Recovering From a Ransomware Attack
Ransomware attacks are on the rise. It is getting more common to get random emails with subjects indicating they are package tracking, voice mails, photo edits, and so on. Many of these are attempts to get you to take the bait, click the link, and ultimately install ransomware. Much has been written about recognizing malicious emails, not opening mail from unknown users, and other good advice. What happens, however, if you are unfortunate and do get hit with ransomware?
We are assuming this is a true Ransomware infection, where an active payload of malware has been added to your system. Another type of Ransomware is Scareware masquerading as Ransomware. This latter Ransomware has no payload but threatens you with data encryption as well. It is best to assume any Ransomware threat includes a payload, at first. A safe mode reboot investigation can help you check if a payload is active. If the infection is just Scareware, you may be safe with a reboot and comprehensive malware scan to confirm there is no infection active.
First, be very suspicious of any unusual activity. One of the first signs, even before the ransom notice pops up, is that programs will stop working, or documents will disappear. This activity is due to the malicious software starting to encrypt your files. If anything like that happens, take immediate action. First, disconnect your computer from your network. That is, physically disconnect the network cable, or if you use a wireless connection, turn it off. Also, immediately shut down your computer. I do not usually advocate just turning off the power, but this is one time that it is not a bad idea. The idea is that if ransomware has started on your system, to limit the damage occurring.
Try to start your computer in safe mode, and begin investigating. Make sure you lookup entering safe mode in Windows on your version to MAKE SURE you do NOT get a normal boot or the Ransomware will be active again. Check for those programs or documents that suddenly disappeared. If there is a file with the same name, but the extension has changed, most likely ransomware is the culprit. In that case, be prepared to do some research, and possibly still lose some work. It depends on the active Ransomware variant since some have been Ransomware payloads have been cracked and there are recover utilities available.
Other Ransomware payloads do not have removal utilities, and you will have to go to your back copies. Before that, however, you need to make sure that the machine is cleaned of the ransomware programs or your system will be reinfected and you will need to start over again. If utilities exist to clean the Ransomeware for your system, they should be used immediately. If not, a lot of digging and experimenting will be required. If there is no cleaning utility you may need to reformat the infected drives, reinstall the operating system, and then restore from a full image backup, NOT just a file backup. In either case, spend a lot of time checking your system, before putting it back on your network and getting on with your work. You want to be very, very, sure that the Ransomware is gone, or you will be exposing the rest of the computers on your network to Ransomware infections.
Recovering from Ransomware is a critical task that can be very complex. This blog is just a simple overview. We recommend you contact CCS Retail Systems Support for further guidance and services to ensure the Ransomware is properly eliminated from your systems. Remember that if you comply with the Ransomware demands there is NO guarantee that your payment will result in any recovery of your system. The best course of action is to defeat the Ransomware request NOT honor it.
Dave.