I've got ransomware! What should I do?
- 8th September 2017
- Posted by: Mark Dodds
- Category: Security
Prevention is always the best cure, but what if ransomware is already on your computer? There are plenty of guides online about the precautions you can take, but knowing what to do after you discover an infection is just as critical. That's why we've put together a short guide for anyone unfortunate enough to be hit, covering how to work out which kind of ransomware you have and the all-important first steps to take as soon as you suspect you've been infected.
Types of Ransomware
Ransomware comes in three main types: screen-locking, fake (scareware) and encrypting ransomware. The screen-locking strain displays a full-screen ransom note, often claiming to come from an authority such as the FBI or a government agency, and in most cases the user cannot get past it; it does not normally touch your files. Fake ransomware is the least harmful: you can still navigate around your computer, and a simple restart or an anti-malware scan will usually clear it.
None of these is ideal, but encrypting ransomware is by far the worst, because it renders your files unreadable without the attacker's key. This guide focuses on encrypting ransomware and how businesses can best deal with it.
How do I know it's a ransomware attack?
There are many types of malware. Some are designed to steal valuable information, others simply to destroy files. Ransomware is designed to make you pay to get your own files back. Most commonly you will see a pop-up or full-screen message saying that your files have been encrypted, with a short deadline to pay before the price rises or the key is destroyed.
You may also find that you can no longer open your documents, that their file extensions have changed, and that a ransom note (typically a text or HTML file) has appeared in each affected folder.
What do I do now? – First steps
It’s important to take action quickly, so aim to follow these steps as closely as possible:
- If you have an IT team, alert them immediately
- Isolate the infected machine(s) straight away by unplugging the network cable and disconnecting from Wi-Fi
- Keep it off the company network, including any VPN, until it has been cleaned or rebuilt, to avoid spreading the infection to other users
- You may need to temporarily lock down and check your file servers, as the attack spreads through the shared network drives mapped on the infected machine; look for renamed files and ransom notes on the shares
- Keep the computer switched on but isolated: powering it off can destroy evidence, and because some strains hold the encryption key only in memory, it can also remove your one chance of recovering that key. If your IT team can capture a memory image, do so before anything else
- Take a picture of the ransom message on your smartphone, including any ID number, payment address and the file extension it has added. You will need it to report the crime to the police and to make an insurance claim, and it is also the quickest way to identify the strain
How was I infected with ransomware?
Once you've isolated the infected machine, it's important to establish how and where the infection came in. Ideally, speak to the person who first noticed the ransomware and find out what they were doing just before the ransom screen appeared: did they open an attachment or click a link in an email, for example? Check your mail server, web proxy and anti-virus logs for the same period, and look for other machines showing the same signs, because the first machine noticed is not always the first one infected.
Should I pay the ransom?
It's tempting to part with what may be a relatively small sum, often around $300, but we strongly advise against paying anything for your files. Firstly, there is no guarantee that you will get your files back: the criminals may never send a key, or the decryptor they supply may be broken. Secondly, paying funds further ransomware attacks against other people and businesses.
So, how do I get my files back?
In most cases there is no way of unlocking your files without the decryption key. There have been cases, though, where malware researchers have found flaws in a strain's implementation, or where researchers or law enforcement have obtained the criminals' master keys, and free decryption tools have been released.
Start by identifying the strain: the ransom note, the extension added to the encrypted files and a sample encrypted file are usually enough. Free identification services such as No More Ransom (www.nomoreransom.org) and ID Ransomware match these against known families and point you to a decryptor if one exists. Always work on copies of the encrypted files and keep the originals untouched, and never run a 'decryptor' from an untrusted source, because fake decryptors are themselves a common malware lure.
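The identification step above, as an added example that is not part of the original post: a read-only triage script that walks a copy of the affected drive or share, picks out files whose content looks like ciphertext, tallies the extension the ransomware appended, locates the ransom notes, and reports the time window in which encryption ran. The note-name patterns, entropy threshold and the sample folder built by demo() are assumptions for illustration; extend the patterns from the note you photographed.

```python
"""Offline triage of a folder tree hit by encrypting ransomware.

Run it against a copy or a read-only mount of the affected drive or share,
not from the infected machine. It only ever reads files.
"""
import math
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

# Assumed, illustrative patterns: words that commonly appear in ransom-note
# file names. Real families differ, so extend this from the note you photographed.
NOTE_NAME_RE = re.compile(r"(decrypt|restore|recover|readme|how.?to|ransom|unlock)", re.I)
NOTE_EXTS = {".txt", ".html", ".htm", ".hta"}
# Formats that are compressed or encrypted by design and so look random anyway.
SKIP_EXTS = {".zip", ".7z", ".gz", ".rar", ".jpg", ".jpeg", ".png", ".mp3", ".mp4",
             ".pdf", ".docx", ".xlsx", ".pptx"}
ENTROPY_THRESHOLD = 7.5   # bits per byte; plain text is roughly 4-5, ciphertext 7.9+
SAMPLE_BYTES = 4096       # only the head of each file is read
MIN_SIZE = 64             # tiny files give meaningless entropy figures


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of `data` in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def is_ransom_note(path: Path) -> bool:
    return path.suffix.lower() in NOTE_EXTS and bool(NOTE_NAME_RE.search(path.stem))


def triage(root) -> dict:
    """Walk `root` read-only and summarise the ransomware indicators found."""
    notes, encrypted = [], []          # encrypted: (path, mtime) pairs
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                st = p.stat()
                with open(p, "rb") as fh:
                    head = fh.read(SAMPLE_BYTES)
            except OSError:
                continue               # unreadable file: skip, do not abort the triage
            if is_ransom_note(p):
                notes.append(p)
            elif (p.suffix.lower() not in SKIP_EXTS and st.st_size >= MIN_SIZE
                  and shannon_entropy(head) >= ENTROPY_THRESHOLD):
                encrypted.append((p, st.st_mtime))
    mtimes = [m for _, m in encrypted]
    return {
        "encrypted_count": len(encrypted),
        "top_extensions": Counter(p.suffix.lower() for p, _ in encrypted).most_common(3),
        "notes": [str(p) for p in notes],
        # First 500 chars of the first note: this is what you paste into an identification service.
        "note_excerpt": notes[0].read_text(errors="replace")[:500] if notes else "",
        "first_encrypted_mtime": min(mtimes) if mtimes else None,
        "last_encrypted_mtime": max(mtimes) if mtimes else None,
    }


def demo() -> dict:
    """Constructed sample tree standing in for a hit share; returns triage(...)."""
    root = Path(tempfile.mkdtemp(prefix="ransom-triage-"))
    (root / "docs").mkdir()
    for i in range(3):                  # 'encrypted' documents: random bytes, appended extension
        (root / "docs" / f"report{i}.docx.locked").write_bytes(os.urandom(SAMPLE_BYTES))
    (root / "docs" / "HOW_TO_DECRYPT_FILES.txt").write_text(
        "Your files are encrypted. Send 0.5 BTC to ... and email your ID.")
    (root / "meeting notes.txt").write_text("agenda, actions, owners\n" * 120)  # untouched file
    (root / "photo.jpg").write_bytes(os.urandom(SAMPLE_BYTES))                 # skipped format
    return triage(root)


if __name__ == "__main__":
    import sys
    result = triage(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run it as `python triage.py /mnt/copy-of-share` and take the top extension, the note excerpt and one `.locked`-style file to the identification service. The entropy test only flags files that look random, which is why natively compressed formats are skipped; a ransomware that encrypts only the first few kilobytes of each file will still be caught because only the head is sampled, but one that leaves the original extension in place will show up in the count without an obvious extension, so read the notes as well as the numbers.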
If no tool is available, the next option is your backups, so it's important for your business to have a backup strategy for exactly this situation. Keep at least one copy offline or offsite and not permanently mapped to your machines, because ransomware will encrypt any backup drive or share it can reach. The same goes for Dropbox, Google Drive, OneDrive and other cloud file-sync services: the encrypted versions synchronise to the cloud and overwrite the good copies. Many providers offer version history or a rollback feature, so check whether yours does and how far back it goes.
Even when you have a backup, do a clean operating system install before restoring, as the ransomware may have been delivered alongside other malware such as keyloggers or a remote-access trojan. Restore from a backup taken before the infection and check that a sample of the restored files opens correctly. If you don't have a backup you will, unfortunately, find yourself in a difficult position; keep a copy of the encrypted files, as a decryptor for your strain may be released later.
Review your security
Surviving a cyber attack requires prevention, detection and recovery. Think about what downtime costs your business. Sadly, there is no single solution to security, so we always recommend a layered approach:
- Make sure you've got anti-virus/anti-malware software on all of your computers and ensure it's kept up to date
- Keep all of your software updated, operating systems and applications alike; attackers routinely exploit vulnerabilities for which a patch has been available for weeks or months
- Conduct security awareness training for your users, with an emphasis on spotting phishing emails
- Most cyber attacks are launched via email, so you need a modern email security system that inspects the behaviour of attachments and URLs (sandboxing) rather than relying on signatures alone
- Use a DNS filtering service such as OpenDNS to limit access to dangerous and questionable websites
- Restrict administrative access on all computers: users should not run day to day as local administrators
- Make sure you are backing up your data, keep a copy offline, and test a restore regularly; a backup you have never restored from is not a backup
- Never plug computers and laptops into your network without a process to check that they are known, patched and protected
- Never plug in USB sticks of unknown origin
- Adjust your internet browser's security and privacy settings
- Remove plugins such as Adobe Flash, Java and Silverlight unless you specifically need them; these plugins are notorious for being exploited
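The "detection" layer above, and the file-server check from the first steps, as an added example that is not part of the original post: canary files planted on a share give an early, cheap signal that ransomware is running against it, long before a user notices. The script seeds decoy documents, records their hashes, and on each check reports any canary that has been modified, renamed or deleted. The canary names, content, alert format and the sample share built by demo() are assumptions; in a real deployment check_canaries would run every minute from a scheduled task, with the state file kept off the share, and an alert would trigger disconnecting the offending session (for example with Close-SmbSession on a Windows file server) and paging the IT team.

```python
"""Canary files for early detection of ransomware on a file share.

Cheap enough to run every minute: it hashes a handful of decoy files rather
than scanning the whole share.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path

# Assumed names, chosen to sort first and last in a directory listing so that a
# ransomware process walking the share alphabetically hits one early and one late.
CANARY_NAMES = ["!0000_payroll.xlsx", "~zzzz_contracts.docx"]
CANARY_CONTENT = b"CANARY FILE - do not edit, move or delete. Contact IT if you see this.\n" * 16


def sha256_file(path: Path) -> str:
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def seed_canaries(share_root, state_file) -> dict:
    """Create the canaries in the share root and every top-level folder; record hashes."""
    share_root = Path(share_root)
    state = {}
    for folder in [share_root] + [d for d in share_root.iterdir() if d.is_dir()]:
        for name in CANARY_NAMES:
            p = folder / name
            p.write_bytes(CANARY_CONTENT)
            state[str(p)] = sha256_file(p)
    # Keep the state file somewhere the ransomware cannot reach (not on the share).
    Path(state_file).write_text(json.dumps(state, indent=1))
    return state


def check_canaries(state_file) -> list:
    """Return one alert string per canary that is no longer intact."""
    state = json.loads(Path(state_file).read_text())
    alerts = []
    for path_str, expected in state.items():
        p = Path(path_str)
        if not p.exists():
            # Typical ransomware appends an extension: look for foo.xlsx.<something>
            renamed = [q.name for q in p.parent.glob(p.name + ".*")] if p.parent.exists() else []
            alerts.append(f"MISSING {p}" + (f" (renamed to {renamed[0]})" if renamed else ""))
        elif sha256_file(p) != expected:
            alerts.append(f"MODIFIED {p}")
    return alerts


def demo() -> tuple:
    """Constructed share: seed, check (clean), simulate an attack, check again."""
    share = Path(tempfile.mkdtemp(prefix="share-"))
    (share / "Finance").mkdir()
    (share / "Finance" / "budget.xlsx").write_bytes(b"real spreadsheet bytes")
    state_file = Path(tempfile.mkdtemp(prefix="canary-state-")) / "state.json"
    seed_canaries(share, state_file)
    clean = check_canaries(state_file)
    # Simulated ransomware behaviour on three of the four canaries:
    # overwrite and rename one, overwrite one in place, delete one outright.
    victim = share / "Finance" / CANARY_NAMES[0]
    victim.write_bytes(os.urandom(len(CANARY_CONTENT)))
    victim.rename(victim.with_name(victim.name + ".locked"))
    (share / "Finance" / CANARY_NAMES[1]).write_bytes(os.urandom(len(CANARY_CONTENT)))
    (share / CANARY_NAMES[1]).unlink()
    return clean, check_canaries(state_file)


if __name__ == "__main__":
    before, after = demo()
    print("before attack:", before or "all canaries intact")
    print("after attack:", *after, sep="\n  ")
```

Hidden or obviously fake canaries are skipped by some strains, so give them plausible names and real-looking content, and tell staff not to touch files that announce themselves as canaries. This catches encryption that has already started on the share; it does not stop it, which is why the response on alert has to be automated.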
Your data is the heart of your business and you need the right security to keep it safe. Following the tips above will reduce the chance of ransomware and other malware getting into your IT systems.