Your Ransomware Survival Guide
Ransomware is on the rise — and every computer is a potential target. It doesn’t matter if you run a small business or a Fortune 500 company, ransomware can cause serious damage to your business by locking up your data. While prevention is preferred, should ransomware affect you, this ransomware survival guide can help you limit the damage.
My computer has been infected by ransomware. Now what?
Your first instinct may be to panic! After all, a cryptic note demanding money is alarming and access to your files is mission critical. As alarming as ransomware is, we urge you to remain calm. You can get through this, but it will be a much easier recovery process if you don’t panic.
So, take a deep breath and disconnect your computer from the network. Depending on how the computer is connected, you may need to sign off of Wi-Fi or unplug the Ethernet cord. This is crucial in preventing the infection from worming its way onto other network assets.
How can I identify which ransomware infected my computer?
Some ransomware is more challenging to deal with than others. For example, fake ransomware has emerged, bringing with it scary looking ransom screens but without the hardcore encryption of your data. Likewise, some forms of ransomware can be dealt with thanks to newer decryption tools on the market. Even if you’d rather just pay the ransom and get your files back, some variants are notorious for taking your money and keeping your files locked up. Knowing exactly what type of ransomware you’re dealing with is helpful in determining what to do next.
Fortunately, there are a few ransomware identification websites out there that can help point you in the right direction. For example, MalwareHunterTeam.com has an ID Ransomware tool that allows you to upload either the ransom note or an encrypted file for analysis and identification.
Am I “Patient Zero”?
In healthcare, the term “patient zero” refers to the person identified as the first carrier of a communicable disease in an outbreak of related cases. We use the same term to describe the first computer infected by ransomware. Is your computer the first to lock up with ransomware? You’re patient zero! Remember, deep breath and disconnect from the network ASAP to prevent others from getting infected.
Now, retrace your steps as you may be able to identify the source of the infection such as a malicious website link or infected email attachment.
How do I unlock my files?
Ransomware is effective (for the bad guys) because it encrypts files so that they cannot be unlocked unless the user obtains the decryption key (which, presumably the hackers will provide to you once the ransom is paid). Unfortunately, with just a few exceptions, without this key, you won’t be able to open your files.
Because there are a few exceptions, check with your computer security solution provider to see if a ransomware decryption tool exists to unlock your files. If not, you will need to restore your files from a backup. Keep in mind how your computer got infected in the first place so that after you restore your system, you don’t inadvertently re-infect it by opening the same email attachment or visiting the same website that infected your system originally.
Should I pay the ransom?
We understand how important your files are, but we urge you to explore all of your options before even considering paying the ransom. The FBI does not support paying extortionists a ransom. In an April 2016 advisory about ransomware, FBI Cyber Division Assistant Director James Trainor said that you might not get your files back even after paying a ransom.
He also said, “Paying a ransom not only emboldens current cyber criminals to target more organizations, it also offers an incentive for other criminals to get involved in this type of illegal activity. And finally, by paying a ransom, an organization might inadvertently be funding other illicit activity associated with criminals.”
Assuming you’ve tried everything else and do not have a good backup, you’ll want to consider the nature of the files that have been encrypted. Are the files mission critical or are they older files that you no longer need?
How can I tell if the ransomware has been fully removed from my computer?
It’s tricky, especially if you are unable to identify the source of the original ransomware infection. We recommend resetting the infected computer back to its original factory settings, which will completely remove all traces of malware. From there, restore your files from a current backup. Even then, the backup could restore the original infected file, which, if activated, would start the process all over again.
How can I prevent future ransomware attacks?
You probably don’t want to suffer through another ransomware infection. The following steps can help keep your systems safe:
- Install reliable computer security software, antivirus, anti-malware, and antispam tools on all of your systems.
- Implement an automated patch management system or work with a managed services provider to ensure that all software and operating systems are regularly patched with the latest updates and security patches.
- Have your entire team participate in security awareness training so everyone understands how to spot and report suspicious emails or unusual activities.
- Work with your computer security solution provider to ensure that all end user logins, roles, and permissions are set up appropriately.
- Invest in a reliable backup system with redundancy built in. For example, you should have three copies of your data with at least one set stored safe and sound offsite.
- Evaluate your data assets. What data is mission critical? Where is it located? And how is it protected?
- Regularly evaluate the backup status of all network storage systems, including individual computers, servers, and network attached storage devices.
- Test your backup system. Is it reliable? How long does it take? Are there any failures or weak points?
- Practice a 3-2-1 backup strategy that requires you to have three copies of your data in two different locations, one of which is offsite.
- Quantify the cost of downtime to get a better understanding of the true cost of ransomware. It could be much higher than anticipated, making investments in computer security and backup systems a bargain in comparison.
How can I limit the damage caused from ransomware should a future infection occur?
Even with the best systems in place, ransomware is still a threat. Here are a few steps to take now to minimize the damage: