Ransomware and external HDD

Gtech34

Distinguished
Jan 22, 2014
73
0
18,640
Hello
My computer got infected with ransomware. I have 3 HDDs, only one of them got infected, and some files (not all) are encrypted. I am afraid of losing data on the other HDDs, and I bought an external HDD. I want to copy my files from my internal HDDs to the external HDD. I already opened a topic on this subject on bleepingcomputer.com and they are helping me, but they are very slow (I understand that they all have their jobs). Now I am able to boot into Win 7, but what to do now?

Most of the file names are changed to "pay or this file will be deleted in 24 hours".
However, more than 48 hours have passed since opening the malware .exe file and the files are still there, but they are encrypted.

My question is, can I copy important images and videos from the 2 non-infected internal drives (I can read all files from 2 drives; the 3rd drive is partially encrypted) to a brand new WD Elements? Is there a risk of infecting the external drive too? Do I need to run malware scans first and then copy the data?
I am also waiting for a reply from bleepingcomputer.com, but they have not replied for 12 hours, and time is very important in this case, as far as I know.

Or is it safe to completely remove the non-infected drives from my PC? Can I prevent the malware from spreading by doing so?

Thanks
 
Solution
The safest way to remove a hard drive without losing data on it is to have it done by somebody qualified to do so.

Provided the computer is powered off, and you remove the drive without physically damaging it (including electrical), then there is no chance of data loss.

You don't have to actually remove the drives from the computer unless of course you plan to use them elsewhere. All that is needed is to power down the machine and disconnect the data connection to the drive. You may as well disconnect the power connection as well, as there isn't much need to apply power to an unused drive.
Disconnecting drives that are not infected is probably the best way to keep them so. Trying to access them using a machine that has been compromised may actually expose more data to damage, so I wouldn't do that.

Personally, I would start by disconnecting all non-essential drives, then I would reinstall Windows. Some folks think a thorough cleaning is all that's needed. The merits of both can be argued, and that's not really the point of this thread. By the time folks are done arguing, you could have reinstalled a clean copy of Windows several times.

Unless you're willing to try paying the ransom, or go through expensive data recovery services, I would consider any encrypted data to be a write-off. Other folks may have better ideas about that. I personally would never pay the ransom, if for no other reason than the principle behind it.

Hopefully by now, you have a reasonably good idea what you did that caused your system to be infected with the ransomware so you can avoid future recurrences of it. If you don't know how you ended up with it, I would certainly be leery of reattaching any data drives to the machine until you sort out the root cause. You may not have the chance to save anything the next time.
 

Gtech34

Thanks for your reply. So what's the safest way to remove an internal hard drive without losing the data stored on it? And what to do with the infected HDD? I have my operating system installed on an SSD.

 