Reacting to Ransomware – Worst Case Scenario

Maybe you have heard about ransomware somewhere but never expected it to happen to your business.  Or maybe you knew about it and took precautionary steps, but still got infected.  Perhaps you are in disaster recovery mode as you read this, desperate to find any information that might help.  Make no mistake: ransomware attacks do not discriminate, and the threat they pose to businesses is not a joke.  A 2015 report by the Cyber Threat Alliance estimated that a single strain of ransomware had cost its victims over $325 million, and that figure covers only the one family the report analysed.

Unfortunately, most cases of ransomware will ultimately result in lost data, time, productivity, and money for a business that has fallen victim.  While our team at Right Hand wants to equip clients with the tools and information needed to avoid this threat altogether, we also want business owners to know what to do when an infection hits.  The following guide will offer tips, best practices, and advice for anyone who is staring down one of those dreaded ransom notes.  Remember that all is not lost – acting quickly and decisively is the best counter to a ransomware threat.

Know when you’ve been infected and act fast.

It is easier to take action when you can quickly identify the signs of a ransomware attack.  The trademark of ransomware is to lock up access to your data: documents, spreadsheets, PDF forms, and many other file types.  If you realize that you cannot open any of them, this could be your first clear sign of an infection.  Applications opening a ransomware-encrypted file commonly report that the file may have become corrupted, because its contents have been replaced with ciphertext that no longer carries the header the application expects.  Many strains also rename the files they encrypt, appending a new extension.  The hackers who write ransomware want you to know what is happening so that you can get to the part where you send them money.  The ransom note itself will likely be very obvious: opened in the web browser, or even replacing your desktop background.  Many strains also drop small TXT or HTML files into every folder where files were encrypted; opening one reveals the ransom note.

The detail of the ransom note varies, but its purpose is always the same: your files have been encrypted or locked, and you must send money to the hackers to regain access.  Some notes even claim to be collecting for a charity or other good cause to make paying feel more acceptable.  Payment is almost always demanded in Bitcoin.  Bitcoin is not untraceable, since every transaction is recorded on a public ledger, but the addresses are pseudonymous, so connecting a payment to a real person is slow and difficult, which is why criminals favour it.
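The symptoms above can be checked mechanically.  The PowerShell script below is an added example, not code from the original article or from Right Hand.  It is a read-only triage scan that you run from a clean, elevated workstation against a local folder or a UNC path to a file share, and it flags three things: recently modified document files whose leading bytes no longer match their extension (the "corrupted file" symptom), a sudden burst of one file extension, and small text or HTML files with identical contents dropped into many folders (the note).  The magic-number table, the 24-hour window, the 20 KB note size and the five-folder threshold are assumptions of this example, not figures from the article.

```powershell
<#
  Added example; not code from the original article or from Right Hand.
  Read-only triage for the symptoms described above. Run from a clean machine
  against a folder or share (e.g. -Path \\fileserver\Data). Nothing is written.
  The thresholds below are assumptions of this example, not the article's.
#>
param(
    [Parameter(Mandatory)] [string] $Path,
    [int] $HoursBack = 24        # how far back "recently modified" reaches
)

# Expected leading bytes for common business file types. Office .docx/.xlsx are
# ZIP containers ("PK"); if one no longer starts that way its contents have been
# replaced, which is why applications report it as "corrupted".
$Magic = @{
    '.docx' = 0x50,0x4B;            '.xlsx' = 0x50,0x4B
    '.pptx' = 0x50,0x4B;            '.zip'  = 0x50,0x4B
    '.doc'  = 0xD0,0xCF,0x11,0xE0;  '.xls'  = 0xD0,0xCF,0x11,0xE0
    '.pdf'  = 0x25,0x50,0x44,0x46   # "%PDF"
    '.jpg'  = 0xFF,0xD8,0xFF
    '.png'  = 0x89,0x50,0x4E,0x47
}

function Get-LeadingBytes([string] $File, [int] $Count) {
    # Shared read/write open so a file still being written does not block us.
    $fs = [System.IO.File]::Open($File, 'Open', 'Read', 'ReadWrite')
    try {
        $buf = New-Object byte[] $Count
        $n = $fs.Read($buf, 0, $Count)
        if ($n -le 0) { return ,@() }
        return ,$buf[0..($n - 1)]
    } finally { $fs.Dispose() }
}

function Test-MagicMismatch([System.IO.FileInfo] $File) {
    $ext = $File.Extension.ToLowerInvariant()
    if (-not $Magic.ContainsKey($ext)) { return $false }   # unknown type: no opinion
    $expect = [byte[]] $Magic[$ext]
    $got = Get-LeadingBytes -File $File.FullName -Count $expect.Length
    if ($got.Count -lt $expect.Length) { return $true }    # empty/truncated: suspect
    for ($i = 0; $i -lt $expect.Length; $i++) {
        if ($got[$i] -ne $expect[$i]) { return $true }
    }
    return $false
}

$cutoff = (Get-Date).AddHours(-$HoursBack)
$recent = @(Get-ChildItem -Path $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.LastWriteTime -gt $cutoff })

# 1. Recently written files whose contents no longer match their extension.
$corrupt = @($recent | Where-Object { Test-MagicMismatch $_ })

# 2. A burst of one extension: many strains rename what they encrypt.
$burst = $recent | Group-Object Extension | Sort-Object Count -Descending | Select-Object -First 5

# 3. Ransom note candidates: one small text/HTML file, byte-identical, in many folders.
$notes = @($recent |
    Where-Object { $_.Length -gt 0 -and $_.Length -lt 20KB -and $_.Extension -match '^\.(txt|html?|hta)$' } |
    Group-Object { (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash } |
    Where-Object { @($_.Group.DirectoryName | Select-Object -Unique).Count -ge 5 })

"Files modified in the last $HoursBack h under ${Path}: $($recent.Count)"
"Type/content mismatches: $($corrupt.Count)"
$corrupt | Select-Object -First 20 -Property FullName, Length, LastWriteTime | Format-Table -AutoSize
"Most common extensions among recent files:"
$burst | Select-Object -Property Name, Count | Format-Table -AutoSize
"Ransom note candidates (same content in 5+ folders): $($notes.Count)"
foreach ($n in $notes) {
    $dirs = @($n.Group.DirectoryName | Select-Object -Unique).Count
    "  $($n.Group[0].Name)  ($($n.Group[0].Length) bytes, seen in $dirs folders)"
}
```

Save it under any name (for example Find-RansomwareSigns.ps1, a hypothetical file name) and run it as .\Find-RansomwareSigns.ps1 -Path \\fileserver\Data or -Path D:\Data.  It only reads, so it is safe to run before or after isolation; hits in the first and third lists are the strongest signal, and a file server that shows them should be treated as hit and taken offline as described in the next section.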

Right Hand recognizes that in some cases, making payment can be the only remaining course of action to retrieve business critical data.  With that being said, we highly discourage this action for three major reasons.

  • There is no guarantee that the hackers will actually release your data upon receiving payment.
  • Your business will be flagged as a successful hit, inviting additional future attacks.
  • Your ransom helps to fund illegal activity, giving hackers access to newer and more dangerous types of malware.

If you’ve successfully identified that a computer or computers have been infected, your best chance at mitigating damage comes by acting fast.  NEVER allow an infected computer to sit idle while connected to the network and the internet.

Most ransomware infections begin with social engineering, typically a phishing email carrying a malicious attachment or link.  Right Hand offers training programs that simulate actual attacks, giving your users an edge when it comes to identifying a potential threat before it happens.


Disconnect the computer from your network IMMEDIATELY.

Immediately disconnecting the computer from the network serves multiple purposes.  The most important is that you stop the infected computer from spreading damage to other resources on the network.  Never assume that the infection is limited to the computer where it started.  Most strains of ransomware encrypt not only files on the originating computer but anything reachable through mapped drives and network shares, using the infected user's own permissions.  This usually means the file servers on your network are also at risk.

When you disconnect the computer from the network (and the internet) you also cut off any remote access the hackers may have to the system.  Some strains contact the attacker's server before they begin encrypting, so in a few cases disconnecting quickly interrupts the malware before it does its work and protects files that would otherwise have been encrypted.

This is the most important step for limiting the damage, and it should be taken whenever there is even a suspicion of ransomware.  Pull the network cable and switch off Wi-Fi rather than powering the machine down: shutting down discards everything in memory, which can include evidence of how the attack happened and, for some strains, the encryption key itself.  If you cannot isolate the machine any other way, powering it off is still far better than leaving it connected.

Boot the computer into safe mode.

When you are ready to perform some initial troubleshooting on an infected machine, boot it into safe mode.  Safe mode is usually the best environment for removing malware because Windows loads only the drivers and services it needs to run.  In most cases, but not all, malware does not start in safe mode.

On Windows 7 and earlier, press the F8 key repeatedly during boot-up to reach the Advanced Boot Options menu and choose Safe Mode (not Safe Mode with Networking).  Remember that any kind of connectivity in this state can place other computers and servers on your network at risk.  Windows 8 and later boot too quickly for F8 to be reliable: on Windows 10, hold the Shift key while clicking Restart, then choose Troubleshoot, Advanced options, Startup Settings, Restart, and press 4 for Safe Mode once the menu appears.

Try using system restore.

System restore is a very handy feature that is built in on all current versions of Windows.  However – it should be noted that it is NOT turned on by default in Windows 10.  Right Hand recommends turning this feature on immediately for any Windows 10 computer.

On Windows 7, System Restore is under Accessories, System Tools in the start menu; on Windows 10, search the start menu for Create a restore point and click System Restore, or run rstrui.exe.  The tool attempts to revert the computer to the state it was in at some point in the past, preferably before the infection.  In some cases where the user has acted fast enough, the computer can be restored to its previous state without any lasting effects of the attack.

System restore is not foolproof, however.  Restore points are kept as Volume Shadow Copies, and many ransomware strains delete all shadow copies before they start encrypting, so you may find no restore points left to use.  System Restore also reverts only Windows itself (system files, installed programs and the registry); it does not touch your documents, so files that were encrypted will still be encrypted after a successful restore.  Another important thing to remember is that system restore reboots the computer into normal mode.  If system restore does not bring success, boot the computer back into safe mode and move to the next step.
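The three steps above (isolate, boot into safe mode, try System Restore) can be scripted so that nobody has to remember them under pressure.  The block below is an added example, not code from the original article or from Right Hand, and assumes an elevated Windows PowerShell 5.1 session on a Windows client with C: as the system drive.  It also adds a shadow-copy check, because ransomware commonly deletes Volume Shadow Copies, which is where restore points live, and knowing that up front tells you whether System Restore can help at all.  Dot-source the file (for example . .\Respond-Ransomware.ps1, a hypothetical name) and call the functions one at a time.

```powershell
<#
  Added example; not code from the original article or from Right Hand.
  The containment and first-recovery steps above as one script for an elevated
  Windows PowerShell 5.1 prompt on a Windows client (the System Restore cmdlets
  do not exist in PowerShell 7, and Disable-NetAdapter needs Windows 8 or later).
  Each step is a separate function so they can be run one at a time.
  Assumption of this example: the system drive is C:.
#>
#Requires -RunAsAdministrator

function Invoke-NetworkIsolation {
    # Step 1: cut every link, wired and wireless, without powering off, so memory
    # and other volatile evidence survive. On Windows 7 use instead:
    #   netsh interface set interface "Local Area Connection" admin=disable
    Get-NetAdapter | Where-Object Status -eq 'Up' | ForEach-Object {
        Write-Host "Disabling adapter: $($_.Name)"
        Disable-NetAdapter -Name $_.Name -Confirm:$false
    }
    # Belt and braces in case an adapter comes back: block all traffic as well.
    Set-NetFirewallProfile -All -DefaultInboundAction Block -DefaultOutboundAction Block
}

function Get-ShadowCopyStatus {
    # Step 2: did the malware delete Volume Shadow Copies? Restore points and
    # "Previous Versions" live there, and many strains wipe them before
    # encrypting. An empty list on a machine that had restore points is itself
    # a strong indicator, and it tells you whether step 4 can work at all.
    vssadmin list shadows
    Get-ComputerRestorePoint | Select-Object SequenceNumber, CreationTime, Description
}

function Enable-SafeBoot {
    # Step 3: make the next boot plain Safe Mode (no networking) instead of
    # relying on F8, which Windows 8 and later do not wait for. The braces must
    # be quoted or PowerShell parses {current} as a script block.
    bcdedit /set "{current}" safeboot minimal
    Write-Host 'Next reboot enters Safe Mode. Undo afterwards with: bcdedit /deletevalue "{current}" safeboot'
}

function Invoke-RestorePoint {
    # Step 4 (run from Safe Mode): roll back to the newest restore point created
    # before the incident. This reverts system files, programs and the registry
    # only; encrypted documents stay encrypted. The machine reboots into normal
    # mode when it finishes, so go back to Safe Mode before scanning.
    param([Parameter(Mandatory)] [datetime] $IncidentStart)
    $point = Get-ComputerRestorePoint |
        Where-Object { [System.Management.ManagementDateTimeConverter]::ToDateTime($_.CreationTime) -lt $IncidentStart } |
        Sort-Object SequenceNumber -Descending | Select-Object -First 1
    if (-not $point) { Write-Warning 'No restore point from before the incident survived.'; return }
    Restore-Computer -RestorePoint $point.SequenceNumber -Confirm
}

function Enable-RestorePointsForNextTime {
    # For the rebuilt machine, or any still-clean Windows 10 machine: System
    # Protection is off by default there, so turn it on and take a baseline now.
    Enable-ComputerRestore -Drive 'C:\'
    Checkpoint-Computer -Description 'Baseline after ransomware response' -RestorePointType MODIFY_SETTINGS
}

# Typical order, one step at a time:
#   Invoke-NetworkIsolation
#   Get-ShadowCopyStatus
#   Enable-SafeBoot; Restart-Computer
#   (now in Safe Mode) Invoke-RestorePoint -IncidentStart (Get-Date).AddHours(-6)
```

Pass Invoke-RestorePoint the time the first symptom was noticed; the example value above (six hours ago) is a placeholder.  If Get-ShadowCopyStatus returns no shadow copies and no restore points, skip System Restore entirely and move on to scanning and rebuilding, because there is nothing left for it to roll back to.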

Use a trusted anti-virus or anti-malware.

The next step is to run your anti-virus and anti-malware tools, using the deepest scan option your software offers.  Because the machine is no longer on the network, make sure the signatures are current first (bring an update over on removable media), or use a bootable rescue disc from your AV vendor, which scans the disk before Windows, and any malware on it, has loaded.  Encrypted files cannot be recovered this way, but you can usually get the malware removed from the computer and prevent further damage.

Re-install Windows.

A full format of the hard disk and a fresh installation of Windows may be time consuming and stressful, but it is the most reliable way to get the infected system clean again.

Many business owners will understandably save this step as an absolute last resort.  Still, Right Hand recommends this as the best solution to ensure any traces of ransomware are wiped out.  Ask yourself whether avoiding the downtime would be worth risking further damage to your data and network.

Restore from a good backup.

We wholeheartedly hope that you have one.  Once you have reformatted the infected computer and re-installed a fresh copy of Windows, restore from backups to get your files back where they used to be.  Before you restore, check that the backup itself is intact: a backup destination that was reachable from the infected machine as a drive letter or share may have been encrypted along with everything else.  If the infected computer was connected to file shares on your network, check those locations for encrypted files too and restore good copies where necessary.  Remember that any networked location the infected user could write to is potentially damaged.

Having a solid backup solution in place is your #1 protection from the damaging effects of ransomware.  In most cases encrypted files cannot be unlocked without the attacker's key.  Don't take unnecessary risks with your business critical data: if you aren't backed up, call us today or visit http://backup.rhtg.net.

Report the occurrence to the authorities.

They won’t hunt down and bring justice to the hacker that got you, at least not initially.  It may seem like a bother, but reporting your incident to the FBI may help them to identify patterns and investigate the crime at its source.  Incidents can be reported at the FBI’s Internet Crime Complaint Center at http://www.ic3.gov.

Bring your computer to the professionals.

If you have a computer infected with ransomware and you're not sure what to do, let the pros take a look.  Our experienced technicians at Right Hand are knowledgeable about the threat of ransomware and have encountered it in many different situations.  We have the tools and experience necessary to give you the best chance at saving your data and helping you avoid another attack in the future.

Right Hand is a managed service provider offering custom IT solutions for any size business, large or small.  Our team can protect your network from ransomware and other threats.  Don’t wait for disaster to strike – call us today at 844.254.RHTG (7484).