Ransomware can be a b***h. It locks your computer and unless you pay a ransom (usually in the £600-1000 range), your data is encrypted forever. Meaning, it is as good as deleted. Our anti-virus cannot possibly be perfect 100% of the time and therefore we must prepare ourselves for the fact that we might one day get struck by a crippling ransomware attack.
If you are suffering from an attack, here’s what to do…
What To Do If You Get Attacked
Disconnect the infected device from everything (all networks, WiFi, etc.). Assume anything connected to the affected device is also compromised and perform the steps below to those devices too. Remove CDs and DVDs and unplug USB drives from your computer. Prevent it spreading but do not turn your computer off! Much like malware, some ransomware takes a tighter grip of your machine once rebooted. For any steps below that require the internet, use a healthy non-impacted device to do the web browsing.
2. Identify Ransomware Type
Determine if you've been struck by ransomware which encrypts your computer (the worst kind) or if this is just something pretending to be ransomware, i.e. screen-locking ‘scareware’ which isn’t so bad. Use a healthy device to go to this website, type in the name of the ransomware the screen shows on your infected device and it’ll let you know what type of ransomware it is. If it’s not so obvious, test as follows:
- If you cannot navigate away from your current screen, it’s most likely just screen-locking ransomware.
- Try and navigate away from whatever message is being displayed. If you’re allowed to go about your business, open the browser, open programs, etc. it is likely to be encrypting ransomware.
- Go to My Documents and open some of your files, videos, music and emails. Choose a wide selection. If you can’t open some, you’ve been struck by encrypting ransomware.
> If you’ve got screen-locking ransomware...following the usual steps to get rid of a standard virus should do the trick. You can find a post on removing viruses here.
> If you have encryption-based ransomware...continue to step 3 below.
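The "open a wide selection of files" test from step 2 can also be run in bulk. The Python sketch below is an added example, not part of the original post: it only reads files, checks whether each one still starts with the signature its extension implies, and falls back to a randomness score for unfamiliar extensions. The file-type list, the 7.5 threshold and the `.locked` extension in the sample data are assumptions made for illustration.

```python
import math
import os
import tempfile
from collections import Counter

# Leading "magic" bytes that healthy files of each type start with.
MAGIC = {
    ".pdf": b"%PDF", ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff",
    ".zip": b"PK\x03\x04", ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04",
}

def entropy(data):
    """Shannon entropy in bits per byte; encrypted data sits close to 8."""
    counts = Counter(data)
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts.values())

def classify(path, sample=4096):
    """Return 'ok', 'suspect' or 'unknown' for one file (read-only)."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as fh:
        head = fh.read(sample)
    if ext in MAGIC:
        # Known type: a healthy file must start with its signature.
        return "ok" if head.startswith(MAGIC[ext]) else "suspect"
    # Unknown extension (e.g. one appended by ransomware): fall back to entropy.
    # Legitimate compressed files also score high, so treat this as a hint only.
    if len(head) >= 256 and entropy(head) > 7.5:
        return "suspect"
    return "unknown"

def triage(root):
    """Walk a folder and count how many files fall into each class."""
    tally = {"ok": 0, "suspect": 0, "unknown": 0}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            try:
                tally[classify(os.path.join(folder, name))] += 1
            except OSError:
                tally["unknown"] += 1  # unreadable file: cannot judge
    return tally

def demo():
    """Constructed sample data: a healthy PDF plus two files of random bytes."""
    with tempfile.TemporaryDirectory() as d:
        samples = {"cv.pdf": b"%PDF-1.7\n" + b"text " * 100,
                   "tax.pdf": os.urandom(2048),
                   "photo.jpg.locked": os.urandom(2048)}
        for name, body in samples.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(body)
        return triage(d)
```

Point `triage()` at a documents folder: a large share of "suspect" results on files that used to open normally suggests encrypting ransomware rather than a screen-locker.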
3. Pay the Ransom?
Never pay the ransom. Not because we’re worried about encouraging the criminals necessarily but because we risk being added to a ‘sucker list’ and being subjected to a lifetime of attacks unless we change our entire online identity...yeh, not something we want for sure!
4. Remove Ransomware
Before we get to decrypting your files, we need to remove the infection first.
- Download a Decent Malware Scanner: if you have a second device, use this to download a decent ‘on-demand’ scanner (either Bitdefender or Malwarebytes as they are both free and tend to catch everything) onto a USB drive. Load the anti-virus scanner onto the infected device from the USB. If you don’t have a second device to do this with, use the infected machine to download the scanner directly. Not ideal but you should be OK. If even this fails (unlikely), reboot your infected machine and enter safe mode as this can help stop the malware loading.
- Run a Scan: choose the most comprehensive scan possible. It should detect and remove anything malicious that is found. If viruses are found, reboot and have a play around to see if all is back to normal.
- Re-Scan with Another Scanner: it’s best to validate the “all-clear” with a different Anti-Virus (AV) as some scanners pick up different malware than others. I’d recommend finishing with either Kaspersky TDSSKiller or HitmanPro.
- Some clever malware strains will automatically kill any attempt to download or run an anti-virus program so if you see the program quitting halfway through a scan and not reopening, this could be why. If this happens, choose a custom scan and manually scan individual folders at a time (doing your PC in bite-size chunks). These will complete much quicker, before the malware has a chance to close the scan down.
- Anti-Virus Rescue Disk: if all else fails, use another computer to create something called an ‘anti-virus rescue disk’. This is a disc you burn from a healthy computer and it’ll help do a deep clean of your infected PC without even loading the operating system. Just google for a step-by-step guide for your specific operating system (Windows/Apple/etc.).
- Decrypt or Recover Your Files: there are now a decent number of decryption tools available for us to recover our encrypted files. Navigate to nomoreransom.org and use the tool it recommends for your infection (refer to what you discovered from step 2). If you don’t find what you need, try the fightransomware.com website for a decryptor tool. If your files have simply been deleted, use the ShadowExplorer data recovery tool here to recover your documents or restore from a previous back-up you may have made.
Follow the steps below to clean your device, put functionality back to normal and help prevent it happening again.
- Fix Lingering Issues: some malware will leave lingering issues, such as not being able to connect to WiFi or your desktop background being changed. Use either Microsoft’s ‘Fix It’ tool or a tool called ‘Re-Enable II’ to get things back to normal.
- Update Software & OS: check your browser, apps and operating system for software updates and update them all. This will likely patch the original software vulnerability that was used to gain access in the first place.
- Clean-up: get rid of the apps you have that you never use. Every app likely has vulnerabilities that could be exploited. Use a tool like ‘CCleaner’ to remove all the gunk your machine accumulates over time.
- Scan System Restore Points / Time Machines: many viruses actively seek to embed themselves into these automatic backups so even if we get rid of them once, they can come back to haunt us! Scan these back-ups to prevent any recurrence.
- Reset Passwords: most malware is designed to steal your credentials, so go to haveibeenpwned.com to see if your password credentials have been leaked online. If they have, reset all your passphrases associated with that email address.
- Automatic Back-ups: when you’re sure all the malware is gone (wait a day or two), set up automatic back-ups (see Basic Protection Plan for more details), so that next time you can simply restore from your back-up the day before.
Wow…if you’ve managed to follow it through, well done. As you’ve probably understood now, ransomware can be a real pain. Bookmark my website www.simplecyberlife.com now to ensure you have it on hand in case something goes wrong.
Founder of www.SimpleCyberLife.com. Cyber security expert, public speaker and entrepreneur.