Geekzone: technology news, blogs, forums
turb

881 posts

Ultimate Geek


#197900 17-Jun-2016 09:07

A mate's win7 PC has become infected with ransomware.

All his word docs, photos etc have been given new extensions and encrypted, but his .pst file hasn't been renamed, so I'm hoping it may be okay.

He works at sea, so needs offline access to old emails.

The infected PC is a cruddy old laptop with a damaged screen that was headed for the bin anyway, so I don't need to try fixing it.

My question is this:

How can I get the .pst file from the infected PC and safely check it without risking contaminating another machine?




Interests: HTPC, Web App authoring. 


This is a filtered page: currently showing replies marked as answers.

bigtone58
2 posts

Wannabe Geek

ID Verified

#1578783 23-Jun-2016 07:46

<quote>
A mate's win7 PC has become infected with ransomware.

All his word docs, photos etc have been given new extensions and encrypted, but his .pst file hasn't been renamed, so I'm hoping it may be okay.

He works at sea, so needs offline access to old emails.

The infected PC is a cruddy old laptop with a damaged screen that was headed for the bin anyway, so I don't need to try fixing it.

My question is this:

How can I get the .pst file from the infected PC and safely check it without risking contaminating another machine?
</quote>

You need to be careful here, but if the affected machine is still operational (i.e. you can browse the internet, send/receive emails, create documents/spreadsheets, etc), then the ransomware has done its thing and bolted through the stable door. There is therefore no active component of the infection on the machine at the moment, but there is possibly a dormant form that could be retriggered if you happened to stumble on it in your recovery of the PST file.

I am assuming that MS Word and MS Outlook are installed on the affected machine as you mention docs and PST files respectively. I would also assume that there is a high likelihood of MS Excel being installed as it is the usual companion of MS Word. Your description leads me to believe that these applications may be the ones that are predominantly used and are therefore highly likely to have been used as the path to introduce the ransomware.

Without knowing which particular ransomware variant you have been stung with, I can only quote the fact that says "roughly 60-70% of ransomware is introduced via socially engineered emails that subsequently run scripts/macros that do the nasty work". The implication of this in your case is that the ransomware probably came in as a document or spreadsheet attachment to an email that looked legitimate to your mate (probably seeming to have come from someone who had been recently emailed - that's the social engineering part).

When it was opened it then ran a macro from within that attachment that downloaded the ransomware engine, which then proceeded to encrypt the files it wanted to target, maybe turn off some file backup options, maybe delete any system restore points, maybe overwrite free space multiple times, leave a message in the directories within which it encrypted files, and delete itself from the machine (leaving no retrievable copy of either a public or private key). It may have had to ask to have the macro execution enabled, but being a "cruddy old laptop with a damaged screen" it may have had the ability to run macros still turned on as that was an old default. (The "maybe" parts in the preceding statement are dependent upon the ransomware variant you got stung with.)

I would guide you to proceed as follows:-

1. Copy the PST file to a USB stick and take it to another "clean" machine.
2. Run as many Anti-Virus and Anti-Malware tools over it as you can find. I would recommend Malwarebytes and Hitman Pro as first attempts (as well as your "updated" Anti-Virus suite). There are many others available as well.
3. Review the logs from these tools to see if they found the ransomware in a particular email in the PST file.
4. If it explicitly states that the email has been erased, then you are probably safe, but just to go "belts and braces" I would proceed as follows:-
5. If an email is not identified you will have to then do some detective work to find out when the files got encrypted. It should be apparent by looking up the dates on the files left behind by the ransomware.
6. Now you need to attach and open the PST file and find emails in the PST from just before the dates on the ransom demand files. You can do this with Outlook or an Outlook email viewer tool (available from Microsoft).
   WARNING: Don't try to open the email yet or you may retrigger the ransomware.
   RECOMMENDATION: Turning off "allowed macro execution" in Excel and Word may help to prevent a retrigger. (I haven't researched how to do that but it should be relatively straightforward.)
7. You need to look for an email with an attachment that is likely to be a Word document or an Excel spreadsheet and might have some unusual phraseology in the Subject header (the ransomware carrier).
8. This is the email that MUST be deleted without opening it, and you will probably have to do this with Outlook (so be careful).

If you have managed to get to this point then the PST should be clean and you have probably removed all traces of the ransomware (apart from the already encrypted files). Please also take into account other advice offered in this thread as they all have valid points to make.

If you wish, you can PM me, but as I am fairly new to being active on this site, it may take me a little while to figure out how that works.

Regards Tony
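
The "detective work" steps in Tony's post (date the encryption from the ransom-note files, shortlist emails received just before that, and vet their Office attachments without opening them) can be scripted on the clean machine. The following is an added example written for this page, not code from the thread or from any tool mentioned in it. It assumes the PST has already been copied to the clean machine and that messages and attachments have been exported from it with a viewer (Python's standard library cannot read PST files; a library such as pypff would be needed to read it directly). The mailbox entries, the fake encrypted profile and the sample Office files are constructed test data; the OLE sample in particular is just a header plus the VBA storage name, not a real document. Macro detection checks bytes only: for OOXML it looks for a vbaProject.bin part inside the zip, and for legacy OLE2 files it looks for the UTF-16LE "_VBA_PROJECT" directory entry name.

```python
"""
Triage helpers for the steps in the post above: date the encryption from the
ransom-note files, shortlist emails received just before it, and check their
Office attachments for VBA macros without opening them.
Added example, not code from the thread. Assumes the PST was copied to a
clean machine and its messages/attachments exported with a viewer (Python's
standard library cannot read PST files); the messages and files below are
constructed sample data.
"""
import hashlib
import io
import os
import tempfile
import zipfile
from datetime import datetime, timedelta

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls container header
OFFICE_EXT = (".doc", ".docm", ".docx", ".xls", ".xlsm", ".xlsx")


def attachment_has_macros(data: bytes) -> bool:
    """True if an Office attachment carries a VBA project; inspects bytes only."""
    if data.startswith(b"PK"):      # OOXML is a zip; macros live in */vbaProject.bin
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
        except zipfile.BadZipFile:
            return False
    if data.startswith(OLE_MAGIC):  # OLE2: the VBA storage name is a UTF-16LE directory entry
        return "_VBA_PROJECT".encode("utf-16-le") in data
    return False


def sha256_hex(data: bytes) -> str:
    """Hash to look up against AV vendors instead of submitting the file itself."""
    return hashlib.sha256(data).hexdigest()


def encryption_window(root, note_marker):
    """Earliest and latest mtime of ransom-note files (names containing note_marker) under root."""
    times = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if note_marker.lower() in name.lower():
                times.append(datetime.fromtimestamp(os.path.getmtime(os.path.join(dirpath, name))))
    return (min(times), max(times)) if times else None


def suspect_messages(messages, first_note, lookback=timedelta(days=3)):
    """Messages with Office attachments received in the lookback period before the first note."""
    return [m for m in messages
            if first_note - lookback <= m["received"] <= first_note
            and any(a.lower().endswith(OFFICE_EXT) for a in m["attachments"])]


# --- constructed samples (not real malware, not real mailbox data) ----------
def make_ooxml(with_macros):
    """Minimal OOXML zip; with_macros adds an empty vbaProject.bin part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


def make_sample_tree(note_marker="RECOVER_FILES"):
    """Temp dir mimicking an encrypted user profile; note mtimes are 5 minutes apart."""
    root = tempfile.mkdtemp()
    base = 1465967400  # arbitrary epoch seconds
    for sub, name, ts in [("Documents", "thesis.docx.locked", base + 60),
                          ("Documents", f"{note_marker}.txt", base),
                          ("Pictures", f"{note_marker}.html", base + 300)]:
        os.makedirs(os.path.join(root, sub), exist_ok=True)
        path = os.path.join(root, sub, name)
        open(path, "wb").close()
        os.utime(path, (ts, ts))
    return root


def demo():
    root = make_sample_tree()
    first_note, last_note = encryption_window(root, "RECOVER_FILES")
    inbox = [  # constructed export of the mailbox (hypothetical subjects and attachments)
        {"subject": "Invoice 3321", "received": first_note - timedelta(hours=2), "attachments": ["Invoice_3321.docm"]},
        {"subject": "Re: statement", "received": first_note - timedelta(days=1), "attachments": ["Statement.xls"]},
        {"subject": "holiday pics", "received": first_note - timedelta(days=10), "attachments": ["IMG_1.jpg"]},
        {"subject": "report", "received": first_note + timedelta(hours=1), "attachments": ["report.docx"]},
    ]
    suspects = suspect_messages(inbox, first_note)
    fake_ole = OLE_MAGIC + b"\x00" * 512 + "_VBA_PROJECT".encode("utf-16-le")
    return {
        "window_seconds": (last_note - first_note).total_seconds(),
        "suspect_subjects": [m["subject"] for m in suspects],
        "docm_has_macros": attachment_has_macros(make_ooxml(True)),
        "docx_has_macros": attachment_has_macros(make_ooxml(False)),
        "ole_has_macros": attachment_has_macros(fake_ole),
        "docm_sha256": sha256_hex(make_ooxml(True)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The shortlist is deliberately generous (three days before the first ransom note, any Office extension) because mail received dates and note mtimes are only approximate; a macro-bearing attachment in that window is the candidate to delete unopened, and its SHA-256 can be checked against vendor databases without ever rendering the file.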

