does not let you decline to create it.

How to enable data encryption on your hard drive?

Before you begin the process of encrypting volumes on your hard drive, it is important to note that this procedure will take some time. Its duration will depend on the amount of information on the hard drive.


If the computer turns off or goes into hibernation during encryption or decryption, these processes will resume where they stopped the next time you start Windows.


Even during the encryption process, the Windows system can be used, but it is unlikely to please you with its performance. As a result, after encryption, disk performance decreases by about 10%.


If BitLocker is available on your system, then when you right-click the name of the drive that needs to be encrypted, the menu that opens will contain the item Turn on BitLocker.


On server versions of Windows you need to add the BitLocker Drive Encryption role.


Let's start setting up encryption of a non-system volume and protect the encryption key using a cryptographic token.


We will use a token produced by the Aktiv company, specifically the Rutoken EDS PKI token.



I. Let's prepare Rutoken EDS PKI for work.


In most normally configured Windows systems, after the first connection to Rutoken EDS PKI, a special library for working with tokens produced by the Aktiv company - Aktiv Rutoken minidriver - is automatically downloaded and installed.


The installation process for such a library is as follows.



The presence of the Aktiv Rutoken minidriver library can be checked via Device Manager.



If the download and installation of the library did not happen for some reason, then you should install the Rutoken Drivers for Windows kit.


II. Let's encrypt the data on the disk using BitLocker.


Click on the disk name and select Turn on BitLocker.



As we said earlier, we will use a token to protect the disk encryption key.
It is important to understand that in order to use a token or smart card with BitLocker, it must contain RSA 2048 keys and a certificate.


If you are using the Certificate Authority service in a Windows domain, then the certificate template must include the “Disk Encryption” certificate purpose (for more details about setting up a Certificate Authority, see the first part of our series of articles about Windows domain security).


If you do not have a domain or you cannot change the policy for issuing certificates, then you can use a fallback method using a self-signed certificate; details on how to issue a self-signed certificate for yourself are described.
Now let's check the corresponding box.



In the next step, we will select a method for saving the recovery key (we recommend choosing Print the recovery key).



The sheet of paper with the printed recovery key must be kept in a safe place, preferably in a safe.





At the next stage, we will start the disk encryption process. Once this process is complete, you may need to reboot your system.


When encryption is enabled, the icon of the encrypted disk will change.



And now, when we try to open this drive, the system will ask you to insert a token and enter its PIN code.



Deployment and configuration of BitLocker and TPM can be automated using WMI tools or Windows PowerShell scripts. How the scripts are implemented will depend on the environment. The commands for BitLocker in Windows PowerShell are described in this article.
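As an illustration of such a script (an added example, not part of the original article), the function below reviews volumes for the weaknesses discussed above: protection switched off, no recovery key, or unlock by password only. It relies only on the property names returned by Get-BitLockerVolume, so the constructed sample objects stand in for real volumes; the last lines check whether the Group Policy option "Allow BitLocker without a compatible TPM" described earlier is set.

```powershell
# Added example: flag BitLocker volumes whose key protection is weak or incomplete.
# Input objects only need the property names that Get-BitLockerVolume returns.
function Test-BitLockerPosture {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)] $Volume)
    process {
        # Protector type names as strings, e.g. Tpm, Password, PublicKey, RecoveryPassword
        $types = @(foreach ($kp in $Volume.KeyProtector) { "$($kp.KeyProtectorType)" })
        $findings = @()

        if ("$($Volume.ProtectionStatus)" -ne 'On') {
            $findings += 'protection is off or suspended'
        }
        if ("$($Volume.VolumeStatus)" -ne 'FullyEncrypted') {
            $findings += "volume status is $($Volume.VolumeStatus)"
        }
        # The recovery key is the only way back in if a token or PIN is lost.
        if ($types -notcontains 'RecoveryPassword') {
            $findings += 'no recovery password protector'
        }
        # A password alone is the weakest option; TPM or smart card (PublicKey) is stronger.
        $hardware = $types | Where-Object { $_ -like 'Tpm*' -or $_ -eq 'PublicKey' }
        if ($types -contains 'Password' -and -not $hardware) {
            $findings += 'unlock relies on a password only'
        }

        [pscustomobject]@{
            MountPoint = $Volume.MountPoint
            Protectors = $types -join ','
            Findings   = if ($findings) { $findings -join '; ' } else { 'ok' }
        }
    }
}

# Constructed sample data (not taken from a real machine).
$tpm = [pscustomobject]@{ KeyProtectorType = 'Tpm' }
$rec = [pscustomobject]@{ KeyProtectorType = 'RecoveryPassword' }
$pwd = [pscustomobject]@{ KeyProtectorType = 'Password' }
$sample = @(
    [pscustomobject]@{ MountPoint = 'C:'; VolumeStatus = 'FullyEncrypted'
                       ProtectionStatus = 'On'; KeyProtector = @($tpm, $rec) }
    [pscustomobject]@{ MountPoint = 'D:'; VolumeStatus = 'FullyEncrypted'
                       ProtectionStatus = 'On'; KeyProtector = @($pwd) }
    [pscustomobject]@{ MountPoint = 'E:'; VolumeStatus = 'FullyDecrypted'
                       ProtectionStatus = 'Off'; KeyProtector = @() }
)
$sample | Test-BitLockerPosture | Format-Table -AutoSize -Wrap

# On a real machine, from an elevated prompt:
#   Get-BitLockerVolume | Test-BitLockerPosture

# Is the "Allow BitLocker without a compatible TPM" policy set on this machine?
$fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
if ($fve.EnableBDEWithNoTPM -eq 1) {
    Write-Warning 'Policy allows BitLocker on the OS drive without a compatible TPM.'
}
```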

How to recover BitLocker encrypted data if the token is lost?

If you want to open encrypted data in Windows


To do this, you will need the recovery key that we printed earlier. Just enter it in the appropriate field and the encrypted section will open.



If you want to open encrypted data on GNU/Linux and Mac OS X systems


To do this, you need the DisLocker utility and a recovery key.


The DisLocker utility operates in two modes:

  • FILE - The entire partition encrypted by BitLocker is decrypted into a file.
  • FUSE - only the block accessed by the system is decrypted.

As an example, we will use the Linux operating system and the utility's FUSE mode.


In the latest versions of common Linux distributions, the dislocker package is already included in the distribution, for example, in Ubuntu starting with version 16.10.


If for some reason the dislocker package is not available, then you need to download the utility and compile it:


tar -xvzf dislocker.tar.gz

Let's open the INSTALL.TXT file and check which packages we need to install.


In our case, we need to install the libfuse-dev package:


sudo apt-get install libfuse-dev

Let's start assembling the package. Let's go to the src folder and use the make and make install commands:


cd src/
make
make install

When everything has compiled (or you have installed the package), let's start setting up.


Let's go to the mnt folder and create two folders in it:

  • Encrypted-partition - for an encrypted partition;
  • Decrypted-partition - for a decrypted partition.

cd /mnt
mkdir Encrypted-partition
mkdir Decrypted-partition

Let's find the encrypted partition. Let's decrypt it using the utility and move it to the Encrypted-partition folder:


dislocker -r -V /dev/sda5 -p recovery_key /mnt/Encrypted-partition

(instead of recovery_key, substitute your recovery key)

Let's display a list of files located in the Encrypted-partition folder:


ls Encrypted-partition/

Let's enter the command to mount the partition:


mount -o loop Encrypted-partition/dislocker-file Decrypted-partition/

To view the decrypted partition, go to the Encrypted-partition folder.

Let's summarize

Enabling volume encryption with BitLocker is very easy. All this is done effortlessly and for free (provided you have a professional or server version of Windows, of course).


You can use a cryptographic token or smart card to protect the encryption key that encrypts the disk, which significantly increases the level of security.






