Help! I'm Infected with Ransomware
Are you infected with ransomware? Time is of the essence! Ransomware spreads very quickly, and can encrypt your computer, networked file share, and even attached cloud storage. Act fast and you may be able to save data, or at least recover it quickly. Here is a handy response checklist for you, your colleagues and your friends.
Ransomware Response Checklist
• Pull the network cable out, or if your computer is connected wirelessly, find some way to get it off of your wireless network. Immediately disconnect any USB drives. Remember, the ransomware will crawl through your system encrypting files. You want to stop it from locking up files on any shared drives, or backup drives that you have attached to your system.
• Call IT right away. They may want you to pull your computer’s plug out of the wall (or pull out the battery if it is a laptop). The not-so-nice shutdown is important. If you try to shut your computer down nicely by pressing a button, sometimes the ransomware can tell, and the computer might not actually shut down.
• Quickly figure out what was encrypted and how extensive the damage is. If you have backups for that data, GREAT! This really underscores the importance of taking regular backups, every single day, automatically.
• If you can’t restore from backups, check whether the ransomware you got has a known bypass. There are certain kinds of ransomware where we know how to break the encryption. For example, Kaspersky has released tools that will decrypt files if you’re infected with certain strains of ransomware. Another useful site is www.nomoreransom.org.
• If all else fails, you may choose to pay the ransom to get your data back. If you’re going to do it, do it quickly before the price goes up. If you don’t have Bitcoin on hand, call an experienced security firm (such as LMG) to take care of the transaction for you.
• Talk to legal counsel immediately if there’s a chance you have sensitive or regulated data on any computer that was encrypted (such as personal information, Social Security Numbers, health care information, or other sensitive data). Ransomware infections may be considered a data breach in certain circumstances, in which case you may be required to notify any parties involved.
• Finally, consider reporting the ransomware attack to the FBI. They are tracking these cases. Either contact your local field office, or go to the Internet Crime Complaint Center at www.ic3.gov.
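For the step above about figuring out what was encrypted, here is an added example (not LMG's own tooling) that walks a folder and counts, per directory, files whose header no longer matches their extension or whose contents look random. It assumes you run it from a clean machine against a copy or read-only mount of the affected folders; the function names, the 7.5 entropy threshold and the ".locked" file name are assumptions chosen for illustration.

```python
import math, os, time
from collections import Counter

# Leading bytes of common formats; a file that keeps one of these extensions
# but no longer starts with the matching bytes was likely overwritten.
MAGIC = {".pdf": b"%PDF", ".png": b"\x89PNG", ".jpg": b"\xff\xd8\xff",
         ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".zip": b"PK\x03\x04"}

def entropy(data):
    """Shannon entropy in bits per byte; encrypted data sits close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify(path, sample=4096, threshold=7.5):
    """Return 'ok', 'header-mismatch' or 'high-entropy' for one file."""
    with open(path, "rb") as fh:
        head = fh.read(sample)
    magic = MAGIC.get(os.path.splitext(path)[1].lower())
    if magic is not None:
        return "ok" if head.startswith(magic) else "header-mismatch"
    # Unknown extension (e.g. a constructed "budget.xlsx.locked"): use entropy,
    # but only on samples long enough to measure reliably.
    suspicious = len(head) >= 1024 and entropy(head) > threshold
    return "high-entropy" if suspicious else "ok"

def survey(root, since_hours=None, now=None):
    """Map each directory under root to a Counter of non-ok verdicts."""
    cutoff = None if since_hours is None else (now or time.time()) - since_hours * 3600
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if cutoff is not None and os.path.getmtime(path) < cutoff:
                    continue  # not modified inside the incident window
                verdict = classify(path)
            except OSError:
                verdict = "unreadable"
            if verdict != "ok":
                report.setdefault(dirpath, Counter())[verdict] += 1
    return report

if __name__ == "__main__":
    import sys
    for folder, verdicts in sorted(survey(sys.argv[1] if len(sys.argv) > 1 else ".").items()):
        print(folder, dict(verdicts))
```

Compressed or media files with extensions not listed in MAGIC will also show up as high-entropy, so treat the output as a list of folders to check against your backups, not as a final damage count.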
Want to see videos of ransomware in action? Check out LMG’s research project, “Watch Ransomware Wreak Havoc in the Cloud.”
Sherri Davidoff is the CEO of LMG Security, which provides cybersecurity testing and audit services, digital forensics, and training. 855.LMG.8855.